Add wildcard group permission

Author: Y-Sindo

articles/azure-web-pubsub/concept-client-protocols.md

@@ -4,7 +4,7 @@ description: This article presents an overview of the client protocols for Azure
 author: vicancy
 ms.author: lianwei
 ms.service: azure-web-pubsub
-ms.topic: conceptual 
+ms.topic: conceptual
 ms.date: 11/08/2021
 ms.custom: sfi-ropc-nochange
 ---
@@ -42,13 +42,13 @@ You could also configure properties for the client connection when generating th
 
 You could also add custom claims into the access token, and these values are preserved as the `claims` property in [connect upstream request body](./reference-cloud-events.md#system-connect-event).
 
-[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients. 
+[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients.
 
 <a name="simple_client"></a>
 
 ## The simple WebSocket client
 
-A **simple WebSocket client**, as the naming indicates, is a simple WebSocket connection. It can also have its own custom subprotocol. 
+A **simple WebSocket client**, as the naming indicates, is a simple WebSocket connection. It can also have its own custom subprotocol.
 
 For example, in JavaScript, you can create a simple WebSocket client by using the following code:
 
@@ -62,7 +62,7 @@ var client2 = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', '
 
 Simple WebSocket client has two modes: `sendEvent` and `sendToGroup`. The mode is determined once the connection is established and cannot be changed later.
 
-`sendEvent` is the default mode for the simple WebSocket client. In `sendEvent` mode, every WebSocket frame the client sent is considered as a `message` event. Users can configure [event handlers](./concept-service-internals.md#event-handler) or [event listeners](./concept-service-internals.md#event-listener) to handle these `message` events. 
+`sendEvent` is the default mode for the simple WebSocket client. In `sendEvent` mode, every WebSocket frame the client sent is considered as a `message` event. Users can configure [event handlers](./concept-service-internals.md#event-handler) or [event listeners](./concept-service-internals.md#event-listener) to handle these `message` events.
 
 ```javascript
 // Every data frame is considered as a `message` event
@@ -102,7 +102,7 @@ var pubsubClient = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub
 
 ```js
 let ackId = 0;
-pubsubClient.send(    
+pubsubClient.send(
     JSON.stringify({
         type: 'joinGroup',
         group: 'group1',
@@ -114,7 +114,7 @@ pubsubClient.send(
 
 ```js
 let ackId = 0;
-pubsubClient.send(    
+pubsubClient.send(
     JSON.stringify({
         type: 'sendToGroup',
         group: 'group1',
@@ -191,6 +191,8 @@ As you likely noticed in the earlier PubSub WebSocket client description, a clie
 | `webpubsub.sendToGroup` | The client can publish messages to any group. |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 | | |
 
 The permission of a client can be granted in several ways:
@@ -199,7 +201,7 @@ The permission of a client can be granted in several ways:
 
 Client can connect to the service using a JWT. The token payload can carry information such as the `role` of the client. When signing the JWT to the client, you can grant permissions to the client by giving the client specific roles.
 
-For example, let's sign a JWT that has the permission to send messages to `group1` and `group2`: 
+For example, let's sign a JWT that has the permission to send messages to `group1` and `group2`:
 
 ```js
 let token = await serviceClient.getClientAccessToken({

articles/azure-web-pubsub/concept-service-internals.md

@@ -212,6 +212,8 @@ A client can publish to other clients only when it's _authorized_ to. The `role`
 | `webpubsub.sendToGroup`            | The client can publish messages to any group.       |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join/leave group `<group>`.          |
 | `webpubsub.sendToGroup.<group>`    | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)).
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)).
 
 The server-side can also grant or revoke permissions of the client dynamically through [server protocol](#connection-manager) as to be illustrated in a later section.
 

articles/azure-web-pubsub/concept-wildcard-group-roles.md

@@ -0,0 +1,130 @@
+---
+title: Use wildcard group role patterns
+description: Learn how to grant Azure Web PubSub clients permissions to many groups using wildcard role patterns.
+author: kevinguo-ed
+ms.author: kevinguo
+ms.service: azure-web-pubsub
+ms.topic: conceptual
+ms.date: 10/14/2025
+ms.custom:
+---
+
+# Use wildcard group role patterns
+
+Azure Web PubSub now supports wildcard pattern matching in client "group" roles so you can authorize a client for many related groups with a single role string. This reduces token size, simplifies permission management, and improves performance versus enumerating many concrete group roles.
+
+You can continue to use the existing literal roles:
+
+- `webpubsub.sendToGroup.{groupName}`
+- `webpubsub.joinLeaveGroup.{groupName}`
+
+But you can now also use the new pattern roles:
+
+- `webpubsub.sendToGroups.{pattern}`
+- `webpubsub.joinLeaveGroups.{pattern}`
+
+Where `{pattern}` follows the wildcard syntax below.
+
+## When to use pattern roles
+
+Use pattern roles when:
+
+- A user or device must access a large but bounded dynamic set of groups (for example: all groups for a specific tenant or project)
+- You want to keep access tokens small (avoid listing dozens or hundreds of explicit group roles)
+
+Avoid over-broad patterns (like `**`) unless absolutely required; follow the principle of least privilege.
+
+## Pattern syntax
+
+| Symbol | Meaning |
+| ------ | ------- |
+| `?` | Matches exactly one character except `/` |
+| `*` | Matches zero or more characters except `/` |
+| `**` | Matches zero or more characters including `/` (crosses path boundaries) |
+| `\` | Escape character for `\`, `*`, `?` |
+
+Additional rules:
+
+- `/` acts as a path separator and is never matched by `?` or `*` (only by `**`).
+- Use `**` sparingly; prefer narrower patterns (`clientA/*/chat`).
+- Up to five total `*` characters (including those forming `**`) are allowed in a single pattern.
+
+### Examples
+
+| Pattern | Matches | Does not match |
+| ------- | ------- | -------------- |
+| `chat-*` | `chat-1`, `chat-room` | `chat/1`, `xchat-1` |
+| `clientA/*` | `clientA/alpha`, `clientA/1` | `clientA/alpha/room1`, `clientB/alpha` |
+| `clientA/**` | `clientA/alpha`, `clientA/alpha/room1` | `clientB/anything` |
+| `clientA/rooms/?1` | `clientA/rooms/a1`, `clientA/rooms/11` | `clientA/rooms/1`, `clientA/rooms/a/1` |
+| `literal\*star` | `literal*star` | `literalXstar` |
+
+### Escaping
+
+Prefix `*`, `?`, or `\` with `\` to match the literal character. Example: `project\*123` matches only `project*123`.
+
+## Using pattern roles in code
+
+Add the pattern role to the `roles` collection when generating a client access token. The client then automatically has the implied permissions for matching groups.
+
+## Code samples
+
+# [JavaScript](#tab/javascript)
+
+```js
+const token = await serviceClient.getClientAccessToken({
+  roles: [
+    // Can send to all groups under clientA/
+  'webpubsub.sendToGroups.clientA/**',
+    // Can join/leave any direct child group under clientA/public/
+  'webpubsub.joinLeaveGroups.clientA/public/*'
+  ]
+});
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+var url = service.GetClientAccessUri(roles: new [] {
+  "webpubsub.sendToGroups.clientA/**",
+  "webpubsub.joinLeaveGroups.clientA/public/*"
+});
+```
+
+# [Python](#tab/python)
+
+```python
+token = service.get_client_access_token(roles=[
+  "webpubsub.sendToGroups.clientA/**",
+  "webpubsub.joinLeaveGroups.clientA/public/*"
+])
+```
+
+# [Java](#tab/java)
+
+```java
+GetClientAccessTokenOptions opt = new GetClientAccessTokenOptions();
+opt.addRole("webpubsub.sendToGroups.clientA/**");
+opt.addRole("webpubsub.joinLeaveGroups.clientA/public/*");
+WebPubSubClientAccessToken token = service.getClientAccessToken(opt);
+```
+
+---
+
+## Security guidance
+
+- Prefer the narrowest pattern that satisfies the scenario.
+
+## Frequently asked questions
+
+**Q: Can I mix literal and pattern roles?**
+Yes. A literal role always applies exactly; patterns add broader coverage.
+
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Generate client access URL and use roles](howto-generate-client-access-url.md)
+
+> [!div class="nextstepaction"]
+> [Authorize access with Microsoft Entra ID](concept-azure-ad-authorization.md)

articles/azure-web-pubsub/howto-connect-mqtt-websocket-client.md

@@ -43,6 +43,8 @@ A client can publish to other clients only when it's *authorized* to do so. A cl
 | `webpubsub.sendToGroup` | The client can publish messages to any group. |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 | | |
 
 ## Authentication and authorization

articles/azure-web-pubsub/howto-generate-client-access-url.md

@@ -80,6 +80,19 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      });
      ```
 
+  - Configure pattern roles to cover many groups
+
+     ```js
+     let token = await serviceClient.getClientAccessToken({
+       roles: [
+         // send to any group under clientA/
+         "webpubsub.sendToGroups.clientA/**",
+         // join/leave any direct child of clientA/public/
+         "webpubsub.joinLeaveGroups.clientA/public/*"
+       ]
+     });
+     ```
+
    - Configure a group `group1` that the client joins once it connects using this Client Access URL
 
      ```js
@@ -99,7 +112,7 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      ```csharp
      // for web pubsub native clients
      var url = service.GetClientAccessUri();
-     
+
      // for mqtt clients
      var url = service.GetClientAccessUri(clientProtocol: WebPubSubClientProtocol.Mqtt);
      ```
@@ -128,6 +141,15 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.sendToGroup.group1" });
      ```
 
+  - Configure pattern roles to cover many groups
+
+     ```csharp
+     var url = service.GetClientAccessUri(roles: new [] {
+  "webpubsub.sendToGroups.clientA/**",
+  "webpubsub.joinLeaveGroups.clientA/public/*"
+     });
+     ```
+
    - Configure a group `group1` that the client joins once it connects using this Client Access URL
 
      ```csharp
@@ -145,7 +167,7 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      ```python
      # for web pubsub native clients
      token = service.get_client_access_token();
-     
+
      # for mqtt clients
      token = service.get_client_access_token(client_protocol="MQTT")
      ```
@@ -174,6 +196,15 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      token = service.get_client_access_token(roles=["webpubsub.sendToGroup.group1"])
      ```
 
+  - Configure pattern roles to cover many groups
+
+     ```python
+     token = service.get_client_access_token(roles=[
+  "webpubsub.sendToGroups.clientA/**",
+  "webpubsub.joinLeaveGroups.clientA/public/*"
+     ])
+     ```
+
    - Configure a group `group1` that the client joins once it connects using this Client Access URL
 
      ```python
@@ -233,6 +264,15 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      WebPubSubClientAccessToken token = service.getClientAccessToken(option);
      ```
 
+  - Configure pattern roles to cover many groups
+
+     ```java
+     GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+  option.addRole("webpubsub.sendToGroups.clientA/**");
+  option.addRole("webpubsub.joinLeaveGroups.clientA/public/*");
+     WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+     ```
+
    - Configure a group `group1` that the client joins once it connects using this Client Access URL
 
      ```java
@@ -258,15 +298,15 @@ You could also use Microsoft Entra ID and generate the token by invoking [Genera
 1. Use the Microsoft Entra token to invoke `:generateToken`.
 
 1. Gather the following information:
-   
+
     | Value name | How to get the value |
     | --- | --- |
     | TenantId | TenantId is the value of **Directory (tenant) ID** on the **Overview** pane of the application you registered. |
     | ClientId | ClientId is the value of **Application (client) ID** from the **Overview** pane of the application you registered. |
     | ClientSecret | ClientSecret is the value of the client secret you just added in step #1 |
-   
+
 1. Get the Microsoft Entra ID token from Microsoft identity platform
-   
+
     We use [CURL](https://curl.se/) tool to show how to invoke the REST APIs. The tool is bundled into Windows 10/11, and you could install the tool following [Install CURL](https://curl.se/download.html).
 
     ```bash
@@ -316,3 +356,6 @@ You could also use Microsoft Entra ID and generate the token by invoking [Genera
       "token": "ABCDEFG.ABC.ABC"
     }
     ```
+
+> [!TIP]
+> See [Wildcard group role patterns](concept-wildcard-group-roles.md) for syntax, escaping, and security guidance.

articles/azure-web-pubsub/includes/reference-permission.md

@@ -2,8 +2,8 @@
 author: vicancy
 ms.author: lianwei
 ms.service: azure-web-pubsub
-ms.topic: include 
-ms.date: 01/24/2023
+ms.topic: include
+ms.date: 10/14/2025
 ---
 
 ## Permissions
@@ -17,5 +17,7 @@ A PubSub WebSocket client can only publish to other clients when it's authorized
 | `webpubsub.sendToGroup` | The client can publish messages to any group.
 | `webpubsub.joinLeaveGroup.<group>` | The client can join/leave the group `<group>`.
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to the group `<group>`.
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](../concept-wildcard-group-roles.md)).
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](../concept-wildcard-group-roles.md)).
 
 The server can dynamically grant or revoke client permissions through REST APIs or server SDKs.

articles/azure-web-pubsub/toc.yml

@@ -251,6 +251,8 @@
       href: concept-billing-model.md
     - name: Microsoft Entra Authorization
       href: concept-azure-ad-authorization.md
+    - name: Wildcard group role patterns
+      href: concept-wildcard-group-roles.md
     - name: Metrics
       href: concept-metrics.md
     - name: Security