[keycloak-user] Multi-tenancy with groups

[Wyns Dean]

Hi there

A client of ours requires multi-tenancy (multiple customers) but without isolation of users. In others words, one user can be linked to multiple customers. A user with the permission to do so, should be able to manage their customer's users.

For this client we created a realm to completely isolate it. So we would use groups to implement the customers below our client.
Is creating a group per customer the best way to implement this? And then restrict the user management by using the fine-grained permissions built into the Keycloak admin console?

Or is there another better way?

Thanks
Dean