[Hawkular-dev] Authorization flow

Hi, I have read the threads about the tenantId/integration with Keycloak, but I am still having some doubts about the ideal flow. Please, let me know if my flow is correct: - We will have users associated by tenants, so a tuple (tenantId, userId) should be unique i.e. (tenantA, userA), (tenantB, userA). - A tuple (tenantId, userId) will have associated a list of roles (with hierarchy like an organization ?). - Metrics/Definitions/Resources should be unique by tenant, so our backend should have something like (tenantId, {metricId|resourceId|definitionId}). - In the APIs, tenantId will be explicit nor implicit. - Keycloak would be responsible to pass a (tenantId, userId) + roles list to the component/application. So, my main doubt is about how are we thinking to work with the authorization, I guess that component backend should define some authorization rules based on roles and permissions, right ? I guess that this part should be more or less shared for all components. Is there any draft about it ? Perhaps this question is very early and it can be put on hold for later, but just curious about it, as I would like to think in possible impacts. Thanks, Lucas