Hello team,
I am a new fan and, after painfully writing my own solution, we are hoping to
convert to Keycloak. First, thank you all for your efforts and supporting
this project.
I have gone through the tutorials and terminology; however, I cannot seem
to mold a suitable model for my authorization use case through Keycloak
concepts. Please consider this use scenario:
- You provide a SaaS solution for Car Dealerships.
- Every dealership inherits a set of default roles upon creation (e.g.
admin, manager, sales, accountant, ...).
- A dealership could add/remove permissions to the default roles.
- Dealership can define their own custom roles.
- A dealership has multiple vendors and each vendor has a couple of
roles (admin, accountant, vendor)
- A dealership has numerous departments and each department may have
their own roles for that department
In my built-in model, I have a table that connects a Role to a Principal
(an entity) and the ACLs (or permissions) are assigned to the roles. The
Principal could be "DealershipA", "DealershipB", "Vendor1" and "Department0".
Now my question is: What is the best practice to implement this scenario
in Keycloak?
- How would you connect/assign a role to an entity?
- Would you consider a Dealership, Vendor or a Department a Resource or
a Client or what?
Thank you in advance for all your help,