Hello ...
On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx(a)gmail.com> wrote:
> Hi there,
> I am new to Keycloak and am trying to use it as the auth server in my solution.
> I have the following entity model: the *devices* are owned by a particular
> *company* to which some *users* belong. A user with the role *admin* can grant
> permission for viewing some set of devices to a regular user, but only those
> devices that belong to the admin's company. Thus all users except admins can
> view only a subset of all devices in the company. Based on these requirements I
> decided to model a company as a *group* and devices as Keycloak *resources*.
> To evaluate permissions I chose the *rule-based policy*. The problem is I ran
> into the following questions about how to implement the other relations and
> business rules:
>
> 1. Can I set the group as an owner of the resource to check this relation
> in policy?
You can't. Right now the owner should be a user (or a service account). But I
think groups should also be included in the list of supported owners,
though. I think that would help you to address your requirement [1].
In fact, maybe we should allow anything as the owner. I think we had some
discussions around this on
https://issues.jboss.org/browse/KEYCLOAK-3135.

[1] https://issues.jboss.org/browse/JBEAP-11377
> 2. Which mechanism is better to use in my case to grant view permission on a
> particular device to a regular user?
>
> If someone is more experienced in Keycloak and knows how to better
> represent such a model, please help.
> Thank you in advance.
>
> *P.S.*
> For the second question I have two solutions:
> - Create for each device a new role whose name consists of the *device's name*
> + the word *view* (this solution has a big disadvantage: if a user has over
> 1000 devices, the *Permission Ticket* will be very huge)
> - Represent the mapping between user and device via a scope: when an admin
> sets a relation between a particular device and a user, a scope whose name
> consists of the *user id* plus the word *view* is added to the resource
> (device). (I know it is not a good way to use scopes, but I have no idea how
> to better configure this relation in Keycloak.)
It seems company and realm have a 1:1 mapping? If so, we end up missing
the group issue I mentioned previously.
Makes sense?
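As an added illustration (not part of the thread and not Keycloak code), here is a small Python model of the relations the question describes: a company as a group, a device as a resource that records its owning group (standing in for the group-as-owner relation that Keycloak does not support directly), admins who may grant "view" only inside their own company, and regular users who see only the devices explicitly granted to them. The company, user and device names are constructed sample data.

```python
"""Added illustration of the authorization model described in the thread.

This is not Keycloak code: it is a plain Python model of the relations in
the question (company = group, device = resource recording its owning group,
admin grants restricted to the admin's own company, non-admins see only the
devices granted to them). All names (acme, globex, alice, bob, carol, dev-1
...) are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    company: str                       # the group this user belongs to
    roles: set = field(default_factory=set)


@dataclass
class Device:
    device_id: str
    company: str                       # owning group, standing in for a group owner


class AuthorizationModel:
    """Evaluates the two business rules: admin-scoped grants and per-user view."""

    def __init__(self):
        self.users = {}
        self.devices = {}
        self.grants = set()            # (user_id, device_id) pairs granted "view"

    def add_user(self, user):
        self.users[user.user_id] = user

    def add_device(self, device):
        self.devices[device.device_id] = device

    def grant_view(self, admin_id, user_id, device_id):
        """Admin grants 'view' on a device; refused unless all parties share the admin's company."""
        admin = self.users[admin_id]
        target = self.users[user_id]
        device = self.devices[device_id]
        if "admin" not in admin.roles:
            return False                      # only admins may grant
        if device.company != admin.company:
            return False                      # device owned by another company
        if target.company != admin.company:
            return False                      # grantee outside the admin's company
        self.grants.add((user_id, device_id))
        return True

    def can_view(self, user_id, device_id):
        """Policy decision for the 'view' scope on one device."""
        user = self.users[user_id]
        device = self.devices[device_id]
        if device.company != user.company:
            return False                      # never across companies
        if "admin" in user.roles:
            return True                       # admins see all devices of their company
        return (user_id, device_id) in self.grants

    def visible_devices(self, user_id):
        """The subset of devices a user can view, in insertion order."""
        return [d for d in self.devices if self.can_view(user_id, d)]


def build_sample():
    """Constructed sample: two companies, each with an admin; one regular user."""
    m = AuthorizationModel()
    m.add_user(User("alice", "acme", {"admin"}))
    m.add_user(User("bob", "acme"))
    m.add_user(User("carol", "globex", {"admin"}))
    m.add_device(Device("dev-1", "acme"))
    m.add_device(Device("dev-2", "acme"))
    m.add_device(Device("dev-3", "globex"))
    return m


if __name__ == "__main__":
    m = build_sample()
    print(m.grant_view("alice", "bob", "dev-1"))   # True: same company
    print(m.grant_view("alice", "bob", "dev-3"))   # False: device belongs to globex
    print(m.grant_view("carol", "bob", "dev-3"))   # False: bob is not in globex
    print(m.visible_devices("bob"))                # ['dev-1']
    print(m.visible_devices("alice"))              # ['dev-1', 'dev-2']
```

The point of the model is that the company check happens in one place for both the grant and the view decision, so a per-user grant can never leak a device across companies regardless of whether grants are later represented as roles or as scopes on the resource.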
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user