Hi all,
there was a post in 2016 that kind of describes my problem:
http://lists.jboss.org/pipermail/keycloak-user/2016-July/007069.html
unfortunately without any concrete pointers or examples.
To paraphrase:
there’s a protected resource called Project,
and an owner, a Project Manager. Each project manager has access to only their own projects
(owner-only policy).
Project Managers in turn report to one or more Portfolio Managers. A Portfolio Manager
should be able to access all his/her project manager's projects (portfolio-manager
policy).
Let’s assume the system design is flexible and the fact of who the Portfolio Managers are
for a particular Project Manager
can be either kept inside Keycloak or in the client app itself. How can this be
implemented as a JavaScript
authorization policy in Keycloak? I guess the request can be injected with this info
somehow but can’t figure it out from the docs.
regards,
Milan