[keycloak-user] regarding custom attributes and mapping resources to users

Hello Community, I am fairly new to using keycloak and still getting immersed into the authentication and authorization jargons. I have some basic queries that i am curious about. * Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/us...). Is this something that a user can edit for themselves or is something for an administrator to manage custom content for the user? Basically, as an administrator can I put information that should be hidden from the user as a custom attribute ? * My second question is more about architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Looking forward to some constructive discussions and some answers to the basic issues I have. Regards, Avinash