[keycloak-user] How to get permission to all child resources

Hello, We are new to Keycloak and we are exploring its abilities for securing our web api. One things we are trying to do is to get all permissions associated with a user for all child resources in a RPT. For example, let's say I'm trying to expose the folder Document on my file system to the network via REST. This Document folder may have millions of files and subfolders, most of them are accessible by all Users, some are only available to Admin, and some are for Customers only. On Keycloak server, i would define 3 resources named: "All Docs" with URL /Document/* and Role policy granting access to all Users "For Admin" with URL /Document/Administration/* and Role policy granting access to only Admins "For Customer" with URL /Document/Products/* and Role policy granting access to only Customers If i use the entitlement API, i can ask if Sarah who is a Users and a Customers can access "All Docs". However, if Sarah want to know/list all files under /Document/Administration/Contracts/Sarah/* then how should i ask entitlement API since this URL is not declared as a resource in Keycloak? If i can call the API for this path, I would like to receive from the API some permissions info starting from /Document/Administration because this is the closest ancestor known to Keycloak regarding the path being asked. Hope to get some insight soon ​Thai​