Hi,
I'm currently evaluating Keycloak for my use case. We have a hierarchical
multi-tenant application (sport clubs and teams).
As we have users that work in multiple clubs, the multiple-realm scenario is
not feasible for our application.
There are users that may have roles like "club-admin" for a certain club or
"team-admin" for a certain team.
To evaluate whether a user is permitted to do something on a certain team, like
"modifying a team" or "create a training session", I would need to set the
role of a club/team-admin into the context of the club or team.
If I understand it correctly, the roles that are assigned via a group a
user belongs to are global, meaning if I try to figure out if a user can modify
a certain team, the resolved roles will not reflect in which team a user
may be a trainer-admin.
Therefore, to achieve rules like this, I could encode the club/team
context in the role name, like "club-admin@123" for a club or
"team-admin@987" for a team.
Is this a scalable approach, or is there a better solution for this?
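The check that the scheme above implies, as an added example that is not part of the original post and not Keycloak code: it parses realm roles of the form "club-admin@<clubId>" / "team-admin@<teamId>" out of a decoded access token and decides whether an action on a given team is allowed, letting a club-admin of the team's club inherit team-level permission so the club/team hierarchy is honoured. The team-to-club mapping, the action tables and the token payload are constructed sample data for the example; the action names and role names beyond the two the post mentions are assumptions.

```python
"""Scoped-role check for tenant context encoded in Keycloak role names.

Added example, not from the original post or from Keycloak. It assumes the
naming convention "club-admin@<clubId>" and "team-admin@<teamId>" from the
post, and that the application itself knows which club each team belongs to.
"""
import re
from dataclasses import dataclass

# role@scope, where scope is a numeric club or team id (assumed convention).
ROLE_RE = re.compile(r"^(?P<role>[a-z][a-z0-9-]*)@(?P<scope>\d+)$")

# Constructed sample data: team id -> club id (hypothetical ids).
TEAM_TO_CLUB = {"987": "123", "988": "123", "555": "777"}

# Which actions each scoped role grants (assumption for the example).
CLUB_ADMIN_ACTIONS = {"modify-team", "create-training-session", "delete-team"}
TEAM_ADMIN_ACTIONS = {"modify-team", "create-training-session"}


@dataclass(frozen=True)
class ScopedRole:
    role: str   # e.g. "club-admin"
    scope: str  # e.g. "123"


def parse_roles(realm_roles):
    """Turn 'role@scope' names into ScopedRole values.

    Roles that do not follow the convention (e.g. Keycloak's built-in
    "offline_access") are ignored rather than treated as wildcards.
    """
    scoped = set()
    for name in realm_roles:
        m = ROLE_RE.match(name)
        if m:
            scoped.add(ScopedRole(m["role"], m["scope"]))
    return scoped


def can(token, action, team_id):
    """Return True if the token's roles allow `action` on team `team_id`.

    A club-admin of the team's club inherits the team-level permissions,
    which is the hierarchy the post describes. Unknown teams are denied.
    """
    roles = parse_roles(token.get("realm_access", {}).get("roles", []))
    club_id = TEAM_TO_CLUB.get(team_id)
    if club_id is None:
        return False  # deny rather than guess at the tenant context
    if action in CLUB_ADMIN_ACTIONS and ScopedRole("club-admin", club_id) in roles:
        return True
    if action in TEAM_ADMIN_ACTIONS and ScopedRole("team-admin", team_id) in roles:
        return True
    return False


# Constructed decoded access-token payload (only the claims this check reads);
# not a real Keycloak token.
SAMPLE_TOKEN = {
    "preferred_username": "alice",
    "realm_access": {
        "roles": ["club-admin@123", "team-admin@555",
                  "offline_access", "uma_authorization"],
    },
}

if __name__ == "__main__":
    for action, team in [("modify-team", "987"), ("delete-team", "555"),
                         ("modify-team", "555"), ("modify-team", "999")]:
        print(f"{action} on team {team}: {can(SAMPLE_TOKEN, action, team)}")
```

The check only works because the application resolves each team to its club itself; Keycloak's role names carry the id but not the hierarchy. It also shows where the scalability question bites: every club and every team needs its own realm role, and every scoped role a user holds ends up in the token.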