[keycloak-user] SSO for two groups of web applications?

Hi, Is it possible to authenticate users using *one* Keycloak server for *two* groups of web applications. For example, if a user signs in a web app in the 1st group, the user can access all the apps in the 1st group but none in the 2nd group, vice versa. If it's possible, how? Or any documentation? Thanks and regards, Weijun