Hi guys,
yet another question... AuthZ is quite mysterious!
I am trying to protect my API with realm roles.
I have an API looking like this:
http://www.example.com/api/v1/cities/rome/houses
http://www.example.com/api/v1/cities/rome/streets
Each endpoint supports GET/PUT/POST/DELETE.
Each role must have the form:
<view|manage>:<asset>[:<city>[:<resource filter>]]
For example, roles can be:
- view:houses
- view:houses:rome
- view:houses:rome:owner==smith
- manage:houses:rome
"manage": gives you all CRUD operations, while with "view" you can only read resources.
Do you think this design is correct? Any other suggestion?
What is not practical is that I have to force my users to use this role format.
The resource filter part is also hard to implement, as it requires checking the content of the responses...
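As an added illustration (not code from the original post), here is one way the role format `<view|manage>:<asset>[:<city>[:<resource filter>]]` could be parsed and enforced, including the response filtering the post says is hard: the request is denied unless some role covers the method, asset and city, and then only the resources matching the roles' filters are returned. The `field==value` filter syntax, the function names and the sample data are my assumptions; the post only shows `owner==smith`.

```python
from dataclasses import dataclass
from typing import Optional

READ_METHODS = {"GET"}
ALL_METHODS = {"GET", "PUT", "POST", "DELETE"}


@dataclass(frozen=True)
class Role:
    action: str                 # "view" or "manage"
    asset: str                  # e.g. "houses"
    city: Optional[str]         # None means every city
    filter: Optional[tuple]     # (field, value) from "field==value" (assumed syntax)

    def allows(self, method: str, asset: str, city: str) -> bool:
        """True if this role covers the method on asset/city, ignoring the filter."""
        methods = ALL_METHODS if self.action == "manage" else READ_METHODS
        return (method in methods and self.asset == asset
                and (self.city is None or self.city == city))


def parse_role(text: str) -> Role:
    """Parse <view|manage>:<asset>[:<city>[:<filter>]]; reject anything else."""
    parts = text.split(":", 3)
    if len(parts) < 2 or parts[0] not in ("view", "manage") or not parts[1]:
        raise ValueError(f"malformed role: {text!r}")
    flt = None
    if len(parts) == 4:
        field, sep, value = parts[3].partition("==")
        if not sep or not field or not value:
            raise ValueError(f"malformed filter in role: {text!r}")
        flt = (field, value)
    return Role(parts[0], parts[1], parts[2] if len(parts) > 2 else None, flt)


def authorize(roles, method, asset, city, resources):
    """Return None (deny) if no role covers the request; otherwise return the
    resources the caller may see. A matching role without a filter grants all
    of them; filtered roles keep only items whose field equals the value.
    For writes, pass the single target resource: an empty result means deny."""
    matching = [r for r in roles if r.allows(method, asset, city)]
    if not matching:
        return None
    if any(r.filter is None for r in matching):
        return list(resources)
    filters = [r.filter for r in matching]
    return [item for item in resources
            if any(str(item.get(f)) == v for f, v in filters)]


# Constructed sample data, not taken from the post.
USER_ROLES = [parse_role(r) for r in ("view:houses:rome:owner==smith", "manage:streets")]
HOUSES = [{"id": 1, "owner": "smith"}, {"id": 2, "owner": "jones"}]
```

Note that the filter is applied after the data is fetched, which is exactly the cost the post points out: the authorization layer has to inspect the response body rather than just the URL and method.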