Hi,
I need some input on the best way to solve authorization for a retail chain
scenario. Here's the scenario:
A retailer has 10,000 stores and 30,000 users.
While each user has a primary store, they can work in other stores in their
region.
At his/her primary store, UserA (clerk) has the following scopes: POS,
DailyCloseout.
For secondary stores, UserA has only the POS scope.
While there are many more scopes and user roles, the problem to solve is
this multi-tiered permissions structure: UserA's permissions depend on the
store context.
I've set up stores as resources (of type "store"), each resource has a
storeNbr attribute
I've set up scopes of POS, DailyCloseout, SalesReports, etc.
I'm struggling with a clean way to tie a user to his/her "storeX": ["scopeA",
"scopeB", "scopeC"]. I put this structure in as a user attribute and, after
mapping it, got it working with a JavaScript policy, but that's a maintenance
nightmare at best.
I can set up roles with names like <storeNbr>.<scopeA>. It's better than
the user attribute route, but still feels like a hack.
I'm guessing I could write a Drools policy that could, using the identity
from the context, read from a database that contains this structure. BUT
this provider is in tech preview / not supported, so I'm not excited about
this route.
Lastly, I guess I could write a custom policy provider.
These last two require me to maintain a separate database (and app to
maintain it), so I'm not thrilled with either of them.
So, what have I missed? Is there an elegant way to solve this?
Thanks for your help!
Scott
--
Scott G. Warren
SUM Global Technology
swarren(a)sumglobal.com
678.469.3455
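As an added example that is not part of Scott's message or of Keycloak's own code: the store-context rule from the scenario (full scopes at the primary store, POS only at other stores in the same region, nothing elsewhere) modelled as plain JavaScript so the decision can be unit-tested outside the authorization server. The store numbers, the region names, the "manager" role and its scope sets are constructed for the example; only "clerk", POS, DailyCloseout and SalesReports come from the post. The second half parses the `<storeNbr>.<scope>` role-naming encoding mentioned above and checks it against the attribute-style model.

```javascript
// Added example, not from the original post or from Keycloak. It models the
// two-tier store rule in plain JavaScript. All store numbers, regions and the
// "manager" role are constructed (hypothetical) data.

// Constructed store directory: storeNbr -> region. In the real deployment this
// would be the "store" resource's storeNbr attribute plus a region attribute.
const STORES = {
  "0101": { region: "SE" },
  "0102": { region: "SE" },
  "0201": { region: "NW" },
};

// Scopes a role holds at its primary store versus at another store in the same
// region. "clerk" follows the post; "manager" is an assumed extra role.
const PRIMARY_SCOPES = {
  clerk: ["POS", "DailyCloseout"],
  manager: ["POS", "DailyCloseout", "SalesReports"],
};
const SECONDARY_SCOPES = {
  clerk: ["POS"],
  manager: ["POS", "SalesReports"],
};

// Scopes a user may exercise in the context of storeNbr. Deny by default: an
// unknown store, an unknown role, or a store outside the user's region yields [].
function allowedScopes(user, storeNbr) {
  const store = STORES[storeNbr];
  const home = STORES[user.primaryStore];
  if (!store || !home) return [];
  if (storeNbr === user.primaryStore) return PRIMARY_SCOPES[user.role] || [];
  if (store.region === home.region) return SECONDARY_SCOPES[user.role] || [];
  return [];
}

// Decide a request for a set of scopes on one store resource. Returns the
// granted subset and the denied remainder, so a policy can grant partially
// (POS yes, DailyCloseout no) instead of all-or-nothing.
function decide(user, storeNbr, requestedScopes) {
  const allowed = new Set(allowedScopes(user, storeNbr));
  const granted = requestedScopes.filter((s) => allowed.has(s));
  const denied = requestedScopes.filter((s) => !allowed.has(s));
  return { granted, denied };
}

// Alternative encoding from the post: roles named "<storeNbr>.<scope>".
// Recover the per-store scope set from a user's role list; roles that do not
// follow the pattern (e.g. "offline_access") or have an empty scope are ignored.
function scopesFromRoles(roles, storeNbr) {
  const prefix = storeNbr + ".";
  return roles
    .filter((r) => r.startsWith(prefix) && r.length > prefix.length)
    .map((r) => r.slice(prefix.length))
    .sort();
}

// Expand a user into the "<storeNbr>.<scope>" roles they would need under the
// role-naming scheme, so the two encodings can be checked against each other.
function rolesFor(user) {
  return Object.keys(STORES).flatMap((nbr) =>
    allowedScopes(user, nbr).map((scope) => nbr + "." + scope)
  );
}

// Stand-alone demo with a constructed clerk whose primary store is 0101.
function demo() {
  const clerk = { name: "UserA", role: "clerk", primaryStore: "0101" };
  for (const nbr of ["0101", "0102", "0201", "9999"]) {
    console.log(nbr, JSON.stringify(decide(clerk, nbr, ["POS", "DailyCloseout"])));
  }
  console.log(rolesFor(clerk));
}
demo();
```

The point of keeping the rule in one pure function is that whichever storage you pick (a JSON user attribute, `<storeNbr>.<scope>` roles, or an external table behind a custom policy provider), the policy body only has to fetch the user's primary store and role and the resource's storeNbr attribute and call the same function; the store context decides the answer, and anything it does not recognise is denied rather than granted.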