Hello there!
I'm part of a frontend project and I need some help to bring our
authorization model into Keycloak. We're building on Node.js and the
whole project uses stateless microservices, both in our frontend
middleware and for all the backend services we use. The frontend uses
the standard JS adapter for session and token management.
So far we have identified four roles: travel agent, back office,
configurator and data security officer. That's easy so far. My problem
is how to model the next authorization layer we need.
For example: For the travel agents we want to be able to grant per
person whether he can see specific customer data or is able to cancel
orders. There are about 6-8 options for the travel agents. Thus, for the
back office there shall be options for stock operations or different
views on orders and so on.
Like the backend, we don't persist any data! That's why I have to store
all of this in Keycloak and find a way to easily bring this information
back to our middleware.
Here's what I tried / thought of so far:
* Use groups for the first layer and roles for the second one. -->
doesn't work because the groups don't get exposed in the token.
* Use realm roles for the upper and attributes for the lower hierarchy.
--> attributes are not included in the access token.
* Use realm roles for the upper and client roles on the lower hierarchy.
--> works, but we have to make sure that roles on the second layer are
definitely associated with only one role on the first layer. I don't
know how yet.
* Use roles for the first layer and resources on the second one. -->
That seems to get very close to what we need. But at the moment I can't
figure out the correct approach with all these policies and
permissions...
Thanks for any help, and please let me know if I should provide some
further information.
Sven
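As an added example (not code from the post above, nor from Keycloak itself), here is how the third option from the list, realm roles for the upper layer and client roles for the lower one, can be enforced in a Node.js middleware so that each second-layer option is tied to exactly one first-layer role. The client id "travel-app", the role and permission names, and the claim location req.kauth.grant.access_token.content (keycloak-connect's layout) are assumptions; the sample token claims are constructed. The token is taken to be signature-verified by the adapter before this code runs, so it only consumes decoded claims.

```javascript
'use strict';

// Added example, not code from the original post or from Keycloak.
// Two-layer authorization driven by Keycloak access-token claims:
//   layer 1 = realm roles (the four roles from the post),
//   layer 2 = client roles on a hypothetical client "travel-app" that
//             represent per-person options ("view-customer-data", ...).
// Each layer-2 permission is owned by exactly one layer-1 role, and a
// permission only counts if the user also holds its owning realm role.
// The token is assumed to have been signature-verified by the adapter.

const CLIENT_ID = 'travel-app'; // hypothetical client id

// Hypothetical permission model: realm role -> client roles it may carry.
const PERMISSION_MODEL = {
  travel_agent: ['view-customer-data', 'cancel-order', 'rebook-order'],
  back_office: ['stock-operations', 'view-all-orders'],
  configurator: ['edit-catalog'],
  data_security_officer: ['export-audit-log'],
};

// Build permission -> owning realm role, rejecting any permission listed
// under more than one realm role (the ambiguity the post worries about).
function buildOwnerIndex(model) {
  const owner = new Map();
  for (const [realmRole, perms] of Object.entries(model)) {
    for (const perm of perms) {
      if (owner.has(perm)) {
        throw new Error(
          `permission "${perm}" is mapped to both "${owner.get(perm)}" and "${realmRole}"`);
      }
      owner.set(perm, realmRole);
    }
  }
  return owner;
}

const PERMISSION_OWNER = buildOwnerIndex(PERMISSION_MODEL);

// Claim accessors; both sections are optional in a Keycloak access token.
function realmRoles(claims) {
  return (claims.realm_access && claims.realm_access.roles) || [];
}

function clientRoles(claims, clientId) {
  const access = claims.resource_access || {};
  return (access[clientId] && access[clientId].roles) || [];
}

// Layer-2 permissions actually in force for this token: the client roles
// whose owning realm role the user also holds. Stray client roles that do
// not match the user's layer-1 role are ignored rather than granted.
function effectivePermissions(claims, clientId = CLIENT_ID) {
  const held = new Set(realmRoles(claims));
  return clientRoles(claims, clientId).filter((perm) => {
    const owner = PERMISSION_OWNER.get(perm);
    return owner !== undefined && held.has(owner);
  });
}

// Where keycloak-connect stores the verified token (assumed layout).
function defaultClaims(req) {
  const grant = req.kauth && req.kauth.grant;
  return grant && grant.access_token && grant.access_token.content;
}

// Express-style middleware factory; pass your own accessor if the adapter
// stores the verified token elsewhere.
function requirePermission(permission, getClaims = defaultClaims) {
  if (!PERMISSION_OWNER.has(permission)) {
    throw new Error(`unknown permission "${permission}"`); // fail at setup
  }
  return function (req, res, next) {
    const claims = getClaims(req);
    if (!claims) {
      return res.status(401).json({ error: 'no verified token' });
    }
    if (!effectivePermissions(claims).includes(permission)) {
      return res.status(403).json({ error: `missing permission ${permission}` });
    }
    return next();
  };
}

// Constructed sample claims shaped like a Keycloak access token payload:
// a travel agent who was also (wrongly) given a back-office client role.
const SAMPLE_CLAIMS = {
  sub: '00000000-0000-4000-8000-000000000001',
  preferred_username: 'agent.one',
  realm_access: { roles: ['travel_agent', 'offline_access'] },
  resource_access: {
    'travel-app': { roles: ['view-customer-data', 'stock-operations'] },
  },
};

// Drives the middleware without an HTTP server and reports the outcome.
function simulateRequest(permission, claims) {
  const outcome = { status: null, nextCalled: false };
  const req = claims ? { kauth: { grant: { access_token: { content: claims } } } } : {};
  const res = {
    status(code) { outcome.status = code; return this; },
    json() { return this; },
  };
  requirePermission(permission)(req, res, () => { outcome.nextCalled = true; });
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('effective:', effectivePermissions(SAMPLE_CLAIMS));
  console.log('stock-operations:', simulateRequest('stock-operations', SAMPLE_CLAIMS));
}
```

The stray "stock-operations" client role in the sample token is dropped because its owner is back_office, which the user does not hold, so a mistake in role assignment in the admin console cannot silently widen what a travel agent may do. Keeping the model in code (or in a config file that is reviewed) also gives a single place to audit which options belong to which top-level role.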