Dear all,
I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC.

The application manages resources based on their association with user groups. Its simplified path schema is similar to /{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to map organizations to Keycloak user groups.

1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined for the path /{organization}/{resourcename}? My idea here was to check if the organization path of a URL matches a scope of the calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see a way to check against path parameters.

2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of group-based authorization?
Thanks for any pointers and input.
Best regards
Christian
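An added example, not part of the original post and not Keycloak's own code, of the organization check done at the resource server (the enforcement point that actually sees the request path) rather than inside a Keycloak policy. It assumes the access token has already been signature-checked by the OIDC layer, that a Keycloak group membership mapper writes the caller's groups into a `groups` claim (as full paths like "/acme" or plain names like "acme"), and that organizations are top-level groups; the claim name, group layout and allowed organization characters are assumptions, not facts from the post.

```javascript
// Extract the organization from "/{organization}/{resourcename}", or return null
// if the path does not have exactly that shape after percent-decoding.
function extractOrganization(path) {
  if (typeof path !== "string" || !path.startsWith("/")) return null;
  const segments = path.split("/").slice(1); // drop the empty segment before the leading "/"
  if (segments.length !== 2 || segments[1] === "") return null; // too short, too deep, trailing slash
  let org;
  try {
    org = decodeURIComponent(segments[0]); // "%2F", "%2E%2E" and friends become visible here
  } catch (e) {
    return null; // malformed percent-encoding: fail closed
  }
  // Assumed naming rule for organizations/groups; rejects "..", "/" and other surprises.
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/.test(org)) return null;
  return org;
}

// Turn the token's groups claim into the set of top-level organization names.
// Nested groups such as "/acme/team-a" are deliberately not treated as organizations.
function organizationsFromGroups(groups) {
  const orgs = new Set();
  for (const g of Array.isArray(groups) ? groups : []) {
    const parts = String(g).split("/").filter(Boolean);
    if (parts.length === 1) orgs.add(parts[0]); // "/acme" or "acme"
  }
  return orgs;
}

// Decision: allow only when the organization in the path is one of the caller's groups.
function isAuthorized(path, tokenClaims) {
  const org = extractOrganization(path);
  if (org === null) return false; // anything unexpected is denied
  const claims = tokenClaims && typeof tokenClaims === "object" ? tokenClaims : {};
  return organizationsFromGroups(claims.groups).has(org);
}

// Constructed sample: a caller who belongs to organization "acme" only.
const sampleClaims = { groups: ["/acme"] };
console.log(isAuthorized("/acme/report1", sampleClaims));   // true
console.log(isAuthorized("/globex/report1", sampleClaims)); // false
```

Because the decision is made where the path is known, no per-organization resource/policy pair has to be created in Keycloak for this check; the group membership alone drives it.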