Hi all,
I’m doing a POC using Keycloak. The normal authentication/authorization features work
well, but I have the following requirement that I cannot find a straightforward solution
for. I hope some security experts on the mailing list can point me in the right
direction.
Here is the requirement. A hospital has multiple units. Users should not have access
to patients in a unit that they are not authorized for. I have one service that returns a list
of patients across units. What’s the best way to set up authorization for this service?
As I said earlier, I cannot find a feature for me to implement this. Any idea is greatly
appreciated.
Thanks,
Rong