Hi, I'm currently evaluating Keycloak for my usecase. We have a hierarchical multi-tenant application (sport clubs and teams ). As we have users that work in multiple clubs the multiple realm scenario is not feasible for our application. There are users that may have roles like "club-admin" for certain club or "team-admin" for a certain team To evaluate permission if a user can do something on a certain team like "modifying a team" or "create a training session" I would need to set the role of a club/team-admin into context of the club or team. When I understand it correctly the roles that are assigned by a group a user belongs are global, meaning if try to figure out if a user can modify a certain team, the resolved roles will not reflect in which team an user maybe a trainer-admin. Therefore to achieve some rules like this I could encode the club/team context in the roles name like "club-admin@123" or team "team-admin@987". Is this a scalable approach or is there better solution for this?