Hello, Currently we (as a company) are trying to determine if Keycloak can meet our requirements of authorization for our products. The authentication part seems obvious and will be enough for what we are trying to do, but we do have some questions about the authorization part. In our application a user can create a so called 'Process'. This process goes through a workflow-engine, which determines the next status based on some business rules and configured steps. What we are trying to achieve through Keycloak is the following: - Is user X (with role R) authorized for action (/resource) Y with scope Write? (This looks like a basic question which Keycloak can answer for sure) - Is user X (with role R) authorized for action (/resource) Y with scope Write when the given resource (process) is in status A? In abstract terms we are trying to determine: Is user [X] with role [R] authorized for resource [Y] with scope [S] when the requested resource instance [Y1] has a property [Prop] with value [V]? We did some research in the Keycloak documentation, and there is spoken of CBAC (Context-Based Access Control) but there are no examples or specific documentation to be found. My summarized question(s): - Is the given use-case above possible with Keycloak? - If so, how would the status of a process be defined? Is this a resource? Or should/can we use the CBAC engine? - If we have to implement a custom 'Authorization' provider for this, could you give a short example? We have the option to possibly buy Keycloak support, but we first want to verify if it is even an option for our use-cases. Kind regards, Sander