This is more of an early stage question around idiomatic approaches for modelling permissions/roles for user created resources in Keycloak. For this use case I'm not sure if I should just use Keycloak for identity management and leave access management to the application.
Proposed use case: In the application, resources belong to a company, A company can have multiple users. Some users are admin users, and are responsible for setting up roles/permissions for other users. These permissions may grant global access (eg User can view all files) or resource specific access (Eg User can view/modify files in the marketing folder).
A more concrete example is AWS IAM. Multiple users can be on a single AWS account, but access can be controlled at varying levels. For example, a role might be set up which grants S3 Read permissions, and a different role might have S3 Delete permission on a marketing bucket.
Because these resources/roles are user created and managed, I imagine my application would need to provide its own UI and then use the REST API to communicate with Keycloak. Because these are all user generated and there could be many companies that are using the application, I could foresee a very large amount of resource related data being persisted in Keycloak.
I'm not sure if this is a good idea - I imagine I would need to communicate with the Keycloak servers frequently to verify a given user has access to the resources they are trying to request/modify. It seems like Keycloak is more suitable for scopes/permissions that are not tied to specific user created resources? If it is a standard use case, is there any documentation around approaches like this (I haven't been able to find anything)?
