We are working in a microservice environment, where each of the services has its own client. When exploring KC abilities for ABAC, I have noticed that the policies & permissions are always scoped inside an individual client; there is no way to relate a permission in one client to another, nor is there any global scope.
Example: if user A has a privilege P in client C, he should also be able to do P2 in client C2. But such cross-client references do not seem to be possible.
Example 2: we have a data model that is shared across the clients (some source data) and the clients operate over this data. We also need to have data-driven entitlements (such as: User1 can see the “House” entity). And we’d like to define policies that combine these global data entitlements with the local permissions of the application. Such as: if a user can see the given house, he can also “call the cleaning lady to the house” (some client-specific activity over the entity).
Is there any way to handle these use cases in Keycloak? Or is the ABAC model always constrained to a single client?