Best practice for role/permission management

Hi, I’d like to get some suggestions on how to best leverage KeyCloak within my architecture.

Our current setup is a set of Java (Spring Boot) microservices. We use Spring Security OAuth's authorization service with a custom data model of users, roles, and permissions.

Users are assigned to roles; Permissions are assigned to roles.

Roles can be added/removed, permission membership changed without technical impact.

All APIs use @PreAuthorize to check for the existence of a specific permission.

We’re looking to use KeyCloak in a multi-tenanted structure (similar to this example: – what is the best approach for managing users in roles and then applying that to individual API endpoints?


It depends on many factors.

  • How complex is the entire structure
  • How much time are you willing to spend
  • How many times do these roles and permissions change

You can check out for what Keycloak has to offer.
I’m only making an assumption here, but because you said you are only using @PreAuthorize, Keycloak may be a good solution to migrate to.
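One way to keep the question's users -> roles -> permissions model and its existing @PreAuthorize permission checks after moving to Keycloak, as an added example that is not code from either post: roles are read from the Keycloak access token (realm roles and this service's client roles only), and are expanded to permissions by a mapping the service owns, so permission membership can still change without touching endpoints. It assumes Spring Security's resource-server JWT support, a Keycloak client id of "orders-api", and the placeholder role/permission table shown.

```java
// Added example, not from the thread. Assumes Spring Security resource-server JWT support,
// a Keycloak client id "orders-api" (placeholder), and a placeholder role -> permission table
// standing in for the poster's own data model.
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

public class KeycloakPermissionConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
    private static final String CLIENT_ID = "orders-api"; // assumed Keycloak client id
    // Placeholder for the poster's role -> permission table, kept in the service (not in the
    // token) so permission membership can change without a token or endpoint change.
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "order-viewer", Set.of("order:read"),
        "order-manager", Set.of("order:read", "order:write"));

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        Set<String> roles = new HashSet<>();
        // Keycloak puts realm roles under realm_access.roles ...
        Map<String, Object> realm = jwt.getClaimAsMap("realm_access");
        if (realm != null) roles.addAll(stringList(realm.get("roles")));
        // ... and client roles under resource_access.<client>.roles; trust only this service's client.
        Map<String, Object> resources = jwt.getClaimAsMap("resource_access");
        Object client = resources == null ? null : resources.get(CLIENT_ID);
        if (client instanceof Map) roles.addAll(stringList(((Map<?, ?>) client).get("roles")));
        // Expand roles to permissions; a role this service does not know grants nothing.
        return roles.stream()
            .flatMap(r -> ROLE_PERMISSIONS.getOrDefault(r, Set.of()).stream())
            .<GrantedAuthority>map(SimpleGrantedAuthority::new)
            .collect(Collectors.toSet());
    }

    private static List<String> stringList(Object o) {
        if (!(o instanceof Collection)) return List.of();
        return ((Collection<?>) o).stream().map(String::valueOf).collect(Collectors.toList());
    }

    // Wraps the converter so Spring Security builds the Authentication from the JWT with
    // permission names as authorities; @PreAuthorize("hasAuthority('order:read')") keeps working.
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakPermissionConverter());
        return converter;
    }
}
```

Register it on the resource server, e.g. `http.oauth2ResourceServer(rs -> rs.jwt(j -> j.jwtAuthenticationConverter(KeycloakPermissionConverter.jwtAuthenticationConverter())))`; existing `@PreAuthorize("hasAuthority('order:read')")` checks then need no change.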