Best way to have groups managing a resource?

Challenge
I’m implementing a team-based approach to managing resources in Keycloak.

Users in my application create a number of resources (50-500) and delegate access in their organisation to teams of users.

Every participant in a team should be able to add and delete members from the team.

What is the best practice Keycloak architecture to achieve this?

Current solution
Currently the user who creates the resources becomes the owner of the resource in Keycloak. The owner can then delegate access to the resource to other team members using User-Managed Access.

This works fine but has the drawback that only the resource owner can add or remove users from the team. It’s also not possible to change the resource owner, so if that user quits, we have to recreate the resource with another owner.

Potential solutions
Let the resource server client service account be the owner of all resources and use Impersonation and UMA to allow other users to add and remove users from having access to the resource.

If I need the concept of “ownership” of the resource, I could handle that in my application with an ownership flag.

This is the only solution I can think of implementing at the moment. Does it make sense? Are there other ways I should consider?