Custom attribute ownership and access rights

Hi, we’re building a centralized identity management SaaS where users can store attributes and share them with third-party customers.

I’ve created a users and a customers realm.
The user can add attributes to themselves (which they own), but we also want to allow customers to add custom attributes to a user (which the customer would be the main owner of).
In order for the user to be able to share the attribute with another customer, both the user and the customer who owns the attribute need to allow access.
The customer should be able to select the custom attribute as client scope while creating a new client if the customer who owns the attribute has allowed access.

I’m not sure which approach is best to solve this use case and would love some input.

Possible solutions:

  1. The customer would “tag” the attribute as public, private or which other customers to allow access to the attribute, either by adding another attribute with the same name but with _access postfix or storing access rights in a separate database (outside of Keycloak).
  2. Creating a realm / customer which “inherits” user attributes from the users realm (instead of having a customers realm).
    Not sure if it’s possible to “inherit” users from other realms?
    Also, it would only solve the private and public access cases.
  3. Allow customers to request access to another customer’s custom attribute by adding a role or something to the customer that wants access when the customer that owns the attribute has accepted the request.

Any other possible solutions?

Also, would you extend Keycloak with this functionality or build separate microservices that talk to Keycloak through the API with a custom UI?
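A model of the dual-consent rule and the `_access` tagging from option 1, added here as an illustration; it is not part of the original post and calls no Keycloak API. The `_owner` companion attribute, the consent set, the customer ids and all function names are assumptions.

```python
ACCESS_SUFFIX = "_access"  # postfix proposed in option 1
OWNER_SUFFIX = "_owner"    # hypothetical companion attribute naming the owning customer


def _first(attrs, key):
    values = attrs.get(key) or [None]
    return values[0]


def is_policy_attr(name):
    return name.endswith((ACCESS_SUFFIX, OWNER_SUFFIX))


def owner_allows(attrs, name, requester):
    """Owner-side decision, read from the '<name>_access' tag."""
    owner = _first(attrs, name + OWNER_SUFFIX)
    if owner is None or owner == requester:
        return True  # user-owned attribute, or the owner itself
    tags = attrs.get(name + ACCESS_SUFFIX) or ["private"]  # missing tag fails closed
    if "private" in tags:
        return False
    return "public" in tags or requester in tags


def selectable_scopes(attrs, requester):
    """Attributes the requester may pick as a client scope (owner side only)."""
    return sorted(n for n in attrs
                  if not is_policy_attr(n) and owner_allows(attrs, n, requester))


def can_share(attrs, consents, name, requester):
    """Release needs both sides: the owner's tag and the user's own grant."""
    if name not in attrs or is_policy_attr(name):
        return False  # policy attributes are never released
    if _first(attrs, name + OWNER_SUFFIX) == requester:
        return True  # assumption: the owner reads its own attribute without user consent
    return owner_allows(attrs, name, requester) and (name, requester) in consents


# Constructed sample user; values are lists, as Keycloak user attributes are multi-valued.
ATTRS = {
    "email": ["alice@example.test"],  # user-owned, no owner tag
    "loyalty_tier": ["gold"], "loyalty_tier_owner": ["customer-a"],
    "loyalty_tier_access": ["customer-b"],
    "risk_score": ["17"], "risk_score_owner": ["customer-a"],  # no tag: private
    "newsletter": ["yes"], "newsletter_owner": ["customer-a"],
    "newsletter_access": ["public"],
}
CONSENTS = {("loyalty_tier", "customer-b"), ("risk_score", "customer-b")}
```

If the tags live in user attributes, the `_access` and `_owner` names have to be writable only by the owning customer, and users must not be able to create attributes with those suffixes, otherwise a user could change the owner-side decision.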