Data model for hierarchical role-based access control

We are trying to determine the best way to design hierarchical roles and would prefer to design something native within Keycloak instead of creating additional tables outside of Keycloak.

We need to create three-level roles: (i) tenant administrator, (ii) enterprise administrator, (iii) individual user. Our application would have multiple tenants, with each tenant having multiple enterprises and each enterprise having multiple users. For example, you can think of a large business (a tenant) having offices in multiple locations (enterprises) and each location having multiple employees.

We need to set up users that have access to either all enterprises under the tenant or a subset of (one or more) enterprises. Based on the access configured, the user gets to manage a subset of the enterprises.

Any best practices on the best way to go about this with Keycloak?
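As an added illustration of the access model the question describes (not code from the poster or from Keycloak), the following encodes the tenant / enterprise / user hierarchy as group paths of the kind a token's group-membership claim can carry, and resolves which enterprises a user may manage. The path layout (`/tenants/<tenant>/admins`, `/tenants/<tenant>/enterprises/<enterprise>/admins` and `.../users`), the claim contents and the sample users are assumptions constructed for the example.

```python
"""
Resolve which enterprises a user may manage from the group paths carried in
a decoded token.  Hierarchy assumed for this illustration (not a Keycloak
default):

  /tenants/<tenant>/admins                           tenant administrators
  /tenants/<tenant>/enterprises/<enterprise>/admins  enterprise administrators
  /tenants/<tenant>/enterprises/<enterprise>/users   individual users
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scope:
    tenant: str
    enterprise: Optional[str]  # None means "every enterprise under the tenant"


def parse_group_path(path: str) -> Optional[Scope]:
    """Map one group path to a management scope; non-admin paths yield None."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "tenants" and parts[2] == "admins":
        return Scope(tenant=parts[1], enterprise=None)
    if (len(parts) == 5 and parts[0] == "tenants"
            and parts[2] == "enterprises" and parts[4] == "admins"):
        return Scope(tenant=parts[1], enterprise=parts[3])
    return None  # /users members and unrecognised paths grant no management rights


def can_manage(groups: List[str], tenant: str, enterprise: str) -> bool:
    """True if any of the user's group memberships covers the given enterprise.

    The tenant is always compared explicitly, so membership in an enterprise
    group of another tenant never grants access across tenant boundaries.
    """
    for scope in filter(None, map(parse_group_path, groups)):
        if scope.tenant != tenant:
            continue
        if scope.enterprise is None or scope.enterprise == enterprise:
            return True
    return False


# Constructed sample group claims for three users (not real data)
TENANT_ADMIN = ["/tenants/acme/admins"]
SITE_ADMIN = ["/tenants/acme/enterprises/london/admins",
              "/tenants/acme/enterprises/paris/users"]
EMPLOYEE = ["/tenants/acme/enterprises/london/users"]
```

A tenant administrator covers every enterprise under the tenant, an enterprise administrator only the enterprises whose `admins` group they belong to, and a plain user none; adding a user to a second enterprise's `admins` group is how a "subset of enterprises" is expressed.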


Hi - I am currently facing the same situation. I would be interested to know how you managed to configure the hierarchical role-based access control in Keycloak.