Design Resource Authorization with a Many-to-Many Relationship

I am trying to design a learning app with users, classrooms, and articles.
My issue is how to represent the resources in Keycloak to manage authorization.

I have two users:

  • user1 belongs to classroom 1 and 2 and owns article1, article2, article3
  • user2 belongs to classroom 1
  • article1 is owned by user1
  • article2 is owned by user1
  • article3 is owned by user1

How can I define resources so that user1 can share with everyone within classroom1? (e.g., giving access to user2 indirectly).



I am simplifying the issue but the pattern is similar to what I am trying to achieve.

Any help would be much appreciated.

I am thinking of using the attributes field in the declared article resources.

For example:
resource URI ‘/article/1’ would have a list of classroom ID attributes:

  • classroomId: 1

Would that be a bad practice?
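The attribute idea in the post, modelled as a standalone Python sketch (an added example, not part of the original post and not Keycloak code). The dict layout, the `can_read` and `share` helpers, the membership table and the sharing of article2 are assumptions made for illustration; the decision is "owner, or member of a classroom listed in the resource's `classroomId` attribute".

```python
# Added illustration: a standalone model of the access decision, not Keycloak code.
# All data below is constructed from the scenario in the post.

RESOURCES = {
    "/article/1": {"name": "article1", "owner": "user1",
                   "attributes": {"classroomId": ["1"]}},  # shared with classroom 1
    "/article/2": {"name": "article2", "owner": "user1",
                   "attributes": {"classroomId": ["2"]}},  # constructed: classroom 2 only
    "/article/3": {"name": "article3", "owner": "user1",
                   "attributes": {}},                      # not shared with anyone
}

# The other side of the many-to-many relation. Assumption: in a real
# deployment this would come from the user's groups or token claims.
MEMBERSHIPS = {"user1": {"1", "2"}, "user2": {"1"}}


def can_read(user, uri):
    """Permit the owner, or any member of a classroom the article is shared with."""
    resource = RESOURCES.get(uri)
    if resource is None:
        return False  # unknown resource: deny by default
    if resource["owner"] == user:
        return True
    shared_with = set(resource["attributes"].get("classroomId", []))
    return bool(shared_with & MEMBERSHIPS.get(user, set()))


def share(actor, uri, classroom_id):
    """Add a classroom to the article's attribute list; only the owner may do so."""
    resource = RESOURCES[uri]
    if resource["owner"] != actor:
        raise PermissionError(f"{actor} does not own {uri}")
    ids = resource["attributes"].setdefault("classroomId", [])
    if classroom_id not in ids:
        ids.append(classroom_id)


if __name__ == "__main__":
    for uri in RESOURCES:
        print(uri, "user2 ->", can_read("user2", uri))
```

Because access follows the attribute, revoking a share means removing the classroom ID from the resource, and who is allowed to edit that attribute becomes part of the authorization design.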