I am dealing with a SaaS platform which supports multi-tenancy.
This is how our architecture is:
Partner: under a partner we have clients (for example, take Google as the partner; clients are those who are using its service).
We have users at partner level and client level, and in the same way roles at partner level and client level as well.
A role contains the permission set and the clients which need to be part of the user. A role is tied to a user. When users log in, they can only see particular clients with the given permission set applied. So now we are using Spring Security to do authentication and authorization. Does Keycloak support this type of model? Please check the following hierarchy for better understanding.