For fine-grained auth and user group concepts, should I extend or build outside of Keycloak?

Hello,

Keycloak is good for authenticating users and setting up roles and attributes, but if I want more fine-grained auth (access control to specific entities in my system), do I need to combine Keycloak with something else?

In my system we have many IoT devices. I want to add/restrict users to certain devices. Naively I would maintain tables mapping a userId to a deviceId (or perhaps userId to groupId and then groupId to deviceId). To figure out what/if a user has access to an IoT device I would use the user id from Keycloak and look it up in these aforementioned tables.

I feel like I am reinventing the wheel a bit. Can Keycloak do this for me, or should I be extending Keycloak to do this? Or is this not what Keycloak is primarily designed for, and in fact should I have a separate auth service that works with Keycloak to achieve what I have described?

Thanks

Keycloak has authorization functionality. Take a look at the Authorization Services documentation:
https://www.keycloak.org/docs/latest/authorization_services/

Not sure that link helped. I’m still confused.

Imagine I have
Users
Devices

I want to allow groups of users to access groups of devices

UserGroup
IoTDeviceGroup

IoTDeviceGroup can have 0 or more UserGroups associated with it. Only users in UserGroups associated with IoTDeviceGroup can access the device.

Additionally I would like to restrict UserGroups to have either read or read-write permissions (and maybe different permissions in the future too).

I am wondering if Keycloak should know about IoTDeviceGroup and UserGroups, or does that belong in the domain of my application?
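The UserGroup / IoTDeviceGroup model from the post above, expressed in the terms Keycloak Authorization Services uses, as an added example (not code from this thread or from the Keycloak project). Each IoTDeviceGroup becomes a Keycloak resource with the scopes `read` and `write`, each UserGroup is a realm group (e.g. `/field-ops`) referenced by a group-based policy, and a scope-based permission ties a group policy to a resource and the scopes a "read" or "read-write" level grants. The resource names, group paths, device ids, the type URN and the `SCOPES_FOR_LEVEL` table are all assumptions for illustration; the dict layout follows Keycloak's authorization-settings export format, so verify it against an export from your own Keycloak version before importing it. The last function shows the application side: the decision is read from the RPT that Keycloak returns from the token endpoint for `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket`, after the token's signature has been verified.

```python
"""Added example, not from this thread or from Keycloak itself: the poster's
UserGroup / IoTDeviceGroup model as Keycloak Authorization Services settings,
plus the application-side check against the RPT Keycloak issues.
All names below are hypothetical; verify the JSON layout against an export
from your own Keycloak version before importing it."""
import json

SCOPES_FOR_LEVEL = {"read": ["read"], "read-write": ["read", "write"]}
DEVICE_GROUP_TYPE = "urn:iot:resources:device-group"  # hypothetical type URN


def _policy_name(group_path):
    return "member-of-" + group_path.strip("/").replace("/", "-")


def build_authz_settings(device_groups, grants):
    """device_groups: {"plant-a-sensors": ["dev-001", ...]};
    grants: [(user_group_path, device_group, level), ...]."""
    resources = [{
        "name": dg, "type": DEVICE_GROUP_TYPE, "ownerManagedAccess": False,
        # device ids kept on the resource so the app can map device -> group
        "attributes": {"devices": list(devices)},
        "scopes": [{"name": "read"}, {"name": "write"}],
    } for dg, devices in device_groups.items()]
    policies, seen = [], set()
    for group_path, dg, level in grants:
        if level not in SCOPES_FOR_LEVEL or dg not in device_groups:
            raise ValueError(f"bad grant: {group_path} {dg} {level}")
        name = _policy_name(group_path)
        if group_path not in seen:  # one group policy per UserGroup
            seen.add(group_path)
            policies.append({
                "name": name, "type": "group", "logic": "POSITIVE",
                "decisionStrategy": "UNANIMOUS",
                # config values are JSON-encoded strings in the export format
                "config": {"groups": json.dumps([{"path": group_path, "extendChildren": False}]),
                           "groupsClaim": ""},
            })
        policies.append({  # scope permission: resource x scopes x policy
            "name": f"{name}-{level}-{dg}", "type": "scope", "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {"resources": json.dumps([dg]),
                       "scopes": json.dumps(SCOPES_FOR_LEVEL[level]),
                       "applyPolicies": json.dumps([name])},
        })
    return {
        "allowRemoteResourceManagement": False,
        "policyEnforcementMode": "ENFORCING",
        # AFFIRMATIVE: membership in any one granting UserGroup is enough.
        # With UNANIMOUS every permission targeting the resource must grant,
        # so a read-only group's permission would block the read-write group.
        "decisionStrategy": "AFFIRMATIVE",
        "resources": resources, "policies": policies,
        "scopes": [{"name": "read"}, {"name": "write"}],
    }


def granted_scopes(settings, group_path, device_group):
    """Read back which scopes a UserGroup holds on a device group."""
    wanted, scopes = _policy_name(group_path), set()
    for p in settings["policies"]:
        if p["type"] != "scope":
            continue
        cfg = {k: json.loads(v) for k, v in p["config"].items()}
        if device_group in cfg["resources"] and wanted in cfg["applyPolicies"]:
            scopes.update(cfg["scopes"])
    return sorted(scopes)


def device_group_of(settings, device_id):
    """Map a device id to its IoTDeviceGroup via the resource attribute."""
    return next((r["name"] for r in settings["resources"]
                 if device_id in r["attributes"]["devices"]), None)


def is_permitted(rpt_claims, device_group, scope):
    """Decide from the decoded, signature-verified RPT whether the caller
    holds `scope` on `device_group`. Deny by default; an entry without a
    "scopes" list grants nothing here (a conservative choice of this example)."""
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == device_group and scope in perm.get("scopes", []):
            return True
    return False


# Constructed sample RPT claims (only the fields used above are populated).
SAMPLE_RPT_CLAIMS = {"sub": "user-1234", "authorization": {"permissions": [
    {"rsid": "res-a", "rsname": "plant-a-sensors", "scopes": ["read"]},
    {"rsid": "res-b", "rsname": "plant-b-actuators", "scopes": ["read", "write"]},
    {"rsid": "res-c", "rsname": "lab-bench"},  # no scope list -> denied
]}}

# Constructed sample input: the poster's mapping tables, as grants.
SAMPLE_SETTINGS = build_authz_settings(
    {"plant-a-sensors": ["dev-001", "dev-002"], "plant-b-actuators": ["dev-010"]},
    [("/field-ops", "plant-a-sensors", "read"),
     ("/maintenance", "plant-b-actuators", "read-write"),
     ("/maintenance", "plant-a-sensors", "read")])
```

With this layout Keycloak holds the UserGroup membership, the IoTDeviceGroup resources and the read/read-write grants; what stays in the application is the device-to-device-group lookup (`device_group_of` reads it from the resource attribute, but a table in your own database works just as well) and the enforcement call, which obtains the RPT from the token endpoint with `audience=<client id>` and optionally `permission=<resource>#<scope>`, verifies its signature, and then calls `is_permitted`. Registering every individual device as its own resource is the other option; it removes the application-side lookup at the cost of a much larger resource set to manage.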