Handling authorization on multiple roles and resources

My company plans to use keycloak for IDP. We want keycloak to handle our authentication and authorization requirements. This means we want to avoid calling our database for authorization in every rest API. Authentication is already figured out with keycloak, but we are confused about authorization. We can’t handle authorization using RBAC. We need ABAC or Resource-based authorization.

Basically, it’s a job portal-like setup. There are three roles: admin, company, and candidate. Let’s say we have two (not actually) different kinds of resources. One is company, the other is candidate. An admin can do all kinds of operations on both of those resources. The company can only view some candidates(resource) which are allowed by the admin. The same way candidates can only view companies that are allowed by an admin. candidate can edit his own candidate resource and same for company too. Admin will allow accessing many number candidates to the company. Therefore, we can’t add all of these candidate ids to the company’s tokens. So how do we handle this situation?

What maximum authorization can we handle using keycloak without a server specific authorization? I heard there is something called policy enforcement; is it useful in this scenario?

We have two clients: the ReactJS frontend client and the Nodejs backend client. Both clients have the same set of user roles(candidate, company, admin). Do we need client roles or realm roles enough? What if we later split a candidate and company into two separate clients?

Thanks in advance