I have the following use case:
- My solution has multiple projects and each project can have two roles: Project Administrator (who can view and edit project information) and a Project Viewer (who can only view project information)
- There is also a high level Root Administrator who creates these projects and then assigns users to the project level roles.
In KeyCloak, is there a way to create roles under a resource?
Let’s take an example:
- There are 3 users: Bob, John and Adam.
- Bob is the Root Administrator
- Bob creates two projects: ProjectA and ProjectB
- For ProjectA, Bob assigns the role of Project Admin to John and Project Viewer role to Adam.
- For ProjectB, Bob assigns the role of Project Admin to Adam and Project Viewer role to John
How do I configure KeyCloak for such a use case?
Please also note that Bob can later on create new Projects and delete the old ones.
I am still learning KeyCloak but one way to do so is as follows:
- Bob is the Admin for KeyCloak and so can create new resources in it
- For ProjectA, Bob creates 2 roles: ProjectA-Admin, ProjectA-Viewer. John is assigned to the former role and Adam to the latter
- For ProjectB, Bob creates 2 roles: ProjectB-Admin, ProjectB-Viewer. Adam is assigned to the former role and John to the latter
- Whenever a new Project needs to be added, Bob has to create new Project-Admin and -Viewer roles, and assign users to those roles.
I believe these roles would be contained in the access token, so the resource server can parse the roles in the token using some pattern such as (ProjectName-Role) and then decide what kind of permission the user has. One can also create Policies and Permissions.
Please provide your feedback. Thanks for your help.
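The resource-server side of the scheme sketched in the question, as an added example (not code from the question or from Keycloak): roles named `<ProjectName>-Admin` / `<ProjectName>-Viewer` are collected from the token's `realm_access` and `resource_access` claims and turned into a per-project permission set. It assumes the token has already been signature- and expiry-verified by a JWT library and that only the decoded claims dict is passed in; the `root-admin` role name, the `project-api` client id and the sample claims are constructed for the example. It also goes slightly beyond the question by handling project names that themselves contain a hyphen.

```python
"""Per-project authorization from Keycloak-style role claims.

Assumption: `claims` is the payload of an access token whose signature,
issuer and expiry have ALREADY been verified. Never derive permissions
from an unverified token.
"""
import re
from typing import Dict, Optional, Set

# Pattern from the question: "<ProjectName>-<Role>". The project part is
# matched greedily, so "My-Project-Viewer" yields project "My-Project";
# the role suffix must be exactly Admin or Viewer.
ROLE_PATTERN = re.compile(r"^(?P<project>.+)-(?P<role>Admin|Viewer)$")

# What each project-level role may do on its own project.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Admin": {"view", "edit"},
    "Viewer": {"view"},
}

# Hypothetical realm role for the Root Administrator (Bob); it is not a
# per-project role, so it is checked separately and grants everything.
ROOT_ROLE = "root-admin"


def collect_roles(claims: dict, client_id: Optional[str] = None) -> Set[str]:
    """Realm roles plus, if a client id is given, that client's roles."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if client_id:
        client_roles = claims.get("resource_access", {}).get(client_id, {})
        roles |= set(client_roles.get("roles", []))
    return roles


def project_permissions(claims: dict,
                        client_id: Optional[str] = None) -> Dict[str, Set[str]]:
    """Map project name -> set of allowed actions, from project-scoped roles only."""
    perms: Dict[str, Set[str]] = {}
    for role in collect_roles(claims, client_id):
        m = ROLE_PATTERN.match(role)
        if not m:
            continue  # realm-wide roles such as offline_access are not project roles
        perms.setdefault(m["project"], set()).update(ROLE_PERMISSIONS[m["role"]])
    return perms


def is_allowed(claims: dict, project: str, action: str,
               client_id: Optional[str] = None) -> bool:
    """Authorization decision for one action on one project. Deny by default."""
    if ROOT_ROLE in collect_roles(claims, client_id):
        return True
    return action in project_permissions(claims, client_id).get(project, set())


# Constructed sample claims (not real tokens) mirroring the question.
BOB_CLAIMS = {"sub": "bob", "realm_access": {"roles": [ROOT_ROLE]}}
JOHN_CLAIMS = {
    "sub": "john",
    "realm_access": {"roles": ["ProjectA-Admin", "ProjectB-Viewer", "offline_access"]},
}
ADAM_CLAIMS = {
    "sub": "adam",
    "realm_access": {"roles": ["ProjectA-Viewer"]},
    # ProjectB-Admin issued as a client role rather than a realm role.
    "resource_access": {"project-api": {"roles": ["ProjectB-Admin"]}},
}
HYPHEN_CLAIMS = {"sub": "x", "realm_access": {"roles": ["My-Project-Viewer"]}}

if __name__ == "__main__":
    for who, claims in (("john", JOHN_CLAIMS), ("adam", ADAM_CLAIMS)):
        print(who, project_permissions(claims, client_id="project-api"))
```

Note that client roles only count when the resource server names the client it expects them under; a token that carries `ProjectB-Admin` only in `resource_access.project-api` grants nothing when `client_id` is omitted, which is the safe default.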