How to manage different apps and access within an app

I’m using Keycloak for authentication and authorization to multiple web apps.
Each web app will have roles for each functionality in the app, e.g. the item app will have VIEW_ITEMS, CREATE_ITEM, DELETE_ITEM, and the admin app will have VIEW_USERS, VIEW_USER_ACTIVITY.

I was thinking about creating a client for each app. I can then create composite roles that group together these roles and get assigned to users.

This was working fine, but now I need to be able to create different buckets for items in the item app and users can have different roles to work with items depending on the bucket the item is in, so in bucket A I can only VIEW_ITEMS, but in bucket B I also have CREATE_ITEM.

Would it make sense to create a client for each bucket as well as each app, so I would have CREATE_ITEM in client bucket_b and VIEW_ITEMS in client bucket_a? Or should I create roles like BUCKET_B_CREATE_ITEM, BUCKET_A_CREATE_ITEM in the item client? Or use groups somehow?

I don’t want to reinvent the wheel so I was hoping that someone had some insight into what would be a good way to implement this.

You could use OpenID Connect for Authentication (e.g., Authorization Code Flow + PKCE) and OAuth 2.0 scopes (and claims) for Authorization.

Ref: Getting started with Keycloak
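As an added example (not code from either post), this shows how the item app would evaluate the two role layouts the question considers against the claims of a Keycloak access token: one client per bucket (roles under `resource_access.bucket_a`, `resource_access.bucket_b`) versus one `item-app` client with bucket-prefixed role names. The token payload is constructed, and the client id `item-app` is an assumption; a real service verifies the JWT's signature, issuer, audience and expiry before reading any claim.

```python
"""Added example: per-bucket authorization from Keycloak access token claims.
The payload below is constructed in the shape Keycloak emits; in production
the JWT is verified (signature, iss, aud, exp) before its claims are trusted."""
from typing import Any, Mapping, Set

ACCESS_TOKEN_CLAIMS: dict = {            # constructed sample, not a real token
    "sub": "user-123",
    "resource_access": {                 # Keycloak client roles, keyed by client id
        # Option 1: one client per bucket, plain role names inside each client
        "bucket_a": {"roles": ["VIEW_ITEMS"]},
        "bucket_b": {"roles": ["VIEW_ITEMS", "CREATE_ITEM"]},
        # Option 2: one client for the app ("item-app" is an assumed client id),
        # bucket encoded in the role name
        "item-app": {"roles": ["BUCKET_A_VIEW_ITEMS",
                               "BUCKET_B_VIEW_ITEMS", "BUCKET_B_CREATE_ITEM"]},
    },
}

def client_roles(claims: Mapping[str, Any], client_id: str) -> Set[str]:
    """Roles under resource_access.<client_id>.roles; empty set when absent.
    Keycloak only emits an entry for a client that is within the requesting
    client's scope (Full Scope Allowed, or an explicit scope mapping)."""
    clients = claims.get("resource_access") or {}
    return set((clients.get(client_id) or {}).get("roles") or [])

def allowed_client_per_bucket(claims: Mapping[str, Any], bucket: str, action: str) -> bool:
    """Option 1: the bucket id doubles as the Keycloak client id. Deny by default."""
    return action in client_roles(claims, bucket)

def allowed_prefixed_role(claims: Mapping[str, Any], bucket: str, action: str,
                          client_id: str = "item-app") -> bool:
    """Option 2: one client, role named <BUCKET>_<ACTION>, e.g. BUCKET_B_CREATE_ITEM."""
    return f"{bucket.upper()}_{action}" in client_roles(claims, client_id)

def buckets_permitting(claims: Mapping[str, Any], action: str,
                       client_id: str = "item-app") -> Set[str]:
    """With option 2, 'in which buckets may this user <action>?' is a pure token
    lookup; with option 1 the app must already know which client ids are buckets."""
    suffix = f"_{action}"
    return {r[: -len(suffix)].lower()
            for r in client_roles(claims, client_id) if r.endswith(suffix)}

if __name__ == "__main__":
    for bucket in ("bucket_a", "bucket_b", "bucket_c"):   # bucket_c has no grant
        print(bucket, "CREATE_ITEM:",
              allowed_client_per_bucket(ACCESS_TOKEN_CLAIMS, bucket, "CREATE_ITEM"),
              "/", allowed_prefixed_role(ACCESS_TOKEN_CLAIMS, bucket, "CREATE_ITEM"))
    print("can create in:", sorted(buckets_permitting(ACCESS_TOKEN_CLAIMS, "CREATE_ITEM")))
```

Both layouts produce the same decisions here; the difference is operational: option 1 needs every bucket client in the token's scope and the app must know which clients are buckets, while option 2 keeps the bucket set inside one client's role names.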