keycloak defining too many group in keycloak when having a composite user roles

Hi~ my company is going to replace the old identity and access management solution by keycloak, but I am currently facing some problems.

The user group is composed of quite different parts. For example, It is divided by different site, work location, work title,office type, the system etc. They are somehow interrelated but there is no pre-asumption about which parts must related to which other one.

To simpify, a user can be defined according to:

site (eg. site A)

work title (eg. account clerk)

work location (eg. New York)

office type (eg. account office)

system used (eg. payment system)

However, since each parts of user identity contain various value (i.e., there are 12 site,28 work title,10 work location,20 office type etc), and like user with account clerk title are not all work in New York, some may work in Houston, Chicago, or the same user may even have two user identity that one work in Houston, another in Chicago. An account clerk can even be sit in admin office instead of account office

My problem is, when I try to define groups in keycloak to manager user, the user identity above will lead to a huge number of groups (over 100 thousand combination), which is hard to manage, even applying composite roles and sub-group

In the old way user identity is just sync from active directory with an xml contains that user’s attribute (work location, etc). It’s easy to distinguish and auth different rights for a user

To apply keycloak now, firstly I have to pre-define different group (which linked to different realm role and client role) before the user data is sync so that the user identity is matched correctly, which I don’t need to pre-define it in the past

I think similar issue may often happened among enterprise, is there any better way in keycloak that can facilitate above scenario more dynamically?

Or how can I utilize the relation between client role/realm role/group in a proper way? may be the attribute field in roles can also be useful, but I am confused at the moment

I can also add service between active directory and keycloak to data massage before it sync, to keycloak, but in which way could I handle it better?

It would be very grateful if someone can offer help here, there is tied deadline ahead and I still get stuck.

Besides, I am currently using LDAP and krb5 when connecting AD and keycloak. Could I also do something with it?