Model an AWS IAM kind of use case in Keycloak

I’m working on a problem statement that involves an AWS IAM kind of setup for multiple teams. There is one realm that takes care of AuthX for a bunch of applications. The kinds of users that would want to interact with Keycloak to obtain tokens would be:

  1. The team’s human users, with federated login via an external IDP - Password Grant Flow
  2. The team’s machine users (or clients in Keycloak lingo) - Client Credentials Flow
  3. The team’s root user, who can add or remove users and clients - Password Grant Flow

How would one model this in Keycloak?

It is important that the tokens tell the backend which team the user/machine requests belong to, since it links this to resource ownership.

One approach I have been toying with is to use attributes like a “team_id” on each user of the same team. This attribute would eventually land in the token which would solve the resource ownership problem.

But I wouldn’t know how I can achieve the same for Keycloak clients.

This approach also does not solve the “root” user problem, though.

Am I thinking in the right direction? What else can I try?
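The `team_id` attribute approach described in the post, written out as a partial Keycloak realm import. This is an added example, not part of the original post, and it goes one step beyond the question: it also covers the machine-client case, using the fact that a client with service accounts enabled gets a `service-account-<clientId>` user that can carry the same `team_id` attribute, so the one user-attribute mapper serves both human and machine tokens. The realm name `teams`, the team value `team-a`, the user `alice`, the client `team-a-batch`, the client secret placeholder and the scope name `team` are all assumptions chosen for illustration; the mapper type `oidc-usermodel-attribute-mapper` and its config keys are Keycloak's own.

```json
{
  "realm": "teams",
  "enabled": true,

  "clientScopes": [
    {
      "name": "team",
      "protocol": "openid-connect",
      "attributes": { "include.in.token.scope": "true" },
      "protocolMappers": [
        {
          "name": "team_id from user attribute",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-attribute-mapper",
          "consentRequired": false,
          "config": {
            "user.attribute": "team_id",
            "claim.name": "team_id",
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        }
      ]
    }
  ],

  "defaultDefaultClientScopes": ["team"],

  "users": [
    {
      "username": "alice",
      "enabled": true,
      "attributes": { "team_id": ["team-a"] }
    },
    {
      "username": "service-account-team-a-batch",
      "enabled": true,
      "serviceAccountClientId": "team-a-batch",
      "attributes": { "team_id": ["team-a"] }
    }
  ],

  "clients": [
    {
      "clientId": "team-a-batch",
      "protocol": "openid-connect",
      "publicClient": false,
      "serviceAccountsEnabled": true,
      "standardFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "secret": "CHANGE-ME-placeholder-secret",
      "defaultClientScopes": ["team"]
    }
  ]
}
```

With this import, a Password Grant token for `alice` and a Client Credentials token for `team-a-batch` both carry `"team_id": "team-a"`, which is what the backend needs for the ownership check. Two caveats for anyone adopting it: the `team_id` attribute must not be editable by the user through the account console or user profile settings, otherwise a user can move themselves to another team; and for federated human users the attribute has to be set by an IDP attribute mapper or an admin on first login, since the external IDP, not the team, is the source of the user record.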