Single Realm Multi-Tenancy with Tenant Level Administrators


Hi there! I’ve been assigned the task of authenticating a system I am working on and the authentication has some rather strange requirements. Hopefully somebody on here has some tips, thank you in advance.

User Base


Our user base is comprised of various different companies and their employees. Some of these companies are the owners of resources. In the first instance I need to provide a way of allowing these resource owning companies to grant access to their resources to other companies (as well as being able to access their resources themselves).
This cross company access requirement makes me think it would be better to approach this as a multi-tenant solution rather than having to have multiple realms and copy configurations around.
Hopefully this diagram can make the situation clearer:


Each of the aforementioned companies needs to be able to manage their own users, probably through some sort of admin role / user. In essence this means they should be able to add / remove / grant privileges within their company (group?).
It is obviously important that administrators cannot elevate their access, possibly into other companies' resources. I am aware of the fine-grained admin permissions technical preview, however I have yet to figure out how to make it work in a way I'd expect.

Rough Idea

I have played around with a few approaches. What I primarily think could work is having a client for each resource owning company to capture which resources they are responsible for, then a group for each company so they can theoretically manage their own users.

Please let me know if anything is unclear, thank you.

Realms are separate entities.

Inside the realm, give the user the manage-realm role for the realm-management client. This user will have full admin powers inside that realm, and only inside it.

Users can access their realm’s admin console on <keycloak_host>/auth/admin/<realm>/console
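The realm-per-tenant setup from the answer above, scripted against the Keycloak admin REST API, as an added example that is not part of this thread. The endpoints are the real admin API paths (served under `/auth` on the Keycloak versions the URL above refers to); the host, realm, user and id values are placeholders, and `fake_keycloak` is a constructed stand-in so the script runs offline.

```python
import json
import urllib.request

def urllib_send(method, url, headers, body=None):
    """Default transport (stdlib only): returns (status, response headers, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), json.loads(resp.read() or b"null")

class TenantProvisioner:
    """One realm per company; its first user becomes that realm's (and only that realm's) admin.
    base is the server root; Keycloak < 17 serves the API under /auth, as in the URL above."""
    def __init__(self, base, token, send=urllib_send):
        self.base, self.send = base.rstrip("/") + "/admin/realms", send
        self.headers = {"Authorization": f"Bearer {token}"}
    def _call(self, method, path, body=None):
        status, hdrs, data = self.send(method, self.base + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return hdrs, data
    def provision(self, realm, admin_username):
        # 1. The realm is the tenant boundary: roles granted below end at its edge.
        self._call("POST", "", {"realm": realm, "enabled": True})
        # 2. First administrator account; Keycloak returns the new id in Location.
        hdrs, _ = self._call("POST", f"/{realm}/users", {"username": admin_username, "enabled": True})
        user_id = hdrs["Location"].rstrip("/").rsplit("/", 1)[1]
        # 3. realm-management is the built-in client holding the per-realm admin roles.
        _, clients = self._call("GET", f"/{realm}/clients?clientId=realm-management")
        client_id = clients[0]["id"]
        _, role = self._call("GET", f"/{realm}/clients/{client_id}/roles/manage-realm")
        # 4. Map it as a client role: manage-realm here grants nothing in any other realm.
        self._call("POST", f"/{realm}/users/{user_id}/role-mappings/clients/{client_id}", [role])
        return {"realm": realm, "user_id": user_id, "role": role["name"]}

def fake_keycloak(calls):
    """Constructed offline stand-in for a server: appends each call to `calls`, returns canned replies."""
    def send(method, url, headers, body=None):
        path = url.split("/admin/realms", 1)[1]
        calls.append((method, path))
        if method == "POST" and path.endswith("/users"):
            return 201, {"Location": url + "/u-1234"}, None
        if path.endswith("clientId=realm-management"):
            return 200, {}, [{"id": "c-rm", "clientId": "realm-management"}]
        if path.endswith("/roles/manage-realm"):
            return 200, {}, {"id": "r-1", "name": "manage-realm"}
        return 201, {}, None
    return send
```

Against a live server, pass a master-realm admin bearer token and leave `send` at its default; every recorded path stays under the new realm, which is the point of the per-realm role.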