p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Groups per organisation #25

Closed janhaesen closed 1 year ago

janhaesen commented 1 year ago

It would be nice to have the ability to have groups available per organisation. The reasoning behind it would be that in general Keycloak roles (which I'd prefer to refer to as permissions, but won't for the sake of terminology) will be grouped into a role, e.g. Admin, Support, Finance Ops, etc. This way this could be assigned to a user under the organisation.

The idea would be that there's a general set of groups that are by default provided but can be amended (overruled/overridden) by the organisation, for instance because they'd want to make it more/less restrictive. This functionality is already available in Keycloak itself, but would be nice to have on an organisation level as well.

Another way this is sometimes achieved, but likely would be less intuitive, is through composite roles in Keycloak.

xgp commented 1 year ago

@janhaesen Agreed that it is a nice-to-have. We initially considered replicating the whole Keycloak group, role, composite role, etc. model on a per-organization basis, but we didn't have the need from customers at the time. Part of the initial priority was to make the model fairly simple to understand and reason about. We're open to PRs, but this one is unlikely to be done by us in the short term.

xgp commented 1 year ago

https://github.com/p2-inc/phasetwo-java/pull/3

https://github.com/a8t3r/keycloak-orgs-copy/tree/support-organization-groups

https://github.com/p2-inc/keycloak-orgs/compare/main...a8t3r:keycloak-orgs-copy:support-organization-groups

xgp commented 1 year ago

Closing in favor of https://github.com/p2-inc/keycloak-orgs/issues/48