xgp
commented
6 days ago ensuring that users from TenantA cannot see or manage users from TenantB
Users are normal Keycloak users. "see"ing other users is up to roles in Keycloak or in keycloak-orgs. For example, if a user has the view-users (Client realm-management) role, they will be able to "see" other users. If a user has view-members organization role, they will be able to "see" other users in their organization/tenant.
So, what you want is possible, but is enforced by the way you use Client, Realm and Organization Roles. I'd suggest you read up on how this works in Keycloak and keycloak-orgs:
We are exploring multitenancy for our use case, where we want to manage multiple tenants within a single realm. We came across the keycloak-orgs extension through some blog posts and wanted to investigate it further. One specific concern we have is about user isolation: ensuring that users from TenantA cannot see or manage users from TenantB. Does the keycloak-orgs extension support this capability, or is this isolation managed by Keycloak itself? We couldn't find detailed documentation on this, so any insights would be helpful.