Merge branch 'feature/tenant-group-239' into dev

2026-02-12 10:46:05 +09:00
parent 7131d667ab 74884f6616
commit d12b431894
105 changed files with 37200 additions and 1351 deletions
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -31,6 +31,7 @@ func migrateSchemas(db *gorm.DB) error {
 	slog.Info("[Bootstrap] Migrating database schemas...")
 	// Add all domain models here
 	return db.AutoMigrate(
+		&domain.TenantGroup{},
 		&domain.Tenant{},
 		&domain.TenantDomain{},
 		&domain.User{},
--- a/backend/internal/bootstrap/keto_sync.go
+++ b/backend/internal/bootstrap/keto_sync.go
@@ -25,6 +25,18 @@ func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
 		if t.ParentID != nil {
 			_ = keto.CreateRelation(ctx, "Tenant", t.ID, "parent", *t.ParentID)
 		}
+		if t.TenantGroupID != nil {
+			_ = keto.CreateRelation(ctx, "Tenant", t.ID, "parent_group", *t.TenantGroupID)
+		}
+	}
+
+	// 1.1 Sync Tenant Groups (Group Admins)
+	var groups []domain.TenantGroup
+	if err := db.Find(&groups).Error; err == nil {
+		slog.Info("Syncing tenant groups to Keto", "count", len(groups))
+		for range groups {
+			// 그룹 관리자 개념 확정 후 관계 생성 로직 추가 예정
+		}
 	}

 	// 2. Sync All Users
--- a/backend/internal/domain/auth_models.go
+++ b/backend/internal/domain/auth_models.go
@@ -68,18 +68,19 @@ type SignupRequest struct {
 // User Profile Models

 type UserProfileResponse struct {
-	ID              string         `json:"id"`
-	Email           string         `json:"email"`
-	Name            string         `json:"name"`
-	Phone           string         `json:"phone"`
-	Role            string         `json:"role"` // 추가
-	Department      string         `json:"department"`
-	AffiliationType string         `json:"affiliationType"`
-	CompanyCode     string         `json:"companyCode,omitempty"`
-	TenantID        *string        `json:"tenantId,omitempty"`       // 추가
-	RelyingPartyID  *string        `json:"relyingPartyId,omitempty"` // 추가
-	Metadata        map[string]any `json:"metadata,omitempty"`
-	Tenant          *Tenant        `json:"tenant,omitempty"`
+	ID                string         `json:"id"`
+	Email             string         `json:"email"`
+	Name              string         `json:"name"`
+	Phone             string         `json:"phone"`
+	Role              string         `json:"role"` // 추가
+	Department        string         `json:"department"`
+	AffiliationType   string         `json:"affiliationType"`
+	CompanyCode       string         `json:"companyCode,omitempty"`
+	TenantID          *string        `json:"tenantId,omitempty"`       // 추가
+	RelyingPartyID    *string        `json:"relyingPartyId,omitempty"` // 추가
+	Metadata          map[string]any `json:"metadata,omitempty"`
+	Tenant            *Tenant        `json:"tenant,omitempty"`
+	ManageableTenants []Tenant       `json:"manageableTenants,omitempty"` // 추가: 관리 가능한 테넌트 목록
 }

 type UpdateUserRequest struct {
--- a/backend/internal/domain/tenant.go
+++ b/backend/internal/domain/tenant.go
@@ -17,23 +17,47 @@ const (

 // Tenant represents a tenant model stored in PostgreSQL.
 type Tenant struct {
-	ID          string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
-	ParentID    *string        `gorm:"type:uuid;index" json:"parentId,omitempty"` // 부모 테넌트 ID
-	Name        string         `gorm:"not null" json:"name"`
-	Slug        string         `gorm:"uniqueIndex;not null" json:"slug"`
-	Description string         `json:"description"`
-	Status      string         `gorm:"default:'pending'" json:"status"`
-	Domains     []TenantDomain `gorm:"foreignKey:TenantID" json:"domains,omitempty"`
-	Config      JSONMap        `gorm:"type:jsonb" json:"config,omitempty"`
-	CreatedAt   time.Time      `json:"createdAt"`
-	UpdatedAt   time.Time      `json:"updatedAt"`
-	DeletedAt   gorm.DeletedAt `gorm:"index" json:"-"`
+	ID            string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
+	ParentID      *string        `gorm:"type:uuid;index" json:"parentId,omitempty"` // 부모 테넌트 ID
+	TenantGroupID *string        `gorm:"type:uuid;index" json:"tenantGroupId,omitempty"`
+	TenantGroup   *TenantGroup   `gorm:"foreignKey:TenantGroupID" json:"tenantGroup,omitempty"`
+	Name          string         `gorm:"not null" json:"name"`
+	Slug          string         `gorm:"uniqueIndex;not null" json:"slug"`
+	Description   string         `json:"description"`
+	Status        string         `gorm:"default:'pending'" json:"status"`
+	Domains       []TenantDomain `gorm:"foreignKey:TenantID" json:"domains,omitempty"`
+	Config        JSONMap        `gorm:"type:jsonb" json:"config,omitempty"`
+	CreatedAt     time.Time      `json:"createdAt"`
+	UpdatedAt     time.Time      `json:"updatedAt"`
+	DeletedAt     gorm.DeletedAt `gorm:"index" json:"-"`
 }

 func (t *Tenant) IsActive() bool {
 	return t.Status == TenantStatusActive
 }

+// GetMergedConfig merges the group-level config with tenant-level config.
+// Tenant config takes precedence.
+func (t *Tenant) GetMergedConfig() JSONMap {
+	merged := make(JSONMap)
+
+	// 1. Apply Group Config (Base)
+	if t.TenantGroup != nil && t.TenantGroup.Config != nil {
+		for k, v := range t.TenantGroup.Config {
+			merged[k] = v
+		}
+	}
+
+	// 2. Apply Tenant Config (Overrides)
+	if t.Config != nil {
+		for k, v := range t.Config {
+			merged[k] = v
+		}
+	}
+
+	return merged
+}
+
 // BeforeCreate hook to generate UUID if not present.
 func (t *Tenant) BeforeCreate(tx *gorm.DB) (err error) {
 	if t.ID == "" {
--- a/backend/internal/domain/tenant_group.go
+++ b/backend/internal/domain/tenant_group.go
@@ -0,0 +1,32 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+// TenantGroup represents a collection of tenants.
+type TenantGroup struct {
+	ID          string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
+	Name        string         `gorm:"not null" json:"name"`
+	Slug        string         `gorm:"uniqueIndex;not null" json:"slug"`
+	Description string         `json:"description"`
+	Tenants     []Tenant       `gorm:"foreignKey:TenantGroupID" json:"tenants,omitempty"`
+	Config      JSONMap        `gorm:"type:jsonb" json:"config,omitempty"`
+	CreatedAt   time.Time      `json:"createdAt"`
+	UpdatedAt   time.Time      `json:"updatedAt"`
+	DeletedAt   gorm.DeletedAt `gorm:"index" json:"-"`
+}
+
+func (tg *TenantGroup) TableName() string {
+	return "tenant_groups"
+}
+
+func (tg *TenantGroup) BeforeCreate(tx *gorm.DB) (err error) {
+	if tg.ID == "" {
+		tg.ID = uuid.NewString()
+	}
+	return
+}
--- a/backend/internal/handler/admin_handler.go
+++ b/backend/internal/handler/admin_handler.go
@@ -1,22 +1,51 @@
 package handler

 import (
+	"baron-sso-backend/internal/service"
 	"runtime"
 	"time"

 	"github.com/gofiber/fiber/v2"
 )

-type AdminHandler struct{}
+type AdminHandler struct {
+	Keto service.KetoService
+}

-func NewAdminHandler() *AdminHandler {
-	return &AdminHandler{}
+func NewAdminHandler(keto service.KetoService) *AdminHandler {
+	return &AdminHandler{Keto: keto}
 }

 func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 	return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
 }

+func (h *AdminHandler) CheckPermission(c *fiber.Ctx) error {
+	namespace := c.Query("namespace")
+	object := c.Query("object")
+	relation := c.Query("relation")
+	subject := c.Query("subject")
+
+	if namespace == "" || object == "" || relation == "" || subject == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "namespace, object, relation, and subject are required"})
+	}
+
+	allowed, err := h.Keto.CheckPermission(c.Context(), subject, namespace, object, relation)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(fiber.Map{
+		"allowed": allowed,
+		"query": fiber.Map{
+			"namespace": namespace,
+			"object":    object,
+			"relation":  relation,
+			"subject":   subject,
+		},
+	})
+}
+
 // GetSystemStats returns runtime statistics for monitoring
 func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 	var m runtime.MemStats
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -125,10 +125,11 @@ func GenerateSecureAlnumToken(length int) string {

 func GenerateUserCode() string {
 	const letters = "ABCDEFGHJKLMNPQRSTUVWXYZ"
-	return fmt.Sprintf("%c%c-%03d",
+	// [Fixed] 요청하신 포맷 (영문 2자리 + 숫자 6자리, 하이픈 없음)으로 변경
+	return fmt.Sprintf("%c%c%06d",
 		letters[rand.Intn(len(letters))],
 		letters[rand.Intn(len(letters))],
-		rand.Intn(1000),
+		rand.Intn(1000000),
 	)
 }

@@ -958,13 +959,20 @@ func (h *AuthHandler) InitEnchantedLink(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "Identity provider unavailable"})
 	}

-	// [Changed] 토큰 길이를 사용자의 요청에 맞춰 6글자(3바이트)로, pendingRef를 8글자(4바이트)로 조정
 	userCode := GenerateUserCode()
 	token := GenerateSecureToken(3)
 	pendingRef := GenerateSecureToken(3)

 	slog.Info("[Enchanted] Initiating enchanted link", "loginID", loginID, "token", token, "pendingRef", pendingRef)

+	// [Added] 사용자가 입력할 간편 코드를 Redis에 저장합니다. (이게 없으면 인증이 안 됩니다)
+	shortCodePayload, _ := json.Marshal(shortLoginCodePayload{
+		LoginID:    lookupLoginID,
+		Code:       token,
+		PendingRef: pendingRef,
+	})
+	h.RedisService.Set(prefixLoginCodeShort+userCode, string(shortCodePayload), defaultExpiration)
+
 	// Store in Redis
 	sessionData, _ := json.Marshal(map[string]string{
 		"status":  statusPending,
@@ -1018,12 +1026,13 @@ func (h *AuthHandler) InitEnchantedLink(c *fiber.Ctx) error {
 		}
 	} else {
 		// Send SMS
-		content := fmt.Sprintf("[Baron 로그인] 로그인 링크: %s | 코드: %s", link, userCode)
+		phone := sanitizePhoneForSms(loginID)
+		content := fmt.Sprintf("[Baron 로그인] 로그인 링크: %s | 간편 코드: %s", link, userCode)
 		if drySend {
-			slog.Info("[Enchanted][DrySend] SMS send skipped", "loginID", loginID, "content", content)
+			slog.Info("[Enchanted][DrySend] SMS send skipped", "loginID", phone, "content", content)
 		} else {
-			slog.Info("[Enchanted] Sending SMS via Naver Cloud", "loginID", loginID)
-			if err := h.SmsService.SendSms(loginID, content); err != nil {
+			slog.Info("[Enchanted] Sending SMS via Naver Cloud", "to", phone)
+			if err := h.SmsService.SendSms(phone, content); err != nil {
 				slog.Error("[Enchanted] SMS Failed", "error", err)
 				return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
 			}
@@ -1585,12 +1594,12 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
 	// --- OIDC 로그인 흐름 처리 끝 ---

 	resp := fiber.Map{
-		"sessionJwt": authInfo.SessionToken.JWT,
-		"status":     "ok",
-		"provider":   h.IdpProvider.Name(),
+		"sessionToken": authInfo.SessionToken.JWT,
+		"status":       "ok",
+		"provider":     h.IdpProvider.Name(),
 	}
 	if authInfo.RefreshToken != nil {
-		resp["refreshJwt"] = authInfo.RefreshToken.JWT
+		resp["refreshToken"] = authInfo.RefreshToken.JWT
 	}
 	if authInfo.Subject != "" {
 		resp["subject"] = authInfo.Subject
@@ -2066,6 +2075,16 @@ type kratosCourierRequest struct {
 	Body         string                 `json:"body"`
 }

+// sanitizePhoneForSms - 네이버 SMS 등 국내 발송기를 위해 +82 형식을 010 형식으로 변환합니다.
+func sanitizePhoneForSms(phone string) string {
+	p := strings.ReplaceAll(phone, "-", "")
+	p = strings.ReplaceAll(p, " ", "")
+	if strings.HasPrefix(p, "+82") {
+		return "0" + p[3:]
+	}
+	return p
+}
+
 // HandleKratosCourierRelay - Kratos courier HTTP 요청을 받아 메일/SMS 발송으로 변환합니다.
 func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
 	var req kratosCourierRequest
@@ -2444,16 +2463,6 @@ func extractFirstString(data map[string]interface{}, keys ...string) string {
 	return ""
 }

-func sanitizePhoneForSms(phone string) string {
-	sanitized := strings.TrimSpace(phone)
-	if strings.HasPrefix(sanitized, "+82") {
-		sanitized = "0" + sanitized[3:]
-	}
-	sanitized = strings.ReplaceAll(sanitized, "-", "")
-	sanitized = strings.ReplaceAll(sanitized, " ", "")
-	return sanitized
-}
-
 // --- User Profile Handlers ---

 func (h *AuthHandler) formatPhoneForDisplay(phone string) string {
@@ -3944,6 +3953,13 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
 		}
 	}

+	// Fetch Manageable Tenants for Admins
+	if profile.Role == domain.RoleSuperAdmin || profile.Role == domain.RoleTenantAdmin || profile.Role == domain.RoleRPAdmin {
+		if tenants, err := h.TenantService.ListManageableTenants(c.Context(), profile.ID); err == nil {
+			profile.ManageableTenants = tenants
+		}
+	}
+
 	// 4. Save to Redis Cache (Short TTL)
 	if h.RedisService != nil && cacheKey != "" {
 		if data, err := json.Marshal(profile); err == nil {
@@ -4773,10 +4789,7 @@ func extractLoginIDFromClaims(claims map[string]any) string {
 }

 func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, error) {
-	kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
-	if kratosURL == "" {
-		kratosURL = "http://kratos:4433"
-	}
+	kratosURL := strings.TrimRight(utils.GetEnv("KRATOS_PUBLIC_URL", "http://kratos:4433"), "/")
 	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
 	if err != nil {
 		return "", nil, err
@@ -4807,10 +4820,7 @@ func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string
 }

 func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
-	kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
-	if kratosURL == "" {
-		kratosURL = "http://kratos:4433"
-	}
+	kratosURL := strings.TrimRight(utils.GetEnv("KRATOS_PUBLIC_URL", "http://kratos:4433"), "/")
 	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
 	if err != nil {
 		return "", err
@@ -4833,6 +4843,7 @@ func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
 	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
 		return "", err
 	}
+
 	return result.ID, nil
 }

@@ -4841,10 +4852,7 @@ func (h *AuthHandler) issueKratosSession(ctx context.Context, identityID string)
 		return "", fmt.Errorf("kratos identity id is empty")
 	}

-	kratosAdminURL := strings.TrimRight(os.Getenv("KRATOS_ADMIN_URL"), "/")
-	if kratosAdminURL == "" {
-		kratosAdminURL = "http://kratos:4434"
-	}
+	kratosAdminURL := strings.TrimRight(utils.GetEnv("KRATOS_ADMIN_URL", "http://kratos:4434"), "/")

 	payload := map[string]interface{}{
 		"identity_id": identityID,
--- a/backend/internal/handler/auth_handler_login_test.go
+++ b/backend/internal/handler/auth_handler_login_test.go
@@ -288,8 +288,8 @@ func TestPasswordLogin_NoOIDC_Success(t *testing.T) {
 	}
 	var got map[string]string
 	json.NewDecoder(resp.Body).Decode(&got)
-	if got["sessionJwt"] != "valid-jwt" {
-		t.Errorf("expected jwt valid-jwt, got %s", got["sessionJwt"])
+	if got["sessionToken"] != "valid-jwt" {
+		t.Errorf("expected jwt valid-jwt, got %s", got["sessionToken"])
 	}
 	// No redirectTo
 	if _, ok := got["redirectTo"]; ok {
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -22,15 +22,17 @@ type DevHandler struct {
 	SecretRepo  domain.ClientSecretRepository
 	KratosAdmin *service.KratosAdminService
 	ConsentRepo repository.ClientConsentRepository
+	RPService   service.RelyingPartyService
 }

-func NewDevHandler(redis domain.RedisRepository, secretRepo domain.ClientSecretRepository, consentRepo repository.ClientConsentRepository) *DevHandler {
+func NewDevHandler(redis domain.RedisRepository, secretRepo domain.ClientSecretRepository, consentRepo repository.ClientConsentRepository, rpService service.RelyingPartyService) *DevHandler {
 	return &DevHandler{
 		Hydra:       service.NewHydraAdminService(),
 		Redis:       redis,
 		SecretRepo:  secretRepo,
 		KratosAdmin: service.NewKratosAdminService(),
 		ConsentRepo: consentRepo,
+		RPService:   rpService,
 	}
 }

@@ -95,38 +97,58 @@ type clientUpsertRequest struct {
 }

 func (h *DevHandler) ListClients(c *fiber.Ctx) error {
-	limit := c.QueryInt("limit", 50)
-	offset := c.QueryInt("offset", 0)
-	if limit <= 0 {
-		limit = 50
-	}
-	if offset < 0 {
-		offset = 0
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized: user profile not found"})
 	}

-	clients, err := h.Hydra.ListClients(c.Context(), limit, offset)
+	// Super Admin sees all (best effort via Hydra list for now, or we can use RPService if it's improved)
+	if profile.Role == domain.RoleSuperAdmin {
+		limit := c.QueryInt("limit", 50)
+		offset := c.QueryInt("offset", 0)
+		clients, err := h.Hydra.ListClients(c.Context(), limit, offset)
+		if err != nil {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+		}
+		items := make([]clientSummary, 0, len(clients))
+		for _, client := range clients {
+			items = append(items, h.mapClientSummary(client))
+		}
+		return c.JSON(clientListResponse{Items: items, Limit: limit, Offset: offset})
+	}
+
+	// For others, only show manageable tenants' clients
+	var tenantIDs []string
+	for _, t := range profile.ManageableTenants {
+		tenantIDs = append(tenantIDs, t.ID)
+	}
+
+	if len(tenantIDs) == 0 && profile.TenantID != nil {
+		tenantIDs = append(tenantIDs, *profile.TenantID)
+	}
+
+	if len(tenantIDs) == 0 {
+		return c.JSON(clientListResponse{Items: []clientSummary{}, Limit: 50, Offset: 0})
+	}
+
+	rps, err := h.RPService.ListByTenantIDs(c.Context(), tenantIDs)
 	if err != nil {
-		if errors.Is(err, service.ErrHydraNotFound) {
-			return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "clients not found"})
-		}
-		errMsg := err.Error()
-		if strings.Contains(errMsg, "connection refused") || strings.Contains(errMsg, "dial tcp") {
-			return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{
-				"error": "Hydra service is unavailable. Please check if Ory Hydra is running.",
-			})
-		}
-		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": errMsg})
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

-	items := make([]clientSummary, 0, len(clients))
-	for _, client := range clients {
-		items = append(items, h.mapClientSummary(client))
+	items := make([]clientSummary, 0, len(rps))
+	for _, rp := range rps {
+		// We need HydraClient details for the summary
+		client, err := h.Hydra.GetClient(c.Context(), rp.ClientID)
+		if err == nil {
+			items = append(items, h.mapClientSummary(*client))
+		}
 	}

 	return c.JSON(clientListResponse{
 		Items:  items,
-		Limit:  limit,
-		Offset: offset,
+		Limit:  len(items),
+		Offset: 0,
 	})
 }

@@ -144,6 +166,11 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Set for audit logging
+	if tid, ok := client.Metadata["tenant_id"].(string); ok {
+		c.Locals("tenant_id", tid)
+	}
+
 	summary := h.mapClientSummary(*client)
 	return c.JSON(clientDetailResponse{
 		Client: summary,
@@ -197,11 +224,49 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
 }

 func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+	}
+
 	var req clientUpsertRequest
 	if err := c.BodyParser(&req); err != nil {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
 	}

+	// Determine Tenant ID
+	targetTenantID := c.Get("X-Tenant-ID")
+	if targetTenantID == "" && profile.TenantID != nil {
+		targetTenantID = *profile.TenantID
+	}
+
+	if targetTenantID == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "X-Tenant-ID header is required"})
+	}
+
+	// Set for audit logging
+	c.Locals("tenant_id", targetTenantID)
+
+	// Validate Permission
+	isAllowed := false
+	if profile.Role == domain.RoleSuperAdmin {
+		isAllowed = true
+	} else {
+		for _, t := range profile.ManageableTenants {
+			if t.ID == targetTenantID {
+				isAllowed = true
+				break
+			}
+		}
+		if !isAllowed && profile.TenantID != nil && *profile.TenantID == targetTenantID {
+			isAllowed = true
+		}
+	}
+
+	if !isAllowed {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "you do not have permission to create clients for this tenant"})
+	}
+
 	clientID := strings.TrimSpace(valueOr(req.ID, ""))
 	if clientID == "" {
 		clientID = uuid.NewString()
@@ -257,11 +322,18 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 		Metadata:                metadata,
 	}

-	created, err := h.Hydra.CreateClient(c.Context(), clientReq)
+	// Use RPService to ensure Keto relations are created
+	rp, err := h.RPService.Create(c.Context(), targetTenantID, clientReq)
 	if err != nil {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Fetch back the Hydra client to get the secret (RPService.Create returns domain.RelyingParty which has limited fields)
+	created, err := h.Hydra.GetClient(c.Context(), rp.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "client created but failed to retrieve details"})
+	}
+
 	// Store secret in metadata for later retrieval
 	if created.ClientSecret != "" {
 		// 1. Store in PostgreSQL (Source of Truth)
@@ -307,6 +379,11 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Set for audit logging
+	if tid, ok := current.Metadata["tenant_id"].(string); ok {
+		c.Locals("tenant_id", tid)
+	}
+
 	clientType := ""
 	if req.Type != nil {
 		clientType = strings.ToLower(strings.TrimSpace(*req.Type))
@@ -382,6 +459,14 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "client id is required"})
 	}

+	// Fetch first for audit log tenant_id
+	client, err := h.Hydra.GetClient(c.Context(), clientID)
+	if err == nil {
+		if tid, ok := client.Metadata["tenant_id"].(string); ok {
+			c.Locals("tenant_id", tid)
+		}
+	}
+
 	if err := h.Hydra.DeleteClient(c.Context(), clientID); err != nil {
 		if errors.Is(err, service.ErrHydraNotFound) {
 			return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "client not found"})
@@ -403,11 +488,24 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 }

 func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+	}
+
 	clientID := strings.TrimSpace(c.Query("client_id"))
 	if clientID == "" {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "client_id is required"})
 	}

+	// Permission Check
+	if profile.Role != domain.RoleSuperAdmin {
+		allowed, err := h.RPService.CheckPermission(c.Context(), profile.ID, clientID, "view")
+		if err != nil || !allowed {
+			return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: you do not have permission to view consents for this client"})
+		}
+	}
+
 	subject := strings.TrimSpace(c.Query("subject"))
 	limit := c.QueryInt("limit", 50)
 	offset := c.QueryInt("offset", 0)
@@ -484,12 +582,28 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
 }

 func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+	}
+
 	subject := strings.TrimSpace(c.Query("subject"))
 	if subject == "" {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "subject is required"})
 	}
 	clientID := strings.TrimSpace(c.Query("client_id"))

+	// Permission Check (if clientID is provided)
+	if clientID != "" && profile.Role != domain.RoleSuperAdmin {
+		allowed, err := h.RPService.CheckPermission(c.Context(), profile.ID, clientID, "manage")
+		if err != nil || !allowed {
+			return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: you do not have permission to revoke consents for this client"})
+		}
+	} else if clientID == "" && profile.Role != domain.RoleSuperAdmin {
+		// If clientID is not provided, we might need a more global check or just disallow it for non-superadmins
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "client_id is required for non-superadmins"})
+	}
+
 	// If subject is not a UUID, try to resolve it as an identifier (email/username)
 	if _, err := uuid.Parse(subject); err != nil {
 		resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), subject)
@@ -532,6 +646,11 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Set for audit logging
+	if tid, ok := current.Metadata["tenant_id"].(string); ok {
+		c.Locals("tenant_id", tid)
+	}
+
 	// 3. Update Hydra
 	current.ClientSecret = newSecret
 	updated, err := h.Hydra.UpdateClient(c.Context(), clientID, *current)
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -1,8 +1,10 @@
 package handler

 import (
+	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/service"
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -10,8 +12,75 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
 )

+type MockRPService struct {
+	mock.Mock
+}
+
+func (m *MockRPService) Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error) {
+	args := m.Called(ctx, tenantID, client)
+	return args.Get(0).(*domain.RelyingParty), args.Error(1)
+}
+
+func (m *MockRPService) Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error) {
+	args := m.Called(ctx, clientID)
+	return args.Get(0).(*domain.RelyingParty), args.Get(1).(*domain.HydraClient), args.Error(2)
+}
+
+func (m *MockRPService) List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
+	args := m.Called(ctx, tenantID)
+	return args.Get(0).([]domain.RelyingParty), args.Error(1)
+}
+
+func (m *MockRPService) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
+	args := m.Called(ctx)
+	return args.Get(0).([]domain.RelyingParty), args.Error(1)
+}
+
+func (m *MockRPService) ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error) {
+	args := m.Called(ctx, tenantIDs)
+	return args.Get(0).([]domain.RelyingParty), args.Error(1)
+}
+
+func (m *MockRPService) Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error) {
+	args := m.Called(ctx, clientID, client)
+	return args.Get(0).(*domain.RelyingParty), args.Error(1)
+}
+
+func (m *MockRPService) Delete(ctx context.Context, clientID string) error {
+	args := m.Called(ctx, clientID)
+	return args.Error(0)
+}
+
+func (m *MockRPService) CheckPermission(ctx context.Context, userID, clientID, relation string) (bool, error) {
+	args := m.Called(ctx, userID, clientID, relation)
+	return args.Bool(0), args.Error(1)
+}
+
+func (m *MockRPService) AddOwner(ctx context.Context, clientID, subject string) error {
+	args := m.Called(ctx, clientID, subject)
+	return args.Error(0)
+}
+
+func (m *MockRPService) RemoveOwner(ctx context.Context, clientID, subject string) error {
+	args := m.Called(ctx, clientID, subject)
+	return args.Error(0)
+}
+
+func (m *MockRPService) ListOwners(ctx context.Context, clientID string) ([]string, error) {
+	args := m.Called(ctx, clientID)
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func withMockProfile(profile *domain.UserProfileResponse) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		c.Locals("user_profile", profile)
+		return c.Next()
+	}
+}
+
 func TestListClients_Success(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.URL.Path == "/clients" {
@@ -30,7 +99,11 @@ func TestListClients_Success(t *testing.T) {
 		},
 	}
 	app := fiber.New()
-	app.Get("/api/v1/dev/clients", h.ListClients)
+	adminProfile := &domain.UserProfileResponse{
+		ID:   "admin-1",
+		Role: domain.RoleSuperAdmin,
+	}
+	app.Get("/api/v1/dev/clients", withMockProfile(adminProfile), h.ListClients)

 	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
 	resp, _ := app.Test(req, -1)
@@ -66,7 +139,11 @@ func TestGetClient_Success(t *testing.T) {
 		},
 	}
 	app := fiber.New()
-	app.Get("/api/v1/dev/clients/:id", h.GetClient)
+	adminProfile := &domain.UserProfileResponse{
+		ID:   "admin-1",
+		Role: domain.RoleSuperAdmin,
+	}
+	app.Get("/api/v1/dev/clients/:id", withMockProfile(adminProfile), h.GetClient)

 	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-123", nil)
 	resp, _ := app.Test(req, -1)
@@ -92,7 +169,11 @@ func TestGetClient_NotFound(t *testing.T) {
 		},
 	}
 	app := fiber.New()
-	app.Get("/api/v1/dev/clients/:id", h.GetClient)
+	adminProfile := &domain.UserProfileResponse{
+		ID:   "admin-1",
+		Role: domain.RoleSuperAdmin,
+	}
+	app.Get("/api/v1/dev/clients/:id", withMockProfile(adminProfile), h.GetClient)

 	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/non-existent", nil)
 	resp, _ := app.Test(req, -1)
@@ -109,30 +190,49 @@ func TestCreateClient_Success(t *testing.T) {
 				"client_secret": "secret-123",
 			}), nil
 		}
-		return httpJSONAny(r, http.StatusInternalServerError, map[string]string{"error": "hydra error"}), nil
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/new-client-123" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":     "new-client-123",
+				"client_name":   "New App",
+				"client_secret": "secret-123",
+				"metadata":      map[string]interface{}{"status": "active"},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusInternalServerError, map[string]string{"error": "hydra error path: " + r.URL.Path}), nil
 	})

 	secretRepo := &mockSecretRepo{secrets: make(map[string]string)}
 	redisRepo := &mockRedisRepo{data: make(map[string]string)}
+	mockRP := new(MockRPService)

 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{
 			AdminURL:   "http://hydra.test",
+			PublicURL:  "http://hydra-public.test",
 			HTTPClient: &http.Client{Transport: transport},
 		},
 		SecretRepo: secretRepo,
 		Redis:      redisRepo,
+		RPService:  mockRP,
 	}
 	app := fiber.New()
-	app.Post("/api/v1/dev/clients", h.CreateClient)
+	adminProfile := &domain.UserProfileResponse{
+		ID:   "admin-1",
+		Role: domain.RoleSuperAdmin,
+	}
+	app.Post("/api/v1/dev/clients", withMockProfile(adminProfile), h.CreateClient)

 	body, _ := json.Marshal(map[string]interface{}{
 		"client_name":  "New App",
 		"type":         "confidential",
 		"redirectUris": []string{"http://localhost/cb"},
 	})
+
+	mockRP.On("Create", mock.Anything, "t1", mock.Anything).Return(&domain.RelyingParty{ClientID: "new-client-123"}, nil)
+
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Tenant-ID", "t1")

 	resp, _ := app.Test(req, -1)
 	assert.Equal(t, http.StatusCreated, resp.StatusCode)
--- a/backend/internal/handler/relying_party_handler.go
+++ b/backend/internal/handler/relying_party_handler.go
@@ -10,10 +10,11 @@ import (

 type RelyingPartyHandler struct {
 	Service service.RelyingPartyService
+	UserSvc *service.KratosAdminService
 }

-func NewRelyingPartyHandler(s service.RelyingPartyService) *RelyingPartyHandler {
-	return &RelyingPartyHandler{Service: s}
+func NewRelyingPartyHandler(s service.RelyingPartyService, userSvc *service.KratosAdminService) *RelyingPartyHandler {
+	return &RelyingPartyHandler{Service: s, UserSvc: userSvc}
 }

 func (h *RelyingPartyHandler) Create(c *fiber.Ctx) error {
@@ -110,3 +111,58 @@ func (h *RelyingPartyHandler) Delete(c *fiber.Ctx) error {

 	return c.SendStatus(fiber.StatusNoContent)
 }
+
+func (h *RelyingPartyHandler) ListOwners(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	subjects, err := h.Service.ListOwners(c.Context(), clientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	type ownerInfo struct {
+		Subject string `json:"subject"`
+		Name    string `json:"name,omitempty"`
+		Email   string `json:"email,omitempty"`
+		Type    string `json:"type"` // "user" or "group"
+	}
+
+	owners := make([]ownerInfo, 0, len(subjects))
+	for _, s := range subjects {
+		info := ownerInfo{Subject: s, Type: "unknown"}
+		if len(s) > 5 && s[:5] == "User:" {
+			info.Type = "user"
+			userID := s[5:]
+			identity, err := h.UserSvc.GetIdentity(c.Context(), userID)
+			if err == nil && identity != nil {
+				info.Name, _ = identity.Traits["name"].(string)
+				info.Email, _ = identity.Traits["email"].(string)
+			}
+		} else if len(s) > 10 && s[:10] == "UserGroup:" {
+			info.Type = "group"
+			// Group name enrichment could be added if we have a GroupService here
+		}
+		owners = append(owners, info)
+	}
+
+	return c.JSON(owners)
+}
+
+func (h *RelyingPartyHandler) AddOwner(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	subject := c.Params("subject") // e.g. "User:uuid"
+
+	if err := h.Service.AddOwner(c.Context(), clientID, subject); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "owner added"})
+}
+
+func (h *RelyingPartyHandler) RemoveOwner(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	subject := c.Params("subject")
+
+	if err := h.Service.RemoveOwner(c.Context(), clientID, subject); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "owner removed"})
+}
--- a/backend/internal/handler/tenant_group_handler.go
+++ b/backend/internal/handler/tenant_group_handler.go
@@ -0,0 +1,193 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+type TenantGroupHandler struct {
+	Service     service.TenantGroupService
+	UserService *service.KratosAdminService
+}
+
+func NewTenantGroupHandler(svc service.TenantGroupService, userSvc *service.KratosAdminService) *TenantGroupHandler {
+	return &TenantGroupHandler{Service: svc, UserService: userSvc}
+}
+
+type tenantGroupSummary struct {
+	ID          string          `json:"id"`
+	Name        string          `json:"name"`
+	Slug        string          `json:"slug"`
+	Description string          `json:"description"`
+	Tenants     []tenantSummary `json:"tenants,omitempty"`
+	Config      domain.JSONMap  `json:"config,omitempty"`
+	CreatedAt   string          `json:"createdAt"`
+	UpdatedAt   string          `json:"updatedAt"`
+}
+
+func (h *TenantGroupHandler) ListGroups(c *fiber.Ctx) error {
+	limit := c.QueryInt("limit", 50)
+	offset := c.QueryInt("offset", 0)
+
+	groups, total, err := h.Service.ListGroups(c.Context(), limit, offset)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	items := make([]tenantGroupSummary, 0, len(groups))
+	for _, g := range groups {
+		items = append(items, mapTenantGroupSummary(g))
+	}
+
+	return c.JSON(fiber.Map{
+		"items":  items,
+		"total":  total,
+		"limit":  limit,
+		"offset": offset,
+	})
+}
+
+func (h *TenantGroupHandler) GetGroup(c *fiber.Ctx) error {
+	id := c.Params("id")
+	group, err := h.Service.GetGroup(c.Context(), id)
+	if err != nil {
+		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "group not found"})
+	}
+	return c.JSON(mapTenantGroupSummary(*group))
+}
+
+func (h *TenantGroupHandler) CreateGroup(c *fiber.Ctx) error {
+	var req struct {
+		Name        string `json:"name"`
+		Slug        string `json:"slug"`
+		Description string `json:"description"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	group, err := h.Service.CreateGroup(c.Context(), req.Name, req.Slug, req.Description)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.Status(fiber.StatusCreated).JSON(mapTenantGroupSummary(*group))
+}
+
+func (h *TenantGroupHandler) UpdateGroup(c *fiber.Ctx) error {
+	id := c.Params("id")
+	var req struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	group, err := h.Service.UpdateGroup(c.Context(), id, req.Name, req.Description)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(mapTenantGroupSummary(*group))
+}
+
+func (h *TenantGroupHandler) DeleteGroup(c *fiber.Ctx) error {
+	id := c.Params("id")
+	if err := h.Service.DeleteGroup(c.Context(), id); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *TenantGroupHandler) AddTenantToGroup(c *fiber.Ctx) error {
+	groupID := c.Params("id")
+	tenantID := c.Params("tenantId")
+
+	if err := h.Service.AddTenantToGroup(c.Context(), groupID, tenantID); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "tenant added to group"})
+}
+
+func (h *TenantGroupHandler) RemoveTenantFromGroup(c *fiber.Ctx) error {
+	groupID := c.Params("id")
+	tenantID := c.Params("tenantId")
+
+	if err := h.Service.RemoveTenantFromGroup(c.Context(), groupID, tenantID); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "tenant removed from group"})
+}
+
+func (h *TenantGroupHandler) ListAdmins(c *fiber.Ctx) error {
+	groupID := c.Params("id")
+	userIDs, err := h.Service.ListGroupAdmins(c.Context(), groupID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	type adminInfo struct {
+		ID    string `json:"id"`
+		Name  string `json:"name"`
+		Email string `json:"email"`
+	}
+
+	admins := make([]adminInfo, 0, len(userIDs))
+	for _, uid := range userIDs {
+		identity, err := h.UserService.GetIdentity(c.Context(), uid)
+		if err == nil && identity != nil {
+			name, _ := identity.Traits["name"].(string)
+			email, _ := identity.Traits["email"].(string)
+			admins = append(admins, adminInfo{
+				ID:    uid,
+				Name:  name,
+				Email: email,
+			})
+		} else {
+			// Fallback if identity not found in Kratos
+			admins = append(admins, adminInfo{ID: uid})
+		}
+	}
+
+	return c.JSON(admins)
+}
+
+func (h *TenantGroupHandler) AddAdmin(c *fiber.Ctx) error {
+	groupID := c.Params("id")
+	userID := c.Params("userId")
+
+	if err := h.Service.AddGroupAdmin(c.Context(), groupID, userID); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "admin added to group"})
+}
+
+func (h *TenantGroupHandler) RemoveAdmin(c *fiber.Ctx) error {
+	groupID := c.Params("id")
+	userID := c.Params("userId")
+
+	if err := h.Service.RemoveGroupAdmin(c.Context(), groupID, userID); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "admin removed from group"})
+}
+
+func mapTenantGroupSummary(g domain.TenantGroup) tenantGroupSummary {
+	tenants := make([]tenantSummary, 0, len(g.Tenants))
+	for _, t := range g.Tenants {
+		tenants = append(tenants, mapTenantSummary(t))
+	}
+
+	return tenantGroupSummary{
+		ID:          g.ID,
+		Name:        g.Name,
+		Slug:        g.Slug,
+		Description: g.Description,
+		Tenants:     tenants,
+		Config:      g.Config,
+		CreatedAt:   g.CreatedAt.Format(time.RFC3339),
+		UpdatedAt:   g.UpdatedAt.Format(time.RFC3339),
+	}
+}
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -14,22 +14,25 @@ import (
 type TenantHandler struct {
 	DB      *gorm.DB
 	Service service.TenantService
+	Keto    service.KetoService
+	UserSvc *service.KratosAdminService
 }

-func NewTenantHandler(db *gorm.DB, svc service.TenantService) *TenantHandler {
-	return &TenantHandler{DB: db, Service: svc}
+func NewTenantHandler(db *gorm.DB, svc service.TenantService, keto service.KetoService, userSvc *service.KratosAdminService) *TenantHandler {
+	return &TenantHandler{DB: db, Service: svc, Keto: keto, UserSvc: userSvc}
 }

 type tenantSummary struct {
-	ID          string         `json:"id"`
-	Name        string         `json:"name"`
-	Slug        string         `json:"slug"`
-	Description string         `json:"description"`
-	Status      string         `json:"status"`
-	Domains     []string       `json:"domains,omitempty"`
-	Config      domain.JSONMap `json:"config,omitempty"`
-	CreatedAt   string         `json:"createdAt"`
-	UpdatedAt   string         `json:"updatedAt"`
+	ID            string         `json:"id"`
+	Name          string         `json:"name"`
+	Slug          string         `json:"slug"`
+	Description   string         `json:"description"`
+	Status        string         `json:"status"`
+	TenantGroupID *string        `json:"tenantGroupId,omitempty"`
+	Domains       []string       `json:"domains,omitempty"`
+	Config        domain.JSONMap `json:"config,omitempty"`
+	CreatedAt     string         `json:"createdAt"`
+	UpdatedAt     string         `json:"updatedAt"`
 }

 type tenantListResponse struct {
@@ -100,7 +103,7 @@ func (h *TenantHandler) ListTenants(c *fiber.Ctx) error {
 	}

 	var tenants []domain.Tenant
-	if err := h.DB.Order("created_at desc").Limit(limit).Offset(offset).Preload("Domains").Find(&tenants).Error; err != nil {
+	if err := h.DB.Order("created_at desc").Limit(limit).Offset(offset).Preload("Domains").Preload("TenantGroup").Find(&tenants).Error; err != nil {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

@@ -123,7 +126,7 @@ func (h *TenantHandler) GetTenant(c *fiber.Ctx) error {
 	}

 	var tenant domain.Tenant
-	if err := h.DB.Preload("Domains").First(&tenant, "id = ?", tenantID).Error; err != nil {
+	if err := h.DB.Preload("Domains").Preload("TenantGroup").First(&tenant, "id = ?", tenantID).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "tenant not found"})
 		}
@@ -204,12 +207,13 @@ func (h *TenantHandler) UpdateTenant(c *fiber.Ctx) error {
 	}

 	var req struct {
-		Name        *string        `json:"name"`
-		Slug        *string        `json:"slug"`
-		Description *string        `json:"description"`
-		Status      *string        `json:"status"`
-		Domains     []string       `json:"domains"`
-		Config      map[string]any `json:"config"`
+		Name          *string        `json:"name"`
+		Slug          *string        `json:"slug"`
+		Description   *string        `json:"description"`
+		Status        *string        `json:"status"`
+		TenantGroupID *string        `json:"tenantGroupId"`
+		Domains       []string       `json:"domains"`
+		Config        map[string]any `json:"config"`
 	}
 	if err := c.BodyParser(&req); err != nil {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
@@ -251,6 +255,29 @@ func (h *TenantHandler) UpdateTenant(c *fiber.Ctx) error {
 		tenant.Config = req.Config
 	}

+	// Handle Group Change
+	if req.TenantGroupID != nil {
+		oldGroupID := tenant.TenantGroupID
+		newGroupID := req.TenantGroupID
+		if *newGroupID == "" {
+			newGroupID = nil
+		}
+
+		// Update Keto if group changed
+		if h.Keto != nil {
+			// Remove old group relation if existed
+			if oldGroupID != nil && (newGroupID == nil || *oldGroupID != *newGroupID) {
+				_ = h.Keto.DeleteRelation(c.Context(), "Tenant", tenant.ID, "parent_group", *oldGroupID)
+			}
+			// Add new group relation
+			if newGroupID != nil && (oldGroupID == nil || *oldGroupID != *newGroupID) {
+				_ = h.Keto.CreateRelation(c.Context(), "Tenant", tenant.ID, "parent_group", *newGroupID)
+			}
+		}
+
+		tenant.TenantGroupID = newGroupID
+	}
+
 	if err := h.DB.Save(&tenant).Error; err != nil {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}
@@ -301,6 +328,58 @@ func (h *TenantHandler) DeleteTenant(c *fiber.Ctx) error {
 	return c.SendStatus(fiber.StatusNoContent)
 }

+func (h *TenantHandler) ListAdmins(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	userIDs, err := h.Service.ListTenantAdmins(c.Context(), tenantID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	type adminInfo struct {
+		ID    string `json:"id"`
+		Name  string `json:"name"`
+		Email string `json:"email"`
+	}
+
+	admins := make([]adminInfo, 0, len(userIDs))
+	for _, uid := range userIDs {
+		identity, err := h.UserSvc.GetIdentity(c.Context(), uid)
+		if err == nil && identity != nil {
+			name, _ := identity.Traits["name"].(string)
+			email, _ := identity.Traits["email"].(string)
+			admins = append(admins, adminInfo{
+				ID:    uid,
+				Name:  name,
+				Email: email,
+			})
+		} else {
+			admins = append(admins, adminInfo{ID: uid})
+		}
+	}
+
+	return c.JSON(admins)
+}
+
+func (h *TenantHandler) AddAdmin(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	userID := c.Params("userId")
+
+	if err := h.Service.AddTenantAdmin(c.Context(), tenantID, userID); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "admin added to tenant"})
+}
+
+func (h *TenantHandler) RemoveAdmin(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	userID := c.Params("userId")
+
+	if err := h.Service.RemoveTenantAdmin(c.Context(), tenantID, userID); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{"message": "admin removed from tenant"})
+}
+
 func mapTenantSummary(t domain.Tenant) tenantSummary {
 	domains := make([]string, 0, len(t.Domains))
 	for _, d := range t.Domains {
@@ -308,15 +387,16 @@ func mapTenantSummary(t domain.Tenant) tenantSummary {
 	}

 	return tenantSummary{
-		ID:          t.ID,
-		Name:        t.Name,
-		Slug:        t.Slug,
-		Description: t.Description,
-		Status:      t.Status,
-		Domains:     domains,
-		Config:      t.Config,
-		CreatedAt:   t.CreatedAt.Format(time.RFC3339),
-		UpdatedAt:   t.UpdatedAt.Format(time.RFC3339),
+		ID:            t.ID,
+		Name:          t.Name,
+		Slug:          t.Slug,
+		Description:   t.Description,
+		Status:        t.Status,
+		TenantGroupID: t.TenantGroupID,
+		Domains:       domains,
+		Config:        t.GetMergedConfig(),
+		CreatedAt:     t.CreatedAt.Format(time.RFC3339),
+		UpdatedAt:     t.UpdatedAt.Format(time.RFC3339),
 	}
 }

--- a/backend/internal/handler/tenant_handler_test.go
+++ b/backend/internal/handler/tenant_handler_test.go
@@ -70,6 +70,26 @@ func (m *MockTenantService) SetKetoService(keto service.KetoService) {
 	m.Called(keto)
 }

+func (m *MockTenantService) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
+	args := m.Called(ctx, userID)
+	return args.Get(0).([]domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantService) AddTenantAdmin(ctx context.Context, tenantID, userID string) error {
+	args := m.Called(ctx, tenantID, userID)
+	return args.Error(0)
+}
+
+func (m *MockTenantService) RemoveTenantAdmin(ctx context.Context, tenantID, userID string) error {
+	args := m.Called(ctx, tenantID, userID)
+	return args.Error(0)
+}
+
+func (m *MockTenantService) ListTenantAdmins(ctx context.Context, tenantID string) ([]string, error) {
+	args := m.Called(ctx, tenantID)
+	return args.Get(0).([]string), args.Error(1)
+}
+
 func TestTenantHandler_CreateTenant(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
--- a/backend/internal/handler/tenant_rebac_handler_test.go
+++ b/backend/internal/handler/tenant_rebac_handler_test.go
@@ -0,0 +1,123 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/middleware"
+	"baron-sso-backend/internal/service"
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+// Reusing MockKetoService from previous step or defining here if needed
+type MockKetoService struct {
+	mock.Mock
+}
+
+func (m *MockKetoService) CheckPermission(ctx context.Context, subject, namespace, object, relation string) (bool, error) {
+	args := m.Called(ctx, subject, namespace, object, relation)
+	return args.Bool(0), args.Error(1)
+}
+
+func (m *MockKetoService) CreateRelation(ctx context.Context, namespace, object, relation, subject string) error {
+	return m.Called(ctx, namespace, object, relation, subject).Error(0)
+}
+
+func (m *MockKetoService) DeleteRelation(ctx context.Context, namespace, object, relation, subject string) error {
+	return m.Called(ctx, namespace, object, relation, subject).Error(0)
+}
+
+func (m *MockKetoService) ListRelations(ctx context.Context, namespace, object, relation, subject string) ([]service.RelationTuple, error) {
+	args := m.Called(ctx, namespace, object, relation, subject)
+	return args.Get(0).([]service.RelationTuple), args.Error(1)
+}
+
+func (m *MockKetoService) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
+	args := m.Called(ctx, namespace, relation, subject)
+	return args.Get(0).([]string), args.Error(1)
+}
+
+// MockAuthHandler implements middleware.AuthProfileProvider
+type MockAuthHandler struct {
+	mock.Mock
+}
+
+func (m *MockAuthHandler) GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error) {
+	args := m.Called(c)
+	return args.Get(0).(*domain.UserProfileResponse), args.Error(1)
+}
+
+func TestRequireKetoPermission_Tenant_AuditContext(t *testing.T) {
+	app := fiber.New()
+	mockKeto := new(MockKetoService)
+	mockAuth := new(MockAuthHandler)
+
+	config := middleware.RBACConfig{
+		AuthHandler: mockAuth,
+		KetoService: mockKeto,
+	}
+
+	userID := "user-1"
+	tenantID := "tenant-abc"
+
+	// Mock user profile
+	mockAuth.On("GetEnrichedProfile", mock.Anything).Return(&domain.UserProfileResponse{
+		ID:   userID,
+		Role: domain.RoleTenantAdmin,
+	}, nil)
+
+	// Mock Keto: Allow access
+	mockKeto.On("CheckPermission", mock.Anything, userID, "Tenant", tenantID, "manage").Return(true, nil)
+
+	// Route with middleware
+	app.Get("/test/tenants/:id", middleware.RequireKetoPermission(config, "Tenant", "manage"), func(c *fiber.Ctx) error {
+		// Verify that tenant_id was injected into Locals for audit log
+		assert.Equal(t, tenantID, c.Locals("tenant_id"))
+		return c.SendStatus(fiber.StatusOK)
+	})
+
+	// Execute
+	req := httptest.NewRequest("GET", "/test/tenants/"+tenantID, nil)
+	resp, _ := app.Test(req)
+
+	// Verify
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	mockKeto.AssertExpectations(t)
+	mockAuth.AssertExpectations(t)
+}
+
+func TestRequireKetoPermission_Deny(t *testing.T) {
+	app := fiber.New()
+	mockKeto := new(MockKetoService)
+	mockAuth := new(MockAuthHandler)
+
+	config := middleware.RBACConfig{
+		AuthHandler: mockAuth,
+		KetoService: mockKeto,
+	}
+
+	userID := "user-bad"
+	tenantID := "tenant-secret"
+
+	mockAuth.On("GetEnrichedProfile", mock.Anything).Return(&domain.UserProfileResponse{
+		ID:   userID,
+		Role: domain.RoleUser,
+	}, nil)
+
+	// Mock Keto: Deny access
+	mockKeto.On("CheckPermission", mock.Anything, userID, "Tenant", tenantID, "view").Return(false, nil)
+
+	app.Get("/test/tenants/:id", middleware.RequireKetoPermission(config, "Tenant", "view"), func(c *fiber.Ctx) error {
+		return c.SendStatus(fiber.StatusOK)
+	})
+
+	req := httptest.NewRequest("GET", "/test/tenants/"+tenantID, nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+}
--- a/backend/internal/middleware/rbac.go
+++ b/backend/internal/middleware/rbac.go
@@ -46,6 +46,11 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
 			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "missing object id for permission check"})
 		}

+		// Set tenant_id for audit logging if namespace is Tenant
+		if namespace == "Tenant" {
+			c.Locals("tenant_id", objectID)
+		}
+
 		// Check with Keto
 		allowed, err := config.KetoService.CheckPermission(c.Context(), profile.ID, namespace, objectID, relation)
 		if err != nil || !allowed {
--- a/backend/internal/middleware/rbac_test.go
+++ b/backend/internal/middleware/rbac_test.go
@@ -54,6 +54,14 @@ func (m *MockKetoService) ListRelations(ctx context.Context, namespace, object,
 	return args.Get(0).([]service.RelationTuple), args.Error(1)
 }

+func (m *MockKetoService) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
+	args := m.Called(ctx, namespace, relation, subject)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]string), args.Error(1)
+}
+
 // Fixed MockKetoService to match service.KetoService exactly if possible.
 // Wait, middleware/rbac.go imports baron-sso-backend/internal/service.
 // So I should use service.RelationTuple.
--- a/backend/internal/repository/tenant_group_repository.go
+++ b/backend/internal/repository/tenant_group_repository.go
@@ -0,0 +1,65 @@
+package repository
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+
+	"gorm.io/gorm"
+)
+
+type TenantGroupRepository interface {
+	Create(ctx context.Context, group *domain.TenantGroup) error
+	Update(ctx context.Context, group *domain.TenantGroup) error
+	Delete(ctx context.Context, id string) error
+	FindByID(ctx context.Context, id string) (*domain.TenantGroup, error)
+	List(ctx context.Context, limit, offset int) ([]domain.TenantGroup, int64, error)
+	AddTenant(ctx context.Context, groupID, tenantID string) error
+	RemoveTenant(ctx context.Context, groupID, tenantID string) error
+}
+
+type tenantGroupRepository struct {
+	db *gorm.DB
+}
+
+func NewTenantGroupRepository(db *gorm.DB) TenantGroupRepository {
+	return &tenantGroupRepository{db: db}
+}
+
+func (r *tenantGroupRepository) Create(ctx context.Context, group *domain.TenantGroup) error {
+	return r.db.WithContext(ctx).Create(group).Error
+}
+
+func (r *tenantGroupRepository) Update(ctx context.Context, group *domain.TenantGroup) error {
+	return r.db.WithContext(ctx).Save(group).Error
+}
+
+func (r *tenantGroupRepository) Delete(ctx context.Context, id string) error {
+	return r.db.WithContext(ctx).Delete(&domain.TenantGroup{}, "id = ?", id).Error
+}
+
+func (r *tenantGroupRepository) FindByID(ctx context.Context, id string) (*domain.TenantGroup, error) {
+	var group domain.TenantGroup
+	if err := r.db.WithContext(ctx).Preload("Tenants").First(&group, "id = ?", id).Error; err != nil {
+		return nil, err
+	}
+	return &group, nil
+}
+
+func (r *tenantGroupRepository) List(ctx context.Context, limit, offset int) ([]domain.TenantGroup, int64, error) {
+	var groups []domain.TenantGroup
+	var total int64
+	db := r.db.WithContext(ctx).Model(&domain.TenantGroup{})
+	db.Count(&total)
+	if err := db.Limit(limit).Offset(offset).Find(&groups).Error; err != nil {
+		return nil, 0, err
+	}
+	return groups, total, nil
+}
+
+func (r *tenantGroupRepository) AddTenant(ctx context.Context, groupID, tenantID string) error {
+	return r.db.WithContext(ctx).Model(&domain.Tenant{}).Where("id = ?", tenantID).Update("tenant_group_id", groupID).Error
+}
+
+func (r *tenantGroupRepository) RemoveTenant(ctx context.Context, groupID, tenantID string) error {
+	return r.db.WithContext(ctx).Model(&domain.Tenant{}).Where("id = ? AND tenant_group_id = ?", tenantID, groupID).Update("tenant_group_id", nil).Error
+}
--- a/backend/internal/repository/tenant_repository.go
+++ b/backend/internal/repository/tenant_repository.go
@@ -14,6 +14,7 @@ type TenantRepository interface {
 	FindBySlug(ctx context.Context, slug string) (*domain.Tenant, error)
 	FindByName(ctx context.Context, name string) (*domain.Tenant, error)
 	FindByDomain(ctx context.Context, domainName string) (*domain.Tenant, error)
+	FindByIDs(ctx context.Context, ids []string) ([]domain.Tenant, error)
 	AddDomain(ctx context.Context, tenantID string, domainName string) error
 }

@@ -41,6 +42,17 @@ func (r *tenantRepository) FindByID(ctx context.Context, id string) (*domain.Ten
 	return &tenant, nil
 }

+func (r *tenantRepository) FindByIDs(ctx context.Context, ids []string) ([]domain.Tenant, error) {
+	var tenants []domain.Tenant
+	if len(ids) == 0 {
+		return tenants, nil
+	}
+	if err := r.db.WithContext(ctx).Preload("Domains").Where("id IN ?", ids).Find(&tenants).Error; err != nil {
+		return nil, err
+	}
+	return tenants, nil
+}
+
 func (r *tenantRepository) FindBySlug(ctx context.Context, slug string) (*domain.Tenant, error) {
 	var tenant domain.Tenant
 	if err := r.db.WithContext(ctx).Preload("Domains").Where("slug = ?", slug).First(&tenant).Error; err != nil {
--- a/backend/internal/service/hydra_admin_service.go
+++ b/backend/internal/service/hydra_admin_service.go
@@ -2,6 +2,7 @@ package service

 import (
 	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/utils"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -27,8 +28,8 @@ type HydraAdminService struct {

 func NewHydraAdminService() *HydraAdminService {
 	return &HydraAdminService{
-		AdminURL:  getenv("HYDRA_ADMIN_URL", "http://hydra:4445"),
-		PublicURL: getenv("HYDRA_PUBLIC_URL", "http://hydra:4444"),
+		AdminURL:  utils.GetEnv("HYDRA_ADMIN_URL", "http://hydra:4445"),
+		PublicURL: utils.GetEnv("HYDRA_PUBLIC_URL", "http://hydra:4444"),
 	}
 }

--- a/backend/internal/service/keto_service.go
+++ b/backend/internal/service/keto_service.go
@@ -1,6 +1,7 @@
 package service

 import (
+	"baron-sso-backend/internal/utils"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -9,7 +10,6 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
-	"os"
 	"time"
 )

@@ -18,6 +18,7 @@ type KetoService interface {
 	CreateRelation(ctx context.Context, namespace, object, relation, subject string) error
 	DeleteRelation(ctx context.Context, namespace, object, relation, subject string) error
 	ListRelations(ctx context.Context, namespace, object, relation, subject string) ([]RelationTuple, error)
+	ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error)
 }

 type ketoService struct {
@@ -27,14 +28,8 @@ type ketoService struct {
 }

 func NewKetoService() KetoService {
-	readURL := os.Getenv("KETO_READ_URL")
-	if readURL == "" {
-		readURL = "http://keto:4466"
-	}
-	writeURL := os.Getenv("KETO_WRITE_URL")
-	if writeURL == "" {
-		writeURL = "http://keto:4467"
-	}
+	readURL := utils.GetEnv("KETO_READ_URL", "http://keto:4466")
+	writeURL := utils.GetEnv("KETO_WRITE_URL", "http://keto:4467")

 	return &ketoService{
 		readURL:  readURL,
@@ -192,3 +187,40 @@ func (s *ketoService) DeleteRelation(ctx context.Context, namespace, object, rel
 	slog.Info("Keto relation deleted", "namespace", namespace, "object", object, "relation", relation, "subject", subject)
 	return nil
 }
+
+func (s *ketoService) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
+	u, _ := url.Parse(fmt.Sprintf("%s/relation-tuples", s.readURL))
+	q := u.Query()
+	q.Set("namespace", namespace)
+	q.Set("relation", relation)
+	q.Set("subject_id", subject)
+	u.RawQuery = q.Encode()
+
+	req, _ := http.NewRequestWithContext(ctx, "GET", u.String(), nil)
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("keto returned status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var res relationTuplesResponse
+	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
+		return nil, err
+	}
+
+	objects := make([]string, 0, len(res.RelationTuples))
+	seen := make(map[string]bool)
+	for _, rt := range res.RelationTuples {
+		if !seen[rt.Object] {
+			objects = append(objects, rt.Object)
+			seen[rt.Object] = true
+		}
+	}
+
+	return objects, nil
+}
--- a/backend/internal/service/kratos_admin_service.go
+++ b/backend/internal/service/kratos_admin_service.go
@@ -1,6 +1,7 @@
 package service

 import (
+	"baron-sso-backend/internal/utils"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -28,7 +29,7 @@ type KratosAdminService struct {

 func NewKratosAdminService() *KratosAdminService {
 	return &KratosAdminService{
-		AdminURL: getenvKratos("KRATOS_ADMIN_URL", "http://kratos:4434"),
+		AdminURL: utils.GetEnv("KRATOS_ADMIN_URL", "http://kratos:4434"),
 	}
 }

@@ -227,8 +228,9 @@ func (s *KratosAdminService) httpClient() *http.Client {
 }

 func getenvKratos(key, fallback string) string {
-	if v := os.Getenv(key); v != "" {
-		return v
+	v := os.Getenv(key)
+	if v == "" {
+		return fallback
 	}
-	return fallback
+	return strings.Trim(v, "\"")
 }
--- a/backend/internal/service/ory_service.go
+++ b/backend/internal/service/ory_service.go
@@ -2,6 +2,7 @@ package service

 import (
 	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/utils"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -27,9 +28,9 @@ type OryProvider struct {

 func NewOryProvider() *OryProvider {
 	return &OryProvider{
-		KratosAdminURL:  getenv("KRATOS_ADMIN_URL", "http://kratos:4434"),
-		KratosPublicURL: getenv("KRATOS_PUBLIC_URL", "http://kratos:4433"),
-		HydraAdminURL:   getenv("HYDRA_ADMIN_URL", "http://hydra:4445"),
+		KratosAdminURL:  utils.GetEnv("KRATOS_ADMIN_URL", "http://kratos:4434"),
+		KratosPublicURL: utils.GetEnv("KRATOS_PUBLIC_URL", "http://kratos:4433"),
+		HydraAdminURL:   utils.GetEnv("HYDRA_ADMIN_URL", "http://hydra:4445"),
 	}
 }

@@ -728,10 +729,12 @@ func (o *OryProvider) UpdateUserPassword(loginID, newPassword string, r *http.Re
 }

 func getenv(key, fallback string) string {
-	if v := os.Getenv(key); v != "" {
-		return v
+	v := os.Getenv(key)
+	if v == "" {
+		return fallback
 	}
-	return fallback
+	// Strip surrounding double quotes if present
+	return strings.Trim(v, "\"")
 }

 // findIdentityID: Kratos Admin API에서 credentials_identifier로 검색 후 첫 번째 identity id 반환
--- a/backend/internal/service/relying_party_service.go
+++ b/backend/internal/service/relying_party_service.go
@@ -15,6 +15,10 @@ type RelyingPartyService interface {
 	ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error)
 	Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error)
 	Delete(ctx context.Context, clientID string) error
+	CheckPermission(ctx context.Context, userID, clientID, relation string) (bool, error)
+	AddOwner(ctx context.Context, clientID, subject string) error
+	RemoveOwner(ctx context.Context, clientID, subject string) error
+	ListOwners(ctx context.Context, clientID string) ([]string, error)
 }

 type relyingPartyService struct {
@@ -158,6 +162,31 @@ func (s *relyingPartyService) Delete(ctx context.Context, clientID string) error
 	return nil
 }

+func (s *relyingPartyService) CheckPermission(ctx context.Context, userID, clientID, relation string) (bool, error) {
+	return s.ketoService.CheckPermission(ctx, userID, "RelyingParty", clientID, relation)
+}
+
+func (s *relyingPartyService) AddOwner(ctx context.Context, clientID, subject string) error {
+	return s.ketoService.CreateRelation(ctx, "RelyingParty", clientID, "owners", subject)
+}
+
+func (s *relyingPartyService) RemoveOwner(ctx context.Context, clientID, subject string) error {
+	return s.ketoService.DeleteRelation(ctx, "RelyingParty", clientID, "owners", subject)
+}
+
+func (s *relyingPartyService) ListOwners(ctx context.Context, clientID string) ([]string, error) {
+	tuples, err := s.ketoService.ListRelations(ctx, "RelyingParty", clientID, "owners", "")
+	if err != nil {
+		return nil, err
+	}
+
+	subjects := make([]string, 0, len(tuples))
+	for _, t := range tuples {
+		subjects = append(subjects, t.SubjectID)
+	}
+	return subjects, nil
+}
+
 func (s *relyingPartyService) mapHydraToDomain(client *domain.HydraClient) *domain.RelyingParty {
 	if client == nil {
 		return nil
--- a/backend/internal/service/relying_party_service_test.go
+++ b/backend/internal/service/relying_party_service_test.go
@@ -54,6 +54,14 @@ func (m *MockKetoService) ListRelations(ctx context.Context, namespace, object,
 	return args.Get(0).([]RelationTuple), args.Error(1)
 }

+func (m *MockKetoService) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
+	args := m.Called(ctx, namespace, relation, subject)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]string), args.Error(1)
+}
+
 // --- Test Helpers ---

 type hydraRoundTripperFunc func(*http.Request) (*http.Response, error)
--- a/backend/internal/service/tenant_group_service.go
+++ b/backend/internal/service/tenant_group_service.go
@@ -0,0 +1,130 @@
+package service
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/repository"
+	"context"
+	"log/slog"
+)
+
+type TenantGroupService interface {
+	CreateGroup(ctx context.Context, name, slug, description string) (*domain.TenantGroup, error)
+	GetGroup(ctx context.Context, id string) (*domain.TenantGroup, error)
+	ListGroups(ctx context.Context, limit, offset int) ([]domain.TenantGroup, int64, error)
+	UpdateGroup(ctx context.Context, id string, name, description string) (*domain.TenantGroup, error)
+	DeleteGroup(ctx context.Context, id string) error
+	AddTenantToGroup(ctx context.Context, groupID, tenantID string) error
+	RemoveTenantFromGroup(ctx context.Context, groupID, tenantID string) error
+	AddGroupAdmin(ctx context.Context, groupID, userID string) error
+	RemoveGroupAdmin(ctx context.Context, groupID, userID string) error
+	ListGroupAdmins(ctx context.Context, groupID string) ([]string, error)
+}
+
+type tenantGroupService struct {
+	repo repository.TenantGroupRepository
+	keto KetoService
+}
+
+func NewTenantGroupService(repo repository.TenantGroupRepository, keto KetoService) TenantGroupService {
+	return &tenantGroupService{repo: repo, keto: keto}
+}
+
+func (s *tenantGroupService) CreateGroup(ctx context.Context, name, slug, description string) (*domain.TenantGroup, error) {
+	group := &domain.TenantGroup{
+		Name:        name,
+		Slug:        slug,
+		Description: description,
+	}
+	if err := s.repo.Create(ctx, group); err != nil {
+		return nil, err
+	}
+	return group, nil
+}
+
+func (s *tenantGroupService) GetGroup(ctx context.Context, id string) (*domain.TenantGroup, error) {
+	return s.repo.FindByID(ctx, id)
+}
+
+func (s *tenantGroupService) ListGroups(ctx context.Context, limit, offset int) ([]domain.TenantGroup, int64, error) {
+	return s.repo.List(ctx, limit, offset)
+}
+
+func (s *tenantGroupService) UpdateGroup(ctx context.Context, id string, name, description string) (*domain.TenantGroup, error) {
+	group, err := s.repo.FindByID(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	group.Name = name
+	group.Description = description
+	if err := s.repo.Update(ctx, group); err != nil {
+		return nil, err
+	}
+	return group, nil
+}
+
+func (s *tenantGroupService) DeleteGroup(ctx context.Context, id string) error {
+	return s.repo.Delete(ctx, id)
+}
+
+func (s *tenantGroupService) AddTenantToGroup(ctx context.Context, groupID, tenantID string) error {
+	if err := s.repo.AddTenant(ctx, groupID, tenantID); err != nil {
+		return err
+	}
+
+	// [Keto] ReBAC: Tenant -> Group membership
+	if s.keto != nil {
+		err := s.keto.CreateRelation(ctx, "Tenant", tenantID, "parent_group", groupID)
+		if err != nil {
+			slog.Error("Failed to sync Keto relation for tenant group", "tenantID", tenantID, "groupID", groupID, "error", err)
+		}
+	}
+	return nil
+}
+
+func (s *tenantGroupService) RemoveTenantFromGroup(ctx context.Context, groupID, tenantID string) error {
+	if err := s.repo.RemoveTenant(ctx, groupID, tenantID); err != nil {
+		return err
+	}
+
+	// [Keto] ReBAC: Remove Tenant -> Group membership
+	if s.keto != nil {
+		err := s.keto.DeleteRelation(ctx, "Tenant", tenantID, "parent_group", groupID)
+		if err != nil {
+			slog.Error("Failed to remove Keto relation for tenant group", "tenantID", tenantID, "groupID", groupID, "error", err)
+		}
+	}
+	return nil
+}
+
+func (s *tenantGroupService) AddGroupAdmin(ctx context.Context, groupID, userID string) error {
+	if s.keto == nil {
+		return nil
+	}
+	return s.keto.CreateRelation(ctx, "TenantGroup", groupID, "admins", "User:"+userID)
+}
+
+func (s *tenantGroupService) RemoveGroupAdmin(ctx context.Context, groupID, userID string) error {
+	if s.keto == nil {
+		return nil
+	}
+	return s.keto.DeleteRelation(ctx, "TenantGroup", groupID, "admins", "User:"+userID)
+}
+
+func (s *tenantGroupService) ListGroupAdmins(ctx context.Context, groupID string) ([]string, error) {
+	if s.keto == nil {
+		return []string{}, nil
+	}
+	tuples, err := s.keto.ListRelations(ctx, "TenantGroup", groupID, "admins", "")
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]string, 0, len(tuples))
+	for _, t := range tuples {
+		// subject_id is "User:uuid"
+		if len(t.SubjectID) > 5 && t.SubjectID[:5] == "User:" {
+			userIDs = append(userIDs, t.SubjectID[5:])
+		}
+	}
+	return userIDs, nil
+}
--- a/backend/internal/service/tenant_rebac_service_test.go
+++ b/backend/internal/service/tenant_rebac_service_test.go
@@ -0,0 +1,108 @@
+package service
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+// MockTenantRepository is a mock implementation of repository.TenantRepository
+type MockTenantRepository struct {
+	mock.Mock
+}
+
+func (m *MockTenantRepository) Create(ctx context.Context, tenant *domain.Tenant) error {
+	return m.Called(ctx, tenant).Error(0)
+}
+
+func (m *MockTenantRepository) Update(ctx context.Context, tenant *domain.Tenant) error {
+	return m.Called(ctx, tenant).Error(0)
+}
+
+func (m *MockTenantRepository) FindByID(ctx context.Context, id string) (*domain.Tenant, error) {
+	args := m.Called(ctx, id)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantRepository) FindBySlug(ctx context.Context, slug string) (*domain.Tenant, error) {
+	args := m.Called(ctx, slug)
+	return args.Get(0).(*domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantRepository) FindByName(ctx context.Context, name string) (*domain.Tenant, error) {
+	args := m.Called(ctx, name)
+	return args.Get(0).(*domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantRepository) FindByDomain(ctx context.Context, domainName string) (*domain.Tenant, error) {
+	args := m.Called(ctx, domainName)
+	return args.Get(0).(*domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantRepository) FindByIDs(ctx context.Context, ids []string) ([]domain.Tenant, error) {
+	args := m.Called(ctx, ids)
+	return args.Get(0).([]domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantRepository) AddDomain(ctx context.Context, tenantID string, domainName string) error {
+	return m.Called(ctx, tenantID, domainName).Error(0)
+}
+
+func TestTenantService_ListManageableTenants_Inheritance(t *testing.T) {
+	mockRepo := new(MockTenantRepository)
+	mockKeto := new(MockKetoService)
+	svc := &tenantService{
+		repo: mockRepo,
+		keto: mockKeto,
+	}
+
+	userID := "user-123"
+	ctx := context.Background()
+
+	// 1. Mock direct tenant management (admins relation)
+	mockKeto.On("ListObjects", ctx, "Tenant", "admins", userID).Return([]string{"t-direct-1"}, nil)
+
+	// 2. Mock group management (admins of a group)
+	mockKeto.On("ListObjects", ctx, "TenantGroup", "admins", userID).Return([]string{"g-1"}, nil)
+
+	// 3. Mock tenants belonging to group g-1
+	mockKeto.On("ListRelations", ctx, "Tenant", "", "parent_group", "TenantGroup:g-1").Return([]RelationTuple{
+		{Object: "t-inherited-1", Relation: "parent_group", SubjectID: "TenantGroup:g-1"},
+		{Object: "t-inherited-2", Relation: "parent_group", SubjectID: "TenantGroup:g-1"},
+	}, nil)
+
+	// 4. Expect repository to fetch all unique IDs: t-direct-1, t-inherited-1, t-inherited-2
+	expectedIDs := []string{"t-direct-1", "t-inherited-1", "t-inherited-2"}
+	mockRepo.On("FindByIDs", ctx, mock.MatchedBy(func(ids []string) bool {
+		// Check if all expected IDs are present (order doesn't matter since we dedup via map)
+		foundCount := 0
+		for _, eid := range expectedIDs {
+			for _, id := range ids {
+				if id == eid {
+					foundCount++
+					break
+				}
+			}
+		}
+		return foundCount == len(expectedIDs) && len(ids) == len(expectedIDs)
+	})).Return([]domain.Tenant{
+		{ID: "t-direct-1", Name: "Direct Tenant"},
+		{ID: "t-inherited-1", Name: "Inherited Tenant 1"},
+		{ID: "t-inherited-2", Name: "Inherited Tenant 2"},
+	}, nil)
+
+	// Execute
+	tenants, err := svc.ListManageableTenants(ctx, userID)
+
+	// Verify
+	assert.NoError(t, err)
+	assert.Len(t, tenants, 3)
+	mockKeto.AssertExpectations(t)
+	mockRepo.AssertExpectations(t)
+}
--- a/backend/internal/service/tenant_service.go
+++ b/backend/internal/service/tenant_service.go
@@ -18,8 +18,12 @@ type TenantService interface {
 	GetTenantByDomain(ctx context.Context, emailDomain string) (*domain.Tenant, error)
 	GetTenantBySlug(ctx context.Context, slug string) (*domain.Tenant, error)
 	GetTenant(ctx context.Context, id string) (*domain.Tenant, error)
+	ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error)
 	ApproveTenant(ctx context.Context, id string) error
 	SetKetoService(keto KetoService) // 추가
+	AddTenantAdmin(ctx context.Context, tenantID, userID string) error
+	RemoveTenantAdmin(ctx context.Context, tenantID, userID string) error
+	ListTenantAdmins(ctx context.Context, tenantID string) ([]string, error)
 }

 type tenantService struct {
@@ -39,6 +43,60 @@ func (s *tenantService) GetTenant(ctx context.Context, id string) (*domain.Tenan
 	return s.repo.FindByID(ctx, id)
 }

+func (s *tenantService) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
+	if s.keto == nil {
+		return nil, errors.New("keto service not initialized")
+	}
+
+	// 1. Get directly managed tenants
+	directTenantIDs, err := s.keto.ListObjects(ctx, "Tenant", "admins", userID)
+	if err != nil {
+		slog.Error("Failed to list directly managed tenants from Keto", "userID", userID, "error", err)
+	}
+
+	// 2. Get managed tenant groups
+	groupIDs, err := s.keto.ListObjects(ctx, "TenantGroup", "admins", userID)
+	if err != nil {
+		slog.Error("Failed to list managed tenant groups from Keto", "userID", userID, "error", err)
+	}
+
+	// 3. Get tenants belonging to those groups
+	var groupInheritedTenantIDs []string
+	for _, groupID := range groupIDs {
+		// In Keto, we defined: Tenant#parent_group@TenantGroup:GroupID#_
+		// To find tenants in a group, we look for relations where namespace=Tenant, relation=parent_group, subject=TenantGroup:GroupID#_
+		// Wait, my ListObjects lists objects given a subject.
+		// So subject="TenantGroup:"+groupID+"#_"
+		// Object is Tenant ID.
+		ts, err := s.keto.ListRelations(ctx, "Tenant", "", "parent_group", "TenantGroup:"+groupID)
+		if err == nil {
+			for _, t := range ts {
+				groupInheritedTenantIDs = append(groupInheritedTenantIDs, t.Object)
+			}
+		}
+	}
+
+	// Combine and deduplicate IDs
+	allIDsMap := make(map[string]bool)
+	for _, id := range directTenantIDs {
+		allIDsMap[id] = true
+	}
+	for _, id := range groupInheritedTenantIDs {
+		allIDsMap[id] = true
+	}
+
+	allIDs := make([]string, 0, len(allIDsMap))
+	for id := range allIDsMap {
+		allIDs = append(allIDs, id)
+	}
+
+	if len(allIDs) == 0 {
+		return []domain.Tenant{}, nil
+	}
+
+	return s.repo.FindByIDs(ctx, allIDs)
+}
+
 func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, description string, domains []string) (*domain.Tenant, error) {
 	// Validate Slug
 	if ok, msg := utils.ValidateSlug(slug); !ok {
@@ -153,3 +211,35 @@ func (s *tenantService) GetTenantByDomain(ctx context.Context, emailDomain strin
 func (s *tenantService) GetTenantBySlug(ctx context.Context, slug string) (*domain.Tenant, error) {
 	return s.repo.FindBySlug(ctx, slug)
 }
+
+func (s *tenantService) AddTenantAdmin(ctx context.Context, tenantID, userID string) error {
+	if s.keto == nil {
+		return errors.New("keto service not initialized")
+	}
+	return s.keto.CreateRelation(ctx, "Tenant", tenantID, "admins", "User:"+userID)
+}
+
+func (s *tenantService) RemoveTenantAdmin(ctx context.Context, tenantID, userID string) error {
+	if s.keto == nil {
+		return errors.New("keto service not initialized")
+	}
+	return s.keto.DeleteRelation(ctx, "Tenant", tenantID, "admins", "User:"+userID)
+}
+
+func (s *tenantService) ListTenantAdmins(ctx context.Context, tenantID string) ([]string, error) {
+	if s.keto == nil {
+		return nil, errors.New("keto service not initialized")
+	}
+	tuples, err := s.keto.ListRelations(ctx, "Tenant", tenantID, "admins", "")
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]string, 0, len(tuples))
+	for _, t := range tuples {
+		if len(t.SubjectID) > 5 && t.SubjectID[:5] == "User:" {
+			userIDs = append(userIDs, t.SubjectID[5:])
+		}
+	}
+	return userIDs, nil
+}
--- a/backend/internal/utils/env.go
+++ b/backend/internal/utils/env.go
@@ -0,0 +1,22 @@
+package utils
+
+import (
+	"os"
+	"strings"
+)
+
+// GetEnv retrieves the value of the environment variable named by the key.
+// It returns the value if it exists, otherwise it returns the fallback value.
+// It automatically strips surrounding double quotes from the value.
+func GetEnv(key, fallback string) string {
+	v := os.Getenv(key)
+	if v == "" {
+		return fallback
+	}
+	// Strip surrounding double quotes if present
+	v = strings.TrimSpace(v)
+	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
+		return v[1 : len(v)-1]
+	}
+	return v
+}