Hello everyone.

I’m trying to solve a use-case where a user can manage and add only users from / to a dedicated group.

This is the setup so far:

I’ve created Group-x and group-x-admin.

A group policy has been added to group-x for group-admin with the scopes manage, manage-members, manage-membership, view-members.

This works so far that the user in group-admin can view / change only user from group-x.

Now, this configuration doesn’t allow to add a new user.

If I assign the role manage-user to the user in group-admin, or the group itself, all users from the entire realm are visible.

How can I achieve that the user can add a new user to the group and see only the group’s users?

Thank you!