I’m trying to solve a use-case where a user can manage and add only users from / to a dedicated group.
This is the setup so far:
I’ve created Group-x and group-x-admin.
A group policy has been added to group-x for group-admin with the scopes manage, manage-members, manage-membership, view-members.
This works insofar as the user in group-admin can view / change only users from group-x.
However, this configuration doesn’t allow adding a new user.
If I assign the role manage-user to the user in group-admin, or the group itself, all users from the entire realm are visible.
How can I make it so that the user can add a new user to the group and see only the group’s users?