Display only accessible clients in Applications page of Account Console


I have a requirement to display the list of only accessible applications (Clients) on Applications page of Account Console of a certain user.

I implemented settings as follows, unfortunately not only accessible clients but other clients are also displayed on the Applications screen. Could you give me some suggestion to limit display to only accessible clients?

  • Create clients for every applications in realm. I set “Always Display in Console” to ON display clients on the Applications screen of Account Console. I also created a Client roles to assign to the Group. Please refer my setting in the end of this message.
  • Create a Group and assign the Client Roles of the target Client.
  • Created users and joined the Group.
    "clientId": "keycloak-test",
    "rootUrl": "",
    "baseUrl": "https://keyloak-test.xx.yy",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": true,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": false,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": true,
    "protocol": "saml",
    "attributes": {
        "saml.force.post.binding": "true",
        "saml.multivalued.roles": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "use.refresh.tokens": "true",
        "saml.signing.certificate": "the hashed string",
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "false",
        "client_credentials.use_refresh_token": "false",
        "saml.signature.algorithm": "RSA_SHA256",
        "require.pushed.authorization.requests": "false",
        "saml.client.signature": "false",
        "saml.signing.private.key": "the hashed string",
        "id.token.as.detached.signature": "false",
        "saml.assertion.signature": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "true",
        "exclude.session.state.from.auth.response": "false",
        "saml.artifact.binding.identifier": "the hashed string",
        "saml.artifact.binding": "false",
        "saml_force_name_id_format": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "true",
        "display.on.consent.screen": "true",
        "saml_name_id_format": "username",
        "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
        "saml.onetimeuse.condition": "false"
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": false,
    "nodeReRegistrationTimeout": -1,
    "defaultClientScopes": [
    "optionalClientScopes": [],
    "access": {
        "view": true,
        "configure": true,
        "manage": true