Fine grained Group Administration access

I am trying to have it so that only users in a specific group can ‘administer/manage’ another group.
I have enabled the tech preview functionality with -Dkeycloak.profile=preview.
I have then created the admin group, and created a role that allows query-group, and assigned it to this new group.

I have then created the new group and enabled permissions and set the group to be able to perform:

  • view
  • manage
  • view-members
  • manage-members
  • manage-membership

And then, logging in as a user in that admin group, I can see the list of groups and can only access the one I'm supposed to. But then going to Members I only see the list, but cannot add new members.

So I then gave the permissions to query-users and view-users.
Then go into the users list, and view groups for any user, but I still cannot add the group to any users.

Has anyone been able to get this functionality working?


I am running Keycloak 10.0.2

I should add if I give the permission manage-members, it works as expected in that I can modify the user in the group.

This isn't the functionality I am after though, in that I want to just be able to add or remove any user to this particular group, so it just seems to be an issue with the manage-membership role/permission.