Fine Grained Group Administration Management


I have a Keycloak instance with one realm. There are multiple groups (companies) that are allowed to open the security-admin-console for this realm. Each group will have a sub-group named ‘admins’. I want users under the ‘admins’ sub-group to be able to view, manage and create new users in the admin console and assign them only to the group that they themselves belong to. I have enabled the tech preview functionality with -Dkeycloak.profile=preview.

I created a role named ‘group-admins’ in the realm roles and assigned to it the following roles of the realm-management client: view-users, query-users, manage-users and view-events. I then assigned the role to the sub-group ‘admins’ of the main group. The problem is that the users in the ‘admins’ sub-group are able to see other groups, users and events instead of only their own group. Is there any way of limiting the visibility so that they can see only their group instead of it being global (the entire realm)?
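The role and group setup described in the question, reproduced as a script for the Keycloak admin CLI (kcadm.sh) so it can be rebuilt or reviewed without clicking through the admin console. This is an added example, not code from the original post or from Keycloak; the realm name "myrealm", the company group "acme", the server URL, the admin user name and the KEYCLOAK_ADMIN_PASSWORD variable are assumptions, since the post does not give them.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the 'group-admins'
# role and the company/admins group structure with the Keycloak admin CLI.
# Assumed values (not given in the post): realm, company group, server URL,
# master-realm admin user and the KEYCLOAK_ADMIN_PASSWORD environment variable.
set -eu

KCADM="${KCADM:-kcadm.sh}"
SERVER="${SERVER:-http://localhost:8080/auth}"
REALM="${REALM:-myrealm}"
COMPANY="${COMPANY:-acme}"
ROLE="${ROLE:-group-admins}"
ADMIN_USER="${ADMIN_USER:-admin}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each kcadm command instead of running it

# Run a kcadm command, or print it when DRY_RUN=1.
kc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s' "$KCADM"; printf ' %s' "$@"; printf '\n'
  else
    "$KCADM" "$@"
  fi
}

# Create a resource and return its id on stdout (kcadm's -i flag prints only the id).
# In dry-run mode the command goes to stderr and a placeholder id is returned.
kc_create_id() {
  if [ "$DRY_RUN" = "1" ]; then
    kc create "$@" -i >&2
    printf 'dry-run-id\n'
  else
    "$KCADM" create "$@" -i
  fi
}

# Authenticate against the master realm; the password comes from the
# environment rather than being hard-coded in the script.
login() {
  kc config credentials --server "$SERVER" --realm master \
     --user "$ADMIN_USER" \
     --password "${KEYCLOAK_ADMIN_PASSWORD:?set KEYCLOAK_ADMIN_PASSWORD}"
}

# 1. Realm role 'group-admins', made composite of the realm-management
#    client roles listed in the question.
create_group_admin_role() {
  kc create roles -r "$REALM" -s "name=$ROLE" \
     -s "description=Admins of one company group"
  kc add-roles -r "$REALM" --rname "$ROLE" --cclientid realm-management \
     --rolename view-users --rolename query-users \
     --rolename manage-users --rolename view-events
}

# 2. Company group with an 'admins' sub-group; prints the sub-group id.
create_company_groups() {
  parent_id=$(kc_create_id groups -r "$REALM" -s "name=$COMPANY")
  kc_create_id "groups/$parent_id/children" -r "$REALM" -s name=admins
}

# 3. Map the realm role onto the 'admins' sub-group by its id.
assign_role_to_subgroup() {
  kc add-roles -r "$REALM" --gid "$1" --rolename "$ROLE"
}

setup_group_admins() {
  login
  create_group_admin_role
  admins_id=$(create_company_groups)
  assign_role_to_subgroup "$admins_id"
}

# Usage: KEYCLOAK_ADMIN_PASSWORD=... sh group_admins.sh apply
#        DRY_RUN=1 KEYCLOAK_ADMIN_PASSWORD=x sh group_admins.sh apply   (print only)
case "${1:-}" in
  apply) setup_group_admins ;;
esac
```

Run with DRY_RUN=1 first to inspect the exact kcadm invocations. Note that nothing in this mapping names a group: the realm-management client roles (view-users, query-users, manage-users, view-events) are realm-wide, which is consistent with the behaviour the post describes. Restricting a group's administrators to their own group is what the preview-profile fine-grained admin permissions are for, rather than a different combination of realm-management roles.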