Make Groups read-only while allowing to create Users


I am trying to restrict the user of the realm to the following actions:

  • create / modify / delete users
  • assign users to a group
  • filter users by group
  • have READ-ONLY view of the groups, not being able to modify or create.

I succeeded with all functionality but the last one. It seems that the only way to make user creation possible is to assign manage-users role to a user, which unfortunately also enables group modification.

I even tried to achieve it with fine-grained permissions (which work very nicely for group management), but the same problem appears: the only way to allow user creation is to assign “manage-users” role, which comes with the ability to modify groups, which I don’t want.

Am I missing something?!
Any help will be greatly appreciated!



Hi all,
I have the same question or problem:
I would like to have a user or group of users, let’s call them group-admins. These group-admins should view/manage members of an another group (only this group) let’s call them group-users. Everything works fine with fine-grained permissions, except the problem that group-admins cannot create new users without the realm-management/manage-users role, but with this they can see every user and every group. They can change each attribute of every user, even change e.g. the password of the realm-admin etc…
So I insist to have these group-admins without the manage-users role,
but then how can they create new users?

I would be interested in any alternative solutions! I am already thinking on implementing a separate back-end service (UserCreator) which has the manage-users role (and therefore can create users via admin-rest api), but authenticating with client secret. It just sounds complicated and I cannot believe there is no simpler solution for this problem in a well thought and mature system like Keycloak.
I am also surprised that no one has brought a simple solution for this problem in the past years.

1 Like

I’m also experiencing this issue and would rather not make my own solution for user management. Would really love an update on this.

1 Like