Make Groups read-only while allowing to create Users

Greetings,

I am trying to restrict the user of the realm to the following actions:

  • create / modify / delete users
  • assign users to a group
  • filter users by group
  • have READ-ONLY view of the groups, not being able to modify or create.

I succeeded with all functionality but the last one. It seems that the only way to make user creation possible is to assign manage-users role to a user, which unfortunately also enables group modification.

I even tried to achieve it with fine-grained permissions (which work very nicely for group management), but the same problem appears: the only way to allow user creation is to assign “manage-users” role, which comes with the ability to modify groups, which I don’t want.

Am I missing something?!
Any help will be greatly appreciated!

Ksenia.


Hi all,
I have the same question or problem:
I would like to have a user or group of users, let’s call them group-admins. These group-admins should view/manage members of another group (only this group), let’s call them group-users. Everything works fine with fine-grained permissions, except the problem that group-admins cannot create new users without the realm-management/manage-users role, but with this they can see every user and every group. They can change each attribute of every user, even change e.g. the password of the realm-admin etc…
So I insist on having these group-admins without the manage-users role,
but then how can they create new users?

I would be interested in any alternative solutions! I am already thinking of implementing a separate back-end service (UserCreator) which has the manage-users role (and therefore can create users via the admin REST API), but authenticating with a client secret. It just sounds complicated and I cannot believe there is no simpler solution for this problem in a well-thought-out and mature system like Keycloak.
I am also surprised that no one has brought a simple solution for this problem in the past years.
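As an added illustration of the UserCreator idea in the post above (not the poster's code and not part of Keycloak), here is a minimal broker in Python: the service itself holds manage-users via a confidential client, and exposes only "create a user inside a delegated group" to callers, so the group-admins never receive the role. The base URL, realm name and group id are assumed placeholders.

```python
"""Broker that owns manage-users and only creates users inside an allow-listed group."""
from __future__ import annotations
import json
import urllib.parse
import urllib.request

KEYCLOAK = "https://keycloak.example.com"   # assumed base URL
REALM = "myrealm"                            # assumed realm
# Allow-list of groups the broker may touch, name -> group id (constructed id).
ALLOWED_GROUPS = {"group-users": "00000000-0000-4000-8000-000000000001"}


def build_token_request(client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Client-credentials grant against the realm token endpoint (form-encoded POST)."""
    url = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return url, body


def build_create_user(username: str, email: str, group_name: str) -> tuple[str, dict]:
    """Validate against the allow-list, then build the POST /users call.
    The broker, not the caller, decides which groups are reachable."""
    if group_name not in ALLOWED_GROUPS:
        raise PermissionError(f"group {group_name!r} is not delegated to this service")
    if not username or any(c in username for c in "/\\ "):
        raise ValueError("invalid username")
    rep = {"username": username, "email": email, "enabled": True}
    return f"{KEYCLOAK}/admin/realms/{REALM}/users", rep


def build_group_membership(user_id: str, group_name: str) -> str:
    """PUT /users/{id}/groups/{groupId} adds the new user to the delegated group."""
    group_id = ALLOWED_GROUPS[group_name]
    return f"{KEYCLOAK}/admin/realms/{REALM}/users/{user_id}/groups/{group_id}"


def _call(url: str, token: str, method: str, body: bytes | None = None):
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    return urllib.request.urlopen(req)


def create_user_in_group(token: str, username: str, email: str, group_name: str) -> str:
    """Create the user, then add it to the group; returns the new user id from Location."""
    url, rep = build_create_user(username, email, group_name)
    with _call(url, token, "POST", json.dumps(rep).encode()) as resp:
        user_id = resp.headers["Location"].rsplit("/", 1)[-1]
    _call(build_group_membership(user_id, group_name), token, "PUT").close()
    return user_id
```

The group-admins then authenticate to this service (with their own non-privileged accounts), and the service is the only principal in the realm that carries manage-users.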

Hi,
I’m also experiencing this issue and would rather not make my own solution for user management. Would really love an update on this.