Manage-users role enables assigning more privileged role to self


I’m seeing behavior in Keycloak 23.0.6 that seems to contradict the documentation where it states the following:
Admins with the manage-users role will only be able to assign admin roles to users that they themselves have. So, if an admin has the manage-users role but doesn’t have the manage-realm role, they will not be able to assign this role.

I’ve been testing this behavior out and found that if I assign ‘manage-users’ role to user SupportUser (where SupportUser has these roles:
view-users )

SupportUser is able to assign themselves higher permissioned roles like manage-realm. Keycloak 24.0.2 functions as I would expect (blocks a user from assigning a role greater than a role they themselves have). I wanted to check and see if this is a known issue with 23.0.6 that was in fact fixed OR if there is something wrong with our current 23.0.6 deployment. We will likely be upgrading anyways but I am hoping to get a definitive answer as to whether this was a bug.


The best resource to check if this is/was a bug is to check the issues and commits of the Keycloak project.