Policy use case: not sure how to use policies

I’m using Keycloak 21.0.1 with the --features=admin-fine-grained-authz flag enabled.
I have the following use case:

I have several groups in a realm:

  • group1
  • group2

and so on.

Users can be part of any group, but users who are part of the *-admin group should be able to view/manage users from the parent group only.
Now, I understand that this can be done using Permissions and Policies but I don’t quite understand how these should be configured to work properly.

What I did so far:

  • create a user and add it to group1-admin
  • give this user the following roles:
    • realm-management: query-users
    • realm-management: manage-users

(I would expect the above to not really be needed, since I could assign a “user-manager” role and create a policy.)

When the user logs in to the admin console for the specific realm (/admin/my-realm/console/), he has access to ALL the users in the realm, including the ones from other groups (group-2, etc.).

Then, I create a Group Policy in the realm-management client (Authorization → Policies) that specifies only users of the group-1 group: the is-group-1 policy.

That is the part I’m not sure I understand: where shall I use this policy to make sure that only users from group-1 are visible when the user logs in?
I tried to create a “Permission” bound to the “Users” resource and assigned the is-group-1 policy to it, but the user from group1 is still able to see users from other groups.