Is it possible to limit the available groups that a user with the manage-membership permission can assign to other users?
The scenario:
I have a Keycloak instance with one sub-realm. There are multiple groups (companies) that are allowed to open the security-admin-console for this realm. I have 3 additional groups: admin, poweruser, user. I want powerusers to be able to create new users and assign them -> only <- to the group (company) they themselves belong to. With the manage-membership permission they are able to assign new users to all groups, even the admin group.
Is such a restriction possible or do I have to change my underlying concept?
Thanks, Marc