Let's say I'm using one realm `mycomp` in Keycloak to handle all users (+ `master` realm for Keycloak superadmin).
I have a role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant `realm-management` permissions like `manage-users` or `view-users` to any user in 3 ways:
- assign directly
- by creating a composite role for CS
- by creating a group with and adding CS there
The problem is that, given `manage-users` rights, CS ends up being able to manage roles and groups, so it is able to grant other users management permissions. That's not valid for my config - it is a role of some higher-level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?