[keycloak-dev] Restrict admins to only allow granting roles they are privileged to

[Stian Thorgersen]

I propose we add a check when an admin wants to grant a role. For a admin to be allowed to grant a role the admin either has to have the admin/realm-admin role or have the role itself. This prevents admins from adding more privileges to themselves than they already have and would also be a way to allow admins that can only manage roles for specific applications.

This should be a simple fix. In the future I think we may need to re-design how we map permissions for Keycloak. I'm really not that happy with the realm apps and such, it's messy and not flexible enough.