[keycloak-user] realm-management policies not affecting admin-console

Nils Wild nils.wild at sinnovate.de
Mon Jul 9 07:13:00 EDT 2018


Hi,

I think I got something wrong about how policies are supposed to work in 
Keycloak 4.1.0.Final.

I tried to configure a support group that has access to a certain group 
of customers but not all, so I created a new_user_group and a 
support_group (this group has realm-management roles to view and manage 
users so I can see those admin-console menus) and added policies, such 
that the support_group can only see and manage that group and users of 
that new_user_group but not those of old_user_group. Unfortunately, after 
logging in with a user of support_group I can see all users and groups, 
not only those of the new_user_group, when clicking "view all users".

I already used the Authorization Evaluator of the realm-management 
client. The funny thing is that if I choose the new user of the 
support_group and the old_user_group resource with view scope it 
correctly determines that access should be denied.

Am I missing something? Maybe the problem is that the new_support_group 
does have realm-management roles like view-users? But if I remove those 
roles I am not able to see any menu.

Nils


