[keycloak-user] Testing realm-management fine grain access control

M Foster fostdev at gmail.com
Wed Sep 11 22:01:31 EDT 2019


Hello,

I am testing Keycloak for deployment and one of the scenarios for adoption
is the ability for some users to manage their own group membership. I've
read through the Server Admin guide and it says that this functionality is
only available in a Technical Preview state.

I've enabled the tech preview mode and have enabled Permissions for a group
and now see the default scope names that appear under Groups > testgroup >
Permissions (view, manage, view-membership, view-members, manage-members,
manage-membership), which are part of the realm-management Authorization
section. This also creates a group resource "group.resource.<group_UUID>".
I've created a User Policy for a single user and then attached that policy
to the Keycloak created permission
"manage.membership.permission.group.<group_UUID>" as well as the
"group.resource.<group_UUID>". I've also assigned this test admin user the
query-groups, query-users, and view-users realm-management client roles, so
in theory if this user logs into the realm admin console, they should see
Groups and Users and be able to select a user and join them to the group in
the realm on which I enabled permissions and set the policy.

This all works, except the last bit: the "join" button is not visible in
the group tab of a user that I'd like to add to my test group.
Additionally, I can't manage the settings of any of the users. I have all
six permissions assigned to that User Policy, but still no go. Any ideas
what piece I'm missing?

Thanks.
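The setup described in the post (a group resource, six scope permissions, one user policy) is easier to reason about with a small model of how resource/scope/policy evaluation composes. The following is an added, constructed example, not Keycloak code and not its actual evaluation engine: it only shows that a policy attached to scope permissions of one group resource yields decisions for that resource alone, and says nothing about how the admin console decides to show the "join" button. The realm-level "Users" resource and its scopes, the group UUID and the user names are assumptions made for this model.

```python
from dataclasses import dataclass, field

# Scope names listed on the page under Groups > <group> > Permissions.
GROUP_SCOPES = ("view", "manage", "view-membership", "view-members",
                "manage-members", "manage-membership")
# Scopes assumed for a realm-level "Users" resource (constructed for this model).
USER_SCOPES = ("view", "manage")


@dataclass(frozen=True)
class UserPolicy:
    """A user policy: grants when the requesting user is in the listed set."""
    name: str
    users: frozenset

    def applies_to(self, user: str) -> bool:
        return user in self.users


@dataclass
class ScopePermission:
    """A scope-based permission: ties one resource and its scopes to policies."""
    name: str
    resource: str
    scopes: frozenset
    policies: list = field(default_factory=list)


@dataclass
class ResourceServer:
    resources: dict = field(default_factory=dict)   # resource name -> allowed scopes
    permissions: list = field(default_factory=list)

    def enable_group_permissions(self, group_uuid: str) -> dict:
        """Model turning on 'Permissions' for a group: one resource plus one
        scope permission per scope, named in the style shown on the page."""
        resource = f"group.resource.{group_uuid}"
        self.resources[resource] = frozenset(GROUP_SCOPES)
        created = {}
        for scope in GROUP_SCOPES:
            name = f"{scope.replace('-', '.')}.permission.group.{group_uuid}"
            perm = ScopePermission(name, resource, frozenset({scope}))
            self.permissions.append(perm)
            created[scope] = perm
        return created

    def is_granted(self, user: str, resource: str, scope: str) -> bool:
        """Grant only if a permission for exactly this resource covers the scope
        and at least one attached policy accepts the user."""
        if scope not in self.resources.get(resource, ()):
            return False
        return any(
            perm.resource == resource and scope in perm.scopes
            and any(p.applies_to(user) for p in perm.policies)
            for perm in self.permissions
        )

    def granted_scopes(self, user: str, resource: str) -> list:
        return sorted(s for s in self.resources.get(resource, ())
                      if self.is_granted(user, resource, s))


def scenario() -> dict:
    """Reproduce the post's setup: one group with all six scope permissions bound
    to a single-user policy, and a Users resource with no permission attached."""
    rs = ResourceServer()
    rs.resources["Users"] = frozenset(USER_SCOPES)   # assumed realm-level resource
    group_uuid = "11111111-2222-3333-4444-555555555555"  # constructed UUID
    perms = rs.enable_group_permissions(group_uuid)
    policy = UserPolicy("test-admin-only", frozenset({"test-admin"}))
    for perm in perms.values():
        perm.policies.append(policy)
    group = f"group.resource.{group_uuid}"
    return {
        "group_scopes_for_test_admin": rs.granted_scopes("test-admin", group),
        "group_scopes_for_other_user": rs.granted_scopes("alice", group),
        "user_scopes_for_test_admin": rs.granted_scopes("test-admin", "Users"),
        "other_group_for_test_admin": rs.granted_scopes("test-admin", "group.resource.other"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running it shows the policy user holding all six scopes on the enabled group and nothing on any other resource, which is the separation a troubleshooter needs to keep in mind: every resource whose scopes an operation touches needs its own permission with the policy attached.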

