[keycloak-user] Configure authorization to only allow subset of user management actions?

I've got a client application that wants to be able to remotely trigger the password reset flow for some users. I see the execute-actions-email endpoint on the user resource but it looks like the only permission check present looks to see if that client has full management access for that user or not. I don't want to allow the possibility of the client managing other aspects of the user. Is there any way I can restrict this client to only trigger the update password action or would I be better off adding my own RealmResourceProvider for this?