Hello,
I have been trying to fine-grain user federation out of the "manage-realm"
role, in order to allow a user to add a user storage (LDAP or Kerberos)
without giving all the capabilities that manage-realm provides.
My use case is that I would like to have admins that are capable of
configuring their own user storage, but unable to change how the clients'
authorization flows work.
"manage-realm" gives capabilities like renaming the whole realm, which
would also change the authorization endpoints in that realm.
After several attempts at adding a custom resource with the Keycloak
URI that returned HTTP status 403 Forbidden
(/auth/admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider),
I realized that this might not be an available feature; reading the full
list of permissions in the link below confirmed my doubts.
https://www.keycloak.org/docs/7.0/server_admin/#_fine_grain_permissions
Is what I am trying to accomplish somehow possible already? If not, I
would like to understand why user federation is tied to the "manage-realm"
role. Perhaps my scenario does not make sense in the context of the
Keycloak architecture.
So far the only option I believe I have left is to build a client with a
service account that has the "manage-realm" role; then I can use the
Keycloak REST API to manage the user storages, and create custom
permissions towards my client endpoints to authorize the users. The
downside of this approach is that the events produced will be registered
as coming from the service account in my client instead of the user
himself.
Best Regards
Leonardo
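The workaround sketched in the post, driving the Keycloak admin REST API from a service-account client, as an added example that is not part of the original message and not Keycloak project code. It assumes (constructed, not from the post) that the client holds the "manage-realm" role, that its base URL, realm, id and secret arrive via environment variables named KC_BASE_URL, KC_REALM, KC_CLIENT_ID and KC_CLIENT_SECRET, and that the "/auth" context path matches the URI quoted in the post. It also keeps a local audit line naming the real caller, since Keycloak's own admin events will show the service account as the actor, which is the downside the post describes.

```python
"""Added example (not from the original post or the Keycloak project):
manage user storage components through the Keycloak admin REST API using a
service-account client with the "manage-realm" role. Standard library only.
Names of environment variables and sample hosts are constructed assumptions.
"""
import json
import os
import urllib.parse
import urllib.request

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"


def token_request(base_url, realm, client_id, client_secret):
    """Client-credentials request that yields the service account's token."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def components_url(base_url, realm, provider_type=USER_STORAGE_TYPE):
    """The components endpoint quoted in the post, filtered to user storage."""
    query = urllib.parse.urlencode({"type": provider_type})
    return f"{base_url}/auth/admin/realms/{realm}/components?{query}"


def ldap_component(name, connection_url, users_dn, bind_dn, bind_credential):
    """Component representation for a read-only LDAP user storage provider.
    Keycloak stores every component config value as a list of strings."""
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": USER_STORAGE_TYPE,
        "config": {
            "enabled": ["true"],
            "priority": ["0"],
            "editMode": ["READ_ONLY"],  # nothing is written back to the directory
            "vendor": ["other"],
            "authType": ["simple"],
            "connectionUrl": [connection_url],
            "usersDn": [users_dn],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["entryUUID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
        },
    }


def admin_request(url, token, method="GET", payload=None):
    """Bearer-authenticated request against the admin API."""
    data = None if payload is None else json.dumps(payload).encode()
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, method=method, headers=headers)


def audit_line(acting_user, method, url):
    """Local audit record naming the real caller. Keycloak's admin events will
    attribute the change to the service account, so the calling service keeps
    its own trail keyed on the end user it authorized."""
    return json.dumps({"actor": acting_user, "via": "service-account",
                       "method": method, "url": url}, sort_keys=True)


def fetch_json(request):
    """Perform the request; a 201 Created with an empty body yields None."""
    with urllib.request.urlopen(request) as resp:  # network call, not run offline
        return json.loads(resp.read() or b"null")


def main():
    base = os.environ["KC_BASE_URL"]  # e.g. https://keycloak.example.test (assumed)
    realm = os.environ["KC_REALM"]
    token = fetch_json(token_request(base, realm, os.environ["KC_CLIENT_ID"],
                                     os.environ["KC_CLIENT_SECRET"]))["access_token"]
    url = components_url(base, realm)
    # The acting user would come from the calling service's own authenticated session.
    print(audit_line(os.environ.get("ACTING_USER", "unknown"), "GET", url))
    for comp in fetch_json(admin_request(url, token)):
        print(comp["providerId"], comp["name"])


if __name__ == "__main__":
    main()
```

To create a storage rather than list one, POST `ldap_component(...)` to `components_url(base, realm)` through `admin_request(..., "POST", payload)`; the bind credential travels in the request body, so the channel must be TLS and the service-account secret should be scoped to the one client that fronts these calls.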