Hi,
I need to create a group in the master realm, where any user in this group can do
manage-users for any other user belonging to the group. Users in this group will not be able
to manage any other user (for example, the master realm's admin user).
I need this kind of facility to work around the issue of the ever-growing access token
mentioned in https://issues.jboss.org/browse/KEYCLOAK-1268
My idea is to have a separate group in the master realm who will have view-users,
create-realm and manage-user permissions (but they should be able to manage other
co-users in this group alone). Once a new realm is created, the user who created it becomes the
default admin in the newly provisioned realm. After creating the realm, the logged-in user
will appoint a new user (belonging to the new realm) as the admin and relinquish his own
rights to be the admin of the new realm (thus keeping his own auth token size at
bay).
But since the user who created the realm belongs to the master realm and has manage-user
access, I would like to ensure that this user does not inadvertently or intentionally mess
up the master realm's admin users' access.
Can someone guide me on how to set up a group which has restricted manage-user access (i.e.
perform manage users for group members alone)?
Regards,
Madhu