Hello Keycloak community,
We seem to have stumbled across a feature that we do not fully understand
(after reading, re-reading, and testing). Could somebody help clarify the
design of this feature?
When enabling fine-grained group permissions, we see the option to assign
the scope "manage" to users in specific groups. According to our
understanding, this scope would allow us to create the "role" of users
("group-admins") that manage (update user information, reset credentials,
enable/disable) other users in the same group; users with this "role" would
also not be able to see the other users in the realm that are not assigned
to the group where they have these special permissions. Therefore, the
actions of creating and removing users would still be restricted to the
manage-users permission that can be set for "user-managers" in the whole
realm.
During our tests, we noticed that the users who receive the "manage" scope
permission in a group are able to delete users of the group. Is this the
expected behavior? After noticing this, we also thought that they would
then be able to create users in the group (if they can remove, why not
enable them to create as well?); however, these users are not able to
create other users in the group that they have permission to manage (even
when explicitly assigning the group to the user being created). Is this a
bug? Or something that is not completely documented?
--
Rafael Weingärtner
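A reproduction harness for the tests described in the message above, as an added example that is not part of the original post and not Keycloak's own code. It logs in as the group admin through the built-in admin-cli client, then exercises the four operations the message mentions (list users, update a group member, create a user with the group pre-assigned, delete a group member) against the Keycloak Admin REST API and reports the HTTP status of each call, so the two observations (delete allowed, create denied) can be checked on a given Keycloak version. Everything environment-specific is an assumption: the server URL, realm name, group path, usernames and passwords are placeholders read from environment variables, and the fine-grained "manage" scope on the group is assumed to have been granted already in the admin console. The delete step is destructive and only runs when KC_DO_DELETE=1.

```python
"""Probe what a group-scoped "manage" permission lets an admin do in Keycloak.

Added example; all connection details below are placeholders for a local test
realm, not values from the original message or from Keycloak itself.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

KC_URL = os.environ.get("KC_URL", "http://localhost:8080")       # assumed server
REALM = os.environ.get("KC_REALM", "test")                        # assumed realm
GROUP_PATH = os.environ.get("KC_GROUP_PATH", "/team-a")           # assumed group
GROUP_ADMIN = os.environ.get("KC_GROUP_ADMIN", "group-admin")     # has "manage" on the group
GROUP_ADMIN_PW = os.environ.get("KC_GROUP_ADMIN_PW", "secret")
TARGET_USER = os.environ.get("KC_TARGET_USER", "alice")           # member of GROUP_PATH
NEW_USER = os.environ.get("KC_NEW_USER", "bob-created-by-test")


def admin_url(realm, *parts):
    """Build an Admin REST API URL: /admin/realms/{realm}/<parts...>."""
    return f"{KC_URL}/admin/realms/{urllib.parse.quote(realm, safe='')}/" + "/".join(parts)


def new_user_payload(username, group_path):
    """UserRepresentation for POST /users; 'groups' takes group *paths*, not ids."""
    return {"username": username, "enabled": True, "groups": [group_path]}


def classify(status):
    """Map an HTTP status from the Admin API to the outcome a tester cares about."""
    if status in (200, 201, 204):
        return "allowed"
    if status == 403:
        return "forbidden"
    if status == 404:
        return "not found"
    return f"http {status}"


def call(method, url, token, body=None):
    """Send one bearer-authenticated Admin API request; never raise on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(realm, username, password):
    """Password grant against the realm's token endpoint using the admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{KC_URL}/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/token"
    req = urllib.request.Request(url, data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


def run_checks(token, do_delete=False):
    """Run the operations from the message in a safe order; destructive step last."""
    results = {}
    # 1. Visibility: which users does the group admin get back at all?
    status, body = call("GET", admin_url(REALM, "users"), token)
    users = json.loads(body) if status == 200 else []
    results["list users"] = (classify(status), sorted(u["username"] for u in users))
    target = next((u for u in users if u["username"] == TARGET_USER), None)
    # 2. Update a group member (PUT /users/{id} with the full representation).
    if target is not None:
        target["firstName"] = "Updated-by-group-admin"
        status, _ = call("PUT", admin_url(REALM, "users", target["id"]), token, target)
        results["update member"] = classify(status)
    # 3. Create a user with the managed group pre-assigned (the case the message asks about).
    status, _ = call("POST", admin_url(REALM, "users"), token, new_user_payload(NEW_USER, GROUP_PATH))
    results["create user in group"] = classify(status)
    # 4. Delete a group member (the case the message reports as allowed); opt-in only.
    if do_delete and target is not None:
        status, _ = call("DELETE", admin_url(REALM, "users", target["id"]), token)
        results["delete member"] = classify(status)
    return results


if __name__ == "__main__":
    tok = get_token(REALM, GROUP_ADMIN, GROUP_ADMIN_PW)
    for name, outcome in run_checks(tok, do_delete=os.environ.get("KC_DO_DELETE") == "1").items():
        print(f"{name:>22}: {outcome}")
```

The harness deliberately prints outcomes instead of asserting them, since the whole point of the question is that the expected semantics are unclear; comparing the printed "allowed"/"forbidden" lines for the create and delete steps across Keycloak versions, and against the same run with a token from a realm-level user-manager, is the quickest way to tell a documentation gap from a regression.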