[keycloak-user] ClientRole Import/Export , Get all ClientRoles of an User, Sharing Authorization

Hello, I have 3 questions. 1. How can I export and import client roles? (Background: I have a client and created some roles, policies, permission... Now when I export the client the authorization data was not included, but I could export them separately. For client roles I could not find a way of exporting them separate. Some of the client roles are normal roles other are composite roles.) 2. How do I get all client roles of an user? (Background: When I look at the OIDC access token of an user, obviously somehow all client roles can be fetched for an specific user. I need to walk trough all client roles of an user. For realmRoles there exists an endpoint in Admin REST api, but for client roles only one to recieve the client roles of one specific client regarding the user. Is there some efficient way of getting an array of client roles or something similar?) 3. Can I restrict role-mapping rights of a user to some of the client roles? (Background: I want to enable an user to map existing client roles to other users. Give an user the right to share roles to others can be done this way [1]. But how can I ristrict this rights to only sharing particular roles? Is this possible? For instance we have 5 roles admin, share_resource1, access_resource1, share_resource2, access_resource2. A user with the role admin shall be able to map each of this roles to other user, user with share_resource1 shall only be able to map the role access_resource1 but non else, analog for resource2.) Thanks in advance for any response. Regards Lasse [1] https://lists.jboss.org/pipermail/keycloak-user/2017-November/012192.html