Hi,
currently I’m struggling a bit with roles assigned directly to a user and indirectly via a
group the user belongs to.
This is my scenario:
Role „admin“, which is a composite role and has the roles „impersonation, manage-users, view-users“ from client „realm-management“ assigned.
Group „admins“, to which the role „admin“ is assigned.
If I assign the „admin“ role to a user in „myRealm“, the user is able to get a list
of all users via the HTTP REST call „/auth/admin/realms/myRealm/users“.
If I now remove this role from the user and have the user join the group „admins“, the user
should also have the „impersonation, manage-users, view-users“ client roles, as far as I
understand it. The decoded access token also contains all the roles. But when
the user now calls the above-mentioned HTTP REST call, a 403 Forbidden response is
returned.
What am I missing?
Am I doing something wrong?
Or is Keycloak not evaluating the roles correctly?
Any help is appreciated!
regards,
- Niko
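As an added example (not part of Niko's post or of Keycloak itself), a small Python helper that decodes an access token and reports which of the realm-management client roles named above are missing from it, so the token from the direct-assignment case can be compared with the one from the group case. It assumes Keycloak's standard `resource_access` claim layout; the sample tokens are constructed, unsigned ones built inline.

```python
import base64
import json

# Client roles the post says the composite "admin" role carries.
REQUIRED_ROLES = {"impersonation", "manage-users", "view-users"}
CLIENT_ID = "realm-management"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT. The signature is NOT checked: use this
    only to inspect a token you already hold, as when debugging a 403."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # JWT segments drop base64url padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def client_roles(claims: dict, client_id: str = CLIENT_ID) -> set:
    """Roles for one client from Keycloak's resource_access claim."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def missing_roles(claims: dict, required: set = REQUIRED_ROLES) -> set:
    """Required realm-management roles absent from the token (empty set if all present)."""
    return required - client_roles(claims)


def constructed_token(claims: dict) -> str:
    """Unsigned JWT built from the claims; constructed here for offline use only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: roles inherited via the "admins" group, all present.
VIA_GROUP = constructed_token(
    {"realm_access": {"roles": ["admin"]},
     "resource_access": {CLIENT_ID: {"roles": sorted(REQUIRED_ROLES)}}})

# Constructed sample: one of the three client roles is absent from the token.
INCOMPLETE = constructed_token(
    {"realm_access": {"roles": ["admin"]},
     "resource_access": {CLIENT_ID: {"roles": ["impersonation", "view-users"]}}})

if __name__ == "__main__":
    for name, tok in (("via group", VIA_GROUP), ("incomplete", INCOMPLETE)):
        print(name, "missing:", missing_roles(decode_jwt_payload(tok)) or "none")
```

Run it against a real token from each scenario to see whether the group-derived token actually carries the same realm-management roles as the directly assigned one.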