Hi -
We're wanting to use Keycloak as our IdP but aren't fully able to allow
users to register since we need to use an existing application to do this.
I need to be able to allow the legacy application to do the following
within the realm:
* Create user
* Reset user password
I'm wanting to avoid giving the application permissions to assign roles,
etc. that it ought not be able to. Fine-grained permissions looked promising
but it appears that approach won't work since there's no fine-grained
'create user' type permission (that I can tell). As such, I'm stuck using
the all powerful 'manage-users' role of the realm-management client.
Any ideas for alternative approaches to explore? Afraid I might be swimming
upstream here and need to just bite off user registration the correct way...
Thanks!
Josh