[keycloak-user] Allow Client to Create User in Realm without Granting manage-users Role from realm-management

[Josh Harness]

Hi -

We're wanting to use keycloak as our IdP but aren't fully able to allow
users to register since we need to use an existing application to do this.
I need to be able to allow the legacy application to do the following
within the realm:

* Create user
* Reset user password

I'm wanting to avoid giving the application permissions to assign roles,
etc that it ought not be able to. Fine grained permissions looked promising
but it appears that approach won't work since there's no fine-grained
'create user' type permission (that I can tell). As such, I'm stuck using
the all powerful 'manage-users' role of the realm-management client.

Any ideas for alternative approaches to explore? Afraid I might be swimming
upstream here and need to just bite off user registration the correct way...

Thanks!

Josh