[keycloak-user] Doubts regarding fine grained permission on groups

[Rafael Weingärtner]

Hello Keycloak community,
We seem to have stumbled across a feature that we do not fully understand
(after reading and re-reading, and testing). Could somebody help to clarify
the design of this feature?

When enabling fine grained group permissions, we see the option to assign
the scope "manage" to users in specific groups. According to our
understand, this scope would allow us to create the "role" of users
("group-admins") to manage (update user information, reset credentials,
enable/disable) other users in the same group; users with this "role" would
also not be able to see the other users in the realm that are not assigned
to the group where they have this special permissions. Therefore, the
actions of creating and removing users would still be restricted to the
manage-users permission that can be set to "user-managers" in the whole
realm.

During our tests, we noticed the the users that receive the "manage" scope
permission in a group are able to delete users of the group. Is this the
expected behavior? After noticing this, we also thought that they would
then be able to create users in the group (if they can remove, why not
enabling them to create as well?); however, these users are not able to
create other users in the group that they have permission to manage (even
when assigning explicitly the group to the user being created). Is this a
bug? Or something that is not completely documented?

-- 
Rafael Weingärtner