[keycloak-user] Configure authorization to only allow subset of user management actions?

Jared Blashka jblashka at redhat.com
Wed Apr 17 16:00:48 EDT 2019


I've got a client application that wants to be able to remotely trigger the
password reset flow for some users. I see the execute-actions-email
endpoint on the user resource but it looks like the only permission check
present looks to see if that client has full management access for that
user or not. I don't want to allow the possibility of the client managing
other aspects of the user. Is there any way I can restrict this client to
only trigger the update password action or would I be better off adding my
own RealmResourceProvider for this?

