I’m trying to restrict a user, User1, who has the realm-admin role, from being able to reset the password of another specific user, User2.
I was able to achieve this restriction using the Fine-Grained Admin Permissions (FGAP) feature by creating the appropriate permissions and policies. However, this only works if I remove the realm-admin role from User1 and instead assign the following sub-roles explicitly, with the manage-users role removed:
- view-users
- impersonation
- manage-authorization
- query-users
- view-realm
- query-clients
- view-events
- manage-identity-providers
- query-groups
- view-clients
- view-identity-providers
- manage-realm
- query-realms
- view-authorization
- manage-events
- manage-clients
- create-client
It appears that if manage-users is assigned to User1, it bypasses FGAP with the “manage” scope on the “User” resource, allowing them to reset passwords regardless of the policies in place.
Is this expected behavior?
What would be the recommended approach to restrict a user with the realm-admin role from resetting the password of a specific user like User2?
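One way to audit the situation described above, as an added example that is not part of the original post or of Keycloak: resolve an admin's effective realm-management roles through the composite-role tree and flag whether manage-users is reached. The role tree is a constructed sample shaped like the `composites` field of Keycloak's RoleRepresentation; the composite contents of the built-in roles are an assumption here and would in practice be fetched from the Admin REST API rather than hard-coded.

```python
"""Check which realm-management roles a Keycloak admin effectively holds.

Added example, not code from the post or from Keycloak. ROLES is a
constructed sample shaped like the "composites" field of Keycloak's
RoleRepresentation; the real tree would be read from the Admin REST API.
"""

# The sub-roles the post lists, plus manage-users, as realm-admin's composites.
REALM_ADMIN_COMPOSITES = [
    "view-users", "impersonation", "manage-authorization", "manage-users",
    "query-users", "view-realm", "query-clients", "view-events",
    "manage-identity-providers", "query-groups", "view-clients",
    "view-identity-providers", "manage-realm", "query-realms",
    "view-authorization", "manage-events", "manage-clients", "create-client",
]

# Constructed sample of the built-in "realm-management" client roles.
# realm-admin aggregates everything; manage-users and view-users are assumed
# to pull in the query-* roles; roles not listed here are treated as leaves.
ROLES = {
    "realm-admin": {"composites": {"client": {"realm-management": REALM_ADMIN_COMPOSITES}}},
    "manage-users": {"composites": {"client": {"realm-management": ["query-users", "query-groups"]}}},
    "view-users": {"composites": {"client": {"realm-management": ["query-users", "query-groups"]}}},
    "view-clients": {"composites": {"client": {"realm-management": ["query-clients"]}}},
}


def effective_roles(assigned, roles=ROLES):
    """Expand composite roles transitively; the visited set guards against cycles."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        children = roles.get(role, {}).get("composites", {}).get("client", {})
        stack.extend(children.get("realm-management", []))
    return seen


def grants_manage_users(assigned, roles=ROLES):
    """True if the admin ends up holding manage-users, the role the post found to bypass FGAP."""
    return "manage-users" in effective_roles(assigned, roles)


def realm_admin_without_manage_users(roles=ROLES):
    """The explicit sub-role set the post assigned instead of realm-admin."""
    direct = roles["realm-admin"]["composites"]["client"]["realm-management"]
    return sorted(r for r in direct if r != "manage-users")


if __name__ == "__main__":
    reduced = realm_admin_without_manage_users()
    print("realm-admin grants manage-users:", grants_manage_users({"realm-admin"}))
    print("reduced set grants manage-users:", grants_manage_users(reduced))
    print("reduced set still reaches query-users:", "query-users" in effective_roles(reduced))
```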