Current permissions are either view or manage on a realm, client, user, etc. Often this is not sufficient and there is a need to limit permissions.
- Can manage one client
- Can configure one client (same as manage minus scope and mappers)
- View or Manage users of a specific group
- Manage membership of a specific group
- Can allow just the mapping of roles for a user
- Can limit which roles can be assigned to a user, composite, or client scope
- Can define policies that specify which users can/cannot be impersonated
- Other authz-specific policies for viewing and managing users and groups
Fine-grained policies are described using Authorization Service policies and permissions.