We are running into a similar problem now. The issue is we would like to allow a non-admin client to "own" a group and be able to freely create and manage subgroups under it. With the current model, fine-grained permissions can be configured to allow this client to create subgroups, but since the child is created without fine-grained permissions enabled, and the client in question does not have realm-level privileges to configure fine-grained permissions globally, the newly created subgroup is effectively "lost" for that client -- they can see it as a subgroup when querying the parent, but they cannot query the subgroup, configure permissions on it, add/remove members, etc.

I understand that allowing inheritance would create additional complexity, but what about automatically cloning the parent's fine-grained permissions when creating subgroups? Wouldn't that be a sensible default? This would allow a client with permissions on parent create a child where they have the same permissions to start, without requiring them to have realm-level permission-management privileges.

@thw0rted imo this would be a possibility, but would create a lot of (maybe unnecessary) copies of the fine-grained permission settings. Also syncing changes on the parent would then again be complicated... and you would need a toggle during the creation of the subgroup whether you wanna create those settings or not.

Coming back to my intial idea and the feedback from @ssilvert it could be implemented like this:

• Add "inheritPermissionsFromParent" boolean flag on Group Entity. If set to true parent fine-grained permissions of this group are evaluated if the group itself does not have any for the scope requested
• During the evaluation of the permission on a subgroup, if the group does not have his own permissions configured for the scope requested, check for the parents if the flag is set (very pseudo code - just to demonstrate the idea):

const scope = 'manage_members'; // example
if (group.hasFineGrainedPermissionSettings(scope) {
  // evaluate group fine grained permission ...
} else if (group.inheritPermissionsFromParent()) {
  // check parents fine graind permissions
  let parent = group.getParent();
  while (parent != null) {
     if (parent.hasFineGrainedPermissionSettings(scope)) {
       // evaluate parent fine grained permission and return ...
     } else if (parent.inheritPermissionsFromParent()) {
       // check the grandparent
       parent = parent.getParent();
     } else {
       parent = null;
     }
  }
}
// return access denied

But as there is a discussion pending for Advanced Groups I am not sure if this topic is still that relevant...

Yes! This solution - an optional inheritance of the parents' permissions - would be great! We are dealing with a possibility to let some users administer a group, create subgroups and populate them, but the problem is that, everytime they create a child group, an admin needs to copy permissions there.

Seconding. Optional inheritance of the parents' permissions would indeed be great.

Optional inheritance would be absolutely essential for me as well.

This is still not supported as of keycloak 26.4. I opened a feature enhancement on it in #43865.