We should investigate following scenario and possibly mitigate it.

originally tested by @bickelj

1. Created users
2. Created two groups, test-group and test-group-admin
3. Created a permission to view, view members, manage on the test-group using a policy of checking whether a user is in the test-group-admin group.
4. Verified that the member of one user in test-group-admin was able to list test-group via curl .../admin/realms/the-realm/groups/[group-uuid]/members using a token from the-realm (rather than master realm token).
5. Found the call in Firefox dev tools that did the PUT /admin... from (3).
6. Made a call (using a master realm admin token) using cURL substituting the Organization X UUID in place of the Group test-users UUID to replace that permission. This call succeeded with 201 Created.
7. Tried to list the organization members like (4) above as the user, because (6) essentially said "members of the test-group-admin should be able to view organization X members". Got a 403 Forbidden 😞.
8. Looked in the Admin UI and the modified permission now shows up as applying to All groups 🤔.
9. Tried a call to list members of the test-group (I should not have permission to do this) using a realm token for the user in test-group-admin, basically a repeat of (4). This should not have worked because I used the Organization X UUID to replace the rule from (3). But it actually succeeded 😱. So by substituting Organization X UUID I accidentally elevated the privileges of test-group-admin users to be able to do all those things in the permissions to all groups! This does not seem good to me, how about to you?

Originally posted by @bickelj in #37133 (reply in thread)