Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled #43883

@joggeli34

Description

Area

authorization-services

Describe the bug

We are currently using a Keycloak image with KC_FEATURES=admin-fine-grained-authz:v1 enabled, as some of our realms rely on this feature. We are now migrating to Fine-Grained Admin Permissions v2 (FGAP v2) and have encountered an issue affecting realms that do not have any client configured with fine-grained permissions enabled.

When attempting to create a Group Policy for the Authorization Services of a client, using a service-account client with the following roles:

["manage-authorization", "view-users", "view-clients"]

the request works correctly when FGAP v1 is enabled.
However, once FGAP v1 is disabled, the same request fails unless we additionally grant the manage-clients role.

This behavior is unexpected, especially because the realm in question does not use fine-grained permissions for that client.

The API we call is:
/admin/realms/test-tenant/clients/59de9d5a-dffa-40f0-b59c-2576dc522bda/authz/resource-server/policy/group

Version

v26.4.2

Regression

  • The issue is a regression

Expected behavior

The same roles (manage-authorization, view-users, view-clients) should allow creation of a group policy regardless of whether FGAP V1 is enabled on the instance.

Actual behavior

When FGAP V1 is disabled, it additionally uses the manage-clients role.

How to Reproduce?

  • Create a client with "authorization" enabled and service-account enabled.
  • Assign the roles ["manage-authorization", "view-users", "view-clients"] to the service account.
  • Try to create a group policy via the API.
  • Test with KC_FEATURES=admin-fine-grained-authz:v1 and without it.

Anything else?

No response
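The reproduction steps above, scripted as an added example (this is not code from the issue or from the Keycloak project): it obtains a service-account token with the client-credentials grant, POSTs a minimal group policy to the endpoint named in the issue, and compares the HTTP status from a run with FGAP v1 enabled against a run without it. The base URL, realm, client id/secret, resource-server client UUID and group id are assumed placeholders read from the environment; the group-policy field names are assumed from the admin REST API representation.

```python
"""Check whether creating a group policy needs different roles with and
without FGAP v1. Added example, not the issue author's or Keycloak's code.
Assumed placeholders: KC_BASE_URL, KC_REALM, KC_CLIENT_ID, KC_CLIENT_SECRET,
KC_RS_CLIENT_UUID (client owning the resource server), KC_GROUP_ID."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def token_url(base_url, realm):
    # Standard OpenID Connect token endpoint of a Keycloak realm.
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def group_policy_url(base_url, realm, client_uuid):
    # Endpoint named in the issue, parameterised on realm and client UUID.
    return (f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"
            "/authz/resource-server/policy/group")


def group_policy_payload(name, group_id):
    # Minimal group policy representation (field names assumed from the
    # admin REST API; 'extendGroups' False means subgroups are not included).
    return {
        "name": name,
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "groups": [{"id": group_id, "extendGroups": False}],
    }


def service_account_token(base_url, realm, client_id, client_secret):
    # Client-credentials grant: the token carries the service account's
    # realm-management roles (manage-authorization, view-users, view-clients).
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url(base_url, realm), data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def try_create_group_policy(base_url, realm, client_uuid, token, name, group_id):
    """Return the HTTP status of the POST: 201 on success, 403 when the
    service account's roles are judged insufficient."""
    body = json.dumps(group_policy_payload(name, group_id)).encode()
    req = urllib.request.Request(
        group_policy_url(base_url, realm, client_uuid), data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def compare_runs(status_with_v1, status_without_v1):
    """Classify the pair of results from the two feature configurations.
    'regression' is the case the issue describes: the same roles succeed
    only while FGAP v1 is enabled."""
    if status_with_v1 == status_without_v1:
        return "consistent"
    if status_with_v1 == 201 and status_without_v1 == 403:
        return "regression"
    return "inconsistent"


if __name__ == "__main__":
    # Run once per server configuration and record the status; the two
    # values are then passed to compare_runs() by hand.
    base = os.environ["KC_BASE_URL"]
    realm = os.environ["KC_REALM"]
    tok = service_account_token(base, realm, os.environ["KC_CLIENT_ID"],
                                os.environ["KC_CLIENT_SECRET"])
    status = try_create_group_policy(base, realm, os.environ["KC_RS_CLIENT_UUID"],
                                     tok, "fgap-check-policy", os.environ["KC_GROUP_ID"])
    print("group policy POST returned HTTP", status)
```

Run the script once against an instance started with KC_FEATURES=admin-fine-grained-authz:v1 and once without it; a 201 from the first run and a 403 from the second is what compare_runs() labels "regression", and granting manage-clients to the service account should turn the second result into 201 if the issue's description holds.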
