PhilanthropyDataCommons / service

A project for collecting and serving public information associated with grant applications
GNU Affero General Public License v3.0
8 stars 2 forks

Let certain PDC users edit PDC users #959

Closed bickelj closed 6 months ago

bickelj commented 6 months ago

At the moment, only administrators of the Keycloak instance overall can edit users. It would follow the principle of least privilege and be less confusing to grant users in the PDC Keycloak realm the ability to edit users in that same realm. The (somewhat finer-than-present but somewhat coarse-grained) capability is present without any changes to the Keycloak instance, see docs.

To avoid having too many fine-grained groups/privileges I assume that (for now) we can let the pdc-admin group (see #907) mean "edit users in Keycloak" in addition to "see all the things in PDC." Keycloak is part of the PDC, after all, and at a high level an administrator of PDC should be able to do user management.
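One concrete shape the proposal above could take, added here as an illustration and not taken from the PDC project's own Keycloak configuration: a fragment of a Keycloak realm export in which the `pdc-admin` group named in the issue is mapped only to the `realm-management` client's built-in `manage-users` and `view-users` roles. Those two role names are Keycloak's own; the group path and the choice to model `pdc-admin` as a top-level group are assumptions for this example. The point is what is absent: no `realm-admin`, `manage-realm` or `manage-clients` mapping, so members can administer users in this realm without inheriting control over the realm itself or other realms.

```json
{
  "realm": "pdc",
  "groups": [
    {
      "name": "pdc-admin",
      "path": "/pdc-admin",
      "realmRoles": [],
      "clientRoles": {
        "realm-management": [
          "view-users",
          "manage-users"
        ]
      }
    }
  ]
}
```

When reviewing such a mapping, the check worth repeating after every change is to log in as a member of the group and confirm the admin console exposes the Users section but not Realm settings or Clients; an unexpected `realm-admin` or `manage-realm` entry under `clientRoles` would silently reintroduce the broad access this issue is trying to remove.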

bickelj commented 6 months ago

@slifty mentioned in #907 that he prefers to separate the roles. I am OK with that, but I'll flip the question around: why wouldn't an administrator of the PDC application be able to add or remove users?

slifty commented 6 months ago

OK I better understand what's going on now (to make sure I get it: before we had a superadmin of ALL of keycloak, this is a more narrow admin of just editing users).

Makes sense to me; initially I had thought it would make sense to decouple but I didn't realize that we were talking about this more granular set of abilities.

bickelj commented 6 months ago

@slifty Yes, this is a "less privilege than all of keycloak but some privilege within keycloak" level of access. To your earlier point, I agree that it could make sense in future to split the roles out if needed: pdc-data-admin from pdc-user-admin, perhaps pdc-super-admin that has both, etc., we could go nuts, but for today this gets us a little closer to where we want to be.

bickelj commented 6 months ago

Before closing this I think it makes sense for someone other than me (cough @slifty) to visit https://auth.philanthropydatacommons.org/admin/pdc/console/ to confirm it works.

slifty commented 6 months ago

@bickelj w00t! I logged in and was able to view the users list / admin interfaces!