In the admin console the username field is never enabled for editing unless the editing user has the “view-realm” role.
Given a realm “test”
and the realm's “Edit username” option enabled
and a user “bob” with these realm-management roles: manage-users, query-groups, query-users, view-users
when bob opens the “Details” tab for any account in the realm's admin console
then the “Username” field is disabled.
Expected behavior: The “Username” field is enabled.
Known work-around: Grant the realm-management/view-realm role to bob.
But this work-around has the unwanted side effect of the admin console showing additional menu items (Realm Settings, Roles, User Federation, Authentication, Sessions) which are confusing for bob (because he is a user helpdesk guy knowing nothing about realms, OIDC, user federation etc).
Whether or not the field is editable is controlled by this expression (users.js, l. 391): $scope.editUsername = $scope.create || $scope.realm.editUsernameAllowed; But $scope.realm.editUsernameAllowed is always undefined if the editing user does not have the view-realm role.