- Feature
- Resolution: Unresolved
The Admin CLI tool or REST API lets an admin look up the users in a specific role, for example:
`./kcadm.sh get clients/{clientid}/roles/{role_name}/users -r <REALM>`
or with the REST API:
`/admin/realms/{realm}/clients/{clientid}/roles/{role_name}/users`
This shows the users directly in the role "{role_name}", but since a role can be composite and can be associated with groups, a user can be in a role implicitly by being in a group or a composite role.
For example, it would be nice to have an additional parameter such as "composites", which is "false" by default:
`/admin/realms/{realm}(/client/{clientId})/roles/{rolename}/users?composites=true`
With this, every user who belongs to `{rolename}` directly or indirectly (through a composite role, or because the user belongs to a group hierarchy which at some level has this role) will appear in the result of the API.
This is more relevant because in an environment with complex roles and groups, users rarely have roles directly assigned to them. The roles are usually assigned through a group hierarchy or other parent roles.
For the sake of auditing in companies with large numbers of users and roles, it becomes very important to be able to see all the users who are not only immediate members of roles or groups, but are also effective members of a role or group through membership in another role or group.
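The resolution the request describes can be sketched offline over an exported role and group model. This is an added example, not Keycloak code or part of the original issue; the dictionaries, names and the `effective_users` helper are constructed for illustration, and it assumes a subgroup inherits the role mappings of its parent groups.

```python
from collections import deque

# Constructed sample realm model (illustrative, not Keycloak data or API output).
COMPOSITES = {"admin": {"auditor", "editor"}, "editor": {"viewer"},
              "viewer": {"editor"}}          # deliberate cycle between two roles
GROUP_PARENT = {"eng": None, "eng/sec": "eng", "sales": None}
GROUP_ROLES = {"eng": {"editor"}, "sales": {"auditor"}}
USER_ROLES = {"alice": {"viewer"}, "bob": {"admin"}}
USER_GROUPS = {"carol": {"eng/sec"}, "dave": {"sales"}, "erin": set()}


def roles_granting(target):
    """Return target plus every composite role that transitively contains it."""
    parents = {}
    for composite, children in COMPOSITES.items():
        for child in children:
            parents.setdefault(child, set()).add(composite)
    seen, queue = {target}, deque([target])
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:           # visited set makes cycles terminate
                seen.add(parent)
                queue.append(parent)
    return seen


def group_grants(group, granting):
    """True if the group or any ancestor group maps one of the granting roles."""
    while group is not None:
        if GROUP_ROLES.get(group, set()) & granting:
            return True
        group = GROUP_PARENT.get(group)
    return False


def effective_users(target):
    """Map each effective member of `target` to how the role reaches them."""
    granting = roles_granting(target)
    members = {}
    for user in sorted(set(USER_ROLES) | set(USER_GROUPS)):
        roles = USER_ROLES.get(user, set())
        if target in roles:
            members[user] = "direct"         # what the existing endpoint reports
        elif roles & granting:
            members[user] = "composite"
        elif any(group_grants(g, granting) for g in USER_GROUPS.get(user, ())):
            members[user] = "group"
    return members


if __name__ == "__main__":
    print(effective_users("viewer"))
```

In an audit, the entries marked "composite" or "group" are the ones a direct-members listing leaves out.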