Type: Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/ui
Describe the bug
If a user has the view-users, query-users, query-groups and manage-users roles (in realm-management) but not view-realm, they are unable to see a user's lockout state in the Admin UI.
This set of realm-management permissions is common for a user in a "customer support" role, and one of the use cases for this persona is being able to see and toggle user lockout state.
Version
26.0.0
Regression
[ ] The issue is a regression
Expected behavior
The user should be able to see the lockout state in the Users list and toggle it in the user form (the original issue includes screenshots of both, not reproduced here).
Actual behavior
The lockout state and the lockout toggle are hidden from the user.
How to Reproduce?
1. Create a realm.
2. Create user1 in that realm with the view-users, query-users, query-groups and manage-users roles.
3. Create a separate user2 with no other roles.
4. Configure brute force detection with a small failed-login threshold so that a temporary lockout is produced.
5. Attempt to log in as user2 to the account console with a bad password more times than the failed-login threshold.
6. Log into the new realm's security admin console as the user1 you created.
7. Find user2 in the Users tab and observe that the lockout state is not shown in the list.
8. Click on user2 and observe that the lockout toggle is not shown in the form.
Anything else?
The relevant code is in the EditUser.tsx form, which looks at the realm representation to check whether the bruteForceProtected flag is enabled:
https://github.com/keycloak/keycloak/blob/26.0.0/js/apps/admin-ui/src/user/EditUser.tsx#L156
That flag is missing from the representation when the user lacks view-realm, because RealmAdminResource only returns a few realm attributes to such callers:
https://github.com/keycloak/keycloak/blob/26.0.0/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java#L381-L390
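To show the failure mode in isolation, here is an added illustration (not Keycloak's code, and not a proposed patch to EditUser.tsx): a UI check that gates a control on a realm attribute the caller may not be permitted to read. The `RealmSubset` type, the sample realm objects and the `lockoutVisibility` / `shouldRenderLockoutControl` helpers are all constructed for this example. The point it demonstrates is that a permission-trimmed response omits the field rather than setting it to false, so a truthiness check silently fails closed and hides the control.

```typescript
// Subset of a realm representation this example cares about. The flag is
// optional because, as the issue describes, the admin API omits it for
// callers without view-realm.
interface RealmSubset {
  realm: string;
  bruteForceProtected?: boolean;
}

// Constructed sample: what a caller with view-realm receives.
const fullRealm: RealmSubset = { realm: "support-demo", bruteForceProtected: true };

// Constructed sample: the trimmed representation a caller with only
// view-users/manage-users receives. The field is absent, not false.
const trimmedRealm: RealmSubset = { realm: "support-demo" };

// Naive check, the pattern the issue points at: "unknown" collapses to "off",
// so the lockout control disappears for exactly the support persona that needs it.
function showLockoutNaive(realm: RealmSubset): boolean {
  return !!realm.bruteForceProtected;
}

// Tri-state evaluation: keep "brute force detection is disabled" distinct from
// "the server did not tell us", which is what a permission-trimmed response means.
type LockoutVisibility = "show" | "hide" | "unknown";

function lockoutVisibility(realm: RealmSubset): LockoutVisibility {
  if (realm.bruteForceProtected === undefined) {
    return "unknown";
  }
  return realm.bruteForceProtected ? "show" : "hide";
}

// Defensive rendering decision (one possible approach, an assumption of this
// example): only hide the control when the server positively reports that brute
// force detection is off; an unknown flag must not be treated as "off".
function shouldRenderLockoutControl(realm: RealmSubset): boolean {
  return lockoutVisibility(realm) !== "hide";
}

// Side-by-side outcome for the two callers.
function compare(): Record<string, { naive: boolean; triState: boolean }> {
  return {
    fullRealm: {
      naive: showLockoutNaive(fullRealm),
      triState: shouldRenderLockoutControl(fullRealm),
    },
    trimmedRealm: {
      naive: showLockoutNaive(trimmedRealm),
      triState: shouldRenderLockoutControl(trimmedRealm),
    },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The general lesson for UI code that reads authorization-filtered resources: a missing attribute in a server response is a distinct state from a false one, and any check of the form `if (!resource.flag) hide()` converts a read-permission gap into a hidden feature. Decide explicitly what to do with the unknown case, whether that is rendering the control anyway or fetching the information from an endpoint the caller is actually allowed to read.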