Red Hat build of Keycloak
RHBK-4011

FGAP V2: reset-password scope error when viewing users with Group permissions only [GHI#43736]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      After upgrading from Keycloak 26.3.x to 26.4.2, group administrators with Fine-Grained Admin Permissions configured via Group permissions (but no User permissions) encounter a 500 error when trying to view user detail pages in the Admin Console.

      Error Message:

      2025-10-27 11:18:45,198 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-227) Uncaught server error: org.keycloak.models.ModelIllegalStateException: Scope 'reset-password' is not defined for resource type 'Users'
      at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.lambda$hasPermission$1(FineGrainedAdminPermissionEvaluator.java:106)
      at java.base/java.util.Optional.orElseThrow(Optional.java:403)
      at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:106)
      at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:71)
      at org.keycloak.services.resources.admin.fgap.UserPermissionsV2.canResetPassword(UserPermissionsV2.java:157)
      at org.keycloak.services.resources.admin.fgap.UserPermissions.getAccess(UserPermissions.java:437)
      at org.keycloak.services.resources.admin.UserResource.getUser(UserResource.java:359)
      at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$getUser_c905e0bb512ebf5abf25843bdcaec6b073f8e01e.invoke(Unknown Source)
      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
      at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:1583)


      Environment:
      Keycloak Version: 26.4.2
      Previous Working Version: 26.3
      Feature: Fine-Grained Admin Permissions V2 enabled

      Configuration:
      Group administrators have the following setup:

      Group Permission created with scopes:
      view, view-members, manage-members, manage-membership for specific groups
      Client roles assigned: query-users, query-groups from realm-management client
      No User permission configured (intentionally, to restrict visibility to group members only)

      Workaround:
      Adding a User permission with view, manage, and map-roles scopes for "All Users" prevents the error, but this is not ideal as it grants visibility to all users in the realm rather than just group members.

      Root Cause (suspected):
      The reset-password scope was introduced as part of FGAP V2 improvements. The Admin Console UI now checks for this scope when loading user detail pages, but this check fails when administrators only have Group permissions without corresponding User permissions.

      Version

      26.4.2

      Regression

      [x] The issue is a regression

      Expected behavior

      Group admins should be able to view user details for members of their groups without requiring explicit User permissions, as they could in 26.3.x.

      Actual behavior

      The Admin Console throws a 500 error because it checks for the reset-password scope on the Users resource type, which doesn't exist when no User permission is configured.
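The following is an added illustration of the failure mode described in this report; it is not Keycloak's code and does not reproduce its FGAP implementation. The registry of defined scopes, the `Permission`/`Admin`/`User` types, the `has_permission_strict` and `has_permission_fail_closed` evaluators, `get_access` and the sample group admin are all hypothetical. It shows why an access-map builder that resolves each scope with a "throw if undefined" lookup (the `Optional.orElseThrow` in the trace) turns a missing scope definition into a request-wide 500, while a fail-closed lookup returns a normal access map in which the undefined scope is simply denied and group-derived view/manage access still works:

```python
"""Added demo (hypothetical, not Keycloak code): undefined scope -> crash vs. fail-closed denial."""
from dataclasses import dataclass
import logging

log = logging.getLogger("fgap-demo")


class ScopeNotDefined(Exception):
    """Stands in for the ModelIllegalStateException seen in the reported trace."""


@dataclass(frozen=True)
class Permission:
    resource_type: str   # "Users" or "Groups"
    scope: str           # e.g. "view", "reset-password", "view-members"
    targets: frozenset   # ids the permission applies to; "*" means all


@dataclass
class Admin:
    name: str
    permissions: list


@dataclass
class User:
    id: str
    groups: frozenset


# Constructed registry of which scopes each resource type defines in this realm.
# It models the reported setup: Group permissions exist, no User permission was
# ever created, and "Users" lacks the V2 scope "reset-password" that the console asks for.
GROUP_ONLY_REALM = {
    "Users": frozenset({"view", "manage", "map-roles"}),
    "Groups": frozenset({"view", "view-members", "manage-members", "manage-membership"}),
}


def _granted(admin, resource_type, scope, target):
    """True if the admin holds a direct permission for this scope on this target."""
    return any(p.resource_type == resource_type and p.scope == scope
               and ("*" in p.targets or target in p.targets)
               for p in admin.permissions)


def _evaluate(admin, resource_type, scope, user):
    """Direct permission first, then group-derived access (view-members/manage-members)."""
    if _granted(admin, resource_type, scope, user.id):
        return True
    derived = {"view": "view-members", "manage": "manage-members"}
    group_scope = derived.get(scope)
    return bool(group_scope) and any(_granted(admin, "Groups", group_scope, g) for g in user.groups)


def has_permission_strict(realm, admin, resource_type, scope, user):
    """Raises when the scope is not defined for the resource type (the behaviour behind the 500)."""
    if scope not in realm.get(resource_type, ()):
        raise ScopeNotDefined(f"Scope '{scope}' is not defined for resource type '{resource_type}'")
    return _evaluate(admin, resource_type, scope, user)


def has_permission_fail_closed(realm, admin, resource_type, scope, user):
    """Same evaluation, but an undefined scope is logged and denied instead of raised."""
    if scope not in realm.get(resource_type, ()):
        log.warning("scope %r is not defined for %r; denying", scope, resource_type)
        return False
    return _evaluate(admin, resource_type, scope, user)


def get_access(realm, admin, user, evaluator):
    """Builds the per-user access map a user detail page needs, scope by scope."""
    return {
        "view": evaluator(realm, admin, "Users", "view", user),
        "manage": evaluator(realm, admin, "Users", "manage", user),
        "mapRoles": evaluator(realm, admin, "Users", "map-roles", user),
        "resetPassword": evaluator(realm, admin, "Users", "reset-password", user),
    }


def compare(realm, admin, user):
    """Returns (strict result or its error message, fail-closed access map) for one request."""
    try:
        strict = get_access(realm, admin, user, has_permission_strict)
    except ScopeNotDefined as exc:
        strict = str(exc)
    return strict, get_access(realm, admin, user, has_permission_fail_closed)


# Constructed sample: a group admin with Group permissions on "g1" only (no User permission).
GROUP_ADMIN = Admin("group-admin", [
    Permission("Groups", "view", frozenset({"g1"})),
    Permission("Groups", "view-members", frozenset({"g1"})),
    Permission("Groups", "manage-members", frozenset({"g1"})),
    Permission("Groups", "manage-membership", frozenset({"g1"})),
])
MEMBER = User("user-in-g1", frozenset({"g1"}))
OUTSIDER = User("user-in-g2", frozenset({"g2"}))

if __name__ == "__main__":
    for who in (MEMBER, OUTSIDER):
        strict, closed = compare(GROUP_ONLY_REALM, GROUP_ADMIN, who)
        print(who.id, "strict:", strict)
        print(who.id, "fail-closed:", closed)
```

The strict variant aborts the whole `get_access` call on the first undefined scope, so the admin loses even the `view` access their Group permission grants; the fail-closed variant answers every scope, denies the one it cannot resolve, and leaves a log line that points directly at the missing scope definition.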

      How to Reproduce?

      • Enable Fine-Grained Admin Permissions V2 in a realm
      • Create a Group permission with view-members and manage-members scopes for a specific group
      • Assign query-users and query-groups roles to a group admin user
      • Do NOT create any User permission
      • Log in as the group admin user
      • Navigate to Users → select any user in their group
      • Observe 500 error in browser and error in Keycloak logs

      Anything else?

      No response

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core (shared)