Here are my steps:
- grant `query-users` and `query-clients` roles to a user, say `realmAdmin`
- create a policy allowing user `realmAdmin` and set logic to Positive
- create two permissions with the previously created policy
  - user type resource: `map-roles`, `view` for any user
  - client type resource: grant `map-roles`, `view`, `map-roles-client-scope`, `map-roles-composite` of a specific client, say `FooClient`, which has a client role, let's say `foo`
- login as `realmAdmin`
- I can see the `FooClient` in Clients, and its roles
- go to user management, and enter the management page of a user. Go to role mapping tab, and click assign role. It shows `no roles for this user`. I assume it should show all roles related to client `FooClient`. I even tried creating a role type resource in permission and granting Map-role-composite, Map-role, Map-role-client-scope to all roles, and it does not help.
Originally posted by @fMeow in #37133 (reply in thread)