Users & roles
Keycloak owns realm membership + role assignments (TW-014). User CRUD lives in the Keycloak admin console; we deep-link rather than re-implement.
- Keycloak admin console
Realm users, roles, groups, RBAC. Requires the realm-admin role on your Keycloak account.
- My Keycloak account
Reset MFA, manage signed-in devices, rotate password.
Self-serve tenant onboarding (TW-064) will provision users through the admin service API directly; that surface will land here as a second list once it ships.