Fine-grained authorisation for user account attributes #143

Open
NicolasLiampotis opened this issue Dec 1, 2021 · 6 comments
@NicolasLiampotis

Currently Keycloak supports the manage-account role to control whether the user can update their name and email information (self-service). We want to introduce additional roles to limit access to name and email separately, e.g. manage-account-name and manage-account-email.

This is useful if for a given Keycloak installation we don't want users to change the name released by their Identity Provider but at the same time allow them to change their email, which can be trusted following the email verification process.

@cgeorgilakis

Manage account does extra things, like giving access to being able to link an Identity Provider. We cannot simply replace this role.
I believe the better choice is to keep this role and introduce manage-account-name and manage-account-email, which will give a user access to manage his email and name. These roles will be added to the default roles in order to have the same behaviour as vanilla Keycloak.

@cgeorgilakis

Updating multivalue attributes must be taken into account.
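The role split proposed in the comments above, together with the multivalued-attribute point just raised, as an added Python example (this is not Keycloak's code; manage-account-name and manage-account-email are the role names proposed in this issue, not roles Keycloak ships, and the field names follow Keycloak's user representation):

```python
# Added example, not Keycloak code: field-level authorisation for self-service
# account updates. manage-account is an existing Keycloak role; the two
# finer-grained roles are the names proposed in this issue (assumed here).

NAME_FIELDS = {"firstName", "lastName"}
EMAIL_FIELDS = {"email"}
PROTECTED_FIELDS = NAME_FIELDS | EMAIL_FIELDS

# Which protected fields each role lets the user change. manage-account keeps
# the vanilla behaviour (both groups); each new role grants one group only.
ROLE_GRANTS = {
    "manage-account": PROTECTED_FIELDS,
    "manage-account-name": NAME_FIELDS,
    "manage-account-email": EMAIL_FIELDS,
}


def _changed(old, new):
    """True if a value actually changes. Multivalued attributes arrive as
    lists, so compare them as multisets: reordering alone is not an edit."""
    if isinstance(old, list) and isinstance(new, list):
        return sorted(map(str, old)) != sorted(map(str, new))
    return old != new


def allowed_fields(roles):
    """Union of protected fields granted by the caller's roles; an unknown
    role grants nothing."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_GRANTS.get(role, set())
    return allowed


def denied_fields(roles, current, proposed):
    """Protected fields the update would change without a granting role.
    A field the caller merely echoes back unchanged is never counted."""
    changed = {
        field for field, value in proposed.items()
        if field in PROTECTED_FIELDS and _changed(current.get(field), value)
    }
    return changed - allowed_fields(roles)


def authorize_update(roles, current, proposed):
    """Raise PermissionError naming the offending fields, otherwise return
    the protected fields the caller may change."""
    denied = denied_fields(roles, current, proposed)
    if denied:
        raise PermissionError(f"not allowed to change: {sorted(denied)}")
    return allowed_fields(roles)
```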

@cgeorgilakis

Another person has opened a GitHub discussion about not being able to disable email change.

Moreover, a question in the Keycloak forum exists without a sufficient response. They propose to set 'email as username' to true and disable changing the username. However, I believe that this will also block IdP email change, and we want to set 'email as username' to false together with 'Duplicate emails' in order to support the same email for different users.
Moreover, a PR for requiring the email to be verified before changing it exists.

@cgeorgilakis

We could also use User Profile, which is a technology preview that gives us the ability to prevent the user from editing email from the account console. Needs to be tested.

@cgeorgilakis

Unfortunately, we cannot configure permissions on main attributes (e.g. email) like on other attributes.
