Shiro does not have support for this out of the box because it must make assumptions about your data model. There are so many different data models across applications, it would be fairly difficult to provide interface support for this in Shiro out of the box. That being said, there has been some discussion to come up with some extensions to Shiro to allow for the most common conventions. But this will take a while to discuss and design and may not make it in to 1.0.
So, since Shiro is mostly read-only to account for any data model, the way most people solve this problem is to have your Realm implementation point to a component that provides CRUD operations that is shared by other components in your architecture.
For example, if I had a UserManager which in turned talked to a UserDAO for CRUD operations, and I would have my Realm implementation use that same UserDAO for Shiro's lookup needs.
Then your UserManager would perform the create/update operations as necessary, and the Realm would do the read operations for security checks. So, it is usually not necessary for Shiro to provide Create/Update operations when 90% of most applications already provide that in some other way (UserManager/RoleManager, etc).
An application that I’m developing requires
administrators to be able to configure access control at run time from a UI.
I need to present them with a list of available users and groups so that they
can assign roles and privileges to the users and groups. Please correct
me if I’m wrong, but I don’t believe that shiro allows you to query
existing users and groups from a Realm. Any plans to add such a feature?