Giving KeyCloak users Admin privileges in Grafana with OIDC

I manage a production Kubernetes cluster which is increasingly relying on Grafana dashboarding and instrumentation. Initially, we integrated Grafana with our KeyCloak instance using the following excerpt in grafana.ini:

[auth.generic_oauth]
allow_sign_up = true
api_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/userinfo
auth_url = https://keycloak.example/auth/realms/kube-cluster/protocol/openid-connect/auth
client_id = grafana
client_secret = <my secret>
enabled = true
name = KeyCloak
scopes = openid profile email
token_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/token

Provided the we had a client ID and secret from Grafana, this was a relatively easy configuration - the problem was that by default an OIDC user had no privileges. They could view a dashboard, but they couldn't create or import a dashboard, or (more importantly), they couldn't use the "Explore" tab to drive Loki.