Realm admin permissions have been added to master.
A quick overview on how it works:
When a realm is created, an application is created in the keycloak-admin realm. The
application name is '<realm name>-realm'. This application represents the
roles associated with the realm, and lets you add role mappings to users as well as
scope mappings to apps/clients. A realm app has the following roles:
* manage-realm
* manage-users
* manage-applications
* manage-clients
These roles are all read/write. In the future I imagine we can add some view only roles
(view-realm, view-users, view-applications, view-clients). I didn't add it this time
around as it would require a fair amount of changes to admin console (everything is forms
with buttons at the moment, so would have to add read only views).
When listing realms the admin console will only return the realms where the user has one
or more of the above roles. The admin console will also change the menu depending on what
roles the user has (for example a user that only has 'manage-clients' and
'manage-users' will not see 'settings' and 'applications').
There's a realm role called 'admin' as well. This is a composite role, and when
creating a new realm all roles for the new realm are added to it. Only users with this
role are allowed to create, import or delete realms.
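To make the scheme above concrete, here is a small in-memory model of it. This is an added illustration, not Keycloak's own code: it shows how the '<realm>-realm' application roles, the composite 'admin' role, the role-filtered realm listing and the role-driven menu fit together. The mapping from console section to role (settings -> manage-realm, applications -> manage-applications, and so on) is an assumption inferred from the behaviour described here, and the users and realms in the walkthrough are constructed sample data.

```python
"""Toy model of the realm admin permission scheme described above.

Added illustration, not Keycloak's own code: it shows how the per-realm
'<realm>-realm' application roles, the composite 'admin' role and the
role-based realm listing and menu filtering fit together.
"""

ADMIN_REALM = "keycloak-admin"
REALM_APP_ROLES = ("manage-realm", "manage-users", "manage-applications", "manage-clients")

# Assumption: which role unlocks which console section. The post only states
# that a user with just manage-users and manage-clients does not see
# 'settings' and 'applications'; the full mapping is inferred here.
SECTION_ROLE = {
    "settings": "manage-realm",
    "users": "manage-users",
    "applications": "manage-applications",
    "clients": "manage-clients",
}


class AdminRealmModel:
    """Role state of the keycloak-admin realm (toy in-memory model)."""

    def __init__(self):
        # application name -> roles it defines; the admin realm itself holds 'admin'
        self.apps = {ADMIN_REALM: {"admin"}}
        # composite (app, role) -> set of (app, role) pairs it expands to
        self.composites = {(ADMIN_REALM, "admin"): set()}
        # user -> directly mapped (app, role) pairs
        self.user_roles = {}

    def grant(self, user, app, role):
        """Add a role mapping; rejects roles the application does not define."""
        if role not in self.apps.get(app, ()):
            raise ValueError(f"{app} has no role {role}")
        self.user_roles.setdefault(user, set()).add((app, role))

    def effective_roles(self, user):
        """Expand composites (worklist, so nested composites work) into flat pairs."""
        effective, pending = set(), list(self.user_roles.get(user, ()))
        while pending:
            grant = pending.pop()
            if grant not in effective:
                effective.add(grant)
                pending.extend(self.composites.get(grant, ()))
        return effective

    def is_admin(self, user):
        return (ADMIN_REALM, "admin") in self.effective_roles(user)

    def create_realm(self, actor, name):
        """Only 'admin' may create realms; creates '<name>-realm' and feeds the composite."""
        if not self.is_admin(actor):
            raise PermissionError(f"{actor} lacks the admin role")
        app = f"{name}-realm"
        self.apps[app] = set(REALM_APP_ROLES)
        for role in REALM_APP_ROLES:
            self.composites[(ADMIN_REALM, "admin")].add((app, role))

    def delete_realm(self, actor, name):
        """Only 'admin' may delete realms; drops the app, its composite entries and mappings."""
        if not self.is_admin(actor):
            raise PermissionError(f"{actor} lacks the admin role")
        app = f"{name}-realm"
        del self.apps[app]
        gone = {(app, r) for r in REALM_APP_ROLES}
        self.composites[(ADMIN_REALM, "admin")] -= gone
        for grants in self.user_roles.values():
            grants.difference_update(gone)

    def realm_roles(self, user, realm):
        """The manage-* roles the user effectively holds on one realm."""
        app = f"{realm}-realm"
        return {role for a, role in self.effective_roles(user) if a == app}

    def visible_realms(self, user):
        """Realm listing: only realms where the user holds at least one realm role."""
        realms = [a[: -len("-realm")] for a in self.apps if a.endswith("-realm")]
        return sorted(r for r in realms if self.realm_roles(user, r))

    def menu(self, user, realm):
        """Console sections shown for this realm, driven by the user's roles."""
        roles = self.realm_roles(user, realm)
        return [s for s, needed in SECTION_ROLE.items() if needed in roles]

    def page_allowed(self, user, realm, section):
        """The same rule applied as an access check rather than only a menu filter."""
        return SECTION_ROLE[section] in self.realm_roles(user, realm)


def walkthrough():
    """Constructed scenario following the steps in the post."""
    kc = AdminRealmModel()
    kc.grant("admin", ADMIN_REALM, "admin")  # bootstrap admin user
    kc.create_realm("admin", "test")
    kc.create_realm("admin", "other")  # a second realm the 'test' user cannot see
    kc.grant("test", "test-realm", "manage-users")
    kc.grant("test", "test-realm", "manage-clients")
    return kc


if __name__ == "__main__":
    kc = walkthrough()
    print("realms for test:", kc.visible_realms("test"))
    print("menu for test:", kc.menu("test", "test"))
    print("menu for admin:", kc.menu("admin", "test"))
```

Running the walkthrough lists only 'test' for the 'test' user and shows just the 'users' and 'clients' sections, while the 'admin' user sees every realm and every section through the composite expansion; page_allowed applies the same table as a check rather than as a menu filter.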
To create a new realm, with a user that has only 'manage-users' and
'manage-clients' access to this new realm, do the following:
1. Create a new realm called 'test'
2. Navigate to users for 'keycloak-admin' realm
(http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
3. Create a new user called 'test' (enable the user and reset credentials)
4. Click on 'Role mappings'
5. In 'Applications' drop-down select 'test-realm'
6. Select 'manage-users' and 'manage-clients' and click the right-arrow to
add mapping
7. Log out of admin console, and login as 'test'
The pages in the admin console themselves haven't been disabled, only the menu
entries used to navigate to them. You can try opening, for example:
http://localhost:8081/auth/admin/index.html#/realms/test/social-settings
http://localhost:8081/auth/admin/index.html#/realms/test/applications