Wow. Didn't think of the other use cases that you listed. Yes, it's definitely something that happens in the real world and it would be great if Keycloak had these features. No complaints from me if we can do what I suggested as a starting point, for obvious selfish reasons :)

I have raised a Jira case for this. https://issues.jboss.org/browse/KEYCLOAK-292

Keycloak early champion community members, please vote for this feature.

BTW, thanks Stian, Bill and the Keycloak team for your fantastic work. Keycloak is so simple to use and implement, and that is amazing when you think of the complex problems it is solving. Wishing Keycloak all the best.


On Wed, Feb 12, 2014 at 9:11 PM, Stian Thorgersen <stian@redhat.com> wrote:
This is not possible at the moment. It's something that I'd imagine would be needed, and with more fine-grained control. I can imagine scenarios such as:

* Devs that are allowed to create/edit apps, but not manage users
* Devs that can create clients, but not applications
* Managers that are allowed to view user details, but not reset passwords, etc.
* Admins that can do everything for a single realm, or for all realms

We don't have anything planned at the moment though, and what you're proposing could be a sensible starting point. Please create a JIRA ;)

----- Original Message -----
> From: "Travis De Silva" <traviskds@gmail.com>
> To: keycloak-user@lists.jboss.org
> Sent: Wednesday, 12 February, 2014 6:48:09 AM
> Subject: [keycloak-user] Realm Level Admin
>
> I have not been able to figure out if we can have Realm level admins. My use
> case is:
>
> We have Keycloak application-wide super admins. They can create new realms,
> go into any realm and create users, applications etc. Just how the default
> admin user operates now.
>
> Then within a Realm, for example let's say Demo realm, can we have a different
> admin user (e.g. demo realm admin) who can perform all the tasks but only
> within that Realm. That user will not be able to view the other realms (i.e.
> it should not display the realm selection drop down) and also should not be
> able to create new realms.
>
> Thoughts? I am happy to raise a feature request in Jira if this is currently
> not possible and doable in a future release as I believe this feature will
> increase user adoption, especially for applications that are built with
> multi-tenancy functionality.