[keycloak-user] Remove permission to manage realm (but keep managing roles)

Hi, Is it somehow possible to remove from user the permission to manage realm itself (example: client registration, tokens) but keep for the user role management in place (so he can create composite roles)? If it is possible with fine grained permissions, can you please send me howto, because I am unable to set it up (using docs)... Thanks for help, Pavel