Hello,
I came across a requirement where we needed to allow a certain set of users
to perform a limited set of admin tasks like realm creation, user creation
etc. IIUC this is directly achievable by allocating those users to
`create-realm` role in the `master` realm. However the requirement demands
that the users should not be in the `master` realm itself. So the user
model is something like the following.
0. super users - Ops, and other super admins that take care of the most
privileged tasks like IdP federation, auth flows, etc - limited set of
users in the `master` realm
1. organization root users - users who act as admins for their realm and
are able to create other realms and add users to them, basically
organization admins (ex: `org1` realm)
2. realm specific users - users confined to their own realms (ex: `deptx`
realm)
In this model, `organization root users` should be able to create realms
but should not be part of the `master` realm itself. From the code I can
see that this requirement is not something possible as
org.keycloak.services.resources.admin.permissions.MgmtPermissions#canCreateRealm()
checks the following.
1. Is the current realm the administrative realm
2. Does the current user have the `create-realm` role
However, is there a way to mark *multiple* realms other than `master` as
administrative realms so that those realms could have a realm role named
`create-realm` to be assigned to the above-mentioned `organization root
users`?
Regards,
Chamila
Blog:
medium.com/@chamilad