Hello all,
I have a use case scenario which involves fine-grained permission settings for the admin of a particular realm, who should create a client and create a user, with restrictions: he must not play with the client ‘realm-management’ and he must not map realm-admin to himself. The problem is that I can manage to restrict the realm admin to managing one client, or restrict him to mapping only said roles, but then he cannot create a client or create a user himself, because he requires a more coarse role like ‘manage-users’ or ‘manage-clients’. And once I give the realm admin these two roles, he can do everything in the realm, and this is the problem.

So in short,
1. I want to have a realm-admin that can create users and clients in his dedicated realm
2. Also, I want to make sure that he doesn’t have access to play around with the realm-management client and that he doesn’t have access to map roles to himself or other users with something like ‘manage-user, manage-realm, manage, manage-clients’

Cheers,
Hasebullah A Ansari
Master of Engineering in IT, Heidelberg
IT Specialist / Java Developer
Syntlogo GmbH
Mercedesstraße 1
D-71063 Sindelfingen
Email: hasebullah.ansari@syntlogo.de
Website: www.syntlogo.de