[keycloak-user] Admin User Impersonation Restriction

Prado, Renann renann.prado at engelvoelkers.com
Sat Aug 10 07:29:38 EDT 2019


Hello.

I'm currently doing research to see if Keycloak fits our use cases, and the impersonation
feature is important for the case when we want to do support and see what the user
sees for some reason.

Of course impersonation is nice, yet it can be very risky if the impersonation
permission is given to the wrong people.

I was doing some tests (locally) and I found out that by having only the client roles
view-users and impersonation, I was able to impersonate the admin user.

I'm using Docker to run my tests, so basically I was able to impersonate the user that is
created via the KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables.

My question is: is it possible to restrict impersonation to certain users based on attributes,
roles, or something else? Or is impersonation always possible on all the users within the
realm as long as the user has permission to do impersonation?

As I understand it, the master realm shouldn't be used for anything other than
administration, correct? Then what would be the best way to "slice" your realms, per product
(e.g. web app)?

We also want to use Keycloak to provide SSO for us, which I suppose only works at the realm
level. So if we create one realm per application, then we cannot really do SSO.

Thanks

-- 
Best regards,
*Renann Prado*
