[keycloak-user] Having multiple admin realms

chamila chamila.sujeewa at gmail.com
Tue Jul 30 21:36:49 EDT 2019


Hello,

I came across a requirement where we needed to allow a certain set of users
to perform a limited set of admin tasks like realm creation, user creation
etc. IIUC this is directly achievable by allocating those users to
`create-realm` role in the `master` realm. However the requirement demands
that the users should not be in the `master` realm itself. So the user
model is something like the following.

0. super users - Ops, and other super admins that take care of the most
privileged tasks like IdP federation, auth flows, etc - limited set of
users in the `master` realm
1. organization root users - users who act as admins for their realm and
are able to create other realms and add users to them, basically
organization admins (ex: `org1` realm)
2. realm specific users - users confined to their own realms (ex: `deptx`
realm)

In this model, `organization root users` should be able to create realms
but should not be part of the `master` realm itself. From the code I can
see that this requirement is not possible, as
org.keycloak.services.resources.admin.permissions.MgmtPermissions#canCreateRealm()
checks the following.

1. Is the current realm the administrative realm
2. Does the current user have the `create-realm` role

However, is there a way to mark *multiple* realms other than `master` as
administrative realms so that those realms could have a realm role named
`create-realm` to be assigned to the above mentioned `organization root
users`?

Regards,
Chamila
Blog: medium.com/@chamilad