Master Admin Access Control

You can create and manage multiple realms by logging into the master Keycloak admin console at /{keycloak-root}/admin/index.html

Users in the Keycloak master realm can be granted permission to manage zero or more of the realms deployed on the Keycloak server. When a realm is created, Keycloak automatically creates roles that grant fine-grained permissions on that new realm. Access to the Admin Console and the REST endpoints is controlled by mapping these roles to users in the master realm. This makes it possible to create several super users, as well as users that only have access to certain operations in specific realms.
Global Roles

There are two realm roles in the master realm:

admin - The super-user role; grants permission for all operations on all realms.
create-realm - Grants the user permission to create new realms. A user that creates a realm is granted all permissions on the newly created realm.

To add these roles to a user, select the master realm, then click on Users. Find the user you want to grant permissions to, open the user and click on Role Mappings. Under Realm Roles, assign any of the above roles to the user by selecting it and clicking on the right-arrow.
Realm Specific Roles

Each realm in Keycloak is represented by an application in the master realm. The name of the application is <realm name>-realm. This allows access to be assigned to users for individual realms. The roles available are:

view-realm - View the realm configuration
view-users - View users (including details of a specific user) in the realm
view-applications - View applications in the realm
view-clients - View clients in the realm
view-events - View events in the realm
manage-realm - Modify the realm configuration (and delete the realm)
manage-users - Create, modify and delete users in the realm
manage-applications - Create, modify and delete applications in the realm
create-clients - Create clients in the realm
manage-clients - Create, modify and delete clients in the realm
manage-events - Enable/disable events, clear logged events and manage event listeners

Each manage role also includes the corresponding view permission (for example, a user with the manage-realm role can also view the realm configuration).

To add these roles to a user, select the master realm, then click on Users. Find the user you want to grant permissions to, open the user and click on Role Mappings. Under Application Roles, select the application that represents the realm you're adding permissions to (<realm name>-realm), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
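The permission scheme described in the two sections above (global admin and create-realm roles in the master realm, per-realm roles on the "<realm name>-realm" application, and manage roles implying the matching view permission) can be modelled as a small policy evaluator. The following is an added example written for this page; it is not Keycloak's own implementation. The role names are the ones listed above, while the MasterUser class, the function names, and the sample users are assumptions made for the illustration. It also includes an excess_permissions audit helper, which goes beyond the page by listing what a mapping grants beyond what a user actually needs.

```python
"""Model of the master-realm admin permission scheme described above.

Added illustration, not Keycloak code. Role names come from the page; the
data structures and helper names are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Realm roles that live in the master realm itself.
ADMIN = "admin"                # super-user: every operation on every realm
CREATE_REALM = "create-realm"  # may create realms; the creator gets full rights on them

# Client (application) roles that exist on each "<realm name>-realm" application.
# A manage-* role also carries the matching view-* permission, as the page states.
MANAGE_IMPLIES = {
    "manage-realm": {"view-realm"},
    "manage-users": {"view-users"},
    "manage-applications": {"view-applications"},
    "manage-clients": {"view-clients"},
    "manage-events": {"view-events"},
}
VIEW_ROLES = {"view-realm", "view-users", "view-applications", "view-clients", "view-events"}
REALM_ROLES = frozenset(VIEW_ROLES | set(MANAGE_IMPLIES) | {"create-clients"})


def realm_client_id(realm: str) -> str:
    """Name of the master-realm application that represents a realm."""
    return f"{realm}-realm"


@dataclass
class MasterUser:
    """A master-realm user and its role mappings (constructed sample data)."""
    username: str
    realm_roles: set = field(default_factory=set)      # mapped under "Realm Roles"
    client_roles: dict = field(default_factory=dict)   # client id -> roles under "Application Roles"


def can_create_realm(user: MasterUser) -> bool:
    """Only admin or create-realm in the master realm may create a realm."""
    return ADMIN in user.realm_roles or CREATE_REALM in user.realm_roles


def effective_permissions(user: MasterUser, realm: str) -> frozenset:
    """All realm-specific permissions the user holds on `realm`,
    after expanding each manage-* role to its implied view-* permission."""
    if ADMIN in user.realm_roles:
        return REALM_ROLES
    granted = set(user.client_roles.get(realm_client_id(realm), set())) & REALM_ROLES
    for role in list(granted):
        granted |= MANAGE_IMPLIES.get(role, set())
    return frozenset(granted)


def is_allowed(user: MasterUser, realm: str, required_role: str) -> bool:
    """Authorization check for one operation, named by the role that guards it."""
    return required_role in effective_permissions(user, realm)


def create_realm(user: MasterUser, realm: str) -> bool:
    """Create a realm: refused without create-realm or admin; otherwise the creator
    is mapped to every role of the new "<realm>-realm" application."""
    if not can_create_realm(user):
        return False
    user.client_roles.setdefault(realm_client_id(realm), set()).update(REALM_ROLES)
    return True


def excess_permissions(user: MasterUser, realm: str, needed: set) -> frozenset:
    """Least-privilege audit: permissions held on `realm` beyond those needed."""
    return effective_permissions(user, realm) - set(needed)


if __name__ == "__main__":
    # Constructed sample: a helpdesk account that only manages users of the "demo" realm.
    helpdesk = MasterUser("helpdesk", client_roles={"demo-realm": {"manage-users"}})
    print(sorted(effective_permissions(helpdesk, "demo")))           # manage-users plus implied view-users
    print(is_allowed(helpdesk, "demo", "manage-realm"))              # False
    print(sorted(excess_permissions(helpdesk, "demo", {"view-users"})))  # manage-users is more than needed
```

The audit helper is the part worth running against real mappings: a user who only needs to look up accounts in one realm should end up with view-users on that realm's application and nothing else, and the evaluator makes the gap between "needed" and "granted" explicit.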