=== Master Realm Access Control The `master` realm in {{book.project.name}} is a special realm and treated differently than other realms. Users in the {{book.project.name}} `master` realm can be granted permission to manage zero or more realms that are deployed on the {{book.project.name}} server. When a realm is created, {{book.project.name}} automatically creates various roles that grant fine-grain permissions to access that new realm. Access to The Admin Console and Admin REST endpoints can be controlled by mapping these roles to users in the `master` realm. It's possible to create multiple super users, as well as users that can only manage specific realms. ==== Global Roles There are two realm-level roles in the `master` realm. These are: * admin * create-realm Users with the `admin` role are super users and have full access to manage any realm on the server. Users with the `create-realm` role are allowed to create new realms. They will be granted full access to any new realm they create. ==== Realm Specific Roles Admin users within the `master` realm can be granted management privileges to one or more other realms in the system. Each realm in {{book.project.name}} is represented by a client in the `master` realm. The name of the client is `-realm`. These clients each have client-level roles defined which define varying level of access to manage an individual realm. The roles available are: * view-realm * view-users * view-clients * view-events * manage-realm * manage-users * create-client * manage-clients * manage-events * view-identity-providers * manage-identity-providers * impersonation Assign the roles you want to your users and they will only be able to use that specific part of the administration console. IMPORTANT: Admins with the `manage-users` role will only be able to assign admin roles to users that they themselves have. So, if an admin has the `manage-users` role but doesn't have the `manage-realm` role, they will not be able to assign this role.