Creating a realm for which I don't have any access rights


I’m currently working on a case for which I’ve been tasked with implementing some sort of “reseller” user.
In this concept, a reseller is a user who can create-realms (very trivial) for a “customer”.
However, what I don’t want is for this reseller to be able to manage anything on this new realm, except for an initial “admin” user.
The way I thought this could play out was:

  1. Reseller creates customer realm
  2. By default, this already gives the reseller the right to manage this realm, so an initial Admin-User can be created within this customer realm
  3. Reseller deletes all role-mappings for the “customer-realm” client

But this is only possible if the reseller has user management rights, right? But I don’t want to have the ability to remap the management roles for “customer-realm”.
The main idea I'm trying to pursue is safeguarding customers under a reseller in case a reseller account gets compromised by a hacker of sorts.

Mind you that I don’t have an issue with a hacker creating a fake customer as this would not be registered in various other parts of my system and thus pose zero to no threats.

Has anyone ever done such a thing, or am I a madman who is overlooking 35 things that could expose the customers under a reseller regardless of my flawed attempt at increasing security?