Grant admin access to multiple realms for a user not in master realm

Greetings,

I have discovered that it is possible to grant users in the master realm administrative client roles for other realms in the <realm-name>-realm client roles.

Is it possible to give a user that is not in the master realm those roles? Or is it only possible from the master realm?

The use case that I am trying to achieve is that users in one realm (let’s call it administrators) will each have full admin permissions on two realms (for example cs-dept-realm and cs-dept-realm-test). I am reluctant to add those users to the master realm, as I have read a few posts here and on the mailing list that this is a bad/insecure practice. Am I worried over nothing? Is there another way to achieve the same result?

Thank you for your kind time and attention,

M

It‘s only possible from the special master realm.
A realm is the level of isolation, there is no cross-realm for anything. The only exception is the master realm.

Thank you for your kind response. Do you think that it is a bad practice to do this from the master realm? I found a few mentions of it being insecure, but I couldn’t find an explanation of why. If I correctly grant client roles, I can’t see why it would be bad.

The master realm is for managing and administration purposes of Keycloak itself. It‘s not intended to be used in a functional way.