We are developing a keycloak(5.0.0) based solution where our clients can create their account with us and manage their own users - and only their users.

Initially with thought that we could use realms for this. Every client gets their own realm. After initial testing we deemed it might not be a good solution as after creating ~500 realms the application becomes unresponsive(https://issues.jboss.org/browse/KEYCLOAK-4593).

We decided to try using Groups to emulate a tenant. Our objective is to create during an external process(keycloak REST API) a group with an admin user. Can't find currently a way how to restrict this administrator to be able to only manage their own group(creating subgroups, managing users, and giving them roles).

I've noticed several emails mentioning these features but I fail to find actual examples to make this work.

• http://lists.jboss.org/pipermail/keycloak-user/2017-June/010882.html
• http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html

The second link shows exactly what we would like to achieve.

Current alternative I can see is to implement a facade(client or separate web app) which would restrict visibility and access to other groups.

Are there other alternatives?