Red Hat build of Keycloak
RHBK-3241

Allow mapping Admin roles to server administrator only [GHI#39956]


To delegate user management to a realm admin, a server admin might create the following permissions.

Allow:

• view, map-roles and manage all realm users
• view and map-roles for all clients

If a server administrator wants to prevent the management of other realm administrators, this can be achieved by disallowing:

• manage and map-roles for 'some_admin' (or a group of admins)

The aforementioned setup allows assigning the "manage-users" role to yourself and effectively gaining permission to manage 'some_admin', bypassing the intended restriction.

It doesn't make much sense to allow mapping admin roles to delegated realm admins. This issue is about changing the behavior to allow mapping admin roles for the server admin only, not for delegated realm admins.
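As an added illustration, not Keycloak code and not part of this issue, the following Python model replays the setup above and then the proposed change. The User and Permissions classes, the user name delegated_admin and the scope label "client-map-roles" are constructed for the model; the assumption that holding the realm-management client's "manage-users" role grants management of every realm user regardless of the fine-grained deny is taken from the bypass the issue describes.

```python
from dataclasses import dataclass, field

# Constructed model of the delegation scenario from the issue; not Keycloak code.
# Assumption: "manage-users" is a role of the realm's "realm-management" client,
# and holding it grants management of every realm user regardless of the
# fine-grained permissions (the bypass the issue describes).
ADMIN_CLIENT = "realm-management"
ALL_USERS = "users:*"
ALL_CLIENTS = "clients:*"


@dataclass
class User:
    name: str
    is_server_admin: bool = False
    roles: set = field(default_factory=set)  # client roles stored as "client/role"


@dataclass
class Permissions:
    # scope -> resources it is allowed on (ALL_USERS, ALL_CLIENTS or a user name)
    allow: dict
    # scope -> user names explicitly disallowed (deny wins over allow)
    deny: dict


def fine_grained(perms: Permissions, scope: str, target: str) -> bool:
    """Evaluate a fine-grained user scope (view/manage/map-roles) for one target user."""
    if target in perms.deny.get(scope, set()):
        return False
    allowed = perms.allow.get(scope, set())
    return ALL_USERS in allowed or target in allowed


def can_manage(actor: User, target: User, perms: Permissions) -> bool:
    """Server admins and holders of realm-management/manage-users bypass the
    fine-grained restriction; everyone else is evaluated against it."""
    if actor.is_server_admin or f"{ADMIN_CLIENT}/manage-users" in actor.roles:
        return True
    return fine_grained(perms, "manage", target.name)


def map_client_role(actor: User, target: User, client: str, role: str,
                    perms: Permissions, admin_roles_server_only: bool) -> bool:
    """Map a client role onto target. With admin_roles_server_only=True (the
    behaviour the issue asks for) roles of the admin client can be mapped only
    by a server admin; otherwise the ordinary map-roles permissions apply."""
    if not actor.is_server_admin:
        if admin_roles_server_only and client == ADMIN_CLIENT:
            return False
        # a delegated admin needs map-roles on the target user and on the client
        if not fine_grained(perms, "map-roles", target.name):
            return False
        if ALL_CLIENTS not in perms.allow.get("client-map-roles", set()):
            return False
    target.roles.add(f"{client}/{role}")
    return True


def delegation_scenario(admin_roles_server_only: bool):
    """Replay the issue: a delegated admin maps manage-users onto themselves.
    Returns (can_manage_some_admin_before, mapping_succeeded, can_manage_some_admin_after)."""
    delegated = User("delegated_admin")
    some_admin = User("some_admin")
    perms = Permissions(
        allow={
            "view": {ALL_USERS}, "map-roles": {ALL_USERS}, "manage": {ALL_USERS},
            "client-view": {ALL_CLIENTS}, "client-map-roles": {ALL_CLIENTS},
        },
        deny={"manage": {"some_admin"}, "map-roles": {"some_admin"}},
    )
    before = can_manage(delegated, some_admin, perms)
    mapped = map_client_role(delegated, delegated, ADMIN_CLIENT, "manage-users",
                             perms, admin_roles_server_only)
    after = can_manage(delegated, some_admin, perms)
    return before, mapped, after


if __name__ == "__main__":
    print("current behaviour: ", delegation_scenario(False))  # (False, True, True)
    print("proposed behaviour:", delegation_scenario(True))   # (False, False, False)
```

With the current behaviour the delegated admin cannot manage some_admin at first, but the self-mapping of manage-users succeeds and the deny is bypassed; with admin roles restricted to the server admin the mapping is refused and the deny keeps holding.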

Assignee: Unassigned
Reporter: pvlha (Pavel Vlha)
Component: Keycloak Core IAM
Votes: 0
Watchers: 1
