From 9f7e76f066d390a25cde7e3678197e8e51651be4 Mon Sep 17 00:00:00 2001
From: Nico Schottelius <nico@nico-notebook.schottelius.org>
Date: Sat, 17 Nov 2018 09:51:06 +0100
Subject: [PATCH] Introduce realms in documentation

---
 README.md | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index abcd781..cbf420b 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,25 @@ The usual instructions on how to setup an https proxy should be followed.
 Access is granting/denied based on realms. There are two reserved
 realms, all other realms can be used by the users:
 
-* ungleich-admin: realm??
+### Reserved realms
+
+Conceptually the realms "ungleich-admin" and "ungleich-auth" are
+reserved for higher priviliged applications.
+
+Usually there is only 1 entry in ungleich-admin that is used to
+bootstrap and manage ungleich-otp.
+
+All micro services that are trusted to authenticate another micro
+service should have an entry in the ungleich-auth realm, which allows
+them to verify a token of somebody else.
+
+
+| Name             | Capabilities                               |
+|------------------+--------------------------------------------|
+| ungleich-admin   | authenticate, create, delete, list, update |
+| ungleich-auth    | authenticate                               |
+| all other realms | NO ACCESS                                  |
+
 
 ## Status ##