Currently, OpenAM lets you assign privileges as follows:
1. Log in to the admin console.
2. Click a realm from the [Access Control] tab.
3. Click [Subjects] -> [Group] -> "New..." and create a group.
4. Click the [Privileges] tab and you will see the newly created group. Click that group and assign privileges.
When you grant the privilege "Read and write access to all realm and policy properties", that subject gets full access to the realm and its policies. Unfortunately, you cannot limit the privilege so that it covers managing subjects but not auth chains. This RFE is to enhance OpenAM to support more fine-grained privileges.