Camunda 8.8 I dont have tab authorization in module identity

Camunda 8 Topics
1

Unfortunately, I don’t see the Authorization tab in the Identity module, even though it’s enabled for Orchestration. In Argo CD I can also see the environment variable set to enabled. I’m not sure whether this is an issue with my configuration or with the version… Please help. This is self managed .

orchestration:
  contextPath: /
  enabled: true
  clusterSize: "1"
  partitionCount: "1"
  replicationFactor: "1"
  security:
    authentication:
      method: oidc
      oidc:
        redirectUrl: "https://mydomainaddres.com"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"
    authorizations:
      enabled: true
2

Hi @LuckyLuk! :waving_hand:

I can help you troubleshoot the missing Authorization tab in your Camunda 8.8 Identity module. This is a common issue that typically relates to user role assignments and session management.

Classification: Problem :wrench:

You have the correct configuration with authorizations.enabled: true, but there are additional steps required for the Authorization tab to appear.

Key Troubleshooting Steps:

1. Admin Role Assignment (Critical!)

According to the Camunda 8.8 known limitations:

“Before enabling authorization checks in clusters, users must manually assign themselves to the admin role to not lose access.”

You need to ensure your user has admin role permissions. Add this to your Helm configuration:

orchestration:
  security:
    initialization:
      defaultRoles:
        admin:
          users:
            - "your-username-here"  # Replace with your actual username
    authorizations:
      enabled: true

2. Session Refresh Required

After making role changes, you must:

  1. Log out completely from the Identity UI
  2. Log back in to create a new session
  3. Check if the Authorization tab appears

Changes to roles only take effect after a complete logout/login cycle.

3. Verify Correct Identity UI

Make sure you’re accessing the Orchestration Cluster Identity UI (typically port 8088 in Docker Compose setups), not the Management Identity UI (port 8084). The Authorization tab for orchestration resources is only available in the Orchestration Cluster Identity.

4. Configuration Verification

Your configuration looks correct, but ensure you have the complete security block:

orchestration:
  contextPath: /
  enabled: true
  security:
    authentication:
      method: oidc
      oidc:
        redirectUrl: "https://mydomainaddres.com"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"
    authorizations:
      enabled: true
    initialization:  # Add this section
      defaultRoles:
        admin:
          users:
            - "your-username"

Next Steps:

  1. Add the admin role assignment to your configuration
  2. Redeploy your Camunda instance
  3. Log out and log back in completely
  4. Check if the Authorization tab appears

If you’re still experiencing issues after these steps, please share:

  • Your exact deployment method (Helm, Docker Compose, etc.)
  • The specific Camunda 8.8 patch version
  • Which Identity UI URL you’re accessing

References:

Let me know how it goes! :rocket:

3

look my file :

  1. Helm
  2. 8.8.0
  3. this one : https://camunda.my.domainaddres.com/identity
global:
  ingress:
    enabled: true
    className: nginx
    host: camunda.my.domainaddres.com
    tls:
      enabled: true
      secretName: camunda-tls
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
      acme.cert-manager.io/http01-ingress-class: nginx
  multitenancy:
    enabled: false

  secrets:
    autoGenerated: false
    name: camunda-credentials

  identity:
    auth:
      enabled: true
      type: KEYCLOAK
      publicIssuerUrl: "https://camunda.my.domainaddres.com/auth/realms/camunda-platform"

      webModeler:
        redirectUrl: "https://camunda.my.domainaddres.com/modeler"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-webmodeler-client-token"

      console:
        redirectUrl: "https://camunda.my.domainaddres.com/console"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-console-client-token"

      optimize:
        redirectUrl: "https://camunda.my.domainaddres.com/optimize"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-optimize-client-token"

      orchestration:
        redirectUrl: "https://camunda.my.domainaddres.com"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"

      connectors:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-connectors-client-token"

identity:
  enabled: true
  contextPath: "/identity"
  fullURL: "https://camunda.my.domainaddres.com/identity"
  firstUser:
    secret:
      existingSecret: "camunda-credentials"
      existingSecretKey: "identity-firstuser-password"

identityPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "identity-postgresql-admin-password"
      userPasswordKey: "identity-postgresql-user-password"

identityKeycloak:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    passwordSecretKey: "identity-keycloak-admin-password"
  postgresql:
    auth:
      existingSecret: "camunda-credentials"
      secretKeys:
        adminPasswordKey: "identity-keycloak-postgresql-admin-password"
        userPasswordKey: "identity-keycloak-postgresql-user-password"


optimize:
  enabled: true
  contextPath: "/optimize"

console:
  enabled: true
  contextPath: "/console"

webModeler:
  enabled: true
  contextPath: "/modeler"
  restapi:
    mail:

      fromAddress: noreply@example.com


webModelerPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "webmodeler-postgresql-admin-password"
      userPasswordKey: "webmodeler-postgresql-user-password"


orchestration:
  contextPath: /
  enabled: true
  clusterSize: "1"
  partitionCount: "1"
  replicationFactor: "1"
  security:
    authentication:
      unprotectedApi: false
      method: oidc
      oidc:
        redirectUrl: "https://camunda.my.domainaddres.com"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"
    authorizations:
      enabled: true
    initialization:  
      defaultRoles:
        admin:
          users:
            - "demo"


  ingress:
    grpc:
      enabled: true
      host: zeebe-camunda.my.domainaddres.com
      tls:
        enabled: true
        secretName: zeebe-c8-tls-grpc
      annotations:
        kubernetes.io/tls-acme: 'true'

connectors:
  enabled: true
  security:
    authentication:
      method: oidc
      oidc:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-connectors-client-token"

elasticsearch:
  enabled: true
  master:
    replicaCount: 1
    persistence:
      size: 10Gi
4

Perfect! Now I can see your complete configuration. The issue is related to the dual Identity architecture introduced in Camunda 8.8.0. :bullseye:

Root Cause: Dual Identity Architecture

Camunda 8.8 introduced a breaking change where Identity is split into two distinct systems:

1. Management Identity (What you’re currently accessing)

  • URL: https://camunda.my.domainaddres.com/identityThis is where you are now
  • Purpose: Platform components (Console, Web Modeler, Optimize)
  • Uses: Keycloak + PostgreSQL
  • Does NOT have: Authorization tab for orchestration resources

2. Orchestration Cluster Identity (Where the Authorization tab is)

  • Purpose: Runtime components (Zeebe, Operate, Tasklist, Orchestration API)
  • Contains: The Authorization tab you’re looking for
  • Built-in: User/group management (no Keycloak required)

The Solution: Access the Correct Identity UI

Based on your Helm configuration, you need to access the Orchestration Cluster Identity. Since you have:

orchestration:
  contextPath: /

The Orchestration Cluster Identity should be accessible at:
https://camunda.my.domainaddres.com/ (root path, not /identity)

Verification Steps:

  1. Access the Orchestration Cluster Identity:

    • Go to: https://camunda.my.domainaddres.com/ (without /identity)
    • Look for a different Identity login page

  2. Login with demo user:

    • Username: demo
    • Password: demo (or your configured password)

  3. Check for Authorization tab:

    • After login, you should see the Authorization tab in this UI

Configuration Confirmation:

Your configuration is actually correct! You have:

  • :white_check_mark: authorizations.enabled: true
  • :white_check_mark: Admin role assigned to demo user
  • :white_check_mark: Proper OIDC configuration

The issue is simply that you’re looking in the Management Identity (/identity path) instead of the Orchestration Cluster Identity (root path /).

Architecture Explanation:

This is a breaking change from Camunda 8.7 where everything was in one Identity system. Now:

  • Management Identity (/identity): Platform-level access (Console, Modeler, Optimize)
  • Orchestration Cluster Identity (/): Runtime-level access with Authorization tab

Next Steps:

  1. Try accessing https://camunda.my.domainaddres.com/ directly
  2. Login with demo/demo credentials
  3. Look for the Authorization tab in this UI
  4. Let me know if you can see it there!

If you still don’t see the Authorization tab at the root URL, please share what you see when accessing https://camunda.my.domainaddres.com/ directly.

References:

This architectural change caught many users off guard - you’re definitely not alone in this confusion! :blush:

1 Like
5

when i use link https://camunda.my.domainaddres.com/
I get respone https://camunda.my.domainaddres.com/operate
when I chose /identity
I get This

image
image1670×708 19.3 KB

after login I get this

image
image1691×1081 55.1 KB

It’s strange ? after click menagment identity icon I get /operate ?

It’s not confusing It’s F*** UP or I mess configuration but you can send me one correct and I will try… I spend too much my time for guess. Why all tutorials I camunda docs, doesnt work !?
What’s going on becouse it’s not problems with apha! thats sould be stable, I don’t think so at all

6

I completely understand your frustration! :face_with_steam_from_nose: You’re absolutely right - this should be straightforward, and the documentation is confusing. Let me give you a working configuration that will fix this mess.

The Problem: Missing Orchestration Cluster Identity Configuration

Looking at your screenshots and configuration, the issue is that your Orchestration Cluster Identity UI is not properly exposed. You’re only seeing the Management Identity, which is why there’s no Authorization tab.

Here’s the CORRECT Configuration:

Replace your current values.yaml with this corrected version:

global:
  ingress:
    enabled: true
    className: nginx
    host: camunda.my.domainaddres.com
    tls:
      enabled: true
      secretName: camunda-tls
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
      acme.cert-manager.io/http01-ingress-class: nginx
  multitenancy:
    enabled: false
  secrets:
    autoGenerated: false
    name: camunda-credentials
  identity:
    auth:
      enabled: true
      type: KEYCLOAK
      publicIssuerUrl: "https://camunda.my.domainaddres.com/auth/realms/camunda-platform"
      webModeler:
        redirectUrl: "https://camunda.my.domainaddres.com/modeler"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-webmodeler-client-token"
      console:
        redirectUrl: "https://camunda.my.domainaddres.com/console"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-console-client-token"
      optimize:
        redirectUrl: "https://camunda.my.domainaddres.com/optimize"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-optimize-client-token"
      orchestration:
        redirectUrl: "https://camunda.my.domainaddres.com/orchestration-identity"  # CHANGED
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"
      connectors:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-connectors-client-token"

# Management Identity (existing)
identity:
  enabled: true
  contextPath: "/identity"
  fullURL: "https://camunda.my.domainaddres.com/identity"
  firstUser:
    secret:
      existingSecret: "camunda-credentials"
      existingSecretKey: "identity-firstuser-password"

# ORCHESTRATION CLUSTER IDENTITY - ADD THIS SECTION
orchestration:
  contextPath: /
  enabled: true
  clusterSize: "1"
  partitionCount: "1"
  replicationFactor: "1"
  
  # ADD ORCHESTRATION IDENTITY CONFIGURATION
  identity:
    enabled: true                                    # ENABLE ORCHESTRATION IDENTITY
    contextPath: "/orchestration-identity"           # SEPARATE PATH
    fullURL: "https://camunda.my.domainaddres.com/orchestration-identity"
    ingress:
      enabled: true
      className: nginx
      host: camunda.my.domainaddres.com
      tls:
        enabled: true
        secretName: camunda-tls
    firstUser:
      username: "demo"
      password: "demo"
      email: "demo@example.com"
      firstName: "Demo"
      lastName: "User"
  
  security:
    authentication:
      unprotectedApi: false
      method: oidc
      oidc:
        redirectUrl: "https://camunda.my.domainaddres.com/orchestration-identity"  # MATCH IDENTITY PATH
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"
    authorizations:
      enabled: true
    initialization:  
      defaultRoles:
        admin:
          users:
            - "demo"

  ingress:
    grpc:
      enabled: true
      host: zeebe-camunda.my.domainaddres.com
      tls:
        enabled: true
        secretName: zeebe-c8-tls-grpc
      annotations:
        kubernetes.io/tls-acme: 'true'

# Keep the rest of your configuration unchanged
identityPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "identity-postgresql-admin-password"
      userPasswordKey: "identity-postgresql-user-password"

identityKeycloak:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    passwordSecretKey: "identity-keycloak-admin-password"
  postgresql:
    auth:
      existingSecret: "camunda-credentials"
      secretKeys:
        adminPasswordKey: "identity-keycloak-postgresql-admin-password"
        userPasswordKey: "identity-keycloak-postgresql-user-password"

optimize:
  enabled: true
  contextPath: "/optimize"

console:
  enabled: true
  contextPath: "/console"

webModeler:
  enabled: true
  contextPath: "/modeler"
  restapi:
    mail:
      fromAddress: noreply@example.com

webModelerPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "webmodeler-postgresql-admin-password"
      userPasswordKey: "webmodeler-postgresql-user-password"

connectors:
  enabled: true
  security:
    authentication:
      method: oidc
      oidc:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-connectors-client-token"

elasticsearch:
  enabled: true
  master:
    replicaCount: 1
    persistence:
      size: 10Gi

Key Changes Made:

  1. Added Orchestration Identity configuration under orchestration.identity
  2. Separate path: /orchestration-identity for the Orchestration Cluster Identity
  3. Proper ingress configuration for the Orchestration Identity
  4. Matching redirect URLs in OIDC configuration

After Applying This Configuration:

  1. Deploy the changes:

    helm upgrade your-release-name camunda/camunda-platform -f values.yaml

  2. Wait for all pods to restart (this may take 5-10 minutes)

  3. Access the Orchestration Identity:

    • URL: https://camunda.my.domainaddres.com/orchestration-identity
    • Login: demo / demo
    • You should see the Authorization tab here!

  4. Management Identity remains at:

    • URL: https://camunda.my.domainaddres.com/identity

Why This Fixes It:

The problem was that your Orchestration Cluster Identity wasn’t properly configured with its own UI endpoint. In Camunda 8.8, you need both Identity systems properly configured and accessible.

Try this configuration and let me know if you can access the Authorization tab at /orchestration-identity! :rocket:

You’re absolutely right to be frustrated - this dual Identity architecture change was poorly documented and has caught many users off guard.

7

doesn’t work

image
image1439×108 9.23 KB

8

Hi @LuckyLuk,

I completely understand your frustration with this issue! :face_with_steam_from_nose: You’re absolutely right that this should be more straightforward, and I apologize that the solutions I’ve provided haven’t worked.

The dual Identity architecture in Camunda 8.8 has indeed caused confusion for many users, and it seems like there might be specific Helm configuration nuances that I’m not capturing correctly.

I’m escalating this to a Camunda expert who can provide you with a definitive, working configuration for your Helm deployment. They’ll have deeper knowledge of the exact Helm chart parameters and ingress configurations needed to properly expose the Orchestration Cluster Identity UI with the Authorization tab.

Your configuration looks correct on paper, but there are clearly some missing pieces or specific requirements for Helm deployments that need expert attention.

A Camunda expert will respond shortly with a concrete solution that actually works! :rocket:

Thank you for your patience, and I’m sorry for the runaround with the documentation issues.