We upgraded Camunda Self‑Managed from 8.7 to 8.8. After the migration:
- Users that already existed in 8.7 can access Operate and Tasklist normally.
- New users created after the upgrade (created in Keycloak Admin Console) can authenticate, but when they open Operate/Tasklist they get 403 Forbidden.
To troubleshoot, we checked the “current user / permissions” JSON returned by the platform.
Old (working) user shows roles/tenants:
- authorizedComponents: ["*"]
- tenants: [{ tenantId: "<default>", name: "Default" }]
- groups: ["cm-team"]
- roles: ["operate", "tasklist", "identity", "zeebe", ...]
New (failing) user shows nothing:
- authorizedComponents: []
- tenants: []
- groups: []
- roles: []
We also tried assigning the new user to the Default tenant in Management Identity / Identity UI, but after logout/login the JSON is still empty and Operate/Tasklist still return 403.
In Management Identity we can see the list of roles (Operate, Tasklist, Zeebe, etc.), but they are not reflected in the effective permissions for the new user.
Question: In 8.8, is there a required change in how new Keycloak users are provisioned/mapped to Identity tenants/roles compared to 8.7?
Environment (can add details):
- Camunda: 8.8 Self‑Managed (upgraded from 8.7)
- Identity: enabled (Management Identity UI available)
- Error: 403 in Operate/Tasklist for newly created users
- Multitenant enabled
- External database is used