Issue with creating the Tenant in Identity

Based on the information I found, this is a problem related to user permissions in Keycloak. The “Forbidden” error you’re encountering when trying to create tenants in Camunda Identity is typically caused by insufficient permissions for your Keycloak user.

Here are the key steps to resolve this issue:

1. Check User Roles in Keycloak

The most common cause is that your Keycloak user doesn’t have the necessary Camunda roles assigned. Even though you mentioned the user has “full access,” you need to ensure:

  • The user has the correct Camunda-specific roles assigned in Keycloak
  • You’re working in the correct Keycloak realm (not the master realm)
  • The user is assigned to appropriate groups with tenant management permissions

Troubleshooting tip: Try using the default “demo” user to create a tenant first. If this works, it confirms the issue is with your user’s role assignments.

2. Resource Authorizations Configuration

Since you’re using multi-tenancy, you may need to configure resource authorizations:

  • Ensure resource authorizations are enabled via environment variables
  • Verify that your user or their group has explicit permissions for tenant resources
  • This feature is only supported when using Keycloak as the Identity Provider

3. Verify Multi-Tenancy Configuration

Double-check that:

  • MULTITENANCY_ENABLED is set to true in all relevant Camunda components
  • Identity is configured with an external database (which you mentioned is working)
  • All components are properly configured for multi-tenancy

4. Check Logs for More Details

Review both Keycloak and Camunda Identity logs for more specific error messages that might indicate exactly which permission is missing.

Recommended Next Steps:

  1. First, try creating a tenant with the default “demo” user to confirm the setup works
  2. Then, check your custom user’s role assignments in Keycloak and ensure they match the demo user’s permissions
  3. If using resource authorizations, verify the user has explicit tenant management permissions

Relevant Documentation:

Could you please try these steps and let me know:

  1. Can you create a tenant using the demo user?
  2. What specific roles are assigned to your custom user in Keycloak?
  3. Are you using resource authorizations, and if so, how are they configured?
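As an added illustration of the checks in steps 1 to 3 (example code, not part of the original reply or of Camunda or Keycloak), the following script compares a custom user's effective Keycloak role mappings against a known-good reference user such as the default “demo” user, flags components where MULTITENANCY_ENABLED is missing or not set to true, and warns when the realm in use is master. The role-mapping dictionaries mirror the shape of a Keycloak admin REST API role-mapping response but are constructed samples; the role names in them are placeholders, not Camunda's real role names, and the environment values are invented.

```python
"""Pre-checks for a "Forbidden" when creating tenants in Camunda Identity.

Compares a user's Keycloak role mappings with a reference user's, checks
MULTITENANCY_ENABLED per component, and warns about the master realm.
All sample data below is constructed; role names are placeholders.
"""
from __future__ import annotations

# Constructed sample: reduced to the fields of a Keycloak admin API
# role-mapping response (GET /admin/realms/{realm}/users/{id}/role-mappings)
# that matter here. "Tenant Admin" and "write:tenants" are placeholder names.
DEMO_USER_MAPPINGS = {
    "realmMappings": [
        {"name": "Identity", "clientRole": False},
        {"name": "Tenant Admin", "clientRole": False},  # placeholder role name
    ],
    "clientMappings": {
        "camunda-identity": {
            "client": "camunda-identity",
            "mappings": [{"name": "write:tenants", "clientRole": True}],  # placeholder
        }
    },
}

# Constructed sample: the custom user that gets "Forbidden".
CUSTOM_USER_MAPPINGS = {
    "realmMappings": [{"name": "Identity", "clientRole": False}],
    "clientMappings": {},
}

# Constructed sample of each component's environment (what a compose or
# Helm values dump would show). Values are invented for the example.
COMPONENT_ENV = {
    "zeebe": {"MULTITENANCY_ENABLED": "true"},
    "operate": {"MULTITENANCY_ENABLED": "True"},
    "tasklist": {"MULTITENANCY_ENABLED": "false"},
    "identity": {},  # variable not set at all
}


def effective_roles(mappings: dict) -> set[str]:
    """Flatten realm and client role mappings into 'container/role' names."""
    roles = {f"realm/{r['name']}" for r in mappings.get("realmMappings", [])}
    for client, entry in mappings.get("clientMappings", {}).items():
        roles |= {f"{client}/{r['name']}" for r in entry.get("mappings", [])}
    return roles


def missing_roles(user: dict, reference: dict) -> set[str]:
    """Roles the reference user (e.g. demo) holds that the user under test lacks."""
    return effective_roles(reference) - effective_roles(user)


def multitenancy_misconfigured(env_by_component: dict[str, dict[str, str]]) -> list[str]:
    """Components where MULTITENANCY_ENABLED is unset or not 'true'.

    Assumption: only the literal 'true' (case-insensitive) is accepted;
    any other spelling is reported so it can be checked by hand.
    """
    bad = []
    for name, env in env_by_component.items():
        value = env.get("MULTITENANCY_ENABLED")
        if value is None or value.strip().lower() != "true":
            bad.append(name)
    return sorted(bad)


def tenant_create_precheck(user: dict, reference: dict,
                           env_by_component: dict, realm: str) -> dict:
    """Collect the findings a practitioner would want before retrying."""
    return {
        "missing_roles": sorted(missing_roles(user, reference)),
        "multitenancy_misconfigured": multitenancy_misconfigured(env_by_component),
        "using_master_realm": realm == "master",
    }


if __name__ == "__main__":
    # Constructed realm name for the demonstration run.
    findings = tenant_create_precheck(
        CUSTOM_USER_MAPPINGS, DEMO_USER_MAPPINGS, COMPONENT_ENV, realm="master")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Feed it the real role-mapping JSON exported for both users and the real per-component environment, and the report tells you which roles to add to the custom user, which components still need MULTITENANCY_ENABLED, and whether you are accidentally operating in the master realm.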