
[Bug] Tenant Admin receives 403 Forbidden when updating Identity section in Carbon Console #4711

@ashiduDissanayake

Description
In WSO2 API Manager 4.7.0, there appears to be a permission regression for Tenant Administrators using the Carbon Management Console. When a Super Admin updates the Resident Identity Provider settings, the request succeeds. However, when a Tenant Admin (e.g., admin@wso2.com) attempts to update their tenant's Resident Identity Provider settings, the backend rejects the POST request with a 403 Forbidden error. Other cases, such as adding users and updating the Resident Service Provider, fail as well.

Steps to Reproduce

  1. Start the WSO2 APIM 4.7.0 server.
  2. Create a new tenant (e.g., wso2.com).
  3. Log into the Carbon Management Console (https://localhost:9443/carbon) using the Tenant Admin credentials (e.g., admin@wso2.com).
  4. On the left sidebar, navigate to Main -> Identity -> Identity Providers -> Resident.
  5. Expand any accordion (e.g., Account Management Policies -> User Self Registration) and toggle a setting.
  6. Scroll to the bottom and click Update.

Version

WSO2 API Manager 4.7.0-m1

Environment Details (with versions)

OS: Ubuntu 24
DB: MySQL 8.0

Metadata

Assignees

No one assigned

Labels

  - 4.7.0 (Label for General Availability Release of APIM 4.7.0)
  - BugFixing (Tracks the bugs to be fixed for APIM)
  - Type/Bug
  - jdk21
