Adding new admin users?

[EricWilson-BluePrism]

Newb question. I've just deployed the basic docker image of ContextForge. I'm able to login using the default admin credentials, and I'm able to create a new user account. On that account, I checked the option to specify the user is an administrator, but when I try to login using that new account, I receive the following error response:

{"detail":"Insufficient permissions. Required: admin.dashboard"}

Where do I apply additional permissions/roles for a user as I don't see an option in the admin UI?

[brian-hussey]

Hi @EricWilson-BluePrism, welcome. The UI has not quite caught up for certain things like this.

There is definitely a defect here (I'm creating one now, I'll have details shortly).
In the mean time you can workaround this problem:

The workaround for the issue is to use the Swagger UI: https:///docs#/RBAC/list_roles_rbac_roles_get to get the id of the admin role and then the https:///docs#/RBAC/assign_role_to_user_rbac_users__user_email__roles_post with user_email equal to the new user's email and the payload:
{
"role_id": "",
"scope": "global",
"expires_at": "some expiration"
}

If you have a way to look at the database behind the scenes, what's missing is an entry in the user_roles table to link your newly generated user to the global administrator role - which in turn gives the catchall permission including admin.dashboard.

[brian-hussey]

I created defect: #2741 after reproducing the same problem.

[crivetimihai]

Hi @EricWilson-BluePrism, thanks for reporting this. Could you share your user role setup payload and the exact API/UI flow you used when creating the user? I’m going to verify user/role linkage behavior and close the gap if confirmed.

[EricWilson-BluePrism]

Hi @crivetimihai,

Apologies for the delayed response. I actually created the user account and assigned the admin role directly through the UI. I haven't tried it via the API yet.

Via the UI...

1. I logged in using the default admin account (admin@example.com)
2. In the navigation menu, I scrolled down to Users.
3. In User Management, I entered an email address, username, and password for a new user account. Then I checked the Administrator privileges checkbox.
4. Clicked the Create User button.
5. Received a green User created successfully! respond message in the UI.

Cheers,
Eric

[crivetimihai]

Hi @EricWilson-BluePrism, to expand on @brian-hussey's workaround — this is a known gap in the Admin UI. Creating a user and checking "administrator" in the UI does not automatically assign the platform_admin RBAC role.

Quick fix via API:

# 1. Get the platform_admin role ID
curl -H "Authorization: Bearer $TOKEN" https://your-server/rbac/roles
# Look for the role with name "platform_admin"

# 2. Assign platform_admin role to the new user
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  https://your-server/rbac/users/newuser@example.com/roles \
  -d '{
    "role_id": "<platform_admin role UUID>",
    "scope": "global"
  }'

The platform_admin role grants * (all permissions) at global scope, which includes admin.dashboard. The built-in roles are:

Role	Scope	Key Permissions
platform_admin	global	* (all)
team_admin	team	teams.*, tools.read/execute, resources.read
developer	team	tools.read/execute, resources.read
viewer	team	tools.read, resources.read (read-only)

This UI gap is tracked and will be addressed in an upcoming release.

Update: Opened #3501 to track this bug.

[crivetimihai]

Hi @EricWilson-BluePrism, following up — this bug has been fixed. Issue #3501 ([BUG][RBAC]: Admin UI 'administrator' checkbox does not reliably assign platform_admin RBAC role) is now closed.

If you're on the latest release, creating a user with the "administrator" checkbox in the Admin UI should correctly assign the platform_admin RBAC role, which includes the admin.dashboard permission.

If you're still on an older version, @brian-hussey's workaround via the Swagger UI remains the fix:

# 1. Get the platform_admin role ID
curl -s -H "Authorization: Bearer $TOKEN" https://your-server/rbac/roles \
  | jq '.[] | select(.name=="platform_admin") | .id'

# 2. Assign to user
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  "https://your-server/rbac/users/newuser@example.com/roles" \
  -d '{ "role_id": "<role-id-from-step-1>", "scope": "global" }'

This grants the * (all) permission set at global scope, which includes admin.dashboard.

[itxashancode]

I hit this exact issue when I first stood up ContextForge last year. The Admin UI’s “administrator” checkbox only sets a flag; it doesn’t actually grant the platform_admin RBAC role unless you’re on a release that includes fix #3501. Check your image tag - if it’s older than v0.12.0 (or whatever the fix landed in), you need to assign the role manually via the API.

First, grab the role ID:

curl -s -H "Authorization: Bearer $TOKEN" http://localhost:8000/api/v1/roles | jq '.[] | select(.name=="platform_admin") | .id'

Then attach it to your new user (replace USER_ID and ROLE_ID):

curl -X POST -H "Authorization: Bearer $TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"role_ids":["ROLE_ID"]}' \
 http://localhost:8000/api/v1/users/USER_ID/roles

After that, the new admin should log in without the `admin.d.d