When creating a new tenant via the ABP Tenant Management API (POST /api/tenant-management/tenants) from an external application, the tenant and admin user are created successfully. However, after logging in as the newly created admin user, the user is unable to create additional users due to missing permissions or role assignment.
This suggests that role-to-user mapping is not being applied automatically during tenant creation when the API is called externally (e.g., from Postman, another service, or an automated script), even though the same call works correctly when made via Swagger or the ABP UI. Here is the example payload we are passing from the other ABP application:

```json
{
  "name": "Tenant30",
  "tenantType": 0,
  "editionId": "Basic",
  "activationState": 0,
  "adminEmailAddress": "itp@gmail.com",
  "adminPassword": "Password@123",
  "extraProperties": {
    "subscriptionPlan": 0,
    "contact": "09876543210",
    "adminName": "Vasudha Gurram",
    "tenantHostName": "T30",
    "adminEmail": "itp@gmail.com",
    "firstName": "Vasudha",
    "lastName": "Gurram",
    "description": null,
    "country": "India",
    "region": "HYD"
  }
}
```
1 Answer(s)
When creating a new tenant via the ABP Tenant Management API, the admin user for the tenant should be assigned the default roles and permissions as part of the tenant seeding process. However, if the admin user cannot create additional users (receiving a 403 Forbidden error), it usually means the necessary permissions (such as "Identity.Users.Create") are not granted to the admin role or the admin user.
This issue can occur if:
- The permission seeding logic is not executed for tenants created via external API calls.
- The migration/seeding process does not assign the required permissions to the admin role for the new tenant.
Solution Steps
Check Permission Seeding Logic
- Ensure your data seeding logic (typically in your DbMigrationService or similar) assigns all required permissions to the admin role for each tenant.
- The seeding should run for every new tenant, regardless of how the tenant is created (UI, Swagger, or API).
Example logic:
```csharp
// _currentTenant is ICurrentTenant; SeedDataAsync is the migration service's own
// per-tenant seeding method. Change() switches the ambient tenant so the seed
// data is written under that tenant's id.
foreach (var tenant in tenants)
{
    using (_currentTenant.Change(tenant.Id))
    {
        await SeedDataAsync(tenant);
    }
}
```
Verify Permission Assignment
- Confirm that the "admin" role in the new tenant has the necessary permissions (e.g., AbpIdentity.Users.Create).
- You can check this in the database (AbpPermissionGrants table) or via the Permission Management UI.
Update Seeding if Needed
- If you add new permissions after tenants are created, you must update your seeding logic to grant these permissions to existing tenants' admin roles.
- After updating, run your migrator or a custom script to apply the changes to all tenants.
Test Tenant Creation
- Create a new tenant via the API and verify that the admin user can create users.
- If not, check the logs for errors during the seeding process.
Reference Example
- See the discussion and code samples in the ABP support thread for handling permission seeding:
- https://abp.io/support/questions/1244
Additional Notes
- If you are using a custom tenant creation process, ensure you call the data seeder after tenant creation.
- If you use extra properties or custom logic, make sure it does not interfere with the default role/permission assignment.
Example: Granting Permissions in Seeder
```csharp
// IPermissionManager keys role grants by role name (the "R" provider key),
// so the role name is passed here rather than a role id.
await _permissionManager.SetForRoleAsync(
    roleName: "admin",
    permissionName: "AbpIdentity.Users.Create",
    isGranted: true);
```
This ensures the admin role has the required permission.
Sources:
- ABP Tenant Management Module Documentation
- ABP Support: New permission not granted to tenant admin users
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
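The answer's "Check Permission Seeding Logic" and "Verify Permission Assignment" steps combined into one runnable piece, as an added example that is not part of the original question or answer and is not ABP's own code. It is an `IDataSeedContributor` that runs inside ABP's normal tenant-creation path (TenantAppService calls `IDataSeeder`, which invokes every registered contributor with the new tenant's id), so it fires no matter whether the tenant is created from Swagger, the UI, or an external client. It assumes the class is registered in the host application that exposes `/api/tenant-management/tenants`, that the `Volo.Abp.Identity` and `Volo.Abp.PermissionManagement` packages are referenced, and that ABP's own Identity seeder has already created the `admin` role by the time this contributor runs (it is registered by a module this one depends on, so it is invoked first). The permission names are the real `IdentityPermissions` constants; the class name and `GetMissingPermissionsAsync` helper are this example's own.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;
using Volo.Abp.MultiTenancy;
using Volo.Abp.PermissionManagement;

// Added example (not ABP's or the asker's code). Assumes it lives in the host
// application whose API creates tenants, so TenantAppService -> IDataSeeder ->
// this contributor runs for every new tenant, however the API was called.
public class TenantAdminPermissionSeedContributor : IDataSeedContributor, ITransientDependency
{
    // Permissions the tenant admin role needs in order to manage users.
    // These are ABP's IdentityPermissions constants ("AbpIdentity.Users.Create" etc.).
    public static readonly IReadOnlyList<string> RequiredPermissions = new[]
    {
        IdentityPermissions.Users.Default,
        IdentityPermissions.Users.Create,
        IdentityPermissions.Users.Update,
        IdentityPermissions.Users.Delete,
        IdentityPermissions.Users.ManagePermissions,
        IdentityPermissions.Roles.Default,
    };

    // Role created by ABP's IdentityDataSeeder for every tenant (assumed default name).
    private const string AdminRoleName = "admin";

    private readonly IIdentityRoleRepository _roleRepository;
    private readonly IPermissionManager _permissionManager;
    private readonly ICurrentTenant _currentTenant;
    private readonly ILookupNormalizer _lookupNormalizer;

    public TenantAdminPermissionSeedContributor(
        IIdentityRoleRepository roleRepository,
        IPermissionManager permissionManager,
        ICurrentTenant currentTenant,
        ILookupNormalizer lookupNormalizer)
    {
        _roleRepository = roleRepository;
        _permissionManager = permissionManager;
        _currentTenant = currentTenant;
        _lookupNormalizer = lookupNormalizer;
    }

    public async Task SeedAsync(DataSeedContext context)
    {
        // Host-side seeding (TenantId == null) is left to the default contributors;
        // this contributor only completes tenant admin roles.
        if (context.TenantId == null)
        {
            return;
        }

        // Switch the ambient tenant so the role lookup and the grants are stored
        // under the new tenant's id (AbpPermissionGrants.TenantId), not the host.
        using (_currentTenant.Change(context.TenantId))
        {
            var missing = await GetMissingPermissionsAsync(AdminRoleName);
            foreach (var permissionName in missing)
            {
                // Grants are keyed by role name, which is what SetForRoleAsync expects.
                await _permissionManager.SetForRoleAsync(AdminRoleName, permissionName, true);
            }
        }
    }

    // Verification step: returns the required permissions that are NOT granted to the
    // role in the current tenant. An empty list means the admin role is complete; calling
    // this per tenant from the migrator is a quick audit of the AbpPermissionGrants table.
    public async Task<List<string>> GetMissingPermissionsAsync(string roleName)
    {
        var missing = new List<string>();

        var role = await _roleRepository.FindByNormalizedNameAsync(
            _lookupNormalizer.NormalizeName(roleName));
        if (role == null)
        {
            // Role not seeded yet (contributor ordering problem): everything is missing.
            missing.AddRange(RequiredPermissions);
            return missing;
        }

        foreach (var permissionName in RequiredPermissions)
        {
            var grant = await _permissionManager.GetForRoleAsync(role.Name, permissionName);
            if (!grant.IsGranted)
            {
                missing.Add(permissionName);
            }
        }

        return missing;
    }
}
```

For tenants that already exist, the same contributor is reached by re-running the seeder from the migrator loop shown in the answer (`_currentTenant.Change(tenant.Id)` followed by `IDataSeeder.SeedAsync(new DataSeedContext(tenant.Id))`), since `SeedAsync` only grants what `GetMissingPermissionsAsync` reports as absent and is therefore safe to run repeatedly. If `GetMissingPermissionsAsync` returns the full list, the admin role itself was not found in that tenant, which points at the role seeding rather than the permission grants, and is worth checking in the logs before touching the grants.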