Symptoms:

• Users are unable to add / edit / modify roles in TCSA UI.
• UI session gets expired after clicking on add/edit role and redirects to TCSA login page.
• Error:
  Issue with user group API failing/error "failed to process request, cause getRealmUserGroups : exception while reading user-groups from realm"

2.3

"Service Accounts Enabled" and "Realm Management" options for Clients in KeyCloak Admin Console are not enabled / configured. 

Users are recommended to verify below configurations in TCSA UI:

1. Ensure "Service Accounts Enabled" option is enabled (set to ON) for apiservice user. It is available in NGINX > Clients > apiservice > Apiservice > Settings tab in KeyCloak Admin Console. 

2. Open KeyCloak Admin Console, navigate to Clients tab > Service Account Roles > Service Account Roles > Client Roles, under Client Roles drop down, select "realm management" and add all "Available Roles" to "Assigned Roles" and "Effective Roles".

3. User should be successfully able to create or modify roles via API in TCSA UI now.