To highlight issue faced with role management when configuration for respective Clients is incorrect/disabled in TCSA KeyCloak Admin Console.

Unable to add or edit roles via API in TCSA UI. UI session gets expired after clicking on add/edit role and redirects to TCSA login page. Issue with user group API failing/error "failed to process request, cause getRealmUserGroups : exception while reading user-groups from realm" is observed as well. 

Required configuration for "Service Accounts Enabled" and "Realm Management" for Clients in KeyCloak Admin Console was not enabled/configured. 

Users are recommended to verify below configurations in TCSA UI:

1. Ensure "Service Accounts Enabled" option is enabled (set to ON) for apiservice user. It is available in NGINX->Clients->apiservice->Apiservice->Settings tab in KeyCloak Admin Console. 

2. Open KeyCloak Admin Console, navigate to Clients tab->Service Account Roles->Service Account Roles->Client Roles, under Client Roles drop down, select "realm management" and add all "Available Roles" to "Assigned Roles" and "Effective Roles".

3. User should be successfully able to create or modify roles via API in TCSA UI now.

Users are unable to add or modify roles in TCSA UI.