Initial Login issue on TMC-SM

Article ID: 422289


Products

VMware Tanzu Mission Control - SM

Issue/Introduction

If the user logs in and sees error code 2004, the cause is most likely an oversized token, which requires additional configuration. This typically happens when the user belongs to hundreds of groups, since the group membership is carried in the token.

  • For LDAP, the group search query may need to be refined so that fewer groups are returned.
  • For OIDC, the identity provider may offer a way to filter which groups are returned in the group claim.

Environment

Tanzu Mission Control Self-Managed (TMC-SM) v1.4.

Cause

If the user logs in and sees error code 3012, this is likely because TMC-SM does not recognize the user as a member of the “tmc:admin” group (or whatever group name is configured in the “idpGroupRoles.admin” value).

  • Often, OIDC identity providers such as Entra ID return the group UUID instead of the group name by default, so the group claim never contains the literal name TMC-SM is configured to match.

Resolution

Run this command to list the groups TMC-SM has recorded for the user. It reads each Pinniped access-token storage secret in the tmc-local namespace and decodes its contents:



$ kubectl -n tmc-local get secret --no-headers -o custom-columns=":metadata.name" \

  | grep pinniped-storage-access-token \

  | xargs -i kubectl -n tmc-local get secret {} -ojsonpath='{.data.pinniped-storage-data}' | base64 -d | jq .
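The JSON printed by that pipeline still has to be read by eye. The following script is an added example, not part of the KB article or of the TMC-SM product: it consumes the decoded session JSON on stdin and reports the two conditions the article describes, the configured admin group missing from the user's groups (error 3012, often because the provider returned UUIDs instead of names) and a group count large enough to bloat the token (error 2004). It assumes, which the article does not document, that the groups appear somewhere in the decoded JSON as a list of strings under a key named "groups"; the embedded sample session, the UUID regex and the 200-group threshold are constructed for the example.

```python
"""Diagnose TMC-SM login errors 2004 / 3012 from decoded Pinniped session data.

Added example, not part of the KB article or the TMC-SM product. It consumes the
JSON that the article's kubectl | base64 -d | jq pipeline prints and assumes
(an assumption, not a documented schema) that the user's groups appear somewhere
in that JSON as a list of strings under a key named "groups".
"""
import json
import re
import sys
from typing import Any, Iterator

# Object-ID shape that an OIDC provider such as Entra ID emits when it returns
# group IDs rather than group names (regex is ours, not from the article).
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample session: three Entra-style group IDs and no "tmc:admin" name.
SAMPLE_SESSION = {
    "version": "constructed-sample",
    "request": {
        "session": {
            "username": "jdoe@example.com",
            "groups": [
                "0c7d1b2e-4f5a-4b6c-8d9e-0f1a2b3c4d5e",
                "1d8e2c3f-5a6b-4c7d-9e0f-1a2b3c4d5e6f",
                "2e9f3d4a-6b7c-4d8e-af10-2b3c4d5e6f70",
            ],
        }
    },
}


def parse_json_stream(text: str) -> list[Any]:
    """Parse a stream of concatenated JSON documents (what `jq .` emits for several secrets)."""
    decoder = json.JSONDecoder()
    docs: list[Any] = []
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return docs
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)


def find_group_lists(node: Any) -> Iterator[list[str]]:
    """Yield every list of strings stored under a key named "groups", at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "groups" and isinstance(value, list) and all(isinstance(v, str) for v in value):
                yield value
            else:
                yield from find_group_lists(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_group_lists(item)


def diagnose(session: Any, admin_group: str = "tmc:admin", large_group_count: int = 200) -> dict[str, Any]:
    """Summarise one decoded session against the two failure modes the article describes.

    admin_group is the name configured in idpGroupRoles.admin; large_group_count is our
    own rule-of-thumb for "hundreds of groups", not a documented limit.
    """
    groups = sorted({g for group_list in find_group_lists(session) for g in group_list})
    uuid_like = [g for g in groups if UUID_RE.match(g)]
    findings = []
    if admin_group not in groups:
        findings.append(f"admin group {admin_group!r} absent: matches error 3012")
    if uuid_like and len(uuid_like) == len(groups):
        findings.append("all groups are UUID-shaped: IdP is probably returning group IDs, not names")
    if len(groups) >= large_group_count:
        findings.append(f"{len(groups)} groups: token size large enough to trigger error 2004")
    return {
        "group_count": len(groups),
        "has_admin_group": admin_group in groups,
        "uuid_like_count": len(uuid_like),
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: <kubectl pipeline from the article> | python3 diagnose_groups.py [admin-group]
    # With no piped input, the constructed sample session is analysed instead.
    admin = sys.argv[1] if len(sys.argv) > 1 else "tmc:admin"
    sessions = parse_json_stream(sys.stdin.read()) if not sys.stdin.isatty() else [SAMPLE_SESSION]
    for session in sessions:
        print(json.dumps(diagnose(session, admin), indent=2))
```

Pass the group name actually configured in idpGroupRoles.admin as the first argument if it differs from the default; when every recorded group is UUID-shaped, the fix belongs on the identity-provider side (return group names in the claim), not in TMC-SM.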

Additional Information

https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-mission-control-self-managed/1-4/authentication-with-ad-or-openldap-1.html