User Management and Permissions Errors
This page shows how to resolve common user management, role, and provisioning errors on self-hosted Appsmith Enterprise.
Can't access Users or Roles pages after CE to EE upgrade
Cause
After upgrading from Community Edition to Business/Enterprise, the user attempting to reach the Users and Roles pages is not recognized as an instance administrator, so the User Management settings are not available to them.
Solution
- Add the administrator's email to the
APPSMITH_ADMIN_EMAILSenvironment variable in yourdocker.envfile (Docker) orvalues.yamlfile (Kubernetes). - Restart the instance for the change to take effect.
- Verify your running version by appending
/infoto your instance URL in the browser.
Custom role not restricting page or app access
Cause
The user still has a default role (such as App Viewer) assigned in addition to the custom role. Default roles like App Viewer grant access to all pages in an app, which overrides the narrower access defined in your custom role. Restricting a custom role to one page does not remove access granted by another assigned role.
Solution
- Go to Admin Settings > Users and review every role assigned to the user, not just the custom role.
- Remove the broad default role (for example, App Viewer) from the user, and rely on the custom role with View permission for only the intended pages.
- Ensure the View permission is also enabled at the application level, not only at the page level.
- For more details on building roles, see Custom Roles and Permissions.
User can log in but sees no apps or workspaces
Cause
After accepting an invite and logging in, the user lands on an empty home screen with no application or workspace visible, even though a role and group appear to be assigned. This points to a misconfiguration in the user's current role/group assignment that needs to be inspected per user.
Solution
- Ask an instance administrator to review the user's current configuration under Admin Settings > Users.
- Confirm the role granting access is actually assigned and that View is enabled at the application level.
- If the issue persists, collect the backend server logs covering the time range when the access was configured (
docker logs <container>for Docker, orkubectl logs <pod>for Kubernetes) and share them with support for further investigation.
Permission denied on query execute despite a working role
Cause
The user can view the application but fails on the execute endpoint. This error indicates the user lacks access to the environment the query runs against, even when the same role works for other users.
Solution
- Have the workspace administrator grant the user access to the affected environment.
- If the role is expected to already allow execution, collect the full server logs (
docker logs <container>orkubectl logs <pod>) and share them with support to identify the missing grant.
Users can create workspaces when they shouldn't
Cause
The Default Role for All Users initially includes permission to create new workspaces, and this role applies to every user across the instance. As a result, ordinary app users may unexpectedly be able to create workspaces, and a new workspace plus a default app can be auto-created when a user signs up.
Solution
- Go to Admin Settings > Roles and toggle Default Roles to show the default roles.
- Open the Default Role for All Users and remove the workspace-creation permission (under the workspace/Others permissions).
- Any workspaces already auto-created for existing users must be deleted manually.
- For step-by-step guidance, see Configure default permissions and Default Roles for All Users.