Issue with UpdateUser API - Missing `user.write` Permission on Self-Hosted Zitadel
Self-hosted · Unsolved · Bugs
Hi everyone 
I'm experiencing an issue with the UpdateUser API (`PATCH /v2/users/{userId}`) on our self-hosted Zitadel instance and need help understanding the permission requirements.
Context:
- Using Zitadel self-hosted via Helm in our dev environment
- Using a Personal Access Token (PAT) for authentication
- Local setup with Docker Compose works fine
- Dev environment (Helm) returns permission errors
The Problem:
According to the Zitadel V2 API docs, the `UpdateUser` endpoint requires the `user.write` permission. However, when I create a PAT in our Helm-deployed instance, I don't see an option to grant `user.write` permission, and API calls fail with permission errors.
What Works:
- Local Docker Compose setup: PAT can successfully call `PATCH /v2/users/{userId}`
- The PAT can call other endpoints like `POST /v2/users/human` (user creation)
What Doesn't Work:
- Dev environment (Helm): Same PAT setup fails on `PATCH /v2/users/{userId}`
- Possibly related to different Zitadel versions between Docker Compose and Helm?
Questions:
1. How do I explicitly grant `user.write` permission to a PAT in self-hosted Zitadel?
2. Are there differences in permission models between Zitadel versions?
3. Is there a specific Helm configuration needed to enable these permissions?
4. Should I be using a different authentication method (e.g., service account with specific roles)?
