You do not have the necessary role (['admin']) to access this resource

Just upgraded from 3.0.2 to 3.1 (to get me some email tags :wink:).

Mortal users doing a self-enrollment via ENROLL TOKEN menu get an “(2) Authentication failure. You do not have the necessary role (['admin']) to access this resource” alert. Yet the enrollment screen is fully presented, or so it seems. There is an ENROLL TOKEN button and whatever token – TOTP, U2F, etc – is correctly enrolled. But something in the initial rendering of the page is causing this error to pop. (I’m guessing?)

Policies present for enrollment_wizard, enable, disable, setpin, enrollpin, enrollU2F, enrollTOTP, etc. Saw setdescription was added in 3.1, so enabled that as well. All worked without incident in 3.0.2.

I do see these in DEBUG log, maybe related?

[2019-09-19 04:16:13,978][14411][139967355782912][DEBUG][privacyidea.api.lib.utils:219] Can not get param: No JSON object could be decoded
[2019-09-19 04:16:13,978][14411][139967355782912][DEBUG][privacyidea.api.lib.utils:219] Can not get param: No JSON object could be decoded

I think this refers to a change in the CA connector.
In 3.0 a normal user was able to fetch CAs, so that he could choose which kind of certificate he would enroll. This changed in 3.1.
You probably have old, cached templates in your browser, which still try to fetch CAs in the enrollment process. Close the browser, empty the cache, restart it…

Please also ensure that you run the migration scripts depending on your installation method.

My browser was restarted – FF had an update anyway – and I also cleared the cache after the update, but the problem persists. However, you are on the right track, because other browsers that I had not accessed from previously run clean. As long as it is just me and not Joe User, I can live with it. Thanks.