components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java

@@ -33,6 +33,7 @@ import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermis
 import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermissions;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.ServerStartupObserver;
 
 import java.util.ArrayList;
@@ -60,6 +61,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver {
 
     @Override
     public void completedServerStartup() {
+        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
         APIPublisherDataHolder.getInstance().setServerStarted(true);
         currentAPIsStack = APIPublisherDataHolder.getInstance().getUnpublishedApis();
         Thread t = new Thread(() -> {
@@ -107,7 +109,14 @@ public class APIPublisherStartupHandler implements ServerStartupObserver {
                 log.error("failed to update scope role mapping.", e);
             }
 
-            updateScopeMetadataEntryWithDefaultScopes();
+            try {
+                PrivilegedCarbonContext.startTenantFlow();
+                PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
+                updateScopeMetadataEntryWithDefaultScopes();
+            } finally {
+                PrivilegedCarbonContext.endTenantFlow();
+            }
+
             log.info("Successfully published : [" + publishedAPIs + "]. " +
                     "and failed : [" + failedAPIsStack + "] " +
                     "Total successful count : [" + publishedAPIs.size() + "]. " +
@@ -126,7 +135,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver {
         log.info("Starting API publishing procedure");
     }
 
-    /**
+/**
      * Publish apis provided by the API stack, if failed while publishing, then failed API will be added to
      * the failed API stack
      *

components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java

@@ -73,21 +73,24 @@ public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthoriza
                 UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService()
                         .getTenantUserRealm(getTenantId());
                 String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username);
-                boolean isAuthorized = true;
+                boolean isAuthorized;
                 for (String groupPermission : groupPermissions) {
+                    isAuthorized = false;
                     for (String role : userRoles) {
-                        if (!userRealm.getAuthorizationManager().
+                        if (userRealm.getAuthorizationManager().
                                 isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) {
-                            isAuthorized = false;
+                            isAuthorized = true;
                             break;
                         }
                     }
+                    if (!isAuthorized) {
+                        return false;
+                    }
                 }
-                return isAuthorized;
+                return true;
             } catch (UserStoreException e) {
                 throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
-                        groupId + " for the user : " +
+                        groupId + " for the user : " + username, e);
-                        username, e);
             }
         }
     }