diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 6644ad4..fed3277 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -425,13 +425,21 @@ else
 fi
 if [ -n "$ADMIN_TENANT_USER_ID" ] && [ "$ADMIN_TENANT_USER_ID" != "null" ]; then
-    # Assign default:admin role (Management API access)
+    # Assign both 'user' (required base role) and 'default:admin' (Management API access)
+    ADMIN_USER_ROLE_ID=$(admin_api_get "/api/roles" | jq -r '.[] | select(.name == "user") | .id')
     ADMIN_ROLE_ID=$(admin_api_get "/api/roles" | jq -r '.[] | select(.name == "default:admin") | .id')
+    ROLE_IDS_JSON="[]"
+    if [ -n "$ADMIN_USER_ROLE_ID" ] && [ "$ADMIN_USER_ROLE_ID" != "null" ]; then
+        ROLE_IDS_JSON=$(echo "$ROLE_IDS_JSON" | jq ". + [\"$ADMIN_USER_ROLE_ID\"]")
+    fi
     if [ -n "$ADMIN_ROLE_ID" ] && [ "$ADMIN_ROLE_ID" != "null" ]; then
-        admin_api_post "/api/users/$ADMIN_TENANT_USER_ID/roles" "{\"roleIds\": [\"$ADMIN_ROLE_ID\"]}" >/dev/null 2>&1
-        log "Assigned default:admin role."
+        ROLE_IDS_JSON=$(echo "$ROLE_IDS_JSON" | jq ". + [\"$ADMIN_ROLE_ID\"]")
+    fi
+    if [ "$ROLE_IDS_JSON" != "[]" ]; then
+        admin_api_post "/api/users/$ADMIN_TENANT_USER_ID/roles" "{\"roleIds\": $ROLE_IDS_JSON}" >/dev/null 2>&1
+        log "Assigned admin tenant roles (user + default:admin)."
     else
-        log "WARNING: default:admin role not found"
+        log "WARNING: admin tenant roles not found"
     fi
     # Add to t-default organization with admin role
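Review bot: The two `jq ". + [\"$ADMIN_USER_ROLE_ID\"]"` / `jq ". + [\"$ADMIN_ROLE_ID\"]"` lines splice a value returned by the Management API straight into the jq program text, so an id containing a quote, backslash or newline becomes a jq syntax error or a different filter instead of data; pass it as a variable, `ROLE_IDS_JSON=$(jq -c --arg id "$ADMIN_USER_ROLE_ID" '. + [$id]' <<<"$ROLE_IDS_JSON")`, and likewise for `$ADMIN_ROLE_ID`. The newline case is reachable here, because `jq -r '.[] | select(.name == "user") | .id'` prints one line per matching role and the `-n`/`!= "null"` guard accepts a multi-line value; `jq -r 'first(.[] | select(.name == "user") | .id) // empty'` pins each lookup to a single id, and the same change applies to the `default:admin` lookup. Separately, the POST that grants the Management-API role still runs under `>/dev/null 2>&1`, so `log "Assigned admin tenant roles (user + default:admin)."` is printed even when the call failed or when only one of the two roles was found — consider checking the exit status and logging the ids actually in `$ROLE_IDS_JSON`. If `/api/roles` is paginated with a default page size (not visible from the hunk), a tenant with many roles could also make both lookups come back empty and silently skip the assignment. The enclosing `if [ -n "$ADMIN_TENANT_USER_ID" ]` block continues past the end of the hunk.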