This issue usually happens when upgrading from WSO2 IS 7.1.0 → 7.2.0 without applying the full permission-migration steps.
WSO2 IS 7.2.0 introduces new internal role-management permissions, and existing users (including the admin user) won’t receive them automatically. As a result, SCIM operations like assigning roles return 403.

A fresh installation works because the new default roles are created with the correct permissions.
An upgraded setup needs the migration steps that update internal permissions and system roles.

These permission-migration steps are included in WSO2’s official upgrade process, but the automation/scripts required for this are only available through WSO2 subscription support. If you’re a subscriber, open a support ticket. Otherwise, you’ll need to contact WSO2 to obtain the migration utilities.

Official reference: WSO2 IS Upgrade Guide.