Permission denied - account console

I set up a realm and added some users.
I can log in to my personal apps, and I can log in to the account console. However, the account console says forbidden:

This only happens for users in the new realm. For users in the master realm, I can log in and modify anything in the account console.
Users in the realm have the following role mapping (manage-account, manage-account-links, view profile).

The account-console-dedicated scope of the account-console client also has these scopes set.
In the realm settings the “user-managed access” is turned on.

Keycloak is running on Debian behind an Apache reverse proxy.
I have read this: 401 Unauthorized going into v2 Account Console
and this: Forbidden access to account console with Identity provider account user

but still do not get it to work.
Any help is really appreciated.
Thanks, Thomas