When a group is assigned to a user, the transaction is stopped and the user is not added to the group with the following error.
user is not authorized to perform this action
Madrid and above.
This can be caused by the AssignableByRoleAccessHandler.
If any of the roles present in the group are scoped roles and for such roles
1) If the user assigning the group does not have the assignable by role of any of the roles and its sub roles.
2) If the roles in the group or any of the roles or its sub roles has the assignable by field empty.
To resolve this
1) Make the sure the user assigning the role is a member of the assignable by role.
2) Make sure that the assignable by role is not empty for every role in the group and its sub roles.