Assigning a group to a user shows error "user is not authorized to perform this action"


When a group is assigned to a user, the transaction is stopped with the following error and the user is not added to the group.

user is not authorized to perform this action

Release or Environment

Madrid and above.


This can be caused by the AssignableByRoleAccessHandler.

The error occurs if any of the roles present in the group are scoped roles and, for such roles, either of the following is true:

1) The user assigning the group does not have the assignable by role of any of the roles and their sub roles.
2) Any of the roles in the group, or any of their sub roles, has the assignable by field empty.


To resolve this:

1) Make sure the user assigning the role is a member of the assignable by role.
2) Make sure that the assignable by role is not empty for every role in the group and its sub roles.
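
The two cause conditions above can be checked ahead of time over an export of the group's roles. The following is an added example, not ServiceNow code and not the handler's implementation; the record shape, the role names and the function `findBlockingRoles` are assumptions made for illustration.

```javascript
// Added example. Constructed sample data: the record shape (scoped, assignableBy,
// contains) and all role names are assumptions, not the platform's schema.
const sampleRoles = {
  "x_app.admin": { scoped: true, assignableBy: "x_app.role_manager", contains: ["x_app.user"] },
  "x_app.user": { scoped: true, assignableBy: "", contains: [] },
  "x_app.viewer": { scoped: true, assignableBy: "x_app.role_manager", contains: [] },
  "itil": { scoped: false, assignableBy: "", contains: [] },
};

// Returns the roles that meet either cause condition for this assigner.
function findBlockingRoles(groupRoles, assignerRoles, roleTable) {
  const held = new Set(assignerRoles);
  const seen = new Set();
  const findings = [];
  // Start from the group's scoped roles, then walk their sub roles.
  const queue = groupRoles.filter((n) => roleTable[n] && roleTable[n].scoped);
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name) || !roleTable[name]) continue; // seen set guards against cycles
    seen.add(name);
    const role = roleTable[name];
    if (!role.assignableBy) {
      // Condition 2: the assignable by field is empty.
      findings.push({ role: name, reason: "assignable by is empty" });
    } else if (!held.has(role.assignableBy)) {
      // Condition 1: the assigner does not hold the assignable by role.
      findings.push({ role: name, reason: "assigner lacks " + role.assignableBy });
    }
    queue.push(...role.contains);
  }
  return findings;
}

// Assigner holds only "itil": both scoped roles are reported.
console.log(findBlockingRoles(["x_app.admin", "itil"], ["itil"], sampleRoles));
```

An empty result means neither condition applies to the roles supplied, so both resolution steps are already satisfied for that assigner.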

Additional Information

KB0595637 - Property to display failing access handler on debug log