Symptoms

The error below is displayed when trying to create a new Service Desk Agent on JIRA Service Desk 2.0.2+:


The following error appears in the atlassian-jira.log:

2014-09-15 16:19:02,151 http-bio-8080-exec-21 ERROR johnsmith 978x1726x2 myhd5s 192.168.10.121 /rest/servicedesk/1/servicedesk/create-welcome-project [internal.user.group.ServiceDeskUserGroupManager] Could not add user: johnsmith to group: service-desk-agents
com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Group 'service-desk-agents' does not exist in the directory of the user and cannot be added.

Diagnosis

  • JIRA is connected to an LDAP Directory with Read Only permissions, as described in Connecting to an LDAP Directory
  • JIRA is connected to Crowd for user management

 

Cause

When a user creates a Service Desk they are automatically added as an agent. This involves adding that user to the group service-desk-agents.

The error occurs because the group service-desk-agents does not exist in the directory in which the user creating the Service Desk is authenticated (e.g. in the log above, the error occurred for the username johnsmith). JIRA also does not have permission to add the user creating the Service Desk to the service-desk-agents group because of the Read Only setting.

Workaround

There are two possible workarounds for this error:

Workaround 1

Change the User Directory LDAP Permissions for the user facing the error to Read Only With Local Groups.

Workaround 2
  1. Add the group service-desk-agents in the Crowd or LDAP server.

    In JIRA the attribute below must be added to the service-desk-agents group:

    Attribute name and value: synch.created.by.jira.service.desk

    You can run this query in the JIRA Database to identify the group id and directory id of the service-desk-agents group:

     SELECT * FROM cwd_group WHERE group_name = 'service-desk-agents';

    Use the id as <groupid>, and directory_id as <directoryID> in the following query:

    INSERT INTO cwd_group_attributes(ID, group_id, directory_id, attribute_name, attribute_value, lower_attribute_value) VALUES (9999, <groupid>, <directoryID>, 'synch.created.by.jira.service.desk', 'synch.created.by.jira.service.desk', 'synch.created.by.jira.service.desk');
  2. Add the user creating the Service Desk and all the agent users to that group in the Crowd or LDAP server directly.
  3. Then navigate to JIRA Administration >> Global Permissions, add the service-desk-agents group, and give it the JIRA Service Desk agent access permission.
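
A read-only check for the database step in Workaround 2, added here as an example and not part of the original article. It uses only the tables and columns named in the queries above: the first query lists, per directory, whether the service-desk-agents group carries the attribute, and the second checks that the hard-coded ID 9999 from the INSERT is not already in use.

```sql
-- Added example (not from the original article). Read-only; changes nothing.

-- 1) One row per directory that contains the group. 'MISSING' means the
--    group exists in that directory but has no Service Desk attribute yet.
--    No rows at all means the group has not been synchronised into JIRA.
SELECT g.id           AS group_id,
       g.directory_id AS directory_id,
       g.group_name   AS group_name,
       CASE WHEN a.group_id IS NULL THEN 'MISSING'
            ELSE 'present'
       END            AS service_desk_attribute
FROM cwd_group g
LEFT JOIN cwd_group_attributes a
       ON a.group_id       = g.id
      AND a.directory_id   = g.directory_id
      AND a.attribute_name = 'synch.created.by.jira.service.desk'
WHERE g.group_name = 'service-desk-agents'
ORDER BY g.directory_id;

-- 2) The INSERT above hard-codes ID 9999. A count of 0 means that ID is free;
--    any other result means a different unused ID has to be chosen first.
SELECT COUNT(*) AS rows_using_id_9999
FROM cwd_group_attributes
WHERE ID = 9999;
```

Run the first query again after the INSERT: the row for the directory used as <directoryID> should then report 'present'.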

8 Comments

  1. Very sloppy. Where is the bug? When will this be fixed?

  2. There is no way to add attributes to groups in Crowd and adding them to users separately doesn't work as well.

  3. Has anyone figured out how to make this work yet? Did it involve adding the group attribute to Crowd, or was there another way?

    (I have a new support case open asking about the Crowd group attribute, just checking here while I wait)

  4. Only thing that needs to be done is that you have to create a group in Crowd which you will use for Service Desk agents, sync that group with JIRA and in the JIRA Global Permissions give that group JIRA Service Desk agent access.

    1. Thank you for that! It's working now.

    2. Well, almost working.  While I'm showing up as an agent in the newly created service desk project, I can't add more agents.  I added three users to the group in Crowd (and synchronized JIRA to the directory), but that didn't help.

      The error message has a Learn More link, which takes you to this page: Troubleshooting issues with user management

      That says to delete the group and let service desk create it again, but I'm assuming this won't work with Crowd.  Is service desk able to create a local group now?

      1. Nope, service desk cannot create groups if JIRA is using Crowd. It's probably best to contact support, I didn't have any problems after I set global permissions.

  5. I am still getting this error after I have created the active directory group service-desk-agents.

    What else do I need to do?