Moving Asset Objects Fails with PermissionInsightException in Data Center
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Moving Asset Objects to a different object type fails with a PermissionInsightException in Data Center for certain users.
Environment
Jira Service Management Server/Data Center on any version from 4.22 and above.
Diagnosis
Users experiencing this issue are currently assigned the Object Schema Managers role for the affected schema.
There are multiple schemas configured within the instance that have the option to allow others to select objects from these schemas. For example, there are two schemas, A and B. In both schemas, the option "Allow others to select objects" has been enabled. Within schema B, there is an object type called "ABC Object Type", which includes an attribute named "ABC Attribute". This attribute is an outbound reference to the "XYZ" object type located in schema A.
Cause
When a user moves an object from one object type to another, the move operation must handle the object's inbound references. The move operation checks whether the object being moved has any inbound references from other object types or schemas. If it does, the user is prompted to decide whether to keep the reference based on configuration, remove the reference, or not move the object at all.
In this scenario, when a user attempts a move, Jira first checks for any inbound references to the object from other object types or schemas. The error occurs because the user is unable to verify all inbound references originating from these object types or schemas, as they do not belong to any roles within the other schema.
Solution
In a large environment with multiple schemas, it can be challenging to identify the source of a reference. Please follow the steps below to resolve this issue.
Execute the SQL query provided below to locate a few OBJECT_IDs where the attribute is included.
SELECT * FROM "AO_8542F1_IFJ_OBJ_ATTR" WHERE "OBJECT_TYPE_ATTRIBUTE_ID"=<id>
Replace <id> with the OBJECT_TYPE_ATTRIBUTE_ID specified in the error message shown during the object move operation.
Execute the following REST API call for a few of the OBJECT_IDs listed in the output of the previous query. This identifies the object type and schema associated with those objects.
GET https://jira-base-url/rest/insight/1.0/object/<Object_Id>
The above endpoint displays the object key, making it easier to identify the corresponding object type and the schema to which these objects belong.
Once you have identified the schema or object key, grant the affected user permission to view that schema. The minimum permission, access through the Object Schema Users role, is sufficient.
Granting object schema permissions
- In the top navigation bar, select Assets > Object schemas.
- Open your object schema.
- In the top-right, select Object schema > Configure.
- Switch to the Roles tab.
- Assign users or groups to the roles, i.e. Object Schema Users.
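The lookup steps above can be scripted so that the role is granted only in the schemas that actually hold referencing objects. The following is an added example, not Atlassian's code: it groups objects by the schema key that prefixes each object key. The response fields `objectKey`, `objectType.name` and `objectType.objectSchemaId`, the stand-in `fetch_object` function, and all sample IDs, keys and the "Laptop" object type are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample bodies standing in for GET /rest/insight/1.0/object/<Object_Id>.
# Assumed response fields: objectKey, objectType.name, objectType.objectSchemaId.
SAMPLE_RESPONSES = {
    101: '{"id": 101, "objectKey": "SCHB-101", "objectType": {"name": "ABC Object Type", "objectSchemaId": 2}}',
    102: '{"id": 102, "objectKey": "SCHB-102", "objectType": {"name": "ABC Object Type", "objectSchemaId": 2}}',
    203: '{"id": 203, "objectKey": "SCHC-203", "objectType": {"name": "Laptop", "objectSchemaId": 3}}',
}


def fetch_object(object_id, responses=SAMPLE_RESPONSES):
    """Hypothetical stand-in for the REST call; None models an ID that cannot be read."""
    body = responses.get(object_id)
    return json.loads(body) if body is not None else None


def schemas_needing_access(object_ids, fetch=fetch_object):
    """Group referencing objects by schema key (the prefix of the object key)."""
    by_schema = defaultdict(lambda: {"schema_id": None, "object_types": set(), "objects": []})
    unresolved = []
    for object_id in object_ids:
        obj = fetch(object_id)
        if not obj or "objectKey" not in obj:
            unresolved.append(object_id)  # look these up with an account that can view them
            continue
        key = obj["objectKey"]
        object_type = obj.get("objectType") or {}
        entry = by_schema[key.rsplit("-", 1)[0]]
        entry["schema_id"] = object_type.get("objectSchemaId")
        entry["object_types"].add(object_type.get("name"))
        entry["objects"].append(key)
    return dict(by_schema), unresolved


if __name__ == "__main__":
    # OBJECT_ID values as they would come from the SQL query output (constructed here).
    schemas, unresolved = schemas_needing_access([101, 102, 203, 999])
    for schema_key, info in sorted(schemas.items()):
        print(schema_key, info["schema_id"], sorted(info["object_types"]), info["objects"])
    print("unresolved:", unresolved)
```

Each schema key in the result is a schema where the affected user needs the Object Schema Users role; IDs reported as unresolved need to be checked by an account that can view them.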