Summary

Some Jira users cannot be assigned tickets or be added as watchers even though they have the right permissions in the project that the tickets belong to.

The purpose of this KB article is to provide a possible root cause for the examples of symptoms and errors thrown in the UI that are listed below:

Symptom 1 - Failure to assign some users to Jira issues

• The impacted user is already granted the Assignable User permission, which can be confirmed by using the permission helper
• However, the following happens to this user:

  • On the Issue Creation page, after manually adding the user to the assignee field and clicking on the Create button, the error below is thrown in the UI:

     User 'XXXXX' cannot be assigned issues

    

  • On the Issue Creation page, after clicking on the Create button, the error below is thrown in the UI if the assignee field was set to Automatic and the project is configured with a default assignee:

    The default assignee does NOT have ASSIGNABLE permission OR Unassigned issues are turned off.

    

  • On the issue view page, when trying to change the assignee field to another user after the issue was created, the error below is thrown in the UI:

    User 'XXXXX' cannot be assigned issues.

    

    
    

Symptom 2 - Failure to add some users as watchers to Jira issues

• The impacted user is already granted the Browse Projects permission, which can be confirmed by using the permission helper

• However, on the issue view page, when adding a user to the watching list, the error below is thrown in the UI:

  There was an error adding watcher
  The user "XXXXX" does not have permission to view this issue. This user will not be added to the watch list.

  

Environment

Jira Server/Data Center on any version from 8.19.1.

Diagnosis

Check if the impacted user verifies the 2 conditions below:

• Condition 1
  • The user is not granted Jira application access (no license)
  • This can be verified by going to the page ⚙ > User Management > Users, searching for the user, and checking the Applications column. If this column is empty, then this user does not have application access:
    
• Condition 2
  • The user is granted either the Jira Administrator or the Jira System Administrator global permission
  • This can be verified by going to the page ⚙ > User Management > Users, searching for the user, clicking on the user, and check if the label ADMIN is listed next to any group in the Group name section:
    

If you verified that the impacted user meets the 2 conditions above, then this KB article is relevant, and you can refer to the Cause section for the detailed root cause, and the Solution section for the workaround.

Cause

The reason why the user cannot be assigned tickets or added to the watching list of tickets is because the user is a Jira Administrator (or Jira System Administrator) user who does not have Jira application access (no license).

Because of the fix that was implemented for the vulnerability Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311, any user who is a Jira admin without application access will lose their right to perform any action in any Jira project. As a result, it will not be able to add them as watcher of tickets, nor to assign them tickets. This behavior is also reported in the bug ticket Unable to add user as watcher or assignee when the user is Jira-administrator and application access is removed.

Note that this restriction will only apply to Jira Admin users without application access. For any Jira user without Jira application access who is not a Jira Admin user, it will be possible to add them as watchers or to assign them Jira tickets (provided that they are granted the right project permission(s)).

Solution

The solution consists in:

• either granting the impacted user with Jira application access via a licence
• or removing the Jira Admin (or System Admin) global permission from the impacted user