KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Symptoms

One or more of the following is observed:

  • At least one user cannot log in
  • Unattended activities running as the user will fail
  • The user's password cannot be reset
  • The user sees an HTTP 500 - Internal Server Error in the browser when trying to reach https://<sitename>/suite/tempo and https://<sitename>/suite/portal:

The following error is observed in the application server log:

ERROR com.appiancorp.ap2.PortalActionsUtil - Could not initialize group navigation information for page
PrivilegeException[null=>null]: Insufficient permission
 ...
ERROR com.appiancorp.ap2.PortalAction - Couldn't get model information for requested dashboard
PrivilegeException[null=>null]: Insufficient permission
...
The user [username] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

  • Basic Users are able to log in but System Administrators are unable to. The following error is observed in the application server log:
ERROR com.appiancorp.security.auth.AppianAuthenticationFailureHandler - Authentication failed. username=Error while trying to authenticate the token: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fc39b89a: Principal: ****; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDetails[ts=****, entryPoint=PORTAL, clientIpAddress=*.*.*.*, clientUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36, requestUrl=https://****.appiancloud.com:443/suite/auth?appian_environment=tempo]; Not granted any authorities
org.springframework.security.authentication.AuthenticationServiceException: Error while trying to authenticate the token: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fc39b89a: Principal: ****; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDetails[ts=2020-10-06 21:01:16.614, entryPoint=PORTAL, clientIpAddress=34.231.2.11, clientUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36, requestUrl=https://****.appiancloud.com:443/suite/auth?appian_environment=tempo]; Not granted any authorities
...
Caused by: com.appiancorp.suiteapi.common.exceptions.AppianRuntimeException: com.appiancorp.security.authz.AuthorizationException: The user [****] does not have sufficient privileges to perform the requested action. (APNX-1-4188-003)

Cause

One or more of the following:

  1. The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
  2. The user is not actually part of any role in the system (Application Users).
  3. The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.
  4. The affected System Administrators are not a part of the Designers System Group. This may happen if the default membership rule that adds System Administrators to this group is deleted.

Action

Each step below corresponds to the same numbered cause above:

  1. To refresh the group membership, perform the following:
    1. Add or remove that user to or from any group.
    2. Have that user log out and log back in to Appian.
  2. Permanently add that user to the Application Users group if they are a basic user or the Designers System Group if they are a designer/administrator.
  3. If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.
  4. Ensure that System Administrators who are unable to log in are part of the Designers System Group and that the default membership rule for this group is present.
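
To find which accounts are affected before working through the steps above, the application server log can be scanned for the two error codes quoted in this article. The following is an added example, not Appian code: the sample log lines and user names are constructed, and the mapping from error code to Action step is this example's reading of the Symptoms section (APNX-1-4188-003 appears there only with the System Administrator login failure).

```python
import re
from collections import defaultdict

# Error codes exactly as quoted in this article.
NOT_IN_ROLE = "APNX-1-4188-001"   # "...because they are not in any role."
INSUFFICIENT = "APNX-1-4188-003"  # logged with "Not granted any authorities"

# Captures the bracketed user name and the trailing error code.
PATTERN = re.compile(
    r"The user \[(?P<user>[^\]]+)\] does not have sufficient privileges "
    r"to perform the requested action.*?\((?P<code>APNX-1-4188-00[13])\)"
)

# Assumption of this example: which numbered Action steps to check first.
STEPS = {NOT_IN_ROLE: "1, 2, 3", INSUFFICIENT: "4"}

def triage(lines):
    """Return {user: {error_code: count}} for the errors this article covers."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = PATTERN.search(line)
        if m:
            hits[m.group("user")][m.group("code")] += 1
    return {user: dict(codes) for user, codes in hits.items()}

def report(hits):
    """One line per user and error code, pointing at the Action steps to try."""
    return [
        f"{user}: {code} x{hits[user][code]} -> Action step(s) {STEPS[code]}"
        for user in sorted(hits)
        for code in sorted(hits[user])
    ]

# Constructed sample input; user names are placeholders.
SAMPLE_LOG = [
    "ERROR com.appiancorp.ap2.PortalAction - Couldn't get model information for requested dashboard",
    "PrivilegeException[null=>null]: Insufficient permission",
    "The user [jdoe] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)",
    "The user [jdoe] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)",
    "Caused by: com.appiancorp.suiteapi.common.exceptions.AppianRuntimeException: com.appiancorp.security.authz.AuthorizationException: The user [admin.example] does not have sufficient privileges to perform the requested action. (APNX-1-4188-003)",
    "INFO constructed unrelated line",
]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

A user name in the output that does not match the account a process was meant to run as points to the swim lane check in step 3.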

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: November 2020
