KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Elly Meng — Mon, 16 Nov 2020 14:00:45 GMT

Current Revision posted to Appian Knowledge Base by Elly Meng on 11/16/2020 2:00:45 PM

Symptoms

One or more of the following is observed:

At least one user cannot login
Unattended activities running as the user will fail
The user's password cannot be reset
The user sees an HTTP 500 - Internal Server Error in the browser when trying to reach https://<sitename>/suite/tempo and https://<sitename>/suite/portal:

The following error is observed in the application server log:

ERROR com.appiancorp.ap2.PortalActionsUtil - Could not initialize group navigation information for page
PrivilegeException[null=>null]: Insufficient permission
 ...
ERROR com.appiancorp.ap2.PortalAction - Couldn't get model information for requested dashboard
PrivilegeException[null=>null]: Insufficient permission
...
The user [username] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Basic Users are able to login but System Administrators are unable to. The following error is observed in the application server log:

ERROR com.appiancorp.security.auth.AppianAuthenticationFailureHandler - Authentication failed. username=Error while trying to authenticate the token: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fc39b89a: Principal: ****; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDetails[ts=****, entryPoint=PORTAL, clientIpAddress=*.*.*.*, clientUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36, requestUrl=
https://****.appiancloud.com:443/suite/auth?appian_environment=tempo]; Not granted any authorities
org.springframework.security.authentication.AuthenticationServiceException: Error while trying to authenticate the token: org.springframework.security.aut
hentication.UsernamePasswordAuthenticationToken@fc39b89a: Principal: ****; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDe
tails[ts=2020-10-06 21:01:16.614, entryPoint=PORTAL, clientIpAddress=34.231.2.11, clientUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53
7.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36, requestUrl=https://****.appiancloud.com:443/suite/auth?appian_environment=tempo]; Not granted any authorities
...
Caused by: com.appiancorp.suiteapi.common.exceptions.AppianRuntimeException: com.appiancorp.security.authz.AuthorizationException: The user [****] does not have sufficient privileges to perform the requested action. (APNX-1-4188-003)

Cause

One or more of the following:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.
The affected System Administrators are not a part of the Designers System Group. This may happen if the default membership rule that adds System Administrators to this group is deleted.

Action

Each step below corresponds to the same numbered cause above:

To refresh the group membership, perform the following:
1. Add or remove that user to or from any group.
2. Have that user log out and log back in to Appian.
Permanently add that user to the Application Users group if they are a basic user or the Designer System group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.
Ensure that System Administrators who are unable to login are part of the Designers System Group and that the default membership rule for this group is present.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: November 2020

Tags: groups, administration, authentication, application design, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Elly Meng — Mon, 16 Nov 2020 13:51:28 GMT

Revision 8 posted to Appian Knowledge Base by Elly Meng on 11/16/2020 1:51:28 PM

Symptoms

At least one user cannot login
Unattended activities running as the user will fail
The user's password cannot be reset
The user sees an HTTP 500 - Internal Server Error in the browser when trying to reach https://<sitename>/suite/tempo and https://<sitename>/suite/portal:

The following error is observed in the application server log:

ERROR com.appiancorp.ap2.PortalActionsUtil - Could not initialize group navigation information for page
PrivilegeException[null=>null]: Insufficient permission
 ...
ERROR com.appiancorp.ap2.PortalAction - Couldn't get model information for requested dashboard
PrivilegeException[null=>null]: Insufficient permission
...
The user [username] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Basic Users are able to login but System Administrators are unable to. The following error is observed in the application server log:

ERROR com.appiancorp.security.auth.AppianAuthenticationFailureHandler - Authentication failed. username=Error while trying to authenticate the token: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fc39b89a: Principal: ****; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDetails[ts=****, entryPoint=PORTAL, clientIpAddress=*.*.*.*, clientUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36, requestUrl=
https://****.appiancloud.com:443/suite/auth?appian_environment=tempo]; Not granted any authorities
org.springframework.security.authentication.AuthenticationServiceException: Error while trying to authenticate the token: org.springframework.security.aut
hentication.UsernamePasswordAuthenticationToken@fc39b89a: Principal: ****; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDe
tails[ts=2020-10-06 21:01:16.614, entryPoint=PORTAL, clientIpAddress=34.231.2.11, clientUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53
7.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36, requestUrl=https://****.appiancloud.com:443/suite/auth?appian_environment=tempo]; Not granted any authorities
...
Caused by: com.appiancorp.suiteapi.common.exceptions.AppianRuntimeException: com.appiancorp.security.authz.AuthorizationException: The user [****] does not have sufficient privileges to perform the requested action. (APNX-1-4188-003)

Cause

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.
The affected System Administrators are not a part of the Designers System Group. This may happen if the default membership rule that adds System Administrators to this group is deleted.

Action

To refresh the group membership, perform the following:
1. Add or remove that user to or from any group.
2. Have that user log out and log back in to Appian.
Permanently add that user to the Application Users group if they are a basic user or the Designer System group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.
Ensure that System Administrators who are unable to login are part of the Designers System Group and that the default membership rule for this group is present.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: November 2020

Tags: groups, administration, application design, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Jordan Horwat — Fri, 21 Dec 2018 16:42:27 GMT

Revision 7 posted to Appian Knowledge Base by Jordan Horwat on 12/21/2018 4:42:27 PM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password.

Alternatively, the user sees an HTTP 500 - Internal Server Error in the browser when trying to reach https://<sitename>/suite/tempo and https://<sitename>/suite/portal:

The application server log will show the following error:

ERROR com.appiancorp.ap2.PortalActionsUtil - Could not initialize group navigation information for page
PrivilegeException[null=>null]: Insufficient permission
 ...
ERROR com.appiancorp.ap2.PortalAction - Couldn't get model information for requested dashboard
PrivilegeException[null=>null]: Insufficient permission
...
The user [username] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

The following are possible causes for this issue:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.

Action

To refresh the group membership, perform the following:
1. Add or remove that user to or from any group.
2. Have that user log out and log back in to Appian.
Permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 2018

Tags: groups, administration, application design, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Parmida Borhani — Tue, 18 Sep 2018 01:31:45 GMT

Revision 6 posted to Appian Knowledge Base by Parmida Borhani on 9/18/2018 1:31:45 AM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password.

Alternatively, the user sees an HTTP 500 - Internal Server Error in the browser when trying to reach https://<sitename>/suite/tempo and https://<sitename>/suite/portal:

The application server log will show the following error:

com.appiancorp.security.authz.AuthorizationException: The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

The following are possible causes for this issue:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.

Action

To refresh the group membership, perform the following:
1. Add or remove that user to or from any group.
2. Have that user log out and log back in to Appian.
Permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2018

Tags: groups, administration, application design, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Parmida Borhani — Thu, 09 Aug 2018 02:12:06 GMT

Revision 5 posted to Appian Knowledge Base by Parmida Borhani on 8/9/2018 2:12:06 AM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password. The application server log will show the following error:

com.appiancorp.security.authz.AuthorizationException: The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

The following are possible causes for this issue:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.

Action

To refresh the group membership, perform the following:
1. Add or remove that user to or from any group.
2. Have that user log out and log back in to Appian.
Permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 2018

Tags: groups, administration, application design, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role" error thrown in different scenarios

Parmida Borhani — Thu, 11 Jan 2018 16:45:18 GMT

Revision 4 posted to Appian Knowledge Base by Parmida Borhani on 1/11/2018 4:45:18 PM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password. The application server log will show the following error:

com.appiancorp.security.authz.AuthorizationException: The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

The following are possible causes for this issue:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.

Action

To refresh the group membership, perform the following:
1. Add or remove that user to or from any group.
2. Have that user log out and log back in to Appian.
Permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 2018

Tags: groups, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role." error thrown in different scenarios

Nick Vigilante — Fri, 09 Jun 2017 09:50:39 GMT

Revision 3 posted to Appian Knowledge Base by Nick Vigilante on 6/9/2017 9:50:39 AM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password. The application server log will show the following error:

com.appiancorp.security.authz.AuthorizationException: The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

The following are possible causes for this issue:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.

Action

To refresh the group membership, perform the following:
1. Add that user to any group.
2. Have that user log out and log back in to Appian.
3. Remove that user from that group.
4. Have that user log out and log back in to Appian again.
Permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.
If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2017

Tags: groups, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role." error thrown in different scenarios

Nick Vigilante — Fri, 09 Jun 2017 09:49:43 GMT

Revision 2 posted to Appian Knowledge Base by Nick Vigilante on 6/9/2017 9:49:43 AM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password. The application server log will show the following error:

com.appiancorp.security.authz.AuthorizationException: The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

The following are possible causes for this issue:

The user is deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.
The user is not actually part of any role in the system (Application Users).
The process assignment is being overridden by the swim lane settings, potentially causing an unintended user to start the process or run particular nodes in the process.

Action

1

To refresh the group membership, perform the following:

Add that user to any group.
Have that user log out and log back in to Appian.
Remove that user from that group.
Have that user log out and log back in to Appian again.

2

Permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.

3

If you believe there is a discrepancy between the user that the server log mentions and the user that the process model or node is intended to run as, check to see if the process model is contained in a swim lane. Swim lane assignment takes precedence and applies to all nodes within a process model unless the Override lane assignment for this node option is selected for a particular node. It is possible that the process or a node is configured to run as a particular user, but the assignment is being "overridden" by the assignment option in the swim lane.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2017

Tags: groups, users

KB-1130 "The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role." error thrown in different scenarios

Nick Vigilante — Fri, 24 Feb 2017 14:08:48 GMT

Revision 1 posted to Appian Knowledge Base by Nick Vigilante on 2/24/2017 2:08:48 PM

Symptoms

At least one user cannot login, or unattended activities running as the user will fail, or you are unable to reset a user's password. The application server log will show the following error:

com.appiancorp.security.authz.AuthorizationException: The user [xxxxx] does not have sufficient privileges to perform the requested action because they are not in any role. (APNX-1-4188-001)

Cause

This issue is caused by the user being deactivated before an upgrade and reactivated after the upgrade. This means that group membership needs to be refreshed.

Alternatively, the user is not actually part of any role in the system (Application Users).

Action

To refresh the group membership, temporarily add the user to a group and then remove that user from that group.

If that still doesn't fix that issue, permanently add that user to the Application Users group if they are a basic user or the Designers group if they are a designer/administrator.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: April 2016

Tags: groups, users