goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Unable to add role to group via UI or API: "Roles can only be used with a single group." #10983

Open nate3D opened 2 months ago

nate3D commented 2 months ago

**Describe the bug**
I have an `ldaplogin` role that I am trying to assign to a second top-level group. When trying to add the role assignment by editing the Group, I simply get back an empty error popup and a 400 via the API. The role assignment is not persisted. Using the API browser, I can see a response of "Roles can only be used with a single group." I can't find any reference to this being the case in the documentation online.

**To Reproduce**
Steps to reproduce the behavior:

  1. Create a new Role, i.e. ldaplogin
  2. Create two new groups, i.e. Group 1, Group 2
  3. Assign ldaplogin to Group 1 and save.
  4. Assign ldaplogin to Group 2 and save; it will show an empty error popup and the role assignment will not persist.

**Expected behavior**
The group is updated as expected with the new Role assignment, or an error message with corresponding documentation on how to properly structure the Role <-> Group assignment hierarchy.

**Screenshots**

(screenshot: AuthentikError_GroupSaveNotPersisting)

**Logs**

```json
{"log":"{\"action\": \"model_updated\", \"auth_via\": \"session\", \"client_ip\": \"192.168.1.1\", \"context\": {\"http_request\": {\"args\": {}, \"method\": \"PATCH\", \"path\": \"/api/v3/core/groups/424b2708-de62-48a7-9cf6-804e1eca833d/\", \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0\"}, \"model\": {\"app\": \"authentik_core\", \"model_name\": \"group\", \"name\": \"XXXXXXXXX\", \"pk\": \"424b2708de6248a79cf6804e1eca833d\"}}, \"domain_url\": \"XXXXXXXXXXXXX\", \"event\": \"Created Event\", \"host\": \"XXXXXXXXXXXXXXX\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 149885, \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"schema_name\": \"public\", \"timestamp\": \"2024-08-19T21:07:46.267545\", \"user\": {\"email\": \"XXXXXXXXXXXX@gmail.com\", \"pk\": 4, \"username\": \"akadmin\"}}\n","stream":"stderr","time":"2024-08-19T21:07:46.26776123Z"}
{"log":"{\"auth_via\": \"session\", \"domain_url\": \"XXXXXX\", \"event\": \"Task published\", \"host\": \"XXXXXXXXXXX\", \"level\": \"info\", \"logger\": \"authentik.root.celery\", \"pid\": 149885, \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"schema_name\": \"public\", \"task_id\": \"4f204638a0d44028826b74043e1015ce\", \"task_name\": \"authentik.events.tasks.event_notification_handler\", \"timestamp\": \"2024-08-19T21:07:46.288043\"}\n","stream":"stderr","time":"2024-08-19T21:07:46.288182613Z"}
{"log":"{\"auth_via\": \"session\", \"domain_url\": \"XXXXXXXXXXX\", \"event\": \"/api/v3/core/groups/424b2708-de62-48a7-9cf6-804e1eca833d/\", \"host\": \"XXXXXXXXXXX\", \"level\": \"info\", \"logger\": \"authentik.asgi\", \"method\": \"PATCH\", \"pid\": 149885, \"remote\": \"192.168.1.1\", \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"runtime\": 75, \"schema_name\": \"public\", \"scheme\": \"https\", \"status\": 400, \"timestamp\": \"2024-08-19T21:07:46.292933\", \"user\": \"akadmin\", \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0\"}\n","stream":"stderr","time":"2024-08-19T21:07:46.293110429Z"}
```

**Version and Deployment**

```yaml
services:
  authentik-db:
    image: postgres:latest
    environment:
      PGDATA: /var/lib/postgresql/data/pgdata
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U ${POSTGRES_USER}" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:

networks:
  db_net:
    driver: bridge
  core-net:
    external: true

volumes:
  db_data: null
  redis_data: null
  search_data: null
  authentik_media: null
  authentik_templates: null
  authentik_certs: null
```

**Additional context**
I have a workaround in that I created a new `ldaplogin` group and set it as the parent for the groups I'd like to have access to that permission. While doing so, I did come across that I had previously set more than one group with the same permission, so it seems this has been a newer change or a regression of some sort? I see as well that in 2024.8 this might all be a moot point with the LDAP search assignment changing.

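The audit and workaround from the post, as an added example that is not part of the issue or of authentik's own code: it finds roles that are still attached to more than one group (the pre-existing state the reporter noticed), then builds the API calls for the parent-group workaround, flagging groups that already have a parent so an administrator decides before a permission inheritance link is silently replaced. The `roles` and `parent` field names, the request bodies and the `$NEW_GROUP` placeholder are assumptions about authentik's group API; the sample data is constructed.

```python
import json
import urllib.request

# Constructed sample of what GET /api/v3/core/groups/ returns, reduced to the
# fields this script uses ("pk", "name", "parent", "roles" are assumed names).
SAMPLE_GROUPS = [
    {"pk": "g1", "name": "Group 1", "parent": None, "roles": ["ldaplogin"]},
    {"pk": "g2", "name": "Group 2", "parent": None, "roles": ["ldaplogin", "other"]},
    {"pk": "g3", "name": "Group 3", "parent": "g9", "roles": ["other"]},
]

def find_shared_roles(groups):
    """Return {role_pk: [group_pk, ...]} for roles referenced by more than one
    group: the state that predates the single-group check and now gets a 400."""
    by_role = {}
    for g in groups:
        for role in g.get("roles", []):
            by_role.setdefault(role, []).append(g["pk"])
    return {r: pks for r, pks in by_role.items() if len(pks) > 1}

def plan_parent_group_workaround(groups, role_pk, holder_name):
    """Build the API calls for the workaround: one new group holds the role and
    each former holder becomes its child. Groups that already have a parent are
    returned separately, because re-parenting them would drop that link (and
    whatever permissions they inherit through it) without anyone noticing."""
    calls = [("POST", "/api/v3/core/groups/", {"name": holder_name, "roles": [role_pk]})]
    needs_review = []
    for g in groups:
        if role_pk not in g.get("roles", []):
            continue
        if g.get("parent"):
            needs_review.append(g["pk"])
            continue
        remaining = [r for r in g["roles"] if r != role_pk]
        calls.append(("PATCH", f"/api/v3/core/groups/{g['pk']}/",
                      {"parent": "$NEW_GROUP", "roles": remaining}))
    return calls, needs_review

def apply_plan(calls, base_url, token):
    """Execute the plan in order; the pk returned by the POST replaces $NEW_GROUP.
    A PATCH that still violates the single-group rule raises HTTPError (400)."""
    new_pk = None
    for method, path, body in calls:
        body = {k: (new_pk if v == "$NEW_GROUP" else v) for k, v in body.items()}
        req = urllib.request.Request(base_url + path, method=method,
              data=json.dumps(body).encode(),
              headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            data = json.loads(resp.read() or b"{}")
        if method == "POST":
            new_pk = data["pk"]
    return new_pk
```

Run `find_shared_roles` and `plan_parent_group_workaround` first and review the output; only then pass the plan to `apply_plan` with a real base URL and API token.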
Mase3206 commented 2 months ago

Same issue here. I previously had one role assigned to multiple groups, but I wanted to adjust some of them and only encountered this error when I tried to re-assign any role (the same or a different one) to any group.

BeryJu commented 2 months ago

This needs to be updated in the docs, but for the time being this is indeed a limitation.