Unable to add role to group via UI or API: "Roles can only be used with a single group."

[nate3D]

Describe the bug
I have a ldaplogin role that I am trying to assign to a second top-level group. When trying to add the role assignment via editing the Group, I get back simply an empty error popup and 400 via the API. The Role assignment is not persisted. Using the API browser, I can see a response of "Roles can only be used with a single group." I can't find any reference to this being the case in the documentation online.

To Reproduce
Steps to reproduce the behavior:

1. Create a new Role, i.e. ldaplogin
2. Create two new groups, i.e. Group 1, Group 2
3. Assign ldaplogin to Group 1 and save.
4. Assign ldaplogin to Group 2 and save, it will show an empty error popup and the role assignment will not persist.

Expected behavior
The group is updated as expected with the new Role assignment, or an error message with corresponding documentation on how to properly structure Role <-> Group assignment hierarchy.

Screenshots
If applicable, add screenshots to help explain your problem.

Logs

{"log":"{\"action\": \"model_updated\", \"auth_via\": \"session\", \"client_ip\": \"192.168.1.1\", \"context\": {\"http_request\": {\"args\": {}, \"method\": \"PATCH\", \"path\": \"/api/v3/core/groups/424b2708-de62-48a7-9cf6-804e1eca833d/\", \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0\"}, \"model\": {\"app\": \"authentik_core\", \"model_name\": \"group\", \"name\": \"XXXXXXXXX\", \"pk\": \"424b2708de6248a79cf6804e1eca833d\"}}, \"domain_url\": \"XXXXXXXXXXXXX\", \"event\": \"Created Event\", \"host\": \"XXXXXXXXXXXXXXX\", \"level\": \"info\", \"logger\": \"authentik.events.models\", \"pid\": 149885, \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"schema_name\": \"public\", \"timestamp\": \"2024-08-19T21:07:46.267545\", \"user\": {\"email\": \"XXXXXXXXXXXX@gmail.com\", \"pk\": 4, \"username\": \"akadmin\"}}\n","stream":"stderr","time":"2024-08-19T21:07:46.26776123Z"}
{"log":"{\"auth_via\": \"session\", \"domain_url\": \"XXXXXX\", \"event\": \"Task published\", \"host\": \"XXXXXXXXXXX\", \"level\": \"info\", \"logger\": \"authentik.root.celery\", \"pid\": 149885, \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"schema_name\": \"public\", \"task_id\": \"4f204638a0d44028826b74043e1015ce\", \"task_name\": \"authentik.events.tasks.event_notification_handler\", \"timestamp\": \"2024-08-19T21:07:46.288043\"}\n","stream":"stderr","time":"2024-08-19T21:07:46.288182613Z"}
{"log":"{\"auth_via\": \"session\", \"domain_url\": \"XXXXXXXXXXX\", \"event\": \"/api/v3/core/groups/424b2708-de62-48a7-9cf6-804e1eca833d/\", \"host\": \"XXXXXXXXXXX\", \"level\": \"info\", \"logger\": \"authentik.asgi\", \"method\": \"PATCH\", \"pid\": 149885, \"remote\": \"192.168.1.1\", \"request_id\": \"7fedfc0c67f443889e0567b79bdac51c\", \"runtime\": 75, \"schema_name\": \"public\", \"scheme\": \"https\", \"status\": 400, \"timestamp\": \"2024-08-19T21:07:46.292933\", \"user\": \"akadmin\", \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0\"}\n","stream":"stderr","time":"2024-08-19T21:07:46.293110429Z"}

Version and Deployment (please complete the following information):

• authentik version: 2024.6.3
• Deployment: docker-compose (below)

version: '3'

services:
  authentik-db:
    image: postgres:latest
    environment:
      PGDATA: /var/lib/postgresql/data/pgdata
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U ${POSTGRES_USER}" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - db_net
    restart: unless-stopped
    volumes:
      - db_data:/var/lib/postgresql/data

  authentik-redis:
    image: redis:latest
    command: --save 60 1 --loglevel warning
    networks:
      - core-net
    restart: unless-stopped
    healthcheck:
      test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis_data:/data

  authentik:
    image: ghcr.io/goauthentik/server:latest
    command: server
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_started
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    environment:
      AUTHENTIK_POSTGRESQL__HOST: authentik-db
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_EMAIL__HOST: smtp.gmail.com
      AUTHENTIK_EMAIL__PORT: 587
      AUTHENTIK_EMAIL__USERNAME: ${GMAIL_SMTP_USERNAME}
      AUTHENTIK_EMAIL__PASSWORD: ${GMAIL_SMTP_APP_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: "true"
      AUTHENTIK_EMAIL__FROM: XXXXXXXXXX
    networks:
      - core-net
      - db_net
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.rule=Host(`XXXXXXXXXX`) || Host(`XXXXXXXXXX`)"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.tls.certresolver=tlsresolver"
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.http.routers.authentik.middlewares=my-geoblock@docker"

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_started
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - authentik_media:/media
      - authentik_templates:/templates
      - authentik_certs:/certs
    environment:
      AUTHENTIK_POSTGRESQL__HOST: authentik-db
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_EMAIL__HOST: smtp.gmail.com
      AUTHENTIK_EMAIL__PORT: 587
      AUTHENTIK_EMAIL__USERNAME: ${GMAIL_SMTP_USERNAME}
      AUTHENTIK_EMAIL__PASSWORD: ${GMAIL_SMTP_APP_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: "true"
      AUTHENTIK_EMAIL__FROM: XXXXXXXXXX
    user: root
    networks:
      - core-net
      - db_net
    restart: unless-stopped

networks:
  db_net:
    driver: bridge
  core-net:
    external: true

volumes:
  db_data: null
  redis_data: null
  search_data: null
  authentik_media: null
  authentik_templates: null
  authentik_certs: null

Additional context
I have a workaround in that I created a new ldaplogin group and set it as the parent for the groups I'd like to have access that permission. While doing so, I did come across that I had previously set more than one group with the same permission so it seems this has been a newer change or a regression of some sort? I see as well that in 2024.8 this might all be a mute point with the LDAP search assignment changing.

[Mase3206]

Same issue here. I previously had one role assigned to multiple groups, but I wanted to adjust some of them and only encountered this error when I tried to re-assign any role (the same or a different one) to any group.

[BeryJu]

This needs to be updated in the docs but for the time being this is indeed a limitation

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[KH-Orange]

Any development updates on the initial issue?

[remram44]

I am running into this still. I don't understand the point of roles if they have to be duplicated for every group. Or is the idea to assign roles to users and not use groups?