Summary

The assign user list currently returns users with no application access. It checks the roles, groups and users associated to the permission but does not take in consideration of the application access. When attempting to assign the issue however, the ticket will not be assigned to the user with no application access however. So it mostly a bug with the user list.

Investigation Done

The 2 JIRA REST end point below returns users with no application access as assignable users.

/rest/api/latest/user/assignable/search?username=valkyrie_191089&projectKeys=TSD&issueKey=TSD-16&maxResults=50&startAt=0
/rest/api/2/user/permission/search?username=valkyrie_191089&issueKey=TSD-16&permissions=ASSIGNABLE_USER

I think fixing the above end points will fix the bug.

Note : This problem also happens to the V3 REST end points specified here.

Expected Results

The assignable user list should only return users with proper permission AND access.

Current Results

The assignable user list returns users without application access.

Workaround

One of our customers, Andrey, has provided a workaround.

As a workaround you can check if the user has the required application access via '/rest/api/2/user' and username= and expand=applicationRoles parameters and if there is an application access, then check the assignable permission with any of mentioned calls.