Unable to perform granted actions for a user in two groups

Hello, my company is using Sonarqube 7.9.2 LTS, and we have a problem with permissions. We are using AAD plugin to log in and create new users, then manually assign them to additional groups if they require elevated privilege. We do NOT synchronize group membership from Active Directory.

One such group we have created is “architects”, which has all permissions except Administer. Here is a list of groups from our test instance:
GET /api/permissions/groups

{"id":"5","name":"architects","description":"Able to administer projects, but not the system itself","permissions":["gateadmin","profileadmin","provisioning","scan"]},
{"id":"1","name":"sonar-administrators","description":"System administrators","permissions":["admin","applicationcreator","gateadmin","portfoliocreator","profileadmin","provisioning","scan"]}
{"id":"2","name":"sonar-users","description":"Any new users created will automatically join this group","permissions":[]}]}

And a screenshot of the permission templates configuration page:

However, none of the users assigned to “architects” are able to Administer issues, even though their group has those permissions.

Here is an example from one of our architects, showing they have both the assigned “architects” role plus the default “sonar-users” role.
GET /api/users/groups?login=${USERID}&selected=selected

{"id":5,"name":"architects","description":"Able to administer projects, but not the system itself","selected":true,"default":false},
{"id":2,"name":"sonar-users","description":"Any new users created will automatically join this group","selected":true,"default":true}]}

I have tried deleting and recreating the group, plus removing and adding users, but that did not fix the issue.

Has anyone faced this issue and have any suggestions? Is there any more information that may help you?

Here is an example: if I log into our test instance as the admin, I see the Resolve options:

If I log into our test instance as an architect (using AAD integration), I only see Confirm:

Hi @swfinch1277,

Is this Permission Template correctly applied to the project(s)? For instance, is it the default one? And if it is, does the project you’re showing an issue of have any permission overrides (go to the project, Administration > Permission)? Or perhaps has another permission template applied?

Hi, @Wouter_Admiraal, thanks for the response!

I have confirmed that our test instance only has one permissions template named “Default template” and marked as default.

On one of the projects, I see that none of the checkboxes are marked for anything but administrator. Does this mean no overrides, or no permissions?

Given what I understood, I went to Administration > Projects > Management, and Bulk Applied the Default Permissions Template to all projects. Now, architects are getting the correct permissions!

So, I guess I only need to know if future projects will automatically get the default permissions template? I looked at the most recent projects and they had the same issue- architects were configured same as sonar-users, which is not what is configured in the default template.

Good to know you at least found a way to get it working again.

The permission template should get automatically applied to any new project. It’s odd this doesn’t seem to be the case for you. I don’t know if you can create a test project, and delete it again afterwards, just to double check if the template got applied correctly? And, what method are you usually using for creating a project? Via the UI, or via some automated process using SonarQube’s API?

We auto-provision projects in Sonarqube when they are scanned for the first time via Jenkins. Maven plugin for Java, CLI for Angular/TS and Python.

We do have some new projects coming up, I will make a note to see if the problem continues.

Thank you for the prompt help!