User unable to login with you do not have permission error

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When a user tries to log in to error, the error message "You do not have a permission to log in. If you think this is incorrect, please contact your Jira application administrator." is displayed. Additionally, you may observe an error in the atlassian-jira-security.log stating:

1 USERNAME tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

(Auto-migrated image: description temporarily unavailable)

Environment

Any version of Jira

Cause

Cause 1

The affected user is not part of the "Application Access" group. In Jira 6.4 and earlier, this is granted by the 'Jira Users' global permission. In Jira 7 and higher, this is controlled by Application Access.

Cause 2

You have modified your <Jira Install>/atlassian-jira/WEB-INF/seraph-config.xml file, most likely to implement some form of SSO (eg. Crowd SSO, etc)

Cause 3

The Affected user login fails due to authentication/authorization issues.

Cause 4

The Affected user login fails with Error: "User exists but has no unique key mapping"

Solution

Cause 1

Jira 6.4.x and earlier versions:

  1. Log in to your Jira application as a user with the 'Jira Administrators' global permission.

  2. Choose ⚙ > System. Select Global Permissions to open the Global Permissions page, which lists all Jira applications global permissions. You could also use the keyboard shortcut: g + g + start typing global permissions.

  3. Check whether the user (or a group that the user is in) has Global Permissions as "Jira applications Users". If the user, or a group that the user is in, does not have the "Jira applications" global permission, the user will not be able to log in and the above error will be displayed.

(Auto-migrated image: description temporarily unavailable)

Jira 7.x and higher versions:

  1. Log in to your Jira application as a user with the 'Jira Administrators' global permission.

  2. Choose ⚙ > Applications > Application Access. In Jira 7, the ability for users to login to the main Jira portal site is no longer managed in the global permissions section. Instead this is controlled here on the application access page. The concept is the same as previous versions of Jira. User accounts still need to be members of the group that grant them access to either Jira Software, Jira Core, or Jira Service Management (for Agents) in order to login. The difference here is largely in the location of this.

  3. Check whether the group that the user is in has Application Access to the appropriate Jira Application. If the group that the user is in, does not have the any application access, the user will not be able to log in and the above error will be displayed.

(Auto-migrated image: description temporarily unavailable)

Cause 2

Revert the changes you have made to <Jira Install>/atlassian-jira/WEB-INF/seraph-config.xml and restart Jira for it to take effect.

Cause 3

Please follow below steps to ENABLE DEBUG for the mentioned packages related to User login:

  1. Please set com.atlassian.jira.login & com.atlassian.jira.login.security to DEBUG in Administration > System > Troubleshooting and Support > Logging and Profiling.

  2. Have the user (attempt to) login.

  3. Set those log levels back to the WARN so they don't spam the logs.

How to Read Those Logs

When the extra debugging is enabled, more information will be written to atlassian-jira-security.log. This may contain information such as the following:

1 2 3 2014-07-25 17:34:55,755 http-bio-8080-exec-1 anonymous 1054x18749x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login login : 'captain.planet' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie. 2014-07-25 17:34:55,769 http-bio-8080-exec-1 anonymous 1054x18749x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login The user 'captain.planet' has FAILED authentication. Failure count equals 1 2014-07-25 17:34:55,770 http-bio-8080-exec-1 anonymous 1054x18749x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@276896a0[reason=AUTHENTICATED_FAILED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@3a851475[lastLoginTime=1406072369469,previousLoginTime=1405985220323,loginCount=577,currentFailedLoginCount=1,totalFailedLoginCount=101,lastFailedLoginTime=1406273695756,elevatedSecurityCheckRequired=false,maxAuthenticationAttemptsAllowed=3],userName=captain.planet,deniedReasons=[]]

In this example, the user's password is incorrect when accessing Active Directory.

1 2 2014-07-25 17:34:27,731 http-bio-8080-exec-25 anonymous 1054x18680x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login The user 'captain.planet' is required to answer a CAPTCHA elevated security check. Failure count equals 5 2014-07-25 17:34:27,734 http-bio-8080-exec-25 anonymous 1054x18680x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@fe6b7cc[reason=AUTHENTICATION_DENIED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@6ce6b718[lastLoginTime=1406072369469,previousLoginTime=1405985220323,loginCount=577,currentFailedLoginCount=5,totalFailedLoginCount=100,lastFailedLoginTime=1406273667718,elevatedSecurityCheckRequired=true,maxAuthenticationAttemptsAllowed=3],userName=captain.planet,deniedReasons=[com.atlassian.jira.bc.security.login.CaptchaChallengeRequired@3e3ce520[reasonCode=CAPTCHA_CHALLENGE,reasonSpecificProperties={login-url=https://teamwonderland.example.com/login.jsp}]]]

In this example, they failed to enter the CAPTCHA.

The logs will show a reason, that may come with a reason code. They are as follows:

AUTHENTICATION_DENIED

The user is not allowed to even attempt a login.

  • Check if there is a reason code, for exampleCAPTCHA_CHALLENGE indicates they failed the CAPTCHA.

  • Check the account is active (in both Jira and Active Directory).

AUTHENTICATED_FAILED

The user could not be authenticated.

  • Check their login/password.

    In some cases a password reset resolved the issue.

  • For LDAP users, this could happen when the user is created in Active Directory/LDAP with the setting to change the password on the first login and then the users login to Jira before logging into a different system or Windows and change their password. The resolution would be to request the user to login to another system and change their password or ensure they do not need to reset their password on next login.

  • In Active Directory, the LDAP server is not listed in the Log On To list for the particular user (User Properties > Account > Log On To...). When this option is set for an AD account, it populates the userWorkstations attribute.

    If a specific group of users are having this error consistently, it could be caused by the ldap.user.dn External LDAP users fail to authenticate to Jira server

AUTHORISATION_FAILED

The user could not be authorized.

  • Check they are members of the Jira applications Users Global Permission as per the above.

OK

The login was OK.

  • No action required

Cause 4

Updated on April 10, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageSummaryEnvironmentCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community