Overview ✨
The AI User role is designed for AI feature access, but it does not include the permission required to complete MFA setup. As a result, the user interface may not show a clear error, even though the MFA setup request is being rejected. This behavior can affect all Liongard instances where a user has been assigned only the AI User role.
A user with only the AI User role may also have little or no visibility into environments, systems, or assets. AI responses are limited to the data the user is already allowed to access.
Symptoms
Users may see one or both of the following behaviors on the MFA setup screen.
Phone number or SMS verification
User enters a phone number and selects a country.
Selecting Continue to Verification does not move the process forward.
The page appears unresponsive or frozen.
No error message is shown.
No verification code is sent.
Authenticator app or QR code
The page shows Could not fetch QR code, please refresh the page.
Refreshing the page does not resolve the issue.
The Unable to scan the QR code? option does not generate a manual setup key.
The manual entry area remains blank.
Common pattern
The issue continues after refreshing the page.
The issue continues after clearing browser cache and cookies.
The issue continues across multiple browsers.
Root cause
MFA enrollment requires the Edit Account Settings permission. The AI User role does not include this permission. Because of that, the MFA setup request is denied by the platform.
The user interface does not clearly display this permission problem. Instead, the MFA enrollment flow appears to fail silently. The issue is permission-related, not a browser problem, network problem, or service outage.
Enabling company-wide MFA enforcement does not bypass this permission requirement. The same permission check still applies during enrollment.
How to confirm the issue
If you need to verify the cause, use your browser's developer tools.
Open the MFA setup page.
Open browser developer tools.
Check the Console tab for a failed request.
Check the Network tab and locate the MFA setup request.
Review the response details.
Affected users commonly show a failed request to /api/v1/authentication/mfa/setup/ with a 403 response indicating that the required permission is missing.
{"error": "User does not have the required permission: Edit Account Settings"}Example :
If users with broader access can complete MFA setup successfully while AI User-
only accounts cannot, that strongly supports a role-permission cause.
Role and permission summary
Role or group | Includes Edit Account Settings | Notes |
AI User | No | Intended for AI feature access only |
User Administrators | No | Does not satisfy MFA enrollment requirement in this case |
Reader | Yes | Recommended minimum-privilege option |
Global System Integrators | Yes | Includes broader access |
Global Environment Managers | Yes | Includes broader access |
Global Administrators | Yes | Full administrative access |
Resolution
Assign the user an additional role that includes the required permission. In most cases, Reader is the best option because it is the minimum-privilege role that allows MFA enrollment and gives the user enough visibility for AI features to work properly.
Why Reader is recommended?
The AI User role alone does not provide enough access for meaningful AI-assisted results. Pairing AI User with Reader supports both MFA enrollment and the minimum visibility needed for AI features to return useful information.
Recommendations for Admins
Do not assign the AI User role by itself.
Pair AI User with at least Reader for users who need AI functionality.
Review onboarding and user provisioning workflows to ensure users intended for AI access also receive the correct visibility role.
Enable MFA according to your security requirements, but do not expect global MFA enforcement to override missing permissions.
FAQ's
Why does the page fail without showing a clear error?
Why does the page fail without showing a clear error?
The MFA setup request is denied because the user lacks the required permission. In this case, the interface does not present the permission error clearly, so the page may appear stuck or incomplete instead.
Is the AI User role enough for normal AI feature use?
Is the AI User role enough for normal AI feature use?
No. The AI User role is meant to work with another role that provides visibility into environments and assets. Without that additional access, AI results may be limited or unavailable.
Does enabling MFA for the whole company fix this issue?
Does enabling MFA for the whole company fix this issue?
No. Company-wide MFA enforcement does not bypass the permission required for the user to enroll MFA.
What is the minimum role recommended to resolve this?
What is the minimum role recommended to resolve this?
Reader is the recommended minimum-privilege role because it includes the needed permission and provides the basic visibility required for AI-assisted workflows.
