New assignee brakes workflow

We added a condition to a workflow to allow only specific users to have specific statuses.
e.g. developers can have status Dev. In Progress only while QA can have QA In Progress only.

The problem is that it is possible to change assignee directly from view w/o going trough workflow and it is possible to change assignee of the ticket with status QA ready to a developer and get a ticket with incorrect assignee - status state.

Is there a way to run a validation when assignee changes?

Another alternative we consider is to create a connect app and monitor issue update and run validation and show the user notification that the change is not allowed.
Is it possible to subscribe to assignee changed or issue updated event on the open issue view form Atlassian Connect App?

Instead of using a Validator, you could use workflow properties to restrict who can be assigned to an issue per status. See Use workflow properties | Atlassian Support

An app could listen to assignee changes but the event is triggered after the change is completed, and listeners cannot show messages to the user.

Another option is to not have the “assignee” field on your default edit screen, and only include it on your view screen configuration.

Then assign a separate screen for the transition that allows it to be edited, this allows you to enforce workflow rules on changes to the field (you can even have an “assign” transition that is just for changing the assignee)

Thank you for the information.
Setting property to permit only a specific group to a status i think solves the problem to allow only specific assignee.

However, I still need to use validator and transition screen when transition from one status to another since i need to do 2 actions at the same time. Change a status (main goal) and change assignee. If I do not show transition screen I will not be able to change status since the current assignee is not allowed at the new status.

I need to have assignee on the default screen so that team of developers can reassign tickets form/to each other w/o any additional views.

“you can even have an “assign” transition that is just for changing the assignee” - what is assign transition?

Yes, you need to have the assignee field on the transition screen. But you don’t need a validator, Jira will automatically filter the allowed users for the transition’s destination status.

If I do not have a transition screen and just change status using view button then status is changed and user is not validated. Is there a way to run validation in this case?

Another thing when such validation works, there is a message: “User ‘5e15ee5e61d95d0d9aa66f2e’ cannot be assigned issues.” Is there a way to make a more user friendly message?

So there is in fact validation by Jira, with this non-user-friendly message.
I guess you should reach out to Atlassian about the message - it should be showing the user’s “display name” instead of the accountId.
So what happens if you don’t have a transition screen (I didn’t test it myself)? Don’t you get an error message from Jira anyway? Or does the issue end up unassigned if the current assignee was not allowed in the new Status?
And then, why would you have a transition without a screen that allows the user to change the assignee, if the current assignee needs to be changed?

So, i was testing it for a while and it is very flaky. Some times it works some times it does not.

The simplest example. Status on create is “Open”. I allowed only specific group of users to have Open status. When I create an issue and choose “forbidden” user an issue is created with Open status and user that is forbidden to have Open status.

Other example is when on transition screen i choose forbidden user first time submit it shows an error while clicking second time submit it is saved w/o error. I end up with forbidden user on a status.