When editing the permissions for a user, it is currently always possible in the UI to add capabilities.
But if the users doesn't have any access to a certain site, the API request for adding the capability does nothing, but still returns success.
This is somehow unexpected, as the API should throw an exception if adding a capability isn't possible. And also the UI shouldn't show the capability selection in that case.
Throwing an exception can easily be added here:
https://github.com/matomo-org/matomo/blob/d17b842d09fa3726f2fee7c203601d6895d14bad/plugins/UsersManager/API.php#L1206-L1226
Hiding the selection box can be achieved by adding something like v-if="userRole !== 'noaccess'"
here:
https://github.com/matomo-org/matomo/blob/1dd8569ba0279843b9e7b96f5712d34605530fbe/plugins/UsersManager/vue/src/CapabilitiesEdit/CapabilitiesEdit.vue#L37-L46
@tsteur this one should be quite easy to fix. Let me know if I should quickly set up a PR to fix that.