Error "Cannot edit group memberships, as external user management is enabled" in Jira
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After restoring a backup from Jira Cloud to Jira Server, trying to edit existing users shows the following error: "Cannot edit group memberships, as external user management is enabled, please contact your Jira administrators."
Environment
Any Jira version.
Diagnosis
This issue resembles the problem described in the knowledge base article Unable to create or edit users and groups. In this case, external user management is already disabled, and no external directory exists.
In the database, check the permissions available to the internal directory.
Run this query against the database:
SELECT * FROM cwd_directory_operation WHERE directory_id = 1;
Under normal circumstances, the following 12 rows would appear. However, in this case, nothing is returned.
CREATE_GROUP, CREATE_ROLE, CREATE_USER, DELETE_GROUP, DELETE_ROLE, DELETE_USER, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, UPDATE_ROLE, UPDATE_ROLE_ATTRIBUTE, UPDATE_USER, UPDATE_USER_ATTRIBUTE.
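As an added example (not part of the original article), the query below reports which of the 12 expected operations are absent for directory 1, so the result does not have to be compared against the list by hand. It assumes PostgreSQL syntax and that the operation name is stored in a column called operation_type; adjust both for your database.

```sql
-- Added example: read-only check for missing internal directory operations.
-- Assumptions: PostgreSQL syntax; the column holding the operation name
-- is called operation_type; the internal directory has id 1 as in the
-- query above.
WITH expected(operation_type) AS (
    VALUES ('CREATE_GROUP'), ('CREATE_ROLE'), ('CREATE_USER'),
           ('DELETE_GROUP'), ('DELETE_ROLE'), ('DELETE_USER'),
           ('UPDATE_GROUP'), ('UPDATE_GROUP_ATTRIBUTE'),
           ('UPDATE_ROLE'), ('UPDATE_ROLE_ATTRIBUTE'),
           ('UPDATE_USER'), ('UPDATE_USER_ATTRIBUTE')
)
SELECT e.operation_type AS missing_operation
FROM expected e
LEFT JOIN cwd_directory_operation o
       ON o.directory_id = 1
      AND o.operation_type = e.operation_type
-- Keep only the expected operations with no matching row.
WHERE o.operation_type IS NULL
ORDER BY e.operation_type;
```

In the state described in this article the query returns all 12 names; once the operations have been recreated it returns no rows.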
The following error shows up in the application logs.
2022-09-19 10:31:59,121+0000 http-nio-8080-exec-21 ERROR anonymous 631x686x1 xsessionidx xipaddressx /login.jsp [c.a.j.security.login.LoginStoreImpl] com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'sysadmin' in directory 'Jira Internal Directory'.
com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'sysadmin' in directory 'Jira Internal Directory'.
[...]
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'sysadmin' in directory 'Jira Internal Directory'.
Cause
Due to JRACLOUD-80978 - "Back up for server" export is missing internal directory operations, the Jira Cloud export is missing necessary directory operation permissions.
Solution
Navigate to ⚙️ (gear icon) > User management > User directories.
Click the edit button next to Jira Internal Directory.
Without making any changes, click Save and test. This will trigger a backend operation on the database, recreating all the operations in the table.
If you return to your DB and rerun the SQL command, you should see the operation values listed and be able to edit user directories and manage users as expected.