Caution on removing duplicated users and effect on them when changing directories order
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When Jira is set up with multiple user directories and the same user exists in more than one of them (a duplicated user), reordering the directories or removing the user from one directory can produce different effects in Jira. This article describes those effects and the alternatives that avoid the undesired ones.
Solution
Changing directories order
When a user exists in multiple directories, changing the directory order affects both login and permissions. Summarizing the Managing multiple directories article, with more detail, the directory order affects:
Login (password): the application searches the directories in the order specified and uses the credentials (password) of the first occurrence of the user to validate the login attempt.
Login (active user): if the user is marked as inactive in the top directory, login is disabled.
Permissions: the application looks up group membership only in the first directory (by order) where the username appears. Hence, if different groups are set in different directories, changing the directory order changes the user's permissions (the groups, and anything defined through groups such as project roles and administration permissions, will be affected).
In other words, the directory highest in the order dictates whether the user is active, which password is used and which permissions apply. To avoid this, you can:
Keep duplicate users only where required (such as administrators and key users), so the directory order does not affect the login or permissions of the other users (the next section covers how to remove the duplicates).
For the duplicate users that are necessary, always verify that the groups and user information are set identically in all directories.
Removing users
To begin, let's define "removal" of a user as either:
Deleting the user from the Jira UI, or
Deleting the user from an external directory that is synchronized to Jira (for example, removing it from LDAP, or changing the user search filter so it no longer matches the user).
When a duplicated user is removed in either of the situations above, the copy of the user in the next directory takes its place, with that directory's configuration and permissions. This can be particularly harmful when the user is marked inactive in one directory and active in another, has elevated permissions in one directory and not in the other, or when the removal was meant to stop the user from logging in (the user is removed from the top directory but is still active in the others).
To avoid these situations, we primarily recommend deleting the user duplicates:
Set the directory from which the user will be deleted as the top directory in the order.
As a double check, ensure the user is actually present in both directories and that the directory shown at the top of the order is the intended one (the REST API call below lists the duplicated users).
curl -X GET "<BASE_URL>/rest/api/2/user/duplicated/list?flush=true" -u "<USERNAME>:<PASSWORD>"
Delete the user through the UI or the REST API ("DELETE /rest/api/latest/user"), or remove it directly from the external directory if the top directory is external.
Note that the same user (from another directory) will take its place.
⚠️ When Jira recognizes the duplicate user as taking the place of the deleted one, the previous actions performed by that user (comments, assignments, reporter, etc.) are kept; no information is lost.
If (and only if) the user to be deleted is in an external directory synchronized to Jira (such as LDAP), and that directory is not the top one in the order, deleting the user from the external directory and synchronizing to Jira is sufficient to remove it.
Finally, if you need to keep the user in the other directories but remove it from the top directory in the order (to avoid unnecessary access or elevated privileges when deleting the user), follow the same steps above, but instead of deleting the user, deactivate it (for internal directories) or remove all its groups (for external directories), which frees the license and removes the user's ability to log in.
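As an added example (not Jira's own code), the following Python script models the first-directory-wins rule described above on a constructed sample of two directories: it resolves the effective record for a username, audits duplicates whose active flag or groups differ (the review recommended earlier), and shows which copy takes over once a user is removed from one directory. The directory names, users and data structures are assumptions made for the illustration.

```python
# Added example (not Jira's code): models the "first directory in order wins"
# rule for duplicated users, to audit what a reorder or a removal would change.
from dataclasses import dataclass


@dataclass
class DirUser:
    active: bool
    groups: frozenset


# Constructed sample: ordered list of (directory name, {username: DirUser}).
DIRECTORIES = [
    ("Internal", {"alice": DirUser(True, frozenset({"jira-administrators", "jira-users"})),
                  "bob": DirUser(False, frozenset({"jira-users"}))}),
    ("LDAP", {"alice": DirUser(True, frozenset({"jira-users"})),
              "bob": DirUser(True, frozenset({"jira-users"})),
              "carol": DirUser(True, frozenset({"jira-users"}))}),
]


def resolve(directories, username):
    """Effective record: the first directory in order that contains the username
    decides the active state and the group membership (and the password)."""
    for name, users in directories:
        if username in users:
            return name, users[username]
    return None, None


def audit_duplicates(directories):
    """Flag usernames present in more than one directory whose active flag or
    groups differ, i.e. users for whom a reorder or a removal changes access."""
    seen = {}
    for name, users in directories:
        for username, rec in users.items():
            seen.setdefault(username, []).append((name, rec))
    findings = {}
    for username, entries in seen.items():
        top_name, top = entries[0]
        for name, rec in entries[1:]:
            if rec.active != top.active or rec.groups != top.groups:
                findings.setdefault(username, []).append({
                    "if_top_becomes": name,
                    "active": (top.active, rec.active),
                    "gains_groups": sorted(rec.groups - top.groups),
                    "loses_groups": sorted(top.groups - rec.groups),
                })
    return findings


def remove_from(directories, directory_name, username):
    """Copy of the directories with the user removed from one of them; resolve()
    on the result shows which duplicate takes the user's place afterwards."""
    return [(n, {u: r for u, r in users.items()
                 if not (n == directory_name and u == username)})
            for n, users in directories]
```

Running audit_duplicates on a real export of your directories (same structure) lists exactly the users for whom step "review that groups and user information are equally set" has not been done.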