Resolve user and groups synchronization error
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Some workarounds presented here perform direct modifications on the entities.xml file. Before proceeding with such edits, be aware of such implications. Make sure to always store a backup copy of the original file.
When performing site imports to the cloud environment, it sometimes fails with an unclear message. The following message appears when there are possible inconsistencies with user-related information on the backup file.
Error importing data: cloud.atlassian.logmon.laas.api.PrivacySafeException: Privacy-safe boxing of a com.atlassian.jira.bc.dataimport.identity.UsersImportService$WrappingCrowdException
Currently, we have a feature request to improve the error message: JRACLOUD-79502 - Improve user sync error message.
Environment
This message applies for site imports
From Cloud to Cloud
Or Server to Cloud
Diagnosis
The only way to identify that this error occurred when performing the site import is when the process finishes. However, there are a few checks you can perform to identify the possible causes of this. We’ll detail a list of them in the next section.
Possible causes and solutions
Since there is more than one possible situation for this error to come up, we’ll divide them into two categories, depending on where we are importing data from, server or cloud.
No matter what direction you'll follow, make sure to always review the imported groups. One should make this review on the Product access on the User Management page - https://admin.atlassian.com/s/<cloud-id>/apps - where <cloud-id> is the identification of your cloud site.
Server to Cloud
You may see this error if:
Users have forbidden characters in their email
Duplicated user in the same directory
User with forbidden characters in their email
Cause
Users whose emails have different characters from a word character - for example, dots “.", dashes "-”, or underscores "_” on both the username and domain parts will cause the import to fail in the verification phase. See a few examples below:
first.last@domain.com | |
first.last@domain_test.com | |
first-last@domain-test.com | |
first_last@domain.test.other.com | |
username@test-other-domain.com | |
<first>last@domain.com | |
john-doe@domain.123 | |
user_name@domain.p |
When importing users to the cloud the following REGEX is used to validate e-mail addresses:
/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$
Diagnosis
Perform a test validation of users email addresses using the following query on the database:
select email_address,user_name from cwd_user where email_address !~ '/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$';
You may need to adjust the syntax depending on the type of database you have.
This query will return the email address and username of the impacted users, which are the ones that don’t match the email validation criteria.
Resolution
Edit the emails that contain any forbidden characters.
If that’s not possible, contact support so that we can disable this verification step for your destination site.
We’re keeping track of this on
Duplicated user in the same directory
Cause
In the Jira server environment, it’s possible to have more than one user with the same e-mail address. This is usually not a problem, but when importing a backup from the server into the cloud, the import will fail due to email uniqueness being a constraint in the cloud environment.
Diagnosis
To search for possible duplicates within the directories, you can use the query below:
select lower_email_address,directory_id,count(*) from cwd_user group by 1,2 having count(lower_email_address) > 1;
You may need to adjust the syntax depending on the type of database you have.
This query will list the email address, directory ID, and the number of occurrences of each one of the impacted users.
If you have more than one active directory in the Jira server, please be aware of the bug:
While performing a site import, all users that don’t belong to the preferred directory will be imported as inactive users and will not have the current content association.
Resolution
If possible, ensure that all users in the server database have unique emails.
Cloud to Cloud
You may see this error if:
User already exists in the cloud
Insufficient license seats for a specific product
User already exists in the cloud
Cause
When performing a site import/restoration, the process fails to delete some existing users. This tends to happen for users that exist both on the source and destination instances, especially the default add-on users.
Diagnosis
To validate if the users already exist in the destination cloud environment, first, you need to export a user list from the “User Management” (UM) following the instructions on Export users from a site. The same steps need to be followed for the source instance as well.
Having both lists, you can compare them to see if any of the users on the source instance are already on the destination instance.
Resolution
One option is to remove all users from the backup file if you’re sure that all of them are already on the destination site. See the below instructions for each operating system as an example of how to achieve that.
Linux Distributions
sed -i '/<User id="/d' entities.xml
sed -i '/<Group id="/d' entities.xml
sed -i '/<Membership id="/d' entities.xml
sed -i '/<GroupAttribute id="/d' entities.xml
MacOS
sed -i '' '/<User id="/d' entities.xml
sed -i '' '/<Group id="/d' entities.xml
sed -i '' '/<Membership id="/d' entities.xml
sed -i '' '/<GroupAttribute id="/d' entities.xml
Windows Distributions
On Windows machine created a folder with name backup in the C drive (C:\backup)
Copy the backup file and PowerShell script modifybackup.ps1 file to C:\backup folder
Then browse to C:\backup and right-click on modifybackup.ps1 and click "Run with PowerShell".
Once the script completes execution you will find a file data.zip in the location C:\backup.
Use this data.zip file to import to the cloud.
If you decide to remove specifics users, you may need to adapt the commands and script above.
We’re keeping track of this on
Insufficient license seats for a specific product
Cause
When Cloud instances are on an annual plan, triggering an import will validate the number of active users in the backup and compare it with the number of license seats on the Cloud instance. If the number of active users is bigger than the number of license seats, it will fail the import validation.
If an import is triggered with the Overwrite users option, it will compare the number of active users in the backup with the number of license seats.
If an import is triggered with the Merge users option, it will compare the number of active users in the backup + the number of existing active users in the instance with the number of license seats.
Diagnosis
Check on both source and destination instances in which plan they’re currently on.
Resolution
If you will migrate with the Overwrite users option:
You can manually deactivate some users in the backup (or in the source instance before generating the export) so that the number of active users is lower than the number of license seats that you have for the cloud site. And then activate the users back through the UI once the site import has completed.
If you will migrate with the Merge users option:
If the number of existing active users in the Cloud site is already bigger than the number of license seats available, it will be necessary to initially deactivate some users in the instance, then change some users to inactive in the backup file making the number of active users in the backup + the number of active users in the instance to be lower than the number of license seats for the instance.
You can deactivate the users in the entities.xml file, using the following sed command, make sure there are a minimal amount of users active in the Cloud instance, otherwise, it will be necessary to deactivate those as well.
Linux Distributions
sed -i '/<User id="/s/active="1/active="0/' entities.xml
MacOS
sed -i '' '/<User id="/s/active="1/active="0/' entities.xml
Windows Distributions
((Get-Content -path C:\Users\Administrator\Downloads\entities.xml -Raw) -replace 'active="1" createdDate=','active="0" createdDate=') | Set-Content -Path C:\Users\Administrator\Downloads\entities.xml
We’re keeping track of this on
Still need help?
Have you checked all the listed suggestions but couldn’t address the error message, please engage with our support team for further assistance.