Resolve user and groups synchronization error

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Some workarounds presented here perform direct modifications on the entities.xml file. Before proceeding with such edits, be aware of such implications. Make sure to always store a backup copy of the original file.


Summary

When performing site imports to the cloud environment, it sometimes fails with an unclear message. The following message appears when there are possible inconsistencies with user-related information on the backup file.

Error importing data: cloud.atlassian.logmon.laas.api.PrivacySafeException: Privacy-safe boxing of a com.atlassian.jira.bc.dataimport.identity.UsersImportService$WrappingCrowdException

Currently, we have a feature request to improve the error message: JRACLOUD-79502 - Improve user sync error message.

Environment

This message applies for site imports

  • From Cloud to Cloud

  • Or Server to Cloud

Diagnosis

The only way to identify that this error occurred when performing the site import is when the process finishes. However, there are a few checks you can perform to identify the possible causes of this. We’ll detail a list of them in the next section.

Possible causes and solutions

Since there is more than one possible situation for this error to come up, we’ll divide them into two categories, depending on where we are importing data from, server or cloud.

No matter what direction you'll follow, make sure to always review the imported groups. One should make this review on the Product access on the User Management page - https://admin.atlassian.com/s/<cloud-id>/apps - where <cloud-id> is the identification of your cloud site.



Server to Cloud

You may see this error if:

  • Users have forbidden characters in their email

  • Duplicated user in the same directory

User with forbidden characters in their email

Cause

Users whose emails have different characters from a word character - for example, dots “.", dashes "-”, or underscores "_” on both the username and domain parts will cause the import to fail in the verification phase. See a few examples below:

first.last@domain.com

(tick)

first.last@domain_test.com

(tick)

first-last@domain-test.com

(tick)

first_last@domain.test.other.com

(tick)

username@test-other-domain.com

(tick)

<first>last@domain.com

(error)

john-doe@domain.123

(error)

user_name@domain.p

(error)

When importing users to the cloud the following REGEX is used to validate e-mail addresses:

/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$


Diagnosis

Perform a test validation of users email addresses using the following query on the database:

select email_address,user_name from cwd_user where email_address !~ '/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$';

You may need to adjust the syntax depending on the type of database you have.


This query will return the email address and username of the impacted users, which are the ones that don’t match the email validation criteria.

Resolution

  1. Edit the emails that contain any forbidden characters.

  2. If that’s not possible, contact support so that we can disable this verification step for your destination site.



Duplicated user in the same directory

Cause

In the Jira server environment, it’s possible to have more than one user with the same e-mail address. This is usually not a problem, but when importing a backup from the server into the cloud, the import will fail due to email uniqueness being a constraint in the cloud environment.

Diagnosis

To search for possible duplicates within the directories, you can use the query below:

select lower_email_address,directory_id,count(*) from cwd_user group by 1,2 having count(lower_email_address) > 1;

You may need to adjust the syntax depending on the type of database you have.


This query will list the email address, directory ID, and the number of occurrences of each one of the impacted users.

If you have more than one active directory in the Jira server, please be aware of the bug:

While performing a site import, all users that don’t belong to the preferred directory will be imported as inactive users and will not have the current content association.


Resolution

If possible, ensure that all users in the server database have unique emails.

Cloud to Cloud

You may see this error if:

  • User already exists in the cloud

  • Insufficient license seats for a specific product

User already exists in the cloud

Cause

When performing a site import/restoration, the process fails to delete some existing users. This tends to happen for users that exist both on the source and destination instances, especially the default add-on users.

Diagnosis

To validate if the users already exist in the destination cloud environment, first, you need to export a user list from the “User Management” (UM) following the instructions on Export users from a site. The same steps need to be followed for the source instance as well.

Having both lists, you can compare them to see if any of the users on the source instance are already on the destination instance.

Resolution

One option is to remove all users from the backup file if you’re sure that all of them are already on the destination site. See the below instructions for each operating system as an example of how to achieve that.

Linux Distributions

sed -i '/<User id="/d' entities.xml
sed -i '/<Group id="/d' entities.xml
sed -i '/<Membership id="/d' entities.xml
sed -i '/<GroupAttribute id="/d' entities.xml

MacOS

sed -i '' '/<User id="/d' entities.xml
sed -i '' '/<Group id="/d' entities.xml
sed -i '' '/<Membership id="/d' entities.xml
sed -i '' '/<GroupAttribute id="/d' entities.xml

Windows Distributions

On Windows machine created a folder with name backup in the C drive (C:\backup)

Copy the backup file and PowerShell script modifybackup.ps1 file to C:\backup folder

Then browse to C:\backup and right-click on modifybackup.ps1 and click "Run with PowerShell".

Once the script completes execution you will find a file data.zip in the location C:\backup.

Use this data.zip file to import to the cloud.

If you decide to remove specifics users, you may need to adapt the commands and script above.


Insufficient license seats for a specific product

Cause

When Cloud instances are on an annual plan, triggering an import will validate the number of active users in the backup and compare it with the number of license seats on the Cloud instance. If the number of active users is bigger than the number of license seats, it will fail the import validation.

  • If an import is triggered with the Overwrite users option, it will compare the number of active users in the backup with the number of license seats.

  • If an import is triggered with the Merge users option, it will compare the number of active users in the backup + the number of existing active users in the instance with the number of license seats.

Diagnosis

Check on both source and destination instances in which plan they’re currently on.

Resolution

If you will migrate with the Overwrite users option:

  • You can manually deactivate some users in the backup (or in the source instance before generating the export) so that the number of active users is lower than the number of license seats that you have for the cloud site. And then activate the users back through the UI once the site import has completed.

If you will migrate with the Merge users option:

  • If the number of existing active users in the Cloud site is already bigger than the number of license seats available, it will be necessary to initially deactivate some users in the instance, then change some users to inactive in the backup file making the number of active users in the backup + the number of active users in the instance to be lower than the number of license seats for the instance.

You can deactivate the users in the entities.xml file, using the following sed command, make sure there are a minimal amount of users active in the Cloud instance, otherwise, it will be necessary to deactivate those as well.

Linux Distributions

sed -i '/<User id="/s/active="1/active="0/' entities.xml

MacOS

sed -i '' '/<User id="/s/active="1/active="0/' entities.xml

Windows Distributions

((Get-Content -path C:\Users\Administrator\Downloads\entities.xml -Raw) -replace 'active="1" createdDate=','active="0" createdDate=') | Set-Content -Path C:\Users\Administrator\Downloads\entities.xml

We’re keeping track of this on


Still need help?

Have you checked all the listed suggestions but couldn’t address the error message, please engage with our support team for further assistance.





Last modified on Jan 30, 2025

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.