Cannot edit group memberships, as external user management is enabled, please contact your Jira administrators.

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms.

Summary

After restoring a backup from Jira Cloud to Jira Server when trying to edit existing users the following error is shown "Cannot edit group memberships, as external user management is enabled, please contact your Jira administrators.".

Environment

Jira 8.20.5

Diagnosis

  1. This issue resembles the issue described in the following knowledge base article. However external user management is already disabled and no external directory exist.
    1. Unable to create or edit users and groups.
  2. In the databases find out the permissions available on the internal directory you're trying to edit. This will be done through a db query and please run the command below against your Jira DB on the instance that's in trouble.
    1. Generally, this should return operations listed as in the screenshot below. This query may not return any results if you are facing this problem

      select * from cwd_directory_operation where directory_id = 1;

  3. The following error might be thrown in the application logs atlassian-jira.log during logging in of 'sysadmin' user

    2022-09-19 10:31:59,121+0000 http-nio-8080-exec-21 ERROR anonymous 631x686x1 16ynomm 172.29.210.85,172.50.0.2 /login.jsp [c.a.j.security.login.LoginStoreImpl] com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'sysadmin' in directory 'Jira Internal Directory'.
    com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'sysadmin' in directory 'Jira Internal Directory'.
    	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:335)
    	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:324)
    	at com.atlassian.jira.user.JiraDelegatingCrowdService.setUserAttribute(JiraDelegatingCrowdService.java:119)
    	at com.atlassian.jira.user.JiraCrowdService.setUserAttribute(JiraCrowdService.java:47)
    	at com.atlassian.jira.security.login.LoginStoreImpl.setLong(LoginStoreImpl.java:130)
    	at com.atlassian.jira.security.login.LoginStoreImpl.recordSuccessfulLoginAttempt(LoginStoreImpl.java:165)
    	at com.atlassian.jira.security.login.BulkLoginStore.recordSuccessfulLoginAttempt(BulkLoginStore.java:17)
    	at com.atlassian.jira.security.login.LoginStoreImpl.recordLoginAttempt(LoginStoreImpl.java:47)
    	at com.atlassian.jira.security.login.DelayedLoginStore.recordLoginAttempt(DelayedLoginStore.java:132)
    	at com.atlassian.jira.security.login.RecoveryLoginStore.recordLoginAttempt(RecoveryLoginStore.java:60)
    	at com.atlassian.jira.security.login.LoginManagerImpl.recordLoginAttempt(LoginManagerImpl.java:340)
    	at com.atlassian.jira.security.login.LoginManagerImpl.onLoginAttempt(LoginManagerImpl.java:222)
    	at com.atlassian.jira.security.login.JiraElevatedSecurityGuard.onSuccessfulLoginAttempt(JiraElevatedSecurityGuard.java:30)
    	... 13 filtered
    	at com.atlassian.pats.web.filter.TokenBasedAuthenticationFilter.doFilter(TokenBasedAuthenticationFilter.java:82)
    	... 26 filtered
    	at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
    	... 5 filtered
    	at com.atlassian.plugins.authentication.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:70)
    	... 8 filtered
    	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    	... 4 filtered
    	at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
    	... 3 filtered
    	at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
    	... 29 filtered
    	at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
    	... 25 filtered
    	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    	at java.base/java.lang.Thread.run(Thread.java:829)
    Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'sysadmin' in directory 'Jira Internal Directory'.
    	at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.storeUserAttributes(ApplicationServiceGeneric.java:583)
    	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:333)
    	... 136 more



Cause

During the import the internal directory was corrupted. It is uncertain how it came to be, but the following Bug has been raised for this

JSWSERVER-21471 - Getting issue details... STATUS

Solution

  1. Navigate to User Management section under Jira Administration >> User Directories and click "Edit" button against the internal directory.
  2. There is no need to make any change there, just click the "Save and Test" button. This will trigger a backend operation on the database, recreating all the operations in the table.
  3. When you go back to your DB and run the SQL command again,  you should see the operation values listed and you should be able to edit user directories and manage users as normal.
select * from cwd_directory_operation where directory_id = 1;

Last modified on Nov 1, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.