Health check: Duplicate user accounts
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Purpose
The Duplicate user accounts health check runs once a week to scan all user directories connected to Jira for duplicate user accounts. An account is considered as duplicate if another active account with the same username exists in another user directory, or if a user has multiple accounts but their only active account is not in the directory with the highest priority.
When multiple external directories are connected, and a user with multiple accounts attempts to authenticate, Jira will search the directories in the specified order and validate the login attempt against the first active account it finds.
If that person leaves your organization, deleting only the top-priority instance of the account (even if it’s inactive) does not completely prevent them from logging in to Jira. This is a potential security risk because if the user attempts to log in again, Jira will fall back to another active account with the same username.
The health check fails every time duplicate accounts are found and Jira displays a notification to remind you that some action may be required in order to maintain the security of your system.
Health check results
| Icon | Result | What this means |
|---|---|---|
 | All user accounts are unique or duplicate accounts are explicitly allowed. | The health check passed successfully for one or more of the following reasons:
|
 | We found one or more duplicate user accounts in the connected user directories. | The health check failed for one or all of the following reasons:
|
Resolution
To resolve any issues arising from duplicate accounts, determine which accounts were marked as duplicates, and then choose one of the methods described below to fix the issue.
As of release 8.19.0, the Jira Server platform REST API api/2/user/duplicated resource provides additional count and list methods that you can use to get the total number of duplicate user accounts or the full list of such accounts:
Please be mindful that even after deleting the duplicate user accounts, the health check will still show as failing as it runs only once a week. If you'd like a quicker update, please restart JIRA for a faster update.
- REST API requests have their cache holding information about the number of duplicate users and their detailed list valid for 10 minutes.
- Health check status stores its cache record only about the number of duplicated users, and it is valid for 7 days. So every time we check the health check status, we will see the same information until the mentioned 7 days have passed or until we restart the node.
- Nodes are not replicating changes to this cache between them.
Delete or deactivate duplicate accounts
If a user has multiple active accounts across multiple user directories, deactivate or delete the duplicates in the appropriate directory:
Searching for users will only show the users in the top-level directory. Please change the order of directories if you need to delete users from the Jira internal user directory.
If an unwanted duplicate user account exists in the Jira internal user directory, delete or deactivate the account from the User management system settings page. See Create edit or remove a user.
If the Jira internal user directory is the top-level directory, notify the user whose account you want to delete that they should start using their password from the external directory.
- If an unwanted duplicate user account exists in a read-only external user directory, delete or deactivate the account in that external user directory. See Create edit or remove a user.
- You cannot delete a user from within Jira if you are using External User Management (However, you can deactivate the user).
- If your Jira instance is configured to use an external Atlassian Crowd user directory, the user will be deactivated in Jira if they are deactivated in Crowd.
- Jira does not deactivate users who are configured and deactivated/disabled in an external Microsoft Active Directory or LDAP-based user directory, with the exception of Jira users configured with "delegated LDAP authentication".
For Delegated LDAP authentication, temporarily disable the option "Update User attributes on Login" if you are Unable to delete delegated directory user.
The responses returned by the count and list methods are stored in the duplicate users cache for 10 minutes. The cache is flushed automatically every time a directory is added, deleted, enabled, disabled, reordered, or synchronized.
Jira System Administrators can also flush the cache manually by adding the flush=true query string parameter to the resource URL. For example:
curl -X GET "<BASE_URL>/rest/api/2/user/duplicated/list?flush=true" \
-u "<USERNAME>:<PASSWORD>"The same can be achieved through the browser:
- Login to Jira as system administrator.
- Once logged in change the url to "<BASE_URL>/rest/api/2/user/duplicated/list?flush=true"
Explicitly allow some duplicate accounts
Some accounts may be duplicated on purpose. For example, duplicate Jira System Administrator accounts may exist in the Jira internal user directory to maintain administrative access to Jira in case any of the external directories fail.
You can configure the health check to ignore some duplicates by listing the usernames under the jira.security.duplicated.user.accounts advanced setting. Separate each entry with an ampersand. For example: jdoe&ssmith&fperez .
For more information, see Configuring advanced settings.
- Login to Jira as a system administrator
- Go to ⚙️ → System → General Configuration → Advanced Settings → find jira.security.duplicated.user.accounts and add all the duplicate usernames, separate each entry with an ampersand(&). For example: Tuser&admin
