Health check: Duplicate user accounts


Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.

Purpose

The Duplicate user accounts health check runs once a week and scans all user directories connected to Jira for duplicate user accounts. An account is considered a duplicate if another active account with the same username exists in a different user directory, or if a user has multiple accounts but their only active account is not in the directory with the highest priority.

When multiple external directories are connected, and a user with multiple accounts attempts to authenticate, Jira will search the directories in the specified order and validate the login attempt against the first active account it finds.

If that person leaves your organization, deleting only the top-priority instance of the account (even if it is inactive) does not completely prevent them from logging in to Jira. This is a potential security risk: on the next login attempt, Jira falls back to another active account with the same username in a lower-priority directory.

The health check fails every time duplicate accounts are found and Jira displays a notification to remind you that some action may be required in order to maintain the security of your system.

Health check results

Icon: (tick)
Result: All user accounts are unique or duplicate accounts are explicitly allowed.
What this means: The health check passed successfully for one or more of the following reasons:

  • None of the connected user directories contain duplicate user accounts.
  • Jira is not connected to any external user directories.
  • All duplicate user accounts have been explicitly allowed.

Icon: (warning)
Result: We found one or more duplicate user accounts in the connected user directories.
What this means: The health check failed for one or both of the following reasons:

  • At least one active account with the same name exists in another user directory.
  • At least one user has multiple accounts but their only active account is not in the directory with the highest priority.

Resolution

To resolve any issues arising from duplicate accounts, determine which accounts were marked as duplicates, and then choose one of the methods described below to fix the issue.

As of release 8.19.0, the Jira Server platform REST API api/2/user/duplicated resource provides additional count and list methods that you can use to get the total number of duplicate user accounts or the full list of such accounts:

Get the total number of duplicate user accounts

You can get the total number of duplicate user accounts by calling the count method, where <BASE_URL> is the URL of your Jira instance and <USERNAME>:<PASSWORD> are your Jira username and password:

curl -X GET "<BASE_URL>/rest/api/2/user/duplicated/count" \
  -u "<USERNAME>:<PASSWORD>"

The response is a dictionary with a count property that stores the total number of duplicate user accounts.

{
  "count": 1
}
Get a detailed list of duplicate accounts

You can get a list of all the duplicate user accounts by calling the list method, where <BASE_URL> is the URL of your Jira instance and <USERNAME>:<PASSWORD> are your Jira username and password:

curl -X GET "<BASE_URL>/rest/api/2/user/duplicated/list" \
  -u "<USERNAME>:<PASSWORD>"

The response is a dictionary listing each duplicate user account as a separate property that stores an array of objects. Each object in the array contains the user directory ID, the directory name, and a boolean flag indicating whether the account is active.

{
  "johndoe": [
    {
      "directoryId": 1,
      "directoryName": "Jira Internal Directory",
      "userActive": true
    },
    {
      "directoryId": 10000,
      "directoryName": "Crowd Server",
      "userActive": true
    }
  ]
}

Be aware that even after you delete the duplicate user accounts, the health check will still show as failing, because it runs only once a week. If you need the status to update sooner, restart Jira.

  • The REST API caches the number of duplicate users and their detailed list for 10 minutes.
  • The health check status caches only the number of duplicate users, and that record is valid for 7 days. Until those 7 days have passed, or the node is restarted, the health check status shows the same information every time you check it.
  • Nodes do not replicate this cache between them.

Delete or deactivate duplicate accounts

If a user has multiple active accounts across multiple user directories, deactivate or delete the duplicates in the appropriate directory:

Searching for users will only show the users in the top-level directory. Please change the order of directories if you need to delete users from the Jira internal user directory. 


  • If an unwanted duplicate user account exists in the Jira internal user directory, delete or deactivate the account from the User management system settings page. See Create, edit, or remove a user.

    If the Jira internal user directory is the top-level directory, notify the user whose account you want to delete that they should start using their password from the external directory.

  • If an unwanted duplicate user account exists in a read-only external user directory, delete or deactivate the account in that external user directory. See Create, edit, or remove a user.
    • You cannot delete a user from within Jira if you are using External User Management (however, you can deactivate the user).
    • If your Jira instance is configured to use an external Atlassian Crowd user directory, the user will be deactivated in Jira if they are deactivated in Crowd.
    • Jira does not deactivate users who are deactivated or disabled in an external Microsoft Active Directory or LDAP-based user directory, with the exception of Jira users configured with "delegated LDAP authentication".
    • For delegated LDAP authentication, temporarily disable the option "Update User attributes on Login" if you are unable to delete a delegated directory user.


The responses returned by the count and list methods are stored in the duplicate users cache for 10 minutes. The cache is flushed automatically every time a directory is added, deleted, enabled, disabled, reordered, or synchronized.

Jira System Administrators can also flush the cache manually by adding the flush=true query string parameter to the resource URL. For example:

curl -X GET "<BASE_URL>/rest/api/2/user/duplicated/list?flush=true" \
  -u "<USERNAME>:<PASSWORD>"

Explicitly allow some duplicate accounts

Some accounts may be duplicated on purpose. For example, duplicate Jira System Administrator accounts may exist in the Jira internal user directory to maintain administrative access to Jira in case any of the external directories fail.

You can configure the health check to ignore some duplicates by listing the usernames under the jira.security.duplicated.user.accounts advanced setting. Separate each entry with an ampersand. For example: jdoe&ssmith&fperez.

For more information, see Configuring advanced settings.
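As an added example (not Atlassian code), the Python below applies the two duplicate conditions from the Purpose section and the ampersand-separated allow-list above to a constructed list response, and shows which directory a login would be validated against. It assumes you supply the directory order from the User Directories page, because the list response does not include it.

```python
# Constructed sample in the shape the article shows for the list method.
INTERNAL, CROWD = (1, "Jira Internal Directory"), (10000, "Crowd Server")

def acct(directory, active):
    return {"directoryId": directory[0], "directoryName": directory[1], "userActive": active}

SAMPLE_RESPONSE = {
    "johndoe": [acct(INTERNAL, True), acct(CROWD, True)],
    "jdoe": [acct(INTERNAL, True), acct(CROWD, False)],
    "ssmith": [acct(INTERNAL, False), acct(CROWD, True)],
}

# Assumption: directory IDs in the order configured under User Directories, highest
# priority first. The list response itself does not carry the directory order.
DIRECTORY_ORDER = [1, 10000]

def parse_allowed(setting):
    """Split the ampersand-separated jira.security.duplicated.user.accounts value."""
    return {u.strip() for u in setting.split("&") if u.strip()}

def by_priority(accounts, directory_order):
    """Sort one user's accounts in directory priority order (unknown directories last)."""
    rank = {d: i for i, d in enumerate(directory_order)}
    return sorted(accounts, key=lambda a: rank.get(a["directoryId"], len(rank)))

def login_directory(accounts, directory_order):
    """Directory that would validate a login: the first active account in priority order."""
    for account in by_priority(accounts, directory_order):
        if account["userActive"]:
            return account["directoryName"]
    return None  # every account is inactive, so the login fails

def triage(response, directory_order, allowed):
    """Classify each listed username by the two conditions the health check uses."""
    result = {}
    for username, accounts in response.items():
        active = [a for a in accounts if a["userActive"]]
        if username in allowed:
            result[username] = "allowed"          # listed in the advanced setting
        elif len(active) > 1:
            result[username] = "multiple-active"  # deleting one still leaves a login path
        elif not active:
            result[username] = "no-active"
        elif by_priority(accounts, directory_order)[0] is active[0]:
            result[username] = "top-active-only"  # not a duplicate by the article's rule
        else:
            result[username] = "active-not-top"   # only active account sits lower in the order
    return result
```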

Product: Jira, Jira Software, Jira Service Desk

Last modified on Mar 28, 2022
