Use recovery mode to restore access

Recovery mode works by creating a virtual user directory with a temporary admin account (recovery_admin). You set the password for this admin account when applying the system property.  Users can continue to log in and access Jira while it is in recovery mode.

To recover administrator user rights:

1. Stop a Jira node.

2. Add the following startup parameter according to the steps from the Setting properties and options on startup KB article, based on the method that's being used to start Jira:

   -Datlassian.recovery.password=<your-password>

   The following is generally applied in the setenv.sh or setenv.bat file (depending on your operating system type) in the <jira_install>/bin directory. Note: <your-password> in the command above is used as a placeholder only, replace <your-password> with the password of your choice:

   JVM_SUPPORT_RECOMMENDED_ARGS="-Datlassian.recovery.password=<your-password>"

   If this parameter already has arguments and you would like to add a new line to set this password, you can use the following syntax:

   JVM_SUPPORT_RECOMMENDED_ARGS="$JVM_SUPPORT_RECOMMENDED_ARGS -Datlassian.recovery.password=<your-password>"

   Note: When you run Jira in recovery mode, the login form won't accept recovery admin credentials if two-step verification is enabled. To disable two step verification and revert to legacy login form, use the JVM flag below.
   

   -Datlassian.authentication.legacy.mode=true

   
   

3. Start your Jira node.  You may need to start Jira manually with the start-jira.sh or start-jira.bin scripts in the <jira_install>/bin directory. 
   1. In a multi-node Jira architecture, repeat steps 1-3 to enable recovery mode for each node as needed.
4. Log into Jira with the username recovery_admin or the randomly generated ID available on the login page, and the temporary password you specified in the system property. 
   1. NOTE: In case you get "Invalid username or password" check the syntax from step 2, for example no space between two parameters or missing quotes.
   2. NOTE: For most recent Jira versions, the username will be a randomly generated ID that will be available on the login page banner that mentions the recovery_mode.
   3. NOTE: When you have CROWD SSO enabled it may be needed to temporarily disable this to log in with recovery_admin. To leave only Jira Internal Directory authentication, please see: Disabling a Directory via the JIRA database
   4. NOTE: You will be presented with the Welcome screen to create or import new projects. Don't be alarmed - this does not indicate an empty instance.
5. Reset the password for your existing admin account, or create a new account and add it to the appropriate administrator group. 
6. Confirm that you can successfully log in with your new account.
7. Stop your Jira node.
8. Remove the -Datlassian.recovery.password parameter to exit recovery mode.
   Note: Remove -Datlassian.authentication.legacy.mode=true to switch back to two-step verification login form.
9. Start your Jira again normally.
   1. In a multi-node Jira architecture, repeat steps 7-9 for each node where recovery mode was enabled.

Import from Cloud

After restoring a Cloud backup on Jira Server/Data Center, the Jira administrator might not have SYSTEM_ADMIN permission. The cause of this issue is still unknown but it's likely related to an inconsistency between the global permission management between Jira Cloud and Jira Server/DC.

• After logged into Jira using the recovery_admin credentials, navigate to Jira Administration   > System > Global Permissions.

• You should see the Jira System Administrators permission now, but no group associated with it.
• At the bottom of the page, in the "Add Permission" section, grant the Jira System Administrators permission to the system-administrators group.
• Save the change.
• Logout, and Login with one of the users who are inside the system-administrators group, and the SYSTEM_ADMIN permission should be regained.
  
• Reference: Jira System Administrators global permission is missing from Jira after restoring a backup from Jira Cloud

Common causes of loss of access

As an administrator, you may find yourself locked out of Jira because:

• You've imported a site from Cloud, and it does not contain a system administrator account.
• You've forgotten the password to the administrator account, and don't have access to the email address associated with it.
• You're using an external directory or Jira for user management, have disabled the built-in user management, and your external directory is not currently available. 
• You need to make a change to the configuration of an external user directory in Jira while that directory is not available. 

Good to know:

• If you cannot edit groups or users, please refer to Cannot edit group memberships, as external user management is enabled, please contact your Jira administrators for more information.
• Remove the system property as soon as you have restored admin access. 
• Don't leave Jira in recovery mode or use the recovery_admin account as a regular administrator account.  
• Your temporary password should be unique. Don't use an existing password or the one you intend to use for your admin account.
• Be sure to confirm there are active users with the Jira System Administrators global permission, or else you won't be able to manage some system features in Jira.
• Be sure to set the password for your Jira Administrator user before you log out of the recovery_admin account:
  Go to > User management > Users > click on the username > in the top right corner of the User's profile, click on the Action drop-down button, choose Set Password, type in a temporary password, and then again to confirm > Update. Once your Jira Administrator password has been set, you can log out of the recovery_admin account and back in with your Jira Administrator user.
• Any additional authentication methods like SAML SSO will not be available in recovery mode