User can't close an issue

Jirong Hu February 4, 2015

I notice some inconsistency: when I query the Windows domain AD using the LDAP Browser, his ID is not in jira-users and jira-developers, but inside JIRA, his ID has these groups. What could be wrong?

Thanks

Jirong

2 answers

0 votes
David Nickell February 4, 2015

We ran into a similar issue with a user that was an employee (lots of permissions) that went to work for a client with limited access to our JIRA instance. The problem – the user still had all their old groups even though it was not reflected that way under user management. The solution - I found the "orphaned" relationship mappings in a table called CWD_Membership. Once I deleted the relationships from the table the user's groups and permissions were corrected. You may find some help at this link if your problem is similar: https://confluence.atlassian.com/pages/viewpage.action?pageId=281480970
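A read-only way to audit the kind of membership rows described in the answer above, as an added example that is not part of the original post and not Atlassian's code. It assumes the table and column names of Jira's embedded Crowd schema (`cwd_membership`, `cwd_user`, `cwd_directory`), which should be checked against your Jira version, and it assumes "orphaned" means a membership row whose `child_id` has no user row in the same directory; the data is constructed.

```python
import sqlite3

# Constructed sample rows. Table and column names follow Jira's embedded Crowd
# schema (cwd_*); treat them as an assumption and verify against your version.
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_name TEXT);
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, directory_id INTEGER, lower_user_name TEXT);
CREATE TABLE cwd_membership (id INTEGER PRIMARY KEY, directory_id INTEGER,
    child_id INTEGER, lower_child_name TEXT, lower_parent_name TEXT, membership_type TEXT);
INSERT INTO cwd_directory VALUES (1, 'JIRA Internal Directory'), (10000, 'Corp AD');
INSERT INTO cwd_user VALUES (501, 10000, 'jdoe'), (502, 10000, 'asmith');
INSERT INTO cwd_membership VALUES
  (1, 10000, 501, 'jdoe',   'contractors',     'GROUP_USER'),
  (2, 1,     77,  'jdoe',   'jira-developers', 'GROUP_USER'),  -- no user 77 in directory 1
  (3, 10000, 502, 'asmith', 'jira-users',      'GROUP_USER');
"""

# Every user-to-group row for one login name, with the directory it lives in.
# The LEFT JOIN flags rows that point at a user id missing from that directory
# (this example's definition of "orphaned").
AUDIT = """
SELECT d.directory_name, m.lower_parent_name,
       CASE WHEN u.id IS NULL THEN 'orphaned' ELSE 'ok' END
FROM cwd_membership m
JOIN cwd_directory d ON d.id = m.directory_id
LEFT JOIN cwd_user u ON u.id = m.child_id AND u.directory_id = m.directory_id
WHERE m.membership_type = 'GROUP_USER' AND m.lower_child_name = ?
ORDER BY d.directory_name, m.lower_parent_name
"""

def build_sample_db():
    """In-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def audit_memberships(conn, username):
    """Return (directory, group, status) for every membership row of username."""
    return conn.execute(AUDIT, (username.lower(),)).fetchall()

if __name__ == "__main__":
    for row in audit_memberships(build_sample_db(), "jdoe"):
        print(row)
```

The SELECT only reads, so it can be run against a copy of the Jira database to see which directory contributes each group before anything is changed.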


0 votes
Tini Good
Rising Star
February 4, 2015

Are you sure those are the exact same groups? Our JIRA uses jira-users and jira-developers groups, but those are local to the JIRA instance only; they don't replicate back to Active Directory. So it is possible to have two groups with very similar names but different purposes.

See JIRA Administration | User Management | User Directories.  Is your type "Read Only, with Local Groups" or "Read/Write"?


Jirong Hu February 4, 2015

Yes, they are the same group names. It's Read Only. I can see this kind of inconsistency with my ID too, e.g., I can see my ID in jira-developers in JIRA, but not in domain AD.

Tini Good
February 4, 2015

You can't edit a read-only AD group in JIRA. "jira-users" and "jira-developers" are local JIRA groups that are created when JIRA is installed and configured, so it shouldn't be possible to have one set of user accounts in JIRA and another set in AD. Since they're local, they shouldn't show up in AD at all. Theoretically, maybe someone created AD groups with the exact same names, not realizing it was unnecessary? I know user accounts get deleted from our Active Directory, but JIRA is written so that it assumes user accounts are never deleted. This means that user accounts that no longer exist in AD will still exist in JIRA if they ever had a JIRA assigned, commented, etc. I'm waiting for the day that a collision occurs in JIRA when a new AD user account identically named to a previously deleted AD account is created. JIRA will probably assume it is the same user.
