Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

User sync doesn't sync groups associated with the user in AEM 6.3


Level 2

I'm trying to setup user synchronization in aem 6.3. I have one author and 2 publish instances.

I followed this below document and set up the user synchronization between publishers. I have a self registration component. User submits the form data and I create the user and add to the group(which was already created using useradmin console) which has necessary permissions. I also activated the tunnel service to get to author(verified in author communities console).

User Synchronization

The problem is Users are syncing with the profile. But the user group doesn't gets updated. So in the other publisher user is not part of that group. Please let me know if I'm missing anything to configure, appreciate your help.

5 Replies


Level 1

Were you able to fix this issue ? I have the same issue after Upgrading aem to 6.4


Level 3

Hi Karthik, were you able to figure out the root cause?

I also have same issue.

Please share your findings, thanks in advance.


Employee Advisor


Some troubleshooting tips:

- Check if all the tests are passed on libs/granite/operations/content/diagnosis/tool.html/syncdiagnostics

- Check the socialpubsync queue on Author. Clear pending items.


- Check the socialpubsync-reverse-queue on both Publishers. Clear pending items.


- Make sure usersync-admin user has correct permissions on both publishers.

The user that is set up in the "Adobe Granite Distribution – Encrypted Password Transport Secret Provider" must have the following permissions on all publishers:

jcr:read, rep:write on /home

jcr:all on /home/users and /home/groups

rep:write on /etc/packages/sling/distribution jcr:read on /libs/sling/distribution rep:write on /var jcr:read, rep:write on /var/eventing jcr:read, rep:write on /var/sling/distribution

- Put debug log on following classes and check the logs.

Log Level -> Debug

Log File -> logs/usersync.log





Level 3


We raised a daycare ticket for this issue, there was a property value missing in "Diff Observer Factory"


This was introduced in 6.3, thanks for looking into this.



Thanks for the update Sawan.

What you mention is a match to product issue GRANITE-25203.

To add more details to this, usually the issue occurs with an error like this during user sync:

javax.jcr.nodetype.ConstraintViolationException: OakConstraint0025: Authorizable property rep:password may not be removed.

The issue can be resolved with the following steps:

1. Make sure that communities-user-admin and usersync-admin are members of administrators group on the publish instances.

2. Edit the configurations per the details below on the publish instances via the /system/console/configMgr UI:

Configuration #1:


Set property with value of (.serviceName=com.adobe.granite.distribution.core) including the parentheses.

Configuration #2


Set property with value of (.serviceName=com.adobe.granite.distribution.core) including the parentheses.