https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/249963#M71091 <P>Hi Folks,</P><P>&nbsp;</P><P>just to let you know, since I found no KB Articel for this issue. Policy Push from Panorama respectively local Commit on the Firewalls ended in strange Error Message according Group Assignment to Policy.</P><P>&nbsp;</P><P>vsys1<BR />Error: Failed to add group to id manager<BR />Error: Failed to parse security policy<BR />(Module: device)<BR />Commit failed</P><P>&nbsp;</P><P>Cure comes with CLI Command:&nbsp;"debug user-id reset user-id-manager type user-group"</P><P>-&gt; configure<BR />-&gt; commit force</P><P>&nbsp;</P><P>Works like a charme!</P> Wed, 13 Feb 2019 14:48:44 GMT enssenje 2019-02-13T14:48:44Z https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/249963#M71091 <P>Hi Folks,</P><P>&nbsp;</P><P>just to let you know, since I found no KB Articel for this issue. Policy Push from Panorama respectively local Commit on the Firewalls ended in strange Error Message according Group Assignment to Policy.</P><P>&nbsp;</P><P>vsys1<BR />Error: Failed to add group to id manager<BR />Error: Failed to parse security policy<BR />(Module: device)<BR />Commit failed</P><P>&nbsp;</P><P>Cure comes with CLI Command:&nbsp;"debug user-id reset user-id-manager type user-group"</P><P>-&gt; configure<BR />-&gt; commit force</P><P>&nbsp;</P><P>Works like a charme!</P> Wed, 13 Feb 2019 14:48:44 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/249963#M71091 enssenje 2019-02-13T14:48:44Z https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/426557#M94511 <P>This can work for most commit issues as well (from my experience). I would like to add a note on what I was seeing here to maybe help others. I have "Group Mapping Settings" pushed from Panorama to my devices globally, sadly the "Groups Included List" does not work properly when pushed to devices. I have to go in and override the mappings on each device removing the include groups and adding them back in the override.<BR /><BR />A commit force does work from the local device but when pushing the Template and Group Config you still get:<BR /><BR /></P><UL><LI><DIV><STRONG>Details:</STRONG></DIV></LI><LI><STRONG>. </STRONG>vsys1</LI><LI><STRONG>. </STRONG>Error: Failed to add group to id manager</LI><LI><STRONG>. </STRONG>Error: Failed to parse security policy</LI><LI><STRONG>. </STRONG>(Module: device)</LI><LI><STRONG>. </STRONG>Commit failed<BR /><BR /></LI></UL><P>This is where the override comes in to fix this on the Panorama push. The issue here is the firewall(s) don't have the group mapped that is being used in the security policy. Again this is because Panorama does not properly populate the included groups in the Group Mapping config.</P><P>&nbsp;</P> Thu, 12 Aug 2021 16:19:34 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/426557#M94511 TBardIPsoft 2021-08-12T16:19:34Z https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/1235225#M124882 <P>Another possibility is too many Groups from Group Mapping or Users in the Groups.&nbsp; Most firewalls have a limit of 10,000 Groups.&nbsp; Anymore than that and we've got to limit that with filters.&nbsp; Confirm with</P> <P><EM>show user group-mapping statistics </EM></P> Fri, 01 Aug 2025 16:58:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-stopped-working-failed-to-add-group-to-id-manager/m-p/1235225#M124882 tcleghorn 2025-08-01T16:58:09Z