Current scenario

In case you have an Atlassian Access subscription, you can create a SCIM integration to provision your users from your external Identity Provider. During the implementation phase, it's common to end up with duplicated accounts, as the mapping for SAML and SCIM can be different, and it's commonly needed to remove one account from the directory (on Atlassian side), to troubleshoot the duplication issue.

Currently, the only way to perform this action is using the Deactivate a user REST API, which would delete the account from the directory, and deactivate it on Atlassian side. Then, Org admins are able to re-activate the account if needed. However, there isn't an easy way to perform this task on the UI, requiring admins to either rely on the API, or engage Atlassian Support to assist on the issue.

Currently, if we want to Unlink Groups created in Atlassian via IDP (SCIM), we need to remove the SCIM/User Provisioning Configuration from the Organisation.

The following API deletes the group from Atlassian instead on Unlinking it

curl --request DELETE \
  --url 'https://api.atlassian.com/scim/directory/dir/Groups/gid' \
  --header 'Authorization: Bearer <access_token>'

Proposed Solution

Provide to Org admins the ability to remove accounts and groups (make mutable) from the directory on the Organisation UI, rather than requiring them to use the REST API or delete the SCIM configuration.
– Provide the ability to remove a user from the SCIM directory without having to deactivate their account.
– Provide the ability to unlink the site or organization group from the SCIM directory.