Set email API fails when user belongs to SSO authentication policy under Google Workspace

    • Severity 3 - Minor

      Issue Summary

      The user management API to update the email address fails when:

      • The organisation connects to Google Workspace as the IDP.
      • The user belongs to the SSO-enabled authentication policy under the Google Workspace IDP.

      Steps to Reproduce

      1. Delete the User provisioning record using the User provisioning API to make the user mutable.
        The User provisioning REST API - Delete user in SCIM DB
      2. Call the user management API to update the email address.
        The User management REST API - Set email

      Expected Results

      The email of the target account is updated.

      Actual Results

      The API fails with Error 403 - externalDirectory.google: The property/action is restricted because the user is managed by an external Google directory. 

      % curl --request PUT \
        --url 'https://api.atlassian.com/users/xxxxx/manage/email' \
        --header 'Authorization: Bearer xxxxx' \
        --header 'Content-Type: application/json' \
        --data '{
        "email": "xxxxx@atlassian.com"
      }'

      {"key":"forbidden.action","context":{
      "allowed":false,
      "reason":{"key":"externalDirectory.google"}},
      "errorKey":"forbidden.action",
      "errorDetail":{"allowed":false,
      "reason":{"key":"externalDirectory.google"}}}
      

      Workaround

      Temporarily move the user from the SSO-enabled authentication policy to another policy in which SSO is not enabled.
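
For scripts that change emails in bulk, the 403 above can be told apart from other failures by its reason key, so affected users can be queued for the workaround instead of being retried. The following is an added example, not Atlassian's code; the function names and the returned labels are hypothetical, and treating any 2xx status as success is an assumption.

```python
import json

# Reason key returned by the Set email API in the ticket above.
GOOGLE_DIRECTORY_REASON = "externalDirectory.google"


def restriction_reason(body):
    """Return the reason key from a forbidden.action response, or None."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict):
        return None
    # The response carries the reason twice: under "context" and "errorDetail".
    for section in ("context", "errorDetail"):
        part = doc.get(section)
        reason = part.get("reason") if isinstance(part, dict) else None
        if isinstance(reason, dict) and isinstance(reason.get("key"), str):
            return reason["key"]
    return None


def classify_set_email(status, body):
    """Map a Set email response to an action for a bulk-update job."""
    if 200 <= status < 300:  # assumption: any 2xx means the email was set
        return "updated"
    if status == 403 and restriction_reason(body) == GOOGLE_DIRECTORY_REASON:
        # Matches this ticket: apply the workaround, then retry.
        return "needs-policy-workaround"
    return "failed"


# Constructed sample: the 403 body shown in the ticket.
SAMPLE_403 = (
    '{"key":"forbidden.action","context":{"allowed":false,'
    '"reason":{"key":"externalDirectory.google"}},'
    '"errorKey":"forbidden.action","errorDetail":{"allowed":false,'
    '"reason":{"key":"externalDirectory.google"}}}'
)

if __name__ == "__main__":
    print(classify_set_email(403, SAMPLE_403))
```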

            Assignee:
            Unassigned
            Reporter:
            Kaz Nobutani