- Type: Bug
- Resolution: Fixed
- Priority: High
- Component/s: Directory - Groups - Add / remove users
- Severity 3 - Minor
Groups that are used to sync users from an identity provider should be read-only within an Organization's directory, meaning users cannot be added or removed via the Atlassian User Interface or via the REST API.
However, this restriction is not enforced when a product REST API endpoint is used for group modification:
- Confluence Cloud - Add member to group: https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-userbygroupid-post
- Jira Cloud - Add user to group: https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-groups/#api-rest-api-2-group-user-post
Steps to Reproduce
- Configure user provisioning with an identity provider
- Create a group within the identity provider that will be used to sync users to Atlassian
- Using either the Confluence or Jira REST API endpoint for adding a user to a group, add an existing user on your site to a SCIM-synced group.
Expected Results
User receives an error indicating the group is not modifiable, similar to the message below:
{
  "errorMessages": [
    "An error occurred: com.atlassian.idp.client.exceptions.BadRequestException: {\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\"],\"status\":\"400\",\"detail\":\"Group not modifiable\",\"errorType\":\"InvalidSchema\",\"message\":\"Group not modifiable\"}"
  ],
  "errors": {}
}
Actual Results
The user is added to the group.
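To tell the expected result from the actual one in a regression check, the response to the add-user call can be classified by unpacking the SCIM error nested inside the product's error envelope. This is an added example, not Atlassian's code; the function names, the outer HTTP status codes, the rule that any 2xx means the membership changed, and the success body are assumptions.

```python
import json

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Expected error body, copied from this report (raw string keeps the \" escapes).
EXPECTED_ERROR_BODY = r'''{"errorMessages": ["An error occurred: com.atlassian.idp.client.exceptions.BadRequestException: {\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\"],\"status\":\"400\",\"detail\":\"Group not modifiable\",\"errorType\":\"InvalidSchema\",\"message\":\"Group not modifiable\"}"], "errors": {}}'''
# Constructed sample of a successful response; the real body is not shown in the report.
CONSTRUCTED_SUCCESS_BODY = '{"name": "example-scim-group"}'


def extract_scim_error(body_text):
    """Return the SCIM error object embedded in an error envelope, or None."""
    try:
        envelope = json.loads(body_text)
    except (TypeError, ValueError):
        return None
    if not isinstance(envelope, dict):
        return None
    decoder = json.JSONDecoder()
    for message in envelope.get("errorMessages") or []:
        if not isinstance(message, str):
            continue
        # The SCIM JSON follows the exception class name, so try each '{' in turn.
        start = message.find("{")
        while start != -1:
            try:
                candidate, _ = decoder.raw_decode(message, start)
            except ValueError:
                candidate = None
            if isinstance(candidate, dict) and SCIM_ERROR_SCHEMA in candidate.get("schemas", []):
                return candidate
            start = message.find("{", start + 1)
    return None


def classify_group_add(status_code, body_text):
    """'blocked': read-only enforced; 'modified': call succeeded; else 'inconclusive'."""
    if 200 <= status_code < 300:  # assumption: any 2xx means the user was added
        return "modified"
    scim = extract_scim_error(body_text)
    if scim and scim.get("detail") == "Group not modifiable":
        return "blocked"
    return "inconclusive"  # e.g. auth failure or unknown user; says nothing about the group


if __name__ == "__main__":
    print(classify_group_add(400, EXPECTED_ERROR_BODY))       # expected behaviour
    print(classify_group_add(201, CONSTRUCTED_SUCCESS_BODY))  # behaviour described in this bug
```

A check built on this should treat only "blocked" as a pass for a SCIM-synced group; "inconclusive" means the request failed for a reason unrelated to the read-only rule.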
Workaround
Currently there is no known workaround for this behavior.