• Suggestion
    • Resolution: Unresolved
    • REST

      Hi:

      Our customer tena-sda.org upgraded to Crowd 4.4.1 and noticed the ability to change the user e-mail address has been removed from the REST API due to security reasons. The customer would like to see it back if possible, having an option on Crowd to disable/enable the feature, as they were using the Crowd REST API on a dedicated web server for user management, and removing that ability from the REST API had a huge impact on their day-to-day management, as they will now be forced to do it using the Crowd UI, which they don't want.

            [CWD-5792] REST API ability to change e-mails

            Prasad added a comment -

            16e3e9eaf982 find rest calls details below

            REST End Point: /rest/usermanagement/1/user?username=xxxxx
             

            {     
               "name": "xxxxx",
               "first-name": "aaa",
               "last-name": "bbb",
               "display-name": "ccc" 
            }

             


            Sebastian Pöschl added a comment -

            Hi 5ca6434febe4, can you post the JSON you are sending to the Crowd API endpoint?

            Best regards

            Sebastian

            Prasad added a comment -

            -Dcrowd.email.change.by.external.apps=true did not work for us, and we are using Crowd version 5.3.1

            Prasad added a comment -

            Crowd version: 5.3.1, I am trying to update user details except email but still getting below error, what kind of design is this??
             

            {     "reason": "APPLICATION_PERMISSION_DENIED",      
                  "message": "External applications are not allowed to change user emails"
             }

             


            Evgenii added a comment - - edited

            For me  -Dcrowd.email.change.by.external.apps=true has not worked (crowd Version: 5.0.1)


            Evgenii added a comment - - edited

            The same error occurs when trying to activate/deactivate a user, e.g. using the sample curl as described here https://confluence.atlassian.com/crowdkb/how-to-deactivate-activate-a-user-through-api-814197032.html gives error 403 {"reason":"APPLICATION_PERMISSION_DENIED","message":"External applications are not allowed to change user emails"}

            Why does it give an error about changing the email if the parameters contain only name and active:

            '{"name":"testuser", "active":"false"}'?

            That is a blocker for my API scripts that bulk-update users (Crowd version: 5.0.1)

            Nicolas Cordier added a comment -

            I confirm that setting up JVM parameter -Dcrowd.email.change.by.external.apps=true is a working solution (Crowd DC 5.1.2).

            James Hunt added a comment -

            This is a blocker for enabling Cloud Migrations, where we need to bulk/programmatically change the email addresses for users.


            Sebastian Pöschl added a comment -

            @tena-admin Yes it works, we changed this and we are now able to update with our IAM system the email addresses inside of Crowd via the Rest API.

            tena-admin added a comment -

            Can Atlassian comment on whether the configuration parameter mentioned in the previous comment is supported and can be used to allow external applications to change a user's email address?

            Dhiraj Kumar Mishra added a comment -

            Same issue and resulting troubles here - Honeywell International Inc.

            To all affected: I got the following JVM parameter which should suppress the new behavior

            -Dcrowd.email.change.by.external.apps=true

            I have not verified it yet.

            Jan

            William Crossland added a comment -

            Please add this feature back. We upgraded to Crowd 5.0.2 and seeing this issue:

            <error><reason>APPLICATION_PERMISSION_DENIED</reason><message>External applications are not allowed to change user emails</message></error>

            Sebastian Pöschl added a comment -

            Same here for the Allianz Group, we want to see this feature to be back in the latest Rest API version to be able to update email addresses via the API.

            Frank Püchl added a comment -

            The same here - we do respect that applications might require a separate permission, but disallowing this for all applications except the Crowd console is not a feasible solution. Running those changes via the Crowd console would impact the audit log, as the application would need to abuse the Crowd console for doing the update of the email address.

            Our use case is that email addresses of users get changed, e.g. because of marriage, and user data needs to be updated even before the user authenticates in Crowd the next time.

            Another use case comes from GDPR, where email addresses need to be removed as soon as there is no requirement for keeping that information. In case a user gets deactivated, often the mailbox gets closed and there is no reason for having the email address available in any directory service. As a matter of fact, the user would not authenticate and the data gets stale in Crowd. The deactivation is just an example and there might be other reasons why an email address should be updated or deleted.

            Nilton G. Junior added a comment - https://getsupport.atlassian.com/browse/CWDSUP-20005

              Unassigned
              b5631d04c5ac Nilton G. Junior
              Votes: 34
              Watchers: 25