- Type: Bug
- Resolution: Fixed
- Priority: High
- Component/s: Directory - User Management REST API
- Severity 3 - Minor
Issue Summary
For synced accounts, many profile fields — including Full name, Email, Job title, Department, and Organization — are restricted from editing locally and should only be updated via user provisioning. However, these restricted fields can currently be modified via the User management REST API if the account's verification status changes to Unverified.
Steps to Reproduce
1. Sync an account via user provisioning (SCIM, Google Workspaces integration, or Azure AD sync for nested groups integration).
2. Make a change that updates the account's status to Unverified.
   - Current research seems to indicate that this may occur intermittently when the account's email is updated via user provisioning.
3. Call Get user management permissions against the synced account.
4. Call Set email against the synced account to update its email.
5. Call Update profile against the synced account to update the name value.
Expected Results
Step 3: Get user management permissions
The response body matches the below:
{
  "email.set": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.scim"
    }
  },
  "lifecycle.enablement": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.scim"
    }
  },
  "lifecycle.delete": {
    "allowed": false
  },
  "profile": {
    "name": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "nickname": {
      "allowed": true
    },
    "zoneinfo": {
      "allowed": true
    },
    "locale": {
      "allowed": true
    },
    "extended_profile.phone_number": {
      "allowed": true
    },
    "extended_profile.job_title": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "extended_profile.organization": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "extended_profile.department": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "extended_profile.location": {
      "allowed": true
    },
    "extended_profile.team_type": {
      "allowed": true
    }
  },
  "profile.write": {
    "name": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "nickname": {
      "allowed": true
    },
    "zoneinfo": {
      "allowed": true
    },
    "locale": {
      "allowed": true
    },
    "extended_profile.phone_number": {
      "allowed": true
    },
    "extended_profile.job_title": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "extended_profile.organization": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "extended_profile.department": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    },
    "extended_profile.location": {
      "allowed": true
    },
    "extended_profile.team_type": {
      "allowed": true
    }
  },
  "profile.read": {
    "allowed": true
  },
  "linkedAccounts.read": {
    "allowed": true
  },
  "apiToken.read": {
    "allowed": true
  },
  "apiToken.create": {
    "allowed": false,
    "reason": {
      "key": "myselfOnly"
    }
  },
  "apiToken.delete": {
    "allowed": true
  },
  "avatar": {
    "allowed": true
  },
  "privacy.set": {
    "allowed": false,
    "reason": {
      "key": "myselfOnly"
    }
  },
  "session.read": {
    "allowed": true
  },
  "session.delete": {
    "allowed": true
  },
  "refreshToken.delete": {
    "allowed": true
  }
}
- Note: It is expected that lifecycle.delete will return "allowed": true if the account_status is inactive.
Step 4: Set email
The email update attempt fails with the below response body:
{
  "key": "forbidden.action",
  "context": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.scim"
    }
  },
  "errorKey": "forbidden.action",
  "errorDetail": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.scim"
    }
  }
}
Step 5: Update profile
The profile update attempt fails with the below response body:
{
  "key": "forbidden.fieldMutation",
  "context": {
    "name": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    }
  },
  "errorKey": "forbidden.field-mutation",
  "errorDetail": {
    "name": {
      "allowed": false,
      "reason": {
        "key": "externalDirectory.scim"
      }
    }
  }
}
Actual Results
Step 3: Get user management permissions
The response body matches the below:
{
  "email.set": {
    "allowed": true
  },
  "lifecycle.enablement": {
    "allowed": true
  },
  "lifecycle.delete": {
    "allowed": false
  },
  "profile": {
    "name": {
      "allowed": true
    },
    "nickname": {
      "allowed": true
    },
    "zoneinfo": {
      "allowed": true
    },
    "locale": {
      "allowed": true
    },
    "extended_profile.phone_number": {
      "allowed": true
    },
    "extended_profile.job_title": {
      "allowed": true
    },
    "extended_profile.organization": {
      "allowed": true
    },
    "extended_profile.department": {
      "allowed": true
    },
    "extended_profile.location": {
      "allowed": true
    },
    "extended_profile.team_type": {
      "allowed": true
    }
  },
  "profile.write": {
    "name": {
      "allowed": true
    },
    "nickname": {
      "allowed": true
    },
    "zoneinfo": {
      "allowed": true
    },
    "locale": {
      "allowed": true
    },
    "extended_profile.phone_number": {
      "allowed": true
    },
    "extended_profile.job_title": {
      "allowed": true
    },
    "extended_profile.organization": {
      "allowed": true
    },
    "extended_profile.department": {
      "allowed": true
    },
    "extended_profile.location": {
      "allowed": true
    },
    "extended_profile.team_type": {
      "allowed": true
    }
  },
  "profile.read": {
    "allowed": true
  },
  "linkedAccounts.read": {
    "allowed": true
  },
  "apiToken.read": {
    "allowed": true
  },
  "apiToken.create": {
    "allowed": false,
    "reason": {
      "key": "myselfOnly"
    }
  },
  "apiToken.delete": {
    "allowed": true
  },
  "avatar": {
    "allowed": true
  },
  "privacy.set": {
    "allowed": false,
    "reason": {
      "key": "myselfOnly"
    }
  },
  "session.read": {
    "allowed": true
  },
  "session.delete": {
    "allowed": true
  },
  "refreshToken.delete": {
    "allowed": true
  }
}
Step 4: Set email
The account's email is updated successfully.
Step 5: Update profile
The account's Full name (name attribute) is updated successfully.
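A regression check for this behavior, as an added example in Python (not Atlassian's code): it walks a Get user management permissions response body and lists the restricted permissions that are not denied. The function names and the abridged sample bodies are constructed here; the list of restricted entries follows the Expected Results in this report, and `lifecycle.delete` is left out because its value depends on the account status.

```python
# Permissions the Expected Results in this report show as denied for a synced account.
RESTRICTED_TOP_LEVEL = ("email.set", "lifecycle.enablement")
RESTRICTED_PROFILE_FIELDS = (
    "name",
    "extended_profile.job_title",
    "extended_profile.organization",
    "extended_profile.department",
)
PROFILE_SECTIONS = ("profile", "profile.write")


def _is_denied(entry):
    """True only when the entry exists and carries "allowed": false."""
    return isinstance(entry, dict) and entry.get("allowed") is False


def unlocked_restricted_fields(permissions):
    """Return the restricted permissions that the response does not deny.

    A missing entry is reported as well, so a truncated response fails closed.
    """
    findings = []
    for key in RESTRICTED_TOP_LEVEL:
        if not _is_denied(permissions.get(key)):
            findings.append(key)
    for section in PROFILE_SECTIONS:
        fields = permissions.get(section)
        if not isinstance(fields, dict):
            fields = {}
        for field in RESTRICTED_PROFILE_FIELDS:
            if not _is_denied(fields.get(field)):
                findings.append(f"{section}/{field}")
    return findings


def sample_response(entry):
    """Constructed, abridged response body with every restricted entry set to `entry`."""
    profile = {field: entry for field in RESTRICTED_PROFILE_FIELDS}
    profile["nickname"] = {"allowed": True}
    body = {key: entry for key in RESTRICTED_TOP_LEVEL}
    body["profile"] = profile
    body["profile.write"] = dict(profile)
    return body


EXPECTED = sample_response({"allowed": False, "reason": {"key": "externalDirectory.scim"}})
ACTUAL = sample_response({"allowed": True})

if __name__ == "__main__":
    print("expected body:", unlocked_restricted_fields(EXPECTED))
    print("actual body:  ", unlocked_restricted_fields(ACTUAL))
```

An empty result means every restricted entry is denied, as in the Expected Results; any listed path is an entry the API would let a local admin change on the synced account.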
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
- causes: ACE-5504
- is action for: METRO-2152