[ID-8814] Set email API fails when user belongs to SSO authentication policy under Google Workspace - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Not a bug
Priority: Low
Component/s: User Management Public APIs
Labels:
None

Support reference count:
1
Symptom Severity:
Minor
Bug Fix Policy:
View Atlassian Cloud bug fix policy

Issue Summary

The user management API to update the email address fails when:

The organisation connects to Google Workspace as IDP
The user belongs to the SSO enabled authentication policy under the Google Workspace IDP.

Steps to Reproduce

Delete the User provisioning record using the User provisioning API to make the user mutable.
The User provisioning REST API Delete user in SCIM DB
Call the user management API to update the email address
The User management REST API - Set email

Expected Results

The email of the target account is updated.

Actual Results

The API fails with Error 403 - externalDirectory.google: The property/action is restricted because the user is managed by an external Google directory.

% curl --request PUT \
  --url 'https://api.atlassian.com/users/xxxxx/manage/email' \
  --header 'Authorization: Bearer xxxxx' \
  --header 'Content-Type: application/json' \
  --data '{
  "email": "xxxxx@atlassian.com"

{"key":"forbidden.action","context":{
"allowed":false,
"reason":{"key":"externalDirectory.google"}},
"errorKey":"forbidden.action",
"errorDetail":{"allowed":false,
"reason":{"key":"externalDirectory.google"}}}

Workaround

Temporarily move the user from SSO enabled authentication policy to another policy that SSO is not enabled.

Assignee:: Unassigned

Reporter:: Kaz Nobutani

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 02/Jan/2025 2:39 AM

Updated:: 13/Jan/2025 4:09 PM

Resolved:: 06/Jan/2025 4:56 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Forms

Activity

People

Dates