-
Bug
-
Resolution: Not a bug
-
Low
-
None
-
Severity 3 - Minor
Issue Summary
The user management API to update the email address fails when:
- The organisation connects to Google Workspace as IDP
- The user belongs to the SSO enabled authentication policy under the Google Workspace IDP.
Steps to Reproduce
- Delete the User provisioning record using the User provisioning API to make the user mutable.
The User provisioning REST API Delete user in SCIM DB - Call the user management API to update the email address
- The User management REST API - Set email
Expected Results
The email of the target account is updated.
Actual Results
The API fails with Error 403 - externalDirectory.google: The property/action is restricted because the user is managed by an external Google directory.
% curl --request PUT \
--url 'https://api.atlassian.com/users/xxxxx/manage/email' \
--header 'Authorization: Bearer xxxxx' \
--header 'Content-Type: application/json' \
--data '{
"email": "xxxxx@atlassian.com"
{"key":"forbidden.action","context":{
"allowed":false,
"reason":{"key":"externalDirectory.google"}},
"errorKey":"forbidden.action",
"errorDetail":{"allowed":false,
"reason":{"key":"externalDirectory.google"}}}
Workaround
Temporarily move the user from SSO enabled authentication policy to another policy that SSO is not enabled.
[AX-201] Set email API fails when user belongs to SSO authentication policy under Google Workspace
| Component/s | Original: User Management Public APIs [ 56701 ] | |
| Component/s | New: Directory - User Management REST API [ 80166 ] | |
| Key |
Original:
|
New:
|
| Support reference count | Original: 1 | |
| Symptom Severity | Original: Minor [ 16130 ] | New: Severity 3 - Minor [ 14432 ] |
| Project | Original: Identity [ 16810 ] | New: Admin Experience [ 24210 ] |
| Resolution | New: Not a bug [ 12 ] | |
| Status | Original: Needs Triage [ 10030 ] | New: Closed [ 6 ] |
| Support reference count | New: 1 |
تتنشط