
It's possible to add users to SCIM locked groups via the REST API

    • Severity 3 - Minor

      Groups that are used to sync users from an identity provider should be read-only within an Organization's directory, meaning users cannot be added or removed via the Atlassian User Interface or via the REST API.

      However, a user can still be added to such a group by using a product REST API endpoint used for group modification.

      Steps to Reproduce

      1. Configure user provisioning with an identity provider
      2. Create a group within the identity provider that will be used to sync users to Atlassian
      3. Using either the Confluence or Jira REST API endpoint for adding a user to a group, add an existing user on your site to a SCIM-synced group.

      Expected Results

      User receives an error indicating the group is not modifiable, similar to the message below:

      {
          "errorMessages": [
              "An error occurred: com.atlassian.idp.client.exceptions.BadRequestException: {\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\"],\"status\":\"400\",\"detail\":\"Group not modifiable\",\"errorType\":\"InvalidSchema\",\"message\":\"Group not modifiable\"}"
          ],
          "errors": {}
      }

      Actual Results

      The user is added to the group.

      Workaround

      Currently there is no known workaround for this behavior.
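
The expected behaviour above, modelled as an added example (not Atlassian's code): the lock on a SCIM-synced group is enforced inside the directory layer, so a product REST handler receives the same rejection as the admin UI, and a small audit check lists members that did not come from the identity provider. `Directory`, `rest_add_user_to_group` and `out_of_band_members` are hypothetical names; the error fields are copied from the expected response shown on this page.

```python
import json

# Error body fields copied from the expected response shown on this page.
SCIM_ERROR = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": "400",
    "detail": "Group not modifiable",
    "errorType": "InvalidSchema",
    "message": "Group not modifiable",
}

class GroupNotModifiable(Exception):
    """Raised when a non-provisioning caller tries to change a SCIM-managed group."""

class Directory:
    """Hypothetical in-memory directory; the lock is enforced here, not in callers."""

    def __init__(self):
        self._members = {}          # group name -> set of user ids
        self._scim_managed = set()  # groups owned by the identity provider

    def sync_from_idp(self, group, user_ids):
        # Provisioning path: the only writer allowed for SCIM-managed groups.
        self._scim_managed.add(group)
        self._members[group] = set(user_ids)

    def add_member(self, group, user_id):
        # Single choke point shared by the admin UI and every product REST handler.
        if group in self._scim_managed:
            raise GroupNotModifiable(group)
        self._members.setdefault(group, set()).add(user_id)

    def members(self, group):
        return frozenset(self._members.get(group, ()))

def rest_add_user_to_group(directory, group, user_id):
    """Hypothetical product REST handler; returns (HTTP status, JSON body)."""
    try:
        directory.add_member(group, user_id)
    except GroupNotModifiable:
        message = "An error occurred: " + json.dumps(SCIM_ERROR)
        return 400, json.dumps({"errorMessages": [message], "errors": {}})
    return 201, json.dumps({"group": group, "added": user_id})

def out_of_band_members(directory, group, idp_user_ids):
    """Audit check: members of a synced group that the IdP never provisioned."""
    return directory.members(group) - set(idp_user_ids)
```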

            [AX-82] It's possible to add users to SCIM locked groups via the REST API

            Rodrigo B. made changes -
            Component/s Original: Directory - Groups - Add / remove users [ 66395 ]
            Component/s New: Directory - Groups - Add / remove users [ 80139 ]
            Key Original: ID-8869 New: AX-82
            Support reference count Original: 2
            Symptom Severity Original: Severity 2 - Major [ 14431 ] New: Severity 3 - Minor [ 14432 ]
            Project Original: Identity [ 16810 ] New: Admin Experience [ 24210 ]
            Matt Hogben made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 1000592 ]
            Alireza Asadi made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Waiting for Release [ 12075 ] New: Closed [ 6 ]
            Grzegorz Zgudka made changes -
            Status Original: In Progress [ 3 ] New: Waiting for Release [ 12075 ]
            Grzegorz Zgudka made changes -
            Status Original: Long Term Backlog [ 12073 ] New: In Progress [ 3 ]
            Grzegorz Zgudka made changes -
            Assignee New: Alireza Asadi [ b3415ed2a66a ]
            Grzegorz Zgudka made changes -
            Remote Link Original: This issue links to "UAM-2620 (Jira)" [ 992045 ] New: This issue links to "UAM-2620 (Hello Jira)" [ 992045 ]
            SET Analytics Bot made changes -
            Support reference count Original: 1 New: 2
            Andrew Delaney made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 994209 ]
            SET Analytics Bot made changes -
            Support reference count New: 1

              b3415ed2a66a Alireza Asadi
              da47590cf79f Ishan Chaudhuri
              Affected customers: 2
              Watchers: 5