Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

How can I remove a user from group "system-administrators"

Duy Anh Do
Contributor
July 17, 2026

Environment: Jira Cloud

I’ve found a hidden group named “system-administrators.” It does not appear in User management → Groups and is only returned by GET /rest/api/3/group/bulk.

What happens

  • I can add a user with POST /rest/api/3/group/user (using the group name or groupId).
  • I cannot remove the user with DELETE /rest/api/3/group/user (using the same groupId and accountId). This is the errorMessage:
    "An error occurred: com.atlassian.idp.client.exceptions.BadRequestException: {\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\"],\"status\":\"400\",\"detail\":\"Group not modifiable\",\"errorType\":\"InvalidSchema\",\"message\":\"Group not modifiable\"}"
  • The group is not searchable or manageable in the admin UI.


How can I remove a user from this "system-administrators" group ? Currently when I add any user to this group, they can not be removed from this group unless I remove them totally from my environment

2 answers

1 vote
Alexandre Pezzini
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 17, 2026

The system-administrators group (and its variations like jira-system-administrators) is a protected system group. In Jira Cloud, certain groups are managed by the underlying Atlassian platform to ensure system stability and security.

1. Why you are seeing "Group not modifiable"

The error message "Group not modifiable" typically occurs because the group is considered a system-managed group. These groups often have restricted membership rules to prevent accidental lockout or unauthorized elevation of privileges.

In many cases, if a group is not visible in the standard Directory > Groups UI at admin.atlassian.com, it is because it is a legacy or internal system group that is not intended for manual modification via the standard Jira REST API (/rest/api/3/group/user).

2. How to Remove the User

Since the standard Jira API is returning a "not modifiable" error, you should try the Atlassian Administration (Organization) API instead. This API operates at a higher level than the Jira-specific API and is often required for managing protected groups.

The correct endpoint to try is:
DELETE /admin/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}

Steps to perform this:

  1. Get your Org ID: You can find this in the URL when you are at admin.atlassian.com.

  2. Use an Organization API Key: Note that this requires an Organization API Key (Bearer token), not a standard Jira API Token.

  3. Execute the call:

curl --request DELETE \ --url 'https://api.atlassian.com/admin/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}' \ --header 'Authorization: Bearer <ORG_API_KEY>' \ --header 'Accept: application/json'

3. Important Considerations

  • Managed Accounts: If the user is a "Managed User" (synced via SCIM/Azure AD/Okta), you may need to remove them from the group in your Identity Provider rather than in Jira.

  • Site Admin vs. Org Admin: Ensure you are performing these actions with Organization Admin privileges. Site-level administrators often lack the permissions to modify system-protected groups.

  • Hidden Groups: As a best practice, we recommend avoiding adding users to "hidden" groups found via the API, as these groups may be part of legacy configurations or internal Atlassian service accounts that can cause unexpected behavior if modified.

Verified Documentation

I hope this helps you resolve the issue with the stuck user membership!

0 votes
James Gamble
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 17, 2026

Hola Duy Anh,

@Alexandre Pezzini’s suggestion for the Organization API is worth trying. The Jira group endpoint and the Atlassian organization directory endpoint are separate APIs, so the failure from /rest/api/3/group/user doesn’t necessarily mean the organization-level request will fail.

Use this endpoint with an organization API key and organization-admin access:

`DELETE https://api.atlassian.com/admin/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}`

Atlassian documents the request here

There are two important limitations. If the membership is managed through SCIM, you’ll need to remove the user from the group in your identity provider. Also, Atlassian’s documentation doesn’t specifically confirm whether this endpoint can modify the hidden system-administrators group.

If the organization endpoint also returns Group not modifiable, I’d open an Atlassian Support case and include the group ID, account ID, the original POST request, the failed DELETE responses, and the approximate time the user was added. Since Jira allowed the membership to be added but provides no supported way to reverse it, Atlassian may need to remove it internally and investigate why the original request was accepted.

Until Atlassian confirms how this group is intended to work, I’d avoid adding anyone else to hidden groups returned through the API.

Thanks,

James

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
FREE
PERMISSIONS LEVEL
Product Admin Site Admin
TAGS
AUG Leaders

Atlassian Community Events