Environment: Jira Cloud
I’ve found a hidden group named “system-administrators.” It does not appear in User management → Groups and is only returned by GET /rest/api/3/group/bulk.
What happens
POST /rest/api/3/group/user (using the group name or groupId).DELETE /rest/api/3/group/user (using the same groupId and accountId). This is the errorMessage:"An error occurred: com.atlassian.idp.client.exceptions.BadRequestException: {\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\"],\"status\":\"400\",\"detail\":\"Group not modifiable\",\"errorType\":\"InvalidSchema\",\"message\":\"Group not modifiable\"}"
How can I remove a user from this "system-administrators" group ? Currently when I add any user to this group, they can not be removed from this group unless I remove them totally from my environment
The system-administrators group (and its variations like jira-system-administrators) is a protected system group. In Jira Cloud, certain groups are managed by the underlying Atlassian platform to ensure system stability and security.
The error message "Group not modifiable" typically occurs because the group is considered a system-managed group. These groups often have restricted membership rules to prevent accidental lockout or unauthorized elevation of privileges.
In many cases, if a group is not visible in the standard Directory > Groups UI at admin.atlassian.com, it is because it is a legacy or internal system group that is not intended for manual modification via the standard Jira REST API (/rest/api/3/group/user).
Since the standard Jira API is returning a "not modifiable" error, you should try the Atlassian Administration (Organization) API instead. This API operates at a higher level than the Jira-specific API and is often required for managing protected groups.
The correct endpoint to try is:DELETE /admin/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}
Steps to perform this:
Get your Org ID: You can find this in the URL when you are at admin.atlassian.com.
Use an Organization API Key: Note that this requires an Organization API Key (Bearer token), not a standard Jira API Token.
Execute the call:
curl --request DELETE \
--url 'https://api.atlassian.com/admin/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}' \
--header 'Authorization: Bearer <ORG_API_KEY>' \
--header 'Accept: application/json'Managed Accounts: If the user is a "Managed User" (synced via SCIM/Azure AD/Okta), you may need to remove them from the group in your Identity Provider rather than in Jira.
Site Admin vs. Org Admin: Ensure you are performing these actions with Organization Admin privileges. Site-level administrators often lack the permissions to modify system-protected groups.
Hidden Groups: As a best practice, we recommend avoiding adding users to "hidden" groups found via the API, as these groups may be part of legacy configurations or internal Atlassian service accounts that can cause unexpected behavior if modified.
Managing global permissions | Administering Jira applications Data Center 11.3 | Atlassian Documentation (Note: While this is a Server/DC doc, it explains the protected nature of the System Admin permission).
I hope this helps you resolve the issue with the stuck user membership!
Hola Duy Anh,
@Alexandre Pezzini’s suggestion for the Organization API is worth trying. The Jira group endpoint and the Atlassian organization directory endpoint are separate APIs, so the failure from /rest/api/3/group/user doesn’t necessarily mean the organization-level request will fail.
Use this endpoint with an organization API key and organization-admin access:
`DELETE https://api.atlassian.com/admin/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}`
Atlassian documents the request here.
There are two important limitations. If the membership is managed through SCIM, you’ll need to remove the user from the group in your identity provider. Also, Atlassian’s documentation doesn’t specifically confirm whether this endpoint can modify the hidden system-administrators group.
If the organization endpoint also returns Group not modifiable, I’d open an Atlassian Support case and include the group ID, account ID, the original POST request, the failed DELETE responses, and the approximate time the user was added. Since Jira allowed the membership to be added but provides no supported way to reverse it, Atlassian may need to remove it internally and investigate why the original request was accepted.
Until Atlassian confirms how this group is intended to work, I’d avoid adding anyone else to hidden groups returned through the API.
Thanks,
James
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.