I would like to disable/suspend a user via the REST API.
My last try was to send the action = false to /rest/api/2/user but it only ends up with a 405 method PUT not allowed.
I have been stuck on this problem for a long time. I struggle a lot with Atlassian because every time I try to look for something I end up on a community/forum post because the documentation is not very helpful.
The furthest I have gotten is getting the account ID, display name and email. But with that information I never found out where to send the request to disable the user.
As far as I am aware I have to disable the user instead of deleting it because otherwise information like who posted gets lost.
@Kurt Oeffner user management in Cloud applications is separate to the application and must be done through the Cloud Admin API, rather than the product API.
You can find more about user management using the Cloud Admin API here: https://developer.atlassian.com/cloud/admin/rest-apis/
Best regards,
Gareth
I recently discovered this API and played with it just a little. Didn't try disabling any users (ours are Managed, so I don't think it's even possible), but I did figure out how to format the authentication header, which might be helpful:
Authorization: Bearer YOURAPIKEY
Thank you @Gareth Cantrell, you are amazing!
I saw that page before but I didn't realize the base url and auth were different.
Got the new API key, verified my domain and got it working.
Hi @Darryl Lee
Please correct me if I understood incorrectly:
- the admin API edits/suspends the user on the Atlassian directory
- If I suspend a user, it will lose access to all Atlassian products (Jira, Confluence, Bitbucket, Trello, etc.), those owned by us but also those owned by other companies.
- I cannot manage a user if it is not in our managed domains, for example if it is a customer email.
Is it correct?
Thanks.
How can I disable a user in Confluence using the REST API?
Hi @Krishna Prasad M, I recently looked into getting users' access removed from Confluence via the REST API. It isn't anything like most of the comments posted above. I struggled with getting users added to Confluence at first, but the way it is set up for our org is via being added to a Group. Just check on your org settings (if you have access to do so) and confirm whether it is indeed a group for you or not.
Anyway, this is the code I used for removing access from Confluence for a user:
import requests
from requests.auth import HTTPBasicAuth

# Placeholders: replace with the real group ID and the user's account ID
group_id = 'YOUR-group-id'
user_id = 'YOUR-user-account-id'

# URL for removing a user from Atlassian groups
remove_user_from_groups_url = 'https://YOUR-DOMAIN.atlassian.net/rest/api/3/group/user'
# Authenticate with Atlassian API using email and API token
remove_user_from_groups_auth = HTTPBasicAuth('YOUR-atlassian-admin-email', 'YOUR-atlassian-api-TOKEN')
# Build the DELETE request
remove_user_from_groups_query = {
    'groupId': group_id,  # This is the ID of the group being removed from
    'accountId': user_id  # This is the ID of the user being removed
}
# Store the response
remove_user_from_groups_response = requests.delete(url=remove_user_from_groups_url, params=remove_user_from_groups_query, auth=remove_user_from_groups_auth)
Hey @Jeshua - ah yeah, so Confluence Access is gated by groups listed under "Product Access" for your site, so assuming those are not managed groups (connected to your IdP), then your method is correct.
(So if you're removing the user from all-users and confluence-users, that should remove their Confluence access.)
Anyways, now that I look at this again, there's been some interesting developments, and I wanted to provide some links:
Deactivate a user
/users/{account_id}/manage/lifecycle/disable
Deactivate the specified user account. The permission to make use of this resource is exposed by the lifecycle.enablement privilege. You can optionally set a message associated with the block. If none is supplied, a default message will be used.
You can use this API to programmatically click the "Deactivate account" button, like here:
So I messed with this, and there's some very specific requirements:
This is of limited use though, because if you've claimed your domain, most if not all of your accounts are probably Managed, so deactivation must happen in your IdP and you'll see this message:
The error message that comes back when I tried to deactivate that account with the API endpoint is:
{
  "key": "forbidden.action",
  "context": {"allowed": false, "reason": {"key": "externalDirectory.scim"}},
  "errorKey": "forbidden.action",
  "errorDetail": {"allowed": false, "reason": {"key": "externalDirectory.scim"}}
}
Which is INTERESTING to me, because while digging around for this, I found this other User Provisioning API
There's some very interesting looking APIs there, like:
Deactivate a user
/scim/directory/{directoryId}/Users/{userId}
Deactivates a user from the directory by their userId, along with its group memberships. If the userId is linked to a managed Atlassian account, the account is deactivated. The user is not available for future requests until created with a new userId. Any future operation for the deactivated user returns the 404 (resource not found) error. The deactivated user can be activated again via Atlassian Administration.
To deactivate the account instead, use the Update user by ID API. Update the op field to replace and value field to active:false within the operations request body.
Note: Executing this API call will result in the deletion of the SCIM record, and there is no method to reverse these changes except by creating a new SCIM record with Create a user API.
And this:
Delete user in SCIM DB
/admin/user-provisioning/v1/org/{orgId}/user/{AAID}/onlyDeleteUserInDB
Delete the user in our SCIM DB with your Atlassian Account ID (AAID). This will apply to all directories in your organization matching that AAID and only works for managed users.
You will have to completely reprovision the deleted user to their respective groups after deletion.
Tell me more about Updating managed SCIM email addresses.
These must be for very specific use cases involving SCIM provisioning and "fixing" stuff.
https://developer.atlassian.com/cloud/admin/user-provisioning/email-change/
(OOOOH, this might fix a situation where for testing, I invited a user with his roku.com email prior to setting up SCIM provisioning, and then after provisioning, the other account still seems to be "hanging around".)
ANYWAYS, just wanted to at least throw all the documentation out there. It seems like most of these will probably only work with claimed domains. PLEASE PLEASE remember to test with fake users/test domains/orgs.
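The deactivate call and the SCIM refusal described in the post above, as an added example that is not part of the original thread or Atlassian's own code: it builds the request without sending it and maps the response to the action an admin should take. The base URL `https://api.atlassian.com`, the `message` body field, the treatment of any 2xx status as success and the function names are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Assumption: base URL of the User Management API (the thread does not state it).
API_BASE = "https://api.atlassian.com"


def build_disable_request(account_id, api_key, message=None):
    """Build (but do not send) the POST that deactivates one account."""
    if not account_id:
        raise ValueError("account_id is required")
    # Percent-encode the ID so a value taken from external input
    # cannot add path segments or a query string to the URL.
    safe_id = urllib.parse.quote(account_id, safe=":")
    url = f"{API_BASE}/users/{safe_id}/manage/lifecycle/disable"
    # Assumption: the optional block message is sent as a "message" field.
    body = json.dumps({"message": message} if message else {}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})


def classify_disable_response(status, body_text):
    """Map an HTTP status and body to the next step for the operator."""
    if 200 <= status < 300:
        return "deactivated"
    try:
        err = json.loads(body_text or "{}")
    except json.JSONDecodeError:
        return f"error-{status}"
    if not isinstance(err, dict):
        return f"error-{status}"
    if err.get("errorKey", err.get("key")) != "forbidden.action":
        return f"error-{status}"
    detail = err.get("errorDetail") or err.get("context") or {}
    reason = (detail.get("reason") or {}).get("key")
    # Account is provisioned from an external directory via SCIM:
    # deactivate it in the identity provider instead.
    return "deactivate-in-idp" if reason == "externalDirectory.scim" else "forbidden"


# Constructed sample: the error body quoted in the post above.
SAMPLE_SCIM_ERROR = json.dumps({
    "key": "forbidden.action",
    "context": {"allowed": False, "reason": {"key": "externalDirectory.scim"}},
    "errorKey": "forbidden.action",
    "errorDetail": {"allowed": False, "reason": {"key": "externalDirectory.scim"}},
})
```

Send the built request with `urllib.request.urlopen` only against a test org, and keep the API key out of logs and source control.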
Hi @Darryl Lee, I want to start off by saying you're a legend !!!
The week that has just passed I spent quite a bit of time trying to find methods for programmatically disabling an Atlassian user. In the end I kept getting back to conclusions that the community was still waiting for this to be released as a feature which was being worked on here and mostly here (since 2015 already).
At first I was going to have to accept just removing the user(s) from the group(s) they were part of and then manually flip the "has access to the site" switch. I even initially came across the article you encouraged me to look through, but couldn't get it to work previously, but that's because I was using an API token and not an API key 🤦‍♂️
👆 Now, just by using the API key instead, this managed to work for me because we happen to have our Atlassian org set up perfectly to be able to use this (claimed domain for users to join via, me having access to our Atlassian instance via the "Verified Org Admin" account to create the API key).
You've helped me solve my problem, thank you !!
@Jeshua I'm really happy to hear that you got things working!
Yeah, the API key vs token thing is tricky.