PATCH //miro.com/api/v1/scim/Users userName not unique

  • 22 August 2022
  • 5 replies
  • 82 views

Badge +1

Trying to update an existing user as of https://developers.miro.com/docs/users#update-user-attribute-by-id

If the taget userName belongs to a deleted account, I get …

{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
  "status" : "400",
  "scimType" : "invalidValue",
  "detail" : "User name '*******@baloise.com' is invalid: 'not unique'"
}

 

You can reproduce this with the user ID 3074457348934407798. The UPN can not be changed to the baloise.com email domain.

 

Expected behaviour: a deleted account does not count as duplicate and it is possible to reuse UPN’s of deleted accounts.


5 replies

Badge

Hi @Matthias.Cullmann 
 

SCIM API works within the scope of an organization. The username (user email) is unique for Miro application. Username is connected to the global Miro user and SCIM user id represents this Miro user. And it is possible that a users can have access to different organizations. It is possible to update username by SCIM if the username is unique and the current username is not registered in other teams (organization). We have this validation to prevent receiving access to a random user account.

This exactly happened for mentioned user '3074457348934407798'. This user is a part of two teams from different organizations. Maybe you removed this user from your organization, but the user is not deleted from Miro system and they have access to another teams.

Badge +1

Hi @Dmytro Kharatin ,

I can’t follow the reasoning here.

  1. If a user can only be created with a globally unique UPN, how can there be two users with different IDs and the same UPN in different organisations? I only deleted the Baloise user with ID 3074457347771553555 yesterday and tried to update 3074457348934407798 immediately afterwards.
  2. I can create a new user in our organisation with the UPN, but I can not assign this UPN to an existing user in the same organisation ( after deleting the newly created user)
  3. I can update the UPN of 3074457348934407798  to anything else, like catchmeifyoucan@baloise.com

 

Badge

Hi @Matthias.Cullmann 
The user 3074457347771553555 is not fully removed from the Miro. It was just removed from organisation. User credentials are still valid and user has ‘Registered’ status.
I am trying to clarify in what cases the user could be removed completely. Looks like the discussion could take some time. Thank you for rising the problem.
Meanwhile I could ask support team to remove 3074457347771553555 global user from Miro. 

Badge

Hi @Matthias.Cullmann 
User can fully delete their profile by following the instruction https://help.miro.com/hc/en-us/articles/360017571354-How-to-delete-your-profile
You also can create a customer request to delete user profile https://help.miro.com/hc/en-us/articles/360020185799-How-to-contact-Miro-Support. I mayn’t make the request for you.

Badge +1

Thanks @Dmytro Kharatin for the clarification.

IMHO the “soft delete” makes sense for personal profiles.

For SSO / SCIM managed organisations in enterprise plans the org admin should be able to definitely delete a profile.

Enterprises have the right and in some cases even the obligation ( c.f. https://gdpr-info.eu/art-17-gdpr/ ) to delete information related to an ex employee.

It should be the default setting via SCIM / if a profile is deleted and content transferred. In practice we will not ask an employee leaving the company “on your last day please login to miro and delete your profile”.

 

Reply