An API call to create a user and simultaneously assign them to a group fails with a 403 error. This issue occurs when the API token's associated administrator account has its user-creation permissions and group-management permissions split across different custom roles.
- API
- Custom Administrator Roles
- User Provisioning
This error is caused by an enhancement to the user creation permission logic. Following this update, the permission to create a user and the permission to manage the group (defined in a Resource Set) must be assigned together within the same custom role.
When these permissions are separated into different roles, the API call fails because the role with the Create users permission lacks the necessary resource scope for the group.
To resolve this issue, consolidate the required permissions and resources into a single custom role.
- Identify the custom administrator role that contains the Create users permission.
- Edit this same role.
- Under Manage users, select both Create users and Edit users' group membership. Under Group, select Manage group membership. All three permissions must sit in this one role, and the role's Resource Set must include the group you intend to assign.
- Save the role.
NOTE: For example, if an administrator holds Create users in one role (Role A) and Edit users' group membership plus Manage group membership in another role (Role B), the call returns a 403 error even though the administrator holds all three permissions across their roles.
By assigning both the Create users permission and Edit users' group membership/Manage group membership to the same custom role, the administrator (and its API token) will have the correct scope to create the user and assign the group in a single API call.
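To make the per-role evaluation concrete, the following is an added Python model of the check (it is not the product's authorization code and not from this article): permissions are evaluated role by role, as the text describes, so a union of permissions across roles is not enough, and the role holding all three permissions must also have the target group in its Resource Set. The role names, group IDs, permission labels and the request shape (POST /api/v1/users with a groupIds array) are assumptions made for the example.

```python
"""Model of the "same role" permission rule for create-user-with-group.

Added example, not the vendor's code. Role names, group IDs and the
request shape below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Permission labels as the article names them (spelling assumed).
CREATE_USERS = "Create users"
EDIT_USER_GROUPS = "Edit users' group membership"
MANAGE_GROUP_MEMBERSHIP = "Manage group membership"
REQUIRED = frozenset({CREATE_USERS, EDIT_USER_GROUPS, MANAGE_GROUP_MEMBERSHIP})


@dataclass(frozen=True)
class CustomRole:
    name: str
    permissions: FrozenSet[str]
    # Group IDs the role's Resource Set covers; None models "all groups".
    resource_set_groups: Optional[FrozenSet[str]] = None

    def covers_group(self, group_id: str) -> bool:
        return self.resource_set_groups is None or group_id in self.resource_set_groups


def build_create_user_request(login: str, group_id: str) -> Tuple[str, str, dict]:
    """Request that creates a user and assigns a group in one call.

    Endpoint and body shape are an assumption for the example (Users API style).
    """
    body = {
        "profile": {"login": login, "email": login, "firstName": "Test", "lastName": "User"},
        "groupIds": [group_id],
    }
    return "POST", "/api/v1/users?activate=true", body


def evaluate_create_user_in_group(roles: Iterable[CustomRole], group_id: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for the request built above.

    Mirrors the behaviour the article describes: the three permissions must
    be present together in ONE role whose Resource Set includes group_id.
    """
    roles = list(roles)
    union = set().union(*(r.permissions for r in roles)) if roles else set()
    if not REQUIRED <= union:
        missing = sorted(REQUIRED - union)
        return False, f"403: administrator lacks {missing} in any role"
    for r in roles:
        if REQUIRED <= r.permissions and r.covers_group(group_id):
            return True, f"allowed via role {r.name!r}"
    for r in roles:
        if REQUIRED <= r.permissions:
            return False, f"403: role {r.name!r} has the permissions but its Resource Set excludes {group_id}"
    # Every permission exists somewhere, just never together in one role.
    return False, "403: required permissions are split across roles; consolidate them into one role"


if __name__ == "__main__":
    # Constructed scenarios: the failing split from the NOTE, then the fix.
    group = "00g-example-group"
    split = [
        CustomRole("Role A", frozenset({CREATE_USERS})),
        CustomRole("Role B", frozenset({EDIT_USER_GROUPS, MANAGE_GROUP_MEMBERSHIP}), frozenset({group})),
    ]
    merged = [CustomRole("Role C", REQUIRED, frozenset({group}))]
    print(build_create_user_request("api.test@example.com", group))
    print("split roles  ->", evaluate_create_user_in_group(split, group))
    print("single role  ->", evaluate_create_user_in_group(merged, group))
```

Run the file directly to see the split configuration denied and the consolidated role allowed; the third branch in `evaluate_create_user_in_group` is the case where the role is consolidated correctly but its Resource Set does not contain the group being assigned, which produces the same 403 and is worth checking before concluding the permissions are still split.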
