Issue
- User provisioning via SCIM is failing.
- Liferay logs indicate a permission error:
  ERROR [org.wso2.charon3.core.protocol.endpoints.AbstractResourceManager] Unable to provision a portal user for null
  org.wso2.charon3.core.exceptions.CharonException: Unable to provision a portal user for null
  [...]
  Caused by: com.liferay.portal.kernel.security.auth.PrincipalException$MustHavePermission: User [USER_ID] must have UPDATE permission for com.liferay.portal.kernel.model.User [USER_ID]
  [...]
Environment
- 2024.Q1
Resolution
Important: This feature is behind a beta feature flag in 2024.Q1.
- The issue is caused by a known bug where the OAuth 2 access token used by SCIM is generated with guest user permissions instead of the permissions of the user who generated the SCIM access token.
- To resolve this issue, apply the fix for LPD-33284 by either:
  - upgrading to 2024.Q4.0 or above, or
  - opening a help center ticket to request a hotfix at your current patch level.
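
To confirm that a failure in your logs matches the signature above, the following log triage script pulls out the acting and target user IDs from each SCIM provisioning failure. It is an added example, not Liferay code. The function name triage, the sample log lines and all numeric user IDs are constructed, and it assumes the first ID in the exception message is the principal the request was evaluated as.

```python
import re

# New log entry marker, Charon's provisioning failure, and Liferay's
# MustHavePermission cause on the User model (all taken from the error above).
ENTRY_RE = re.compile(r"\b(?:ERROR|WARN|INFO|DEBUG) +\[")
PROVISION_RE = re.compile(r"Unable to provision a portal user")
PERMISSION_RE = re.compile(
    r"PrincipalException\$MustHavePermission: User (?P<actor>\S+) must have "
    r"(?P<action>\w+) permission for com\.liferay\.portal\.kernel\.model\.User "
    r"(?P<target>\S+)"
)

# Constructed sample: user IDs are invented; 20123 stands for the token owner.
SAMPLE_LOG = """\
ERROR [org.wso2.charon3.core.protocol.endpoints.AbstractResourceManager] Unable to provision a portal user for null
org.wso2.charon3.core.exceptions.CharonException: Unable to provision a portal user for null
Caused by: com.liferay.portal.kernel.security.auth.PrincipalException$MustHavePermission: User 20099 must have UPDATE permission for com.liferay.portal.kernel.model.User 41234
ERROR [com.example.Unrelated] Some other failure
Caused by: com.liferay.portal.kernel.security.auth.PrincipalException$MustHavePermission: User 20123 must have UPDATE permission for com.liferay.portal.kernel.model.User 41235
"""


def triage(log_text, token_owner_id):
    """Return one finding per SCIM provisioning failure caused by a User permission check.

    Assumption: the first ID in the exception is the principal the request ran as.
    """
    findings = []
    in_provisioning_failure = False
    for line in log_text.splitlines():
        if ENTRY_RE.search(line):
            in_provisioning_failure = False  # a new log entry starts here
        if PROVISION_RE.search(line):
            in_provisioning_failure = True
        match = PERMISSION_RE.search(line)
        if match and in_provisioning_failure:
            findings.append({
                "actor": match.group("actor"),
                "action": match.group("action"),
                "target": match.group("target"),
                # False means the request was not evaluated as the token owner,
                # which is consistent with the guest-permission bug above.
                "actor_is_token_owner": match.group("actor") == str(token_owner_id),
            })
            in_provisioning_failure = False
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, token_owner_id=20123):
        print(finding)
```

If actor_is_token_owner is True, the token owner itself lacks UPDATE permission on users, which points to a role assignment problem rather than the bug described here.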
Additional Information
- If you are interacting with SCIM headlessly, you should also request the fix for LPD-33598.
- Read more about SCIM at System for Cross-domain Identity Management (SCIM)