KNOWLEDGE BASE

Unable to demote user's site role when syncing user via SCIM


Published: 20 Nov 2020
Last Modified Date: 08 Jul 2021

Issue

When attempting to update a user's site role in Tableau Online via Azure AD sync, the following error might occur:

SystemForCrossDomainIdentityManagementServiceIncompatible
{"error":{"summary":"Bad Request","detail":"There was a problem updating user 'userid'.","code":"400012"}}. This operation was retried 2 times. It will be retried again after this date: <date>

Environment

  • Tableau Online
  • SCIM
  • Azure AD
  • Okta
  • OneLogin

Resolution

Option 1: Remove the user from any groups that have Grant Role on Sign In enabled where they are a member. For more information, see Grant Role on Sign In.

Option 2: Disable the Grant Role on Sign In functionality for any groups of which the user is a member. For more information, see Grant Role on Sign In.

Cause

The user's site role is unable to be demoted because the user belongs to a group that has a Minimum Site Role requirement and Grant Role on Sign In enabled.
Did this article resolve the issue?