Prevent to change organization related user attributes for federated users

[martin-kanis]

When a user federated from LDAP or a custom user federation become an organization member, we need a way to detect or prevent to change user attribute(s) related to the organization outside the Keycloak.

[pedroigor]

AFAIK, for LDAP that would require creating a mapper for those attributes related to the organization. And if the user is being managed through the user profile provider we are already running validations. Are you considering introducing constraints on which attributes can be mapped from an LDAP mapper?

[pedroigor]

@martin-kanis Btw, perhaps related to what you are proposing around LDAP:

• Review places when UserModel is directly updated without user profile #25726
• Allow selecting attributes from user profile when managing token mappers #26415

The #26415 does not prevent you entirely from setting any attribute but we could perhaps introduce validations (even if specific to the mapper configuration) to prevent touching such attributes.

Another option is rely on user-specific events to make sure such attributes don't change if not managed through the organization provider.