Even when you have delegated authentication to an external system (which becomes the source of truth for username, e-mail, name, and sometimes groups) it is still possible to overwrite this information in the Administration UI.
The next time the user logs in, this information is wiped away. This confuses users who don’t really understand how our implementation of Delegated Authentication works. To them, it mostly looks like a bug.
It would be great if, in the UI, it was not possible to edit the attributes (e-mail, name) of non-local users, and not possible to edit the groups a non-local user belongs to, if group mapping is enabled.
In Administration -> Security -> Users, it should not be possible to update the and the of an external user (the field local is false in the response of api/users/search).
It should still be possible to edit the user's SCM accounts.
The web service api/users/update should fail with a 400 error when trying to update the and of an external user (users having column USER_DTO#USER_LOCAL set to false).
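
A sketch of the server-side check requested above, so the rule holds even when a client calls the web service directly instead of going through the UI. This is an added example, not SonarQube code: the class, record and method names are hypothetical, the guarded fields are assumed to be the name and e-mail mentioned earlier, and the sample users are constructed (records need Java 16 or later).

```java
import java.util.List;
import java.util.Objects;
import java.util.Optional;

// Added illustration with hypothetical names; not SonarQube's own classes.
public class ExternalUserUpdateGuard {

    // "local" mirrors the flag the page describes: false means an external user.
    record User(String login, String name, String email, List<String> scmAccounts, boolean local) {}

    // An empty Optional means the parameter was not sent with the request.
    record UpdateRequest(Optional<String> name, Optional<String> email, Optional<List<String>> scmAccounts) {}

    record Result(int status, String message, User user) {}

    static Result update(User current, UpdateRequest req) {
        // Assumption: re-sending an unchanged value is not an update attempt.
        boolean editsIdentity = differs(req.name(), current.name()) || differs(req.email(), current.email());
        if (!current.local() && editsIdentity) {
            // Reject the whole request so no partial change is stored.
            return new Result(400, "Name and e-mail of an external user are managed by its identity provider", current);
        }
        User updated = new User(current.login(),
                req.name().orElse(current.name()),
                req.email().orElse(current.email()),
                req.scmAccounts().orElse(current.scmAccounts()),
                current.local());
        return new Result(200, "OK", updated);
    }

    private static boolean differs(Optional<String> requested, String stored) {
        return requested.isPresent() && !Objects.equals(requested.get(), stored);
    }

    public static void main(String[] args) {
        // Constructed sample users.
        User external = new User("bob", "Bob", "bob@example.com", List.of(), false);
        User local = new User("alice", "Alice", "alice@example.com", List.of(), true);

        UpdateRequest rename = new UpdateRequest(Optional.of("Robert"), Optional.empty(), Optional.empty());
        UpdateRequest scmOnly = new UpdateRequest(Optional.empty(), Optional.empty(), Optional.of(List.of("bob-git")));

        System.out.println(update(external, rename).status());  // external user, name change
        System.out.println(update(external, scmOnly).status()); // external user, SCM accounts only
        System.out.println(update(local, rename).status());     // local user, name change
    }
}
```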