Summary
At present, users who are prevented by an Access Policy (ABAC policy) from updating user profile fields can still clear those fields (for example, delete a phone number), because clearing a field does not register as a change. Since no change is detected, the request bypasses the ABAC validation checks.
To improve the security posture of the affected API requests, a behavioral change is being implemented so that deleting user profile field data now registers as a change and can therefore be detected and evaluated by ABAC policies.
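The following is an added illustration, not Genesys Cloud's own code: a toy change detector for a profile PUT, written first in the flawed form the announcement describes (clearing a field is not treated as a change, so the deny policy is never consulted) and then in a corrected form that treats a null, empty or omitted value as a change. The field names, profile shape and policy representation are assumptions made for the example.

```python
# Added example, not Genesys Cloud's own code: a toy change detector for a
# profile PUT in the flawed form the announcement describes (clearing a field
# does not register as a change) beside a corrected form. The field names,
# profile shape and policy representation are assumed for illustration.

EMPTY_VALUES = (None, "", [], {})


def _normalize(value):
    """Treat every way of clearing a field (null, empty string/list/dict) alike."""
    return None if value in EMPTY_VALUES else value


def changed_fields_flawed(current, requested):
    """Flawed: only a non-empty value that differs from the stored one counts,
    so sending null (or omitting the field) never registers as a change and the
    deny policy for that field is never consulted."""
    return {
        field for field, value in requested.items()
        if value not in EMPTY_VALUES and value != current.get(field)
    }


def changed_fields_fixed(current, requested):
    """Corrected: any field whose effective value differs is a change. Comparing
    the union of stored and requested fields catches both an explicit null and a
    field silently dropped from a full PUT body."""
    return {
        field for field in set(current) | set(requested)
        if _normalize(current.get(field)) != _normalize(requested.get(field))
    }


def denied_changes(current, requested, denied_fields, detect):
    """Fields the request would modify that the policy forbids; empty set = allowed."""
    return detect(current, requested) & set(denied_fields)


# Constructed sample data: a stored profile and a policy denying phone/email updates.
CURRENT_PROFILE = {"name": "Jane Doe", "phone": "+1 555 0100", "email": "jane@example.com"}
DENIED_FIELDS = {"phone", "email"}
CLEAR_PHONE = {"name": "Jane Doe", "phone": None, "email": "jane@example.com"}
OMIT_PHONE = {"name": "Jane Doe", "email": "jane@example.com"}
NEW_PHONE = {"name": "Jane Doe", "phone": "+1 555 0199", "email": "jane@example.com"}

if __name__ == "__main__":
    for label, req in (("clear", CLEAR_PHONE), ("omit", OMIT_PHONE), ("update", NEW_PHONE)):
        print(label, "flawed:", denied_changes(CURRENT_PROFILE, req, DENIED_FIELDS, changed_fields_flawed),
              "fixed:", denied_changes(CURRENT_PROFILE, req, DENIED_FIELDS, changed_fields_fixed))
```

With the flawed detector the "clear" and "omit" requests produce an empty denied set and pass the policy; with the corrected one they are flagged on "phone" exactly like an ordinary update.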
Effective Date
Monday, October 20, 2025
Details
This change is being implemented to improve the robustness of ABAC (Attribute Based Access Control) policies designed to prevent users from updating user profile fields.
Customer Impact
Users who were prevented from updating user profile fields via an ABAC policy could still delete the data from these fields. Following this change, that will no longer be possible.
We are announcing this as a breaking change to cover the scenario where, as a result of this change, an application begins to receive ABAC validation errors that it did not receive previously.
Impacted Resources
PUT /api/v2/users/{userId}/profile
Issue References
AUTHZ-898
Contacts
@David Murray
Please reply to this announcement with any questions. This helps the wider developer community benefit from the discussion. We encourage you to use this thread before contacting the designated person directly. Thank you for your understanding.