The sample shows the PATCH /environments/{environmentId}/users/{userId} operation to update existing attribute properties. For the PATCH operation, the update operation targets only those attribute values specified in the request body.

Attributes omitted from the request body are not updated or removed. If the user does not have update access to an attribute, a 403 Forbidden error is returned if an update is attempted for that attribute.

All values for attributes with multiValued set to true are replaced with the provided data. For example, if a user has the following data set for the locales attribute:

{
    ...,
    "locales": ["London", "Sydney"],
    ...
}

and the PATCH operation is called with the following body:

{
    "locales": ["Tel Aviv"]
}

then the result would be the user’s locales value set to a one-value array consisting of “Tel Aviv”. Any user-initiated updates to the value will also replace the entire array. No merging is possible.

Users who are not authenticating with PingOne must be assigned an identity provider with the identityProvider.id attribute. If identityProvider.id is not provided, PingOne is set as the default identity provider. The identityProvider.type value is read-only, and its value is dependent on the value of identityProvider.id. If identityProvider.id is not provided, the default value of identityProvider.type is PING_ONE.

Important: Users who authenticate with an authoritative identity provider cannot self-service modify their account. The scopes p1:update:user and p1:read:user:{suffix} are not granted for these users. For additional information on scopes, see Access services through scopes and roles.