
Monaco account command: unable to update a group (HTTP 400) {\"error\":true,\"payload\":null,\"message\":\"Cannot modify SCIM grou

erh_inetum
Champion

Hi,

I'm trying to assign policies and boundaries for many groups using Monaco.

The groups were deployed in Account Management using SCIM and now we're trying to assign policies and boundaries to each group using Monaco.

But when we try to deploy the configuration, we receive this error:

 

Error: unable to deploy group 'GROUP_NAME' for account tenant_account_id: unable to update group with UUID: uuid_group (HTTP 400): {\"error\":true,\"payload\":null,\"message\":\"Cannot modify SCIM group uuid_group\"}" error.type=*errors.joinError error.details="unable to deploy group 'GROUP_NAME' for account tenant_account_id: unable to update group with UUID: uuid_group (HTTP 400): {\"error\":true,\"payload\":null,\"message\":\"Cannot modify SCIM group uuid_group"}"

 

The test (deploy -d) works fine but the deploy fails with that error.

 

Before deploying with Monaco, we assigned the policies and boundaries for a group from the UI. Then we downloaded the configuration and put these rules for each new group to assign the policies and roles, but it fails.

 

This is the code we are using:

- id: MY_GROUP
  name: MY_GROUP
  environments:
  - environment: my_environment
    policies:
    - policy: All Grail data read access
      boundaries:
      - type: reference
        id: my_boundary
    - policy: Pro User
      boundaries:
      - type: reference
        id: my_boundary
    - policy:
        type: reference
        id: my_policy
      boundaries:
      - type: reference
        id: my_boundary
  originObjectId: objetctID
 

I've seen this link talking about -d options and HTTP 400 error but I'm not able to fix it.

Does someone know what's wrong?

Thanks in advance.
Regards,
Elena.

3 REPLIES

t_pawlak
Leader

Hi,
The issue is caused by the fact that your group is SCIM-managed.

Dynatrace does not allow modifying SCIM groups via Account Management update operations, which is why you get:

Cannot modify SCIM group ...

Why does deploy -d work?

  • it only validates the configuration
  • it does not attempt to update the group

During a real deploy, Monaco tries to update the group object, and this is blocked for SCIM groups -> HTTP 400.

Here:

- id: MY_GROUP
  ...
  originObjectId: objectID

makes Monaco treat the group as managed and updatable, which is not allowed for SCIM groups.

You shouldn't manage SCIM groups via groups: in Monaco. Instead, manage policies and boundaries or assign them to existing SCIM groups.

Hi @t_pawlak ,

Thanks a lot for your answer.

But we're trying to assign policies and boundaries to existing SCIM groups.

These are the steps we have followed:

  1. The Azure administrator supplied many user groups from SCIM
  2. Before that, we defined two policies that we want to apply to these new groups
  3. After that, we used Monaco to create as many boundaries as there are newly supplied groups. Each of these boundaries and the policies will apply to the newly supplied groups
  4. When we try to assign these policies and boundaries to these new existing SCIM groups, we get an HTTP 400 error

So, as the SCIM groups exist, it should work.

Do you have any further idea of what could be happening?

Thanks a lot.

Elena

erh_inetum
Champion

Hi @t_pawlak,

Definitely, it seems it's not possible to manage permissions using Monaco, or even to manage policies and boundaries or assign them to existing SCIM groups, according to this link:

scim_limitations.jpg

Fortunately, automation via API is possible.

Thank you so much for your help.

Regards,

Elena.
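An added example (not part of any post in this thread, and not Dynatrace or Monaco code): a log triage script that parses deploy errors in the format quoted in the first post and separates groups rejected as SCIM-owned, whose policy and boundary bindings were therefore not applied, from other failures. The sample lines, group names, UUIDs, the account placeholder and the HTTP 403 case are constructed.

```python
import json
import re

# Matches the Monaco deploy error quoted in the thread (escaped JSON body included).
DEPLOY_ERR = re.compile(
    r"unable to deploy group '(?P<group>[^']+)' for account (?P<account>[^\s:]+): "
    r"unable to update group with UUID: (?P<uuid>\S+) \(HTTP (?P<status>\d{3})\): "
    r"\{(?P<body>.*?)\}"
)

def parse_deploy_errors(log_text):
    """Return one record per group UUID (the log repeats each error in error.details)."""
    records = {}
    for m in DEPLOY_ERR.finditer(log_text):
        raw = "{" + m["body"].replace('\\"', '"') + "}"
        try:
            message = json.loads(raw).get("message") or ""
        except json.JSONDecodeError:
            message = raw  # keep the raw body if it is not valid JSON
        records[m["uuid"]] = {"group": m["group"], "account": m["account"],
                              "uuid": m["uuid"], "status": int(m["status"]),
                              "message": message}
    return list(records.values())

def triage(records):
    """Split failures into SCIM-owned groups and everything else."""
    scim, other = [], []
    for r in records:
        blocked = r["status"] == 400 and r["message"].startswith("Cannot modify SCIM group")
        (scim if blocked else other).append(r)
    return scim, other

def _sample_line(group, uuid, status, msg):
    # Constructed log line in the thread's format; all values are placeholders.
    core = (f"unable to deploy group '{group}' for account ACCOUNT_PLACEHOLDER: "
            f"unable to update group with UUID: {uuid} (HTTP {status}): "
            f'{{\\"error\\":true,\\"payload\\":null,\\"message\\":\\"{msg}\\"}}')
    return f'Error: {core}" error.type=*errors.joinError error.details="{core}"'

SAMPLE_LOG = "\n".join([
    _sample_line("GROUP_A", "uuid-a", 400, "Cannot modify SCIM group uuid-a"),
    _sample_line("GROUP_B", "uuid-b", 400, "Cannot modify SCIM group uuid-b"),
    _sample_line("GROUP_C", "uuid-c", 403, "Forbidden"),  # constructed non-SCIM failure
])

if __name__ == "__main__":
    scim, other = triage(parse_deploy_errors(SAMPLE_LOG))
    print("SCIM-owned, bindings NOT applied:", [r["group"] for r in scim])
    print("Other failures:", [(r["group"], r["status"]) for r in other])
```

Groups in the first list still lack the intended policies and boundaries after the run, so they are the ones to hand to whatever channel does accept the assignment.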
