When synchronizing external identities into the Oak repository, the users/groups are marked with a rep:externalId property but are otherwise accessible through the repository's user management API.
Today this means that synced external identities can be modified like local users/groups if the editing session has sufficient permission to do so.
The aim of this improvement request is to optionally mark synced identities as 'protected'. Only system-internal tasks (i.e. update upon re-sync) would then be allowed to write those external users/groups, while updates of properties or member information through regular JCR sessions would be prevented. To be discussed: whether removal of these external users should still be permitted.
cc: insuafer as we discussed this improvement in a private conversation.