Allow adding existing users to registrar (#2616 )

Add a bulk-domain-action console endpoint (#2611 )
For now it only includes two options (domain deletion and domain suspension). In the future, as necessary, we can add other actions but this seems like a relatively simple starting point (actions like bulk updates are much more conceptually complex).
2026-05-25 17:20:32 +00:00 · 2024-11-27 22:40:32 +00:00 · 2024-11-22 20:47:47 +00:00 · 2024-11-22 19:48:19 +00:00
20 changed files with 900 additions and 111 deletions
--- a/console-webapp/src/app/shared/services/backend.service.ts
+++ b/console-webapp/src/app/shared/services/backend.service.ts
@@ -166,9 +166,9 @@ export class BackendService {
      .pipe(catchError((err) => this.errorCatcher<User[]>(err)));
  }

-  createUser(registrarId: string): Observable<User> {
+  createUser(registrarId: string, maybeUser: User | null): Observable<User> {
    return this.http
-      .post<User>(`/console-api/users?registrarId=${registrarId}`, {})
+      .post<User>(`/console-api/users?registrarId=${registrarId}`, maybeUser)
      .pipe(catchError((err) => this.errorCatcher<User>(err)));
  }

--- a/console-webapp/src/app/shared/services/userData.service.ts
+++ b/console-webapp/src/app/shared/services/userData.service.ts
@@ -27,6 +27,7 @@ export interface UserData {
  supportEmail: string;
  supportPhoneNumber: string;
  technicalDocsUrl: string;
+  userRoles?: Map<string, string>;
 }

@Injectable({
--- a/console-webapp/src/app/users/userEdit.component.ts
+++ b/console-webapp/src/app/users/userEdit.component.ts
@@ -19,7 +19,7 @@ import { SelectedRegistrarModule } from '../app.module';
 import { MaterialModule } from '../material.module';
 import { RegistrarService } from '../registrar/registrar.service';
 import { SnackBarModule } from '../snackbar.module';
-import { User, UsersService, roleToDescription } from './users.service';
+import { UsersService, roleToDescription } from './users.service';
 import { FormsModule } from '@angular/forms';

@Component({
--- a/console-webapp/src/app/users/users.component.html
+++ b/console-webapp/src/app/users/users.component.html
@@ -3,6 +3,62 @@
  <div class="console-app__users-spinner">
    <mat-spinner />
  </div>
+  } @else if(selectingExistingUser) {
+
+  <div class="console-app__users">
+    <h1 class="mat-headline-4">Add existing user</h1>
+
+    <p>
+      <button
+        mat-icon-button
+        aria-label="Back to users list"
+        (click)="selectingExistingUser = false"
+      >
+        <mat-icon>arrow_back</mat-icon>
+      </button>
+    </p>
+    <h1>Select registrar from which to add a new user</h1>
+    <p>
+      <mat-form-field appearance="outline">
+        <mat-label>Registrar</mat-label>
+        <mat-select
+          [(ngModel)]="selectedRegistrarId"
+          name="selectedRegistrarId"
+          (selectionChange)="onRegistrarSelectionChange($event)"
+        >
+          @for (registrar of registrarService.registrars(); track registrar) {
+          <mat-option [value]="registrar.registrarId">{{
+            registrar.registrarId
+          }}</mat-option>
+          }
+        </mat-select>
+      </mat-form-field>
+    </p>
+    @if(usersSelection.length) {
+    <app-users-list
+      [users]="usersSelection"
+      (onSelect)="existingUserSelected($event)"
+    />
+    <p class="console-app__users-add-existing">
+      <button
+        mat-flat-button
+        color="primary"
+        aria-label="Add user"
+        (click)="submitExistingUser()"
+        [disabled]="!selectedExistingUser"
+      >
+        Add user
+      </button>
+      <button
+        mat-stroked-button
+        aria-label="Cancel adding existing user"
+        (click)="selectingExistingUser = false"
+      >
+        Cancel
+      </button>
+    </p>
+    }
+  </div>
  } @else if(usersService.currentlyOpenUserEmail()) {
  <app-user-edit></app-user-edit>
  } @else {
@@ -10,39 +66,31 @@
    <div class="console-app__users-header">
      <h1 class="mat-headline-4">Users</h1>
      <div class="spacer"></div>
-      <button
-        mat-flat-button
-        (click)="createNewUser()"
-        aria-label="Create new user"
-        color="primary"
-      >
-        Create a Viewer User
-      </button>
+      <div class="console-app__users-header-buttons">
+        <button
+          class="console-app__users-header-add"
+          mat-stroked-button
+          (click)="addExistingUser()"
+          aria-label="Create new user"
+          color="primary"
+        >
+          <mat-icon>add</mat-icon>
+          Add existing user
+        </button>
+        <button
+          mat-flat-button
+          (click)="createNewUser()"
+          aria-label="Create new user"
+          color="primary"
+        >
+          Create a Viewer User
+        </button>
+      </div>
    </div>
-    <mat-table
-      [dataSource]="dataSource"
-      class="mat-elevation-z0"
-      class="console-app__users-table"
-      matSort
-    >
-      <ng-container
-        *ngFor="let column of columns"
-        [matColumnDef]="column.columnDef"
-      >
-        <mat-header-cell *matHeaderCellDef>
-          {{ column.header }}
-        </mat-header-cell>
-        <mat-cell
-          *matCellDef="let row"
-          [innerHTML]="column.cell(row)"
-        ></mat-cell>
-      </ng-container>
-      <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
-      <mat-row
-        *matRowDef="let row; columns: displayedColumns"
-        (click)="openDetails(row.emailAddress)"
-      ></mat-row>
-    </mat-table>
+    <app-users-list
+      [users]="usersService.users()"
+      (onSelect)="openDetails($event)"
+    />
  </div>
  }
 </app-selected-registrar-wrapper>
--- a/console-webapp/src/app/users/users.component.scss
+++ b/console-webapp/src/app/users/users.component.scss
@@ -13,26 +13,37 @@
 // limitations under the License.

 .console-app {
+  &__users {
+    max-width: 1024px;
+    overflow-x: auto;
+  }
+
  &__users-spinner {
    align-items: center;
    display: flex;
    justify-content: center;
  }

-  $min-width: 756px;
-  $max-width: 1024px;
-
-  &__users-table {
-    min-width: $min-width !important;
-    max-width: $max-width;
-  }
-
  &__users-new {
    margin-left: 20px;
  }

+  &__users-add-existing {
+    margin-top: 20px;
+    > button {
+      margin-right: 15px;
+    }
+  }
  &__users-header {
    display: flex;
    justify-content: space-between;
+    flex-wrap: wrap;
+    &-buttons {
+      display: flex;
+      flex-wrap: wrap;
+      button {
+        margin: 0 15px 15px 0;
+      }
+    }
  }
 }
--- a/console-webapp/src/app/users/users.component.ts
+++ b/console-webapp/src/app/users/users.component.ts
@@ -14,29 +14,18 @@

 import { CommonModule } from '@angular/common';
 import { HttpErrorResponse } from '@angular/common/http';
-import { Component, effect, ViewChild } from '@angular/core';
+import { Component, effect } from '@angular/core';
 import { MatSnackBar } from '@angular/material/snack-bar';
-import { MatSort } from '@angular/material/sort';
-import { MatTableDataSource } from '@angular/material/table';
 import { SelectedRegistrarModule } from '../app.module';
 import { MaterialModule } from '../material.module';
 import { RegistrarService } from '../registrar/registrar.service';
 import { SnackBarModule } from '../snackbar.module';
 import { UserEditComponent } from './userEdit.component';
-import { roleToDescription, User, UsersService } from './users.service';
-
-export const columns = [
-  {
-    columnDef: 'emailAddress',
-    header: 'User email',
-    cell: (record: User) => `${record.emailAddress || ''}`,
-  },
-  {
-    columnDef: 'role',
-    header: 'User role',
-    cell: (record: User) => `${roleToDescription(record.role)}`,
-  },
-];
+import { User, UsersService } from './users.service';
+import { UserDataService } from '../shared/services/userData.service';
+import { FormsModule } from '@angular/forms';
+import { UsersListComponent } from './usersList.component';
+import { MatSelectChange } from '@angular/material/select';

@Component({
  selector: 'app-users',
@@ -44,41 +33,45 @@ export const columns = [
  styleUrls: ['./users.component.scss'],
  standalone: true,
  imports: [
+    FormsModule,
    MaterialModule,
    SnackBarModule,
    CommonModule,
    SelectedRegistrarModule,
+    UsersListComponent,
    UserEditComponent,
  ],
  providers: [UsersService],
 })
 export class UsersComponent {
-  dataSource: MatTableDataSource<User>;
-  columns = columns;
-  displayedColumns = this.columns.map((c) => c.columnDef);
  isLoading = false;
-
-  @ViewChild(MatSort) sort!: MatSort;
+  selectingExistingUser = false;
+  selectedRegistrarId = '';
+  usersSelection: User[] = [];
+  selectedExistingUser: User | undefined;

  constructor(
    protected registrarService: RegistrarService,
    protected usersService: UsersService,
+    private userDataService: UserDataService,
    private _snackBar: MatSnackBar
  ) {
-    this.dataSource = new MatTableDataSource<User>(usersService.users());
-
    effect(() => {
      if (registrarService.registrarId()) {
        this.loadUsers();
      }
    });
-    effect(() => {
-      this.dataSource.data = usersService.users();
-    });
  }

-  ngAfterViewInit() {
-    this.dataSource.sort = this.sort;
+  addExistingUser() {
+    this.selectingExistingUser = true;
+    this.selectedRegistrarId = '';
+    this.usersSelection = [];
+    this.selectedExistingUser = undefined;
+  }
+
+  existingUserSelected(user: User) {
+    this.selectedExistingUser = user;
  }

  loadUsers() {
@@ -96,7 +89,7 @@ export class UsersComponent {

  createNewUser() {
    this.isLoading = true;
-    this.usersService.createNewUser().subscribe({
+    this.usersService.createOrAddNewUser(null).subscribe({
      error: (err: HttpErrorResponse) => {
        this._snackBar.open(err.error || err.message);
        this.isLoading = false;
@@ -107,7 +100,39 @@ export class UsersComponent {
    });
  }

-  openDetails(emailAddress: string) {
-    this.usersService.currentlyOpenUserEmail.set(emailAddress);
+  openDetails(user: User) {
+    this.usersService.currentlyOpenUserEmail.set(user.emailAddress);
+  }
+
+  onRegistrarSelectionChange(e: MatSelectChange) {
+    if (e.value) {
+      this.usersService.fetchUsersForRegistrar(e.value).subscribe({
+        error: (err) => {
+          this._snackBar.open(err.error || err.message);
+        },
+        next: (users) => {
+          this.usersSelection = users;
+        },
+      });
+    }
+  }
+
+  submitExistingUser() {
+    this.isLoading = true;
+    if (this.selectedExistingUser) {
+      this.usersService
+        .createOrAddNewUser(this.selectedExistingUser)
+        .subscribe({
+          error: (err) => {
+            this._snackBar.open(err.error || err.message);
+            this.isLoading = false;
+          },
+          complete: () => {
+            this.isLoading = false;
+            this.selectingExistingUser = false;
+            this.loadUsers();
+          },
+        });
+    }
  }
 }
--- a/console-webapp/src/app/users/users.service.ts
+++ b/console-webapp/src/app/users/users.service.ts
@@ -46,6 +46,10 @@ export class UsersService {
    private registrarService: RegistrarService
  ) {}

+  fetchUsersForRegistrar(registrarId: string) {
+    return this.backendService.getUsers(registrarId);
+  }
+
  fetchUsers() {
    return this.backendService
      .getUsers(this.registrarService.registrarId())
@@ -56,14 +60,16 @@ export class UsersService {
      );
  }

-  createNewUser() {
+  createOrAddNewUser(maybeExistingUser: User | null) {
    return this.backendService
-      .createUser(this.registrarService.registrarId())
+      .createUser(this.registrarService.registrarId(), maybeExistingUser)
      .pipe(
        tap((newUser: User) => {
-          this.users.set([...this.users(), newUser]);
-          this.currentlyOpenUserEmail.set(newUser.emailAddress);
-          this.isNewUser = true;
+          if (newUser) {
+            this.users.set([...this.users(), newUser]);
+            this.currentlyOpenUserEmail.set(newUser.emailAddress);
+            this.isNewUser = true;
+          }
        })
      );
  }
--- a/console-webapp/src/app/users/usersList.component.html
+++ b/console-webapp/src/app/users/usersList.component.html
@@ -0,0 +1,24 @@
+<div class="console-app__users-table-wrapper">
+  <mat-table
+    [dataSource]="dataSource"
+    class="mat-elevation-z0"
+    class="console-app__users-table"
+    matSort
+  >
+    <ng-container
+      *ngFor="let column of columns"
+      [matColumnDef]="column.columnDef"
+    >
+      <mat-header-cell *matHeaderCellDef>
+        {{ column.header }}
+      </mat-header-cell>
+      <mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></mat-cell>
+    </ng-container>
+    <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
+    <mat-row
+      *matRowDef="let row; columns: displayedColumns"
+      [class.rowSelected]="isRowSelected(row)"
+      (click)="onClick(row)"
+    ></mat-row>
+  </mat-table>
+</div>
--- a/console-webapp/src/app/users/usersList.component.scss
+++ b/console-webapp/src/app/users/usersList.component.scss
@@ -0,0 +1,14 @@
+.console-app {
+  &__users-table {
+    min-width: 616px;
+    .rowSelected {
+      background-color: var(--light-highlight);
+      font-weight: bold;
+    }
+  }
+
+  &__users-table-wrapper {
+    width: 100%;
+    overflow: auto;
+  }
+}
--- a/console-webapp/src/app/users/usersList.component.ts
+++ b/console-webapp/src/app/users/usersList.component.ts
@@ -0,0 +1,78 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { CommonModule } from '@angular/common';
+import {
+  Component,
+  effect,
+  EventEmitter,
+  input,
+  Output,
+  ViewChild,
+} from '@angular/core';
+import { MaterialModule } from '../material.module';
+import { User, roleToDescription } from './users.service';
+import { MatTableDataSource } from '@angular/material/table';
+import { MatSort } from '@angular/material/sort';
+
+export const columns = [
+  {
+    columnDef: 'emailAddress',
+    header: 'User email',
+    cell: (record: User) => `${record.emailAddress || ''}`,
+  },
+  {
+    columnDef: 'role',
+    header: 'User role',
+    cell: (record: User) => `${roleToDescription(record.role)}`,
+  },
+];
+
+@Component({
+  selector: 'app-users-list',
+  templateUrl: './usersList.component.html',
+  styleUrls: ['./usersList.component.scss'],
+  standalone: true,
+  imports: [MaterialModule, CommonModule],
+  providers: [],
+})
+export class UsersListComponent {
+  columns = columns;
+  displayedColumns = this.columns.map((c) => c.columnDef);
+  dataSource: MatTableDataSource<User>;
+  selectedRow!: User;
+  users = input<User[]>([]);
+  @Output() onSelect = new EventEmitter<User>();
+  @ViewChild(MatSort) sort!: MatSort;
+
+  constructor() {
+    this.dataSource = new MatTableDataSource<User>(this.users());
+    effect(() => {
+      this.dataSource.data = this.users();
+    });
+  }
+
+  ngAfterViewInit() {
+    this.dataSource.sort = this.sort;
+  }
+
+  onClick(row: User) {
+    this.selectedRow = row;
+    this.onSelect.emit(row);
+  }
+
+  isRowSelected(row: User) {
+    return row === this.selectedRow;
+  }
+}
--- a/core/src/main/java/google/registry/flows/ExtensionManager.java
+++ b/core/src/main/java/google/registry/flows/ExtensionManager.java
@@ -105,7 +105,7 @@ public final class ExtensionManager {
  }

  private static final ImmutableSet<EppRequestSource> ALLOWED_METADATA_EPP_REQUEST_SOURCES =
-      ImmutableSet.of(EppRequestSource.TOOL, EppRequestSource.BACKEND);
+      ImmutableSet.of(EppRequestSource.BACKEND, EppRequestSource.CONSOLE, EppRequestSource.TOOL);

  private void checkForRestrictedExtensions(
      ImmutableSet<Class<? extends CommandExtension>> suppliedExtensions)
--- a/core/src/main/java/google/registry/flows/poll/PollAckFlow.java
+++ b/core/src/main/java/google/registry/flows/poll/PollAckFlow.java
@@ -37,6 +37,8 @@ import google.registry.model.poll.MessageQueueInfo;
 import google.registry.model.poll.PollMessage;
 import google.registry.model.poll.PollMessageExternalKeyConverter;
 import google.registry.model.poll.PollMessageExternalKeyConverter.PollMessageExternalKeyParseException;
+import google.registry.persistence.IsolationLevel;
+import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.persistence.VKey;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -55,6 +57,7 @@ import org.joda.time.DateTime;
 * @error {@link PollAckFlow.MissingMessageIdException}
 * @error {@link PollAckFlow.NotAuthorizedToAckMessageException}
 */
+@IsolationLevel(value = TransactionIsolationLevel.TRANSACTION_READ_COMMITTED)
 public final class PollAckFlow implements MutatingFlow {

  @Inject ExtensionManager extensionManager;
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleBulkDomainAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleBulkDomainAction.java
@@ -0,0 +1,228 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static jakarta.servlet.http.HttpServletResponse.SC_OK;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.escape.Escaper;
+import com.google.common.xml.XmlEscapers;
+import com.google.gson.JsonElement;
+import com.google.gson.annotations.Expose;
+import google.registry.flows.EppController;
+import google.registry.flows.EppRequestSource;
+import google.registry.flows.PasswordOnlyTransportCredentials;
+import google.registry.flows.StatelessRequestSessionMetadata;
+import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.User;
+import google.registry.model.eppcommon.ProtocolDefinition;
+import google.registry.model.eppoutput.EppOutput;
+import google.registry.model.eppoutput.Result;
+import google.registry.request.Action;
+import google.registry.request.OptionalJsonPayload;
+import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/**
+ * Console endpoint to perform the same action to a list of domains.
+ *
+ * <p>All requests must include the {@link BulkAction} to perform as well as a {@link
+ * BulkDomainList} of domains on which to apply the action. The remaining contents of the request
+ * body depend on the type of action -- some requests may require more data than others.
+ */
+@Action(
+    service = Action.GaeService.DEFAULT,
+    gkeService = Action.GkeService.CONSOLE,
+    path = ConsoleBulkDomainAction.PATH,
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
+public class ConsoleBulkDomainAction extends ConsoleApiAction {
+
+  public static final String PATH = "/console-api/bulk-domain";
+
+  private static Escaper XML_ESCAPER = XmlEscapers.xmlContentEscaper();
+
+  public enum BulkAction {
+    DELETE,
+    SUSPEND
+  }
+
+  /** All requests must include at least a list of domain names on which to perform the action. */
+  public record BulkDomainList(@Expose List<String> domainList) {}
+
+  public record BulkDomainDeleteRequest(@Expose String reason) {}
+
+  public record BulkDomainSuspendRequest(@Expose String reason) {}
+
+  private static final String DOMAIN_DELETE_XML =
+      """
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
+  <command>
+    <delete>
+      <domain:delete
+       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
+        <domain:name>%DOMAIN_NAME%</domain:name>
+      </domain:delete>
+    </delete>
+    <extension>
+      <metadata:metadata xmlns:metadata="urn:google:params:xml:ns:metadata-1.0">
+        <metadata:reason>%REASON%</metadata:reason>
+        <metadata:requestedByRegistrar>true</metadata:requestedByRegistrar>
+      </metadata:metadata>
+    </extension>
+    <clTRID>RegistryConsole</clTRID>
+  </command>
+</epp>""";
+
+  private static final String DOMAIN_SUSPEND_XML =
+      """
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<epp
+  xmlns="urn:ietf:params:xml:ns:epp-1.0">
+  <command>
+    <update>
+      <domain:update
+        xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
+        <domain:name>%DOMAIN_NAME%</domain:name>
+        <domain:add>
+          <domain:status s="serverDeleteProhibited" lang="en"></domain:status>
+          <domain:status s="serverHold" lang="en"></domain:status>
+          <domain:status s="serverRenewProhibited" lang="en"></domain:status>
+          <domain:status s="serverTransferProhibited" lang="en"></domain:status>
+          <domain:status s="serverUpdateProhibited" lang="en"></domain:status>
+        </domain:add>
+        <domain:rem></domain:rem>
+      </domain:update>
+    </update>
+    <extension>
+      <metadata:metadata
+        xmlns:metadata="urn:google:params:xml:ns:metadata-1.0">
+        <metadata:reason>Console suspension: %REASON%</metadata:reason>
+        <metadata:requestedByRegistrar>false</metadata:requestedByRegistrar>
+      </metadata:metadata>
+    </extension>
+    <clTRID>RegistryTool</clTRID>
+  </command>
+</epp>""";
+
+  private final EppController eppController;
+  private final String registrarId;
+  private final String bulkDomainAction;
+  private final Optional<JsonElement> optionalJsonPayload;
+
+  @Inject
+  public ConsoleBulkDomainAction(
+      ConsoleApiParams consoleApiParams,
+      EppController eppController,
+      @Parameter("registrarId") String registrarId,
+      @Parameter("bulkDomainAction") String bulkDomainAction,
+      @OptionalJsonPayload Optional<JsonElement> optionalJsonPayload) {
+    super(consoleApiParams);
+    this.eppController = eppController;
+    this.registrarId = registrarId;
+    this.bulkDomainAction = bulkDomainAction;
+    this.optionalJsonPayload = optionalJsonPayload;
+  }
+
+  @Override
+  protected void postHandler(User user) {
+    BulkAction bulkAction = BulkAction.valueOf(bulkDomainAction);
+    JsonElement jsonPayload =
+        optionalJsonPayload.orElseThrow(
+            () -> new IllegalArgumentException("Bulk action payload must be present"));
+    BulkDomainList domainList = consoleApiParams.gson().fromJson(jsonPayload, BulkDomainList.class);
+    checkPermission(user, registrarId, ConsolePermission.EXECUTE_EPP_COMMANDS);
+    ImmutableMap<String, ConsoleEppOutput> result =
+        switch (bulkAction) {
+          case DELETE -> handleBulkDelete(jsonPayload, domainList, user);
+          case SUSPEND -> handleBulkSuspend(jsonPayload, domainList, user);
+        };
+    // Front end should parse situations where only some commands worked
+    consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(result));
+    consoleApiParams.response().setStatus(SC_OK);
+  }
+
+  private ImmutableMap<String, ConsoleEppOutput> handleBulkDelete(
+      JsonElement jsonPayload, BulkDomainList domainList, User user) {
+    String reason =
+        consoleApiParams.gson().fromJson(jsonPayload, BulkDomainDeleteRequest.class).reason;
+    return runCommandOverDomains(
+        domainList,
+        DOMAIN_DELETE_XML,
+        new ImmutableMap.Builder<String, String>().put("REASON", reason),
+        user);
+  }
+
+  private ImmutableMap<String, ConsoleEppOutput> handleBulkSuspend(
+      JsonElement jsonPayload, BulkDomainList domainList, User user) {
+    String reason =
+        consoleApiParams.gson().fromJson(jsonPayload, BulkDomainSuspendRequest.class).reason;
+    return runCommandOverDomains(
+        domainList,
+        DOMAIN_SUSPEND_XML,
+        new ImmutableMap.Builder<String, String>().put("REASON", reason),
+        user);
+  }
+
+  /** Runs the provided XML template and substitutions over a provided list of domains. */
+  private ImmutableMap<String, ConsoleEppOutput> runCommandOverDomains(
+      BulkDomainList domainList,
+      String xmlTemplate,
+      ImmutableMap.Builder<String, String> replacements,
+      User user) {
+    return domainList.domainList.stream()
+        .collect(
+            toImmutableMap(
+                d -> d,
+                d ->
+                    executeEpp(
+                        fillSubstitutions(xmlTemplate, replacements.put("DOMAIN_NAME", d)), user)));
+  }
+
+  private ConsoleEppOutput executeEpp(String xml, User user) {
+    return ConsoleEppOutput.fromEppOutput(
+        eppController.handleEppCommand(
+            new StatelessRequestSessionMetadata(
+                registrarId, ProtocolDefinition.getVisibleServiceExtensionUris()),
+            new PasswordOnlyTransportCredentials(),
+            EppRequestSource.CONSOLE,
+            false,
+            user.getUserRoles().isAdmin(),
+            xml.getBytes(UTF_8)));
+  }
+
+  /** Fills the provided XML template with the replacement values, including escaping the values. */
+  private String fillSubstitutions(
+      String xmlTemplate, ImmutableMap.Builder<String, String> replacements) {
+    String xml = xmlTemplate;
+    for (Map.Entry<String, String> entry : replacements.buildKeepingLast().entrySet()) {
+      xml = xml.replaceAll("%" + entry.getKey() + "%", XML_ESCAPER.escape(entry.getValue()));
+    }
+    return xml;
+  }
+
+  public record ConsoleEppOutput(@Expose String message, @Expose int responseCode) {
+    static ConsoleEppOutput fromEppOutput(EppOutput eppOutput) {
+      Result result = eppOutput.getResponse().getResult();
+      return new ConsoleEppOutput(result.getMsg(), result.getCode().code);
+    }
+  }
+}
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleModule.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleModule.java
@@ -241,6 +241,12 @@ public final class ConsoleModule {
    return extractOptionalParameter(req, "searchTerm");
  }

+  @Provides
+  @Parameter("bulkDomainAction")
+  public static String provideBulkDomainAction(HttpServletRequest req) {
+    return extractRequiredParameter(req, "bulkDomainAction");
+  }
+
  @Provides
  @Parameter("eppPasswordChangeRequest")
  public static Optional<EppPasswordData> provideEppPasswordChangeRequest(
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
@@ -82,6 +82,8 @@ public class ConsoleUserDataAction extends ConsoleApiAction {
                // auth checks.
                "isAdmin", user.getUserRoles().isAdmin(),
                "globalRole", user.getUserRoles().getGlobalRole(),
+                // registrar-specific roles
+                "userRoles", user.getUserRoles().getRegistrarRoles(),
                // Include static contact resources in this call to minimize round trips
                "productName", productName,
                "supportEmail", supportEmail,
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java
@@ -48,6 +48,8 @@ import google.registry.tools.IamClient;
 import google.registry.util.StringGenerator;
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
@@ -100,7 +102,12 @@ public class ConsoleUsersAction extends ConsoleApiAction {
    // Temporary flag while testing
    if (user.getUserRoles().isAdmin()) {
      checkPermission(user, registrarId, ConsolePermission.MANAGE_USERS);
-      tm().transact(this::runCreateInTransaction);
+      if (userData.isPresent()) { // Adding existing user to registrar
+        tm().transact(this::runAppendUserInTransaction);
+      } else { // Adding new user to registrar
+        tm().transact(this::runCreateInTransaction);
+      }
+
    } else {
      consoleApiParams.response().setStatus(SC_FORBIDDEN);
    }
@@ -111,7 +118,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
    // Temporary flag while testing
    if (user.getUserRoles().isAdmin()) {
      checkPermission(user, registrarId, ConsolePermission.MANAGE_USERS);
-      tm().transact(() -> runUpdateInTransaction());
+      tm().transact(this::runUpdateInTransaction);
    } else {
      consoleApiParams.response().setStatus(SC_FORBIDDEN);
    }
@@ -145,21 +152,46 @@ public class ConsoleUsersAction extends ConsoleApiAction {
    }
  }

-  private void runDeleteInTransaction() throws IOException {
-    if (!isModifyingRequestValid()) {
+  private void runAppendUserInTransaction() {
+    if (!isModifyingRequestValid(false)) {
      return;
    }
-    String email = this.userData.get().emailAddress;
-    try {
-      directory.users().delete(email).execute();
-    } catch (IOException e) {
-      setFailedResponse("Failed to delete the user workspace account", SC_INTERNAL_SERVER_ERROR);
-      throw e;
+    ImmutableList<User> allRegistrarUsers = getAllRegistrarUsers(registrarId);
+    if (allRegistrarUsers.size() >= 4)
+      throw new BadRequestException("Total users amount per registrar is limited to 4");
+
+    updateUserRegistrarRoles(
+        this.userData.get().emailAddress,
+        registrarId,
+        RegistrarRole.valueOf(this.userData.get().role),
+        false);
+    consoleApiParams.response().setStatus(SC_OK);
+  }
+
+  private void runDeleteInTransaction() throws IOException {
+    if (!isModifyingRequestValid(true)) {
+      return;
+    }
+
+    String email = this.userData.get().emailAddress;
+    User updatedUser =
+        updateUserRegistrarRoles(
+            email, registrarId, RegistrarRole.valueOf(this.userData.get().role), true);
+
+    // User has no registrars assigned
+    if (updatedUser.getUserRoles().getRegistrarRoles().size() == 0) {
+      try {
+        directory.users().delete(email).execute();
+      } catch (IOException e) {
+        setFailedResponse("Failed to delete the user workspace account", SC_INTERNAL_SERVER_ERROR);
+        throw e;
+      }
+
+      VKey<User> key = VKey.create(User.class, email);
+      tm().delete(key);
+      User.revokeIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, null, iamClient);
    }

-    VKey<User> key = VKey.create(User.class, email);
-    tm().delete(key);
-    User.revokeIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, null, iamClient);

    consoleApiParams.response().setStatus(SC_OK);
  }
@@ -220,27 +252,19 @@ public class ConsoleUsersAction extends ConsoleApiAction {
  }

  private void runUpdateInTransaction() {
-    if (!isModifyingRequestValid()) {
+    if (!isModifyingRequestValid(true)) {
      return;
    }

-    UserData userData = this.userData.get();
-    UserRoles userRoles =
-        new UserRoles.Builder()
-            .setRegistrarRoles(ImmutableMap.of(registrarId, RegistrarRole.valueOf(userData.role)))
-            .build();
-    User updatedUser =
-        tm().loadByKeyIfPresent(VKey.create(User.class, userData.emailAddress))
-            .get()
-            .asBuilder()
-            .setUserRoles(userRoles)
-            .build();
-
-    tm().put(updatedUser);
+    updateUserRegistrarRoles(
+        this.userData.get().emailAddress,
+        registrarId,
+        RegistrarRole.valueOf(this.userData.get().role),
+        false);
    consoleApiParams.response().setStatus(SC_OK);
  }

-  private boolean isModifyingRequestValid() {
+  private boolean isModifyingRequestValid(boolean verifyAccess) {
    if (userData.isEmpty()
        || isNullOrEmpty(userData.get().emailAddress)
        || isNullOrEmpty(userData.get().role)) {
@@ -252,7 +276,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
            .orElseThrow(
                () -> new BadRequestException(String.format("User %s doesn't exist", email)));

-    if (!userToUpdate.getUserRoles().getRegistrarRoles().containsKey(registrarId)) {
+    if (verifyAccess && !userToUpdate.getUserRoles().getRegistrarRoles().containsKey(registrarId)) {
      setFailedResponse(
          String.format("Can't update user not associated with registrarId %s", registrarId),
          SC_FORBIDDEN);
@@ -261,6 +285,36 @@ public class ConsoleUsersAction extends ConsoleApiAction {
    return true;
  }

+  private User updateUserRegistrarRoles(
+      String email, String registrarId, RegistrarRole newRole, boolean isDelete) {
+    User userToUpdate = tm().loadByKeyIfPresent(VKey.create(User.class, email)).get();
+    Map<String, RegistrarRole> updatedRegistrarRoles;
+    if (isDelete) {
+      updatedRegistrarRoles =
+          userToUpdate.getUserRoles().getRegistrarRoles().entrySet().stream()
+              .filter(entry -> !Objects.equals(entry.getKey(), registrarId))
+              .collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, Map.Entry::getValue));
+    } else {
+      updatedRegistrarRoles =
+          ImmutableMap.<String, RegistrarRole>builder()
+              .putAll(userToUpdate.getUserRoles().getRegistrarRoles())
+              .put(registrarId, newRole)
+              .buildKeepingLast();
+    }
+    var updatedUser =
+        userToUpdate
+            .asBuilder()
+            .setUserRoles(
+                userToUpdate
+                    .getUserRoles()
+                    .asBuilder()
+                    .setRegistrarRoles(updatedRegistrarRoles)
+                    .build())
+            .build();
+    tm().put(updatedUser);
+    return updatedUser;
+  }
+
  private ImmutableList<User> getAllRegistrarUsers(String registrarId) {
    return tm().transact(
            () ->
--- a/core/src/test/java/google/registry/flows/ExtensionManagerTest.java
+++ b/core/src/test/java/google/registry/flows/ExtensionManagerTest.java
@@ -121,7 +121,7 @@ class ExtensionManagerTest {
  void testMetadataExtension_forbiddenWhenNotToolSource() {
    ExtensionManager manager =
        new TestInstanceBuilder()
-            .setEppRequestSource(EppRequestSource.CONSOLE)
+            .setEppRequestSource(EppRequestSource.TLS)
            .setDeclaredUris()
            .setSuppliedExtensions(MetadataExtension.class)
            .build();
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleBulkDomainActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleBulkDomainActionTest.java
@@ -0,0 +1,242 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_OPTIONAL;
+import static google.registry.model.common.FeatureFlag.FeatureStatus.INACTIVE;
+import static google.registry.testing.DatabaseHelper.createTld;
+import static google.registry.testing.DatabaseHelper.loadByEntity;
+import static google.registry.testing.DatabaseHelper.persistActiveContact;
+import static google.registry.testing.DatabaseHelper.persistDomainWithDependentResources;
+import static google.registry.testing.DatabaseHelper.persistResource;
+import static google.registry.util.DateTimeUtils.START_OF_TIME;
+import static jakarta.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+import static jakarta.servlet.http.HttpServletResponse.SC_OK;
+import static org.mockito.Mockito.when;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSortedMap;
+import com.google.gson.Gson;
+import com.google.gson.JsonElement;
+import com.google.gson.reflect.TypeToken;
+import google.registry.flows.DaggerEppTestComponent;
+import google.registry.flows.EppController;
+import google.registry.flows.EppTestComponent;
+import google.registry.model.common.FeatureFlag;
+import google.registry.model.console.GlobalRole;
+import google.registry.model.console.RegistrarRole;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
+import google.registry.model.domain.Domain;
+import google.registry.model.eppcommon.StatusValue;
+import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.request.auth.AuthResult;
+import google.registry.testing.ConsoleApiParamsUtils;
+import google.registry.testing.FakeClock;
+import google.registry.testing.FakeResponse;
+import google.registry.tools.GsonUtils;
+import java.util.Map;
+import java.util.Optional;
+import org.joda.time.DateTime;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+/** Tests for {@link ConsoleBulkDomainAction}. */
+public class ConsoleBulkDomainActionTest {
+
+  private static final Gson GSON = GsonUtils.provideGson();
+
+  private final FakeClock clock = new FakeClock(DateTime.parse("2024-05-13T00:00:00.000Z"));
+
+  @RegisterExtension
+  final JpaTestExtensions.JpaIntegrationTestExtension jpa =
+      new JpaTestExtensions.Builder().withClock(clock).buildIntegrationTestExtension();
+
+  private EppController eppController;
+  private FakeResponse fakeResponse;
+  private Domain domain;
+
+  @BeforeEach
+  void beforeEach() {
+    persistResource(
+        new FeatureFlag()
+            .asBuilder()
+            .setFeatureName(MINIMUM_DATASET_CONTACTS_OPTIONAL)
+            .setStatusMap(ImmutableSortedMap.of(START_OF_TIME, INACTIVE))
+            .build());
+    eppController =
+        DaggerEppTestComponent.builder()
+            .fakesAndMocksModule(EppTestComponent.FakesAndMocksModule.create(clock))
+            .build()
+            .startRequest()
+            .eppController();
+    createTld("tld");
+    domain =
+        persistDomainWithDependentResources(
+            "example",
+            "tld",
+            persistActiveContact("contact1234"),
+            clock.nowUtc(),
+            clock.nowUtc().minusMonths(1),
+            clock.nowUtc().plusMonths(11));
+  }
+
+  @Test
+  void testSuccess_delete() {
+    ConsoleBulkDomainAction action =
+        createAction(
+            "DELETE",
+            GSON.toJsonTree(
+                ImmutableMap.of("domainList", ImmutableList.of("example.tld"), "reason", "test")));
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_OK);
+    assertThat(fakeResponse.getPayload())
+        .isEqualTo(
+            "{\"example.tld\":{\"message\":\"Command completed"
+                + " successfully\",\"responseCode\":1000}}");
+    assertThat(loadByEntity(domain).getDeletionTime()).isEqualTo(clock.nowUtc());
+  }
+
+  @Test
+  void testSuccess_suspend() throws Exception {
+    User adminUser =
+        persistResource(
+            new User.Builder()
+                .setEmailAddress("email@email.com")
+                .setUserRoles(
+                    new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).setIsAdmin(true).build())
+                .build());
+    ConsoleBulkDomainAction action =
+        createAction(
+            "SUSPEND",
+            GSON.toJsonTree(
+                ImmutableMap.of("domainList", ImmutableList.of("example.tld"), "reason", "test")),
+            adminUser);
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_OK);
+    assertThat(fakeResponse.getPayload())
+        .isEqualTo(
+            "{\"example.tld\":{\"message\":\"Command completed"
+                + " successfully\",\"responseCode\":1000}}");
+    assertThat(loadByEntity(domain).getStatusValues())
+        .containsAtLeast(
+            StatusValue.SERVER_RENEW_PROHIBITED,
+            StatusValue.SERVER_TRANSFER_PROHIBITED,
+            StatusValue.SERVER_UPDATE_PROHIBITED,
+            StatusValue.SERVER_DELETE_PROHIBITED,
+            StatusValue.SERVER_HOLD);
+  }
+
+  @Test
+  void testHalfSuccess_halfNonexistent() throws Exception {
+    ConsoleBulkDomainAction action =
+        createAction(
+            "DELETE",
+            GSON.toJsonTree(
+                ImmutableMap.of(
+                    "domainList",
+                    ImmutableList.of("example.tld", "nonexistent.tld"),
+                    "reason",
+                    "test")));
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_OK);
+    assertThat(fakeResponse.getPayload())
+        .isEqualTo(
+            "{\"example.tld\":{\"message\":\"Command completed"
+                + " successfully\",\"responseCode\":1000},\"nonexistent.tld\":{\"message\":\"The"
+                + " domain with given ID (nonexistent.tld) doesn\\u0027t"
+                + " exist.\",\"responseCode\":2303}}");
+    assertThat(loadByEntity(domain).getDeletionTime()).isEqualTo(clock.nowUtc());
+  }
+
+  @Test
+  void testFailure_badActionString() {
+    ConsoleBulkDomainAction action = createAction("bad", null);
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_BAD_REQUEST);
+    assertThat(fakeResponse.getPayload())
+        .isEqualTo(
+            "No enum constant"
+                + " google.registry.ui.server.console.ConsoleBulkDomainAction.BulkAction.bad");
+  }
+
+  @Test
+  void testFailure_emptyBody() {
+    ConsoleBulkDomainAction action = createAction("DELETE", null);
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_BAD_REQUEST);
+    assertThat(fakeResponse.getPayload()).isEqualTo("Bulk action payload must be present");
+  }
+
+  @Test
+  void testFailure_noPermission() {
+    JsonElement payload =
+        GSON.toJsonTree(ImmutableMap.of("domainList", ImmutableList.of("domain.tld")));
+    ConsoleBulkDomainAction action =
+        createAction(
+            "DELETE",
+            payload,
+            new User.Builder()
+                .setEmailAddress("foobar@theregistrar.com")
+                .setUserRoles(
+                    new UserRoles.Builder()
+                        .setRegistrarRoles(
+                            ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER))
+                        .build())
+                .build());
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_FORBIDDEN);
+  }
+
+  @Test
+  void testFailure_suspend_nonAdmin() {
+    ConsoleBulkDomainAction action =
+        createAction(
+            "SUSPEND",
+            GSON.toJsonTree(
+                ImmutableMap.of("domainList", ImmutableList.of("example.tld"), "reason", "test")));
+    action.run();
+    assertThat(fakeResponse.getStatus()).isEqualTo(SC_OK);
+    Map<String, ConsoleBulkDomainAction.ConsoleEppOutput> payload =
+        GSON.fromJson(fakeResponse.getPayload(), new TypeToken<>() {});
+    assertThat(payload).containsKey("example.tld");
+    assertThat(payload.get("example.tld").responseCode()).isEqualTo(2004);
+    assertThat(payload.get("example.tld").message()).contains("cannot be set by clients");
+    assertThat(loadByEntity(domain)).isEqualTo(domain);
+  }
+
+  private ConsoleBulkDomainAction createAction(String action, JsonElement payload) {
+    User user =
+        persistResource(
+            new User.Builder()
+                .setEmailAddress("email@email.com")
+                .setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build())
+                .build());
+    return createAction(action, payload, user);
+  }
+
+  private ConsoleBulkDomainAction createAction(String action, JsonElement payload, User user) {
+    AuthResult authResult = AuthResult.createUser(user);
+    ConsoleApiParams params = ConsoleApiParamsUtils.createFake(authResult);
+    when(params.request().getMethod()).thenReturn("POST");
+    fakeResponse = (FakeResponse) params.response();
+    return new ConsoleBulkDomainAction(
+        params, eppController, "TheRegistrar", action, Optional.ofNullable(payload));
+  }
+}
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java
@@ -20,6 +20,7 @@ import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.mockito.Mockito.when;

+import com.google.common.collect.ImmutableMap;
 import com.google.gson.Gson;
 import google.registry.model.console.User;
 import google.registry.persistence.transaction.JpaTestExtensions;
@@ -71,6 +72,8 @@ class ConsoleUserDataActionTest {
        GSON.fromJson(((FakeResponse) consoleApiParams.response()).getPayload(), Map.class);
    assertThat(jsonObject)
        .containsExactly(
+            "userRoles",
+            ImmutableMap.of(),
            "isAdmin",
            true,
            "technicalDocsUrl",
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java
@@ -246,6 +246,50 @@ class ConsoleUsersActionTest {
        .isEmpty();
  }

+  @Test
+  void testSuccess_removesRole() throws IOException {
+    User user1 = DatabaseHelper.loadByKey(VKey.create(User.class, "test1@test.com"));
+    AuthResult authResult =
+        AuthResult.createUser(
+            user1
+                .asBuilder()
+                .setUserRoles(user1.getUserRoles().asBuilder().setIsAdmin(true).build())
+                .build());
+    DatabaseHelper.persistResource(
+        new User.Builder()
+            .setEmailAddress("test4@test.com")
+            .setUserRoles(
+                new UserRoles()
+                    .asBuilder()
+                    .setRegistrarRoles(
+                        ImmutableMap.of(
+                            "TheRegistrar",
+                            RegistrarRole.PRIMARY_CONTACT,
+                            "SomeRegistrar",
+                            RegistrarRole.PRIMARY_CONTACT))
+                    .build())
+            .build());
+
+    ConsoleUsersAction action =
+        createAction(
+            Optional.of(ConsoleApiParamsUtils.createFake(authResult)),
+            Optional.of("DELETE"),
+            Optional.of(
+                new UserData("test4@test.com", RegistrarRole.ACCOUNT_MANAGER.toString(), null)));
+
+    action.cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
+    when(directory.users()).thenReturn(users);
+    when(users.delete(any(String.class))).thenReturn(delete);
+    action.run();
+    var response = ((FakeResponse) consoleApiParams.response());
+    assertThat(response.getStatus()).isEqualTo(SC_OK);
+    Optional<User> actualUser =
+        DatabaseHelper.loadByKeyIfPresent(VKey.create(User.class, "test4@test.com"));
+    assertThat(actualUser).isPresent();
+    assertThat(actualUser.get().getUserRoles().getRegistrarRoles().containsKey("TheRegistrar"))
+        .isFalse();
+  }
+
  @Test
  void testFailure_limitedTo4UsersPerRegistrar() throws IOException {
    User user1 = DatabaseHelper.loadByKey(VKey.create(User.class, "test1@test.com"));