Is there a way to remove the Sticky flag on a user? If we update something through the UI, you can never update through our SIS interface. We have script to use the api to update passwords even if the sticky flag is on but it overrides the flag, it doesn't remove it.
I had a read through the SIS Imports API Documentation and it appears as though in addition to the override_sis_stickiness parameter, which tells the SIS import to ignore the "stickiness" and override all UI changes, you can include the clear_sis_stickiness parameter to clear the "stickiness" of all fields touched by the import. I haven't tried this myself, but it might be worth testing with your current script.
Interestlingly, it works on every field EXCEPT the password. The documentation doesn't show that password is a sticky field but once you change it in the UI, you can't change it with the upload. We have a script that does a one-time override of the password but it doesn't release the password field so that a future regular import would change if necessary. Names and logins work but password does not. Any ideas?
Perhaps this is not a problem of "stickiness". Like you mentioned, the password field is not a "sticky" field (according to the documentation) so that may explain why the clear_sis_stickiness parameter has no effect on it. Is the account that you are using configured to use an authentication service or SSO (single sign-on) protocol? If so, that may be the reason you are running into problems when trying to change the password through an SIS import (the documentation advises against this - SIS Import Format Documentation).
The only other way to change passwords through the API that I know of is using the Edit a User Login endpoint found here: Logins - Canvas LMS REST API Documentation; however, this option would also require the use of a script rather than your SIS interface.
We don't use an authentication service or SSO. We ran a script that changed all the passwords but apparently if you ever touch one through the UI, there is no way to clear it so that the SIS import will update it.
This [SIS imports not overwriting passwords] is by design.
The most common workflow is for the SIS import to set an initial password, but then if people change it through the UI, you want that to have precedence, even if the override stickiness is checked.
Some schools keep uploading the same SIS file over and over, perhaps with changes. If the SIS import overwrote the password, there would be a lot of people who couldn't login anymore. That's not a good user experience.
If you don't want people to be able to change their passwords through Canvas then you could use an external authentication system or remove the Change Password link (see How to remove "Change Password" profile option ). That's not a real fix, though -- it just makes it harder for them to find it.
You can override the password through the API, which is a less automatic, less likely to run as a bulk process over and over with a password still stuck in there.