Automatically adding users into groups when users first login does not work

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Problem

When Confluence is connected to an external user directory, the directory configuration has a Default Group Memberships setting that automatically adds users to the listed groups when they first log in.

However, when users log in, they are not automatically assigned to this group. This is usually accompanied by a "Not Permitted" error, because the group assigned is usually the group that has the "Can-Use" permission.

The following appears in the atlassian-confluence.log:

2019-03-13 12:27:04,562 ERROR [http-nio-26141-exec-3] [core.event.listener.AutoGroupAdderListener] handleEvent Could not auto add user to group: Group <confluence-users> is read-only and cannot be updated
 -- referer: http://localhost:26141/c6141/dologin.action | url: /c6141/dologin.action | traceId: 5a4b7669ec417ff8
com.atlassian.crowd.exception.ReadOnlyGroupException: Group <confluence-users> is read-only and cannot be updated
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.addUserToGroup(DbCachingRemoteDirectory.java:727)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.addUserToGroup(DirectoryManagerGeneric.java:633)
    at com.atlassian.crowd.core.event.listener.AutoGroupAdderListener.handleEvent(AutoGroupAdderListener.java:86)
    at com.atlassian.crowd.core.event.listener.AutoGroupAdderListener.handleEvent(AutoGroupAdderListener.java:53)
    ...

Diagnosis

  • User directory is a Connector with the "Read Only, with Local Groups" permission

    • Default Group Memberships setting has been configured, and the field is not empty

  • User Directory is a Delegated directory (Internal with LDAP Authentication)

    • Copy User on Login has been ticked

    • Default Group Memberships setting has been configured, and the field is not empty

Cause

A group with the same name exists on the LDAP side. This prevents users from being added to the group automatically. In the example error message above, the issue is that a group named "confluence-users" already exists on the LDAP side.
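The following is an added example, not part of the original article and not Atlassian code: a Python scan of atlassian-confluence.log lines that summarises, per group, how often the AutoGroupAdderListener error above occurred, so you know which default group names to look for on the LDAP side. The function name, the `wiki-staff` group and the last two sample lines are constructed for illustration.

```python
import re
import sys

# Matches the AutoGroupAdderListener error line quoted in this article and
# captures the timestamp and the group name between the angle brackets.
AUTO_ADD_FAILURE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR \[[^\]]+\] "
    r"\[core\.event\.listener\.AutoGroupAdderListener\] handleEvent "
    r"Could not auto add user to group: "
    r"Group <(?P<group>[^>]+)> is read-only and cannot be updated"
)

def read_only_group_failures(lines):
    """Summarise failed auto-add events per group (hypothetical helper)."""
    summary = {}
    for line in lines:
        match = AUTO_ADD_FAILURE.search(line)
        if match is None:
            continue  # stack-trace and unrelated lines are not counted
        entry = summary.setdefault(
            match["group"], {"count": 0, "first": match["ts"], "last": match["ts"]}
        )
        entry["count"] += 1
        entry["last"] = match["ts"]  # log lines are in chronological order
    return summary

# The first three lines come from the article; the last two are constructed.
SAMPLE_LOG = """\
2019-03-13 12:27:04,562 ERROR [http-nio-26141-exec-3] [core.event.listener.AutoGroupAdderListener] handleEvent Could not auto add user to group: Group <confluence-users> is read-only and cannot be updated
 -- referer: http://localhost:26141/c6141/dologin.action | url: /c6141/dologin.action | traceId: 5a4b7669ec417ff8
com.atlassian.crowd.exception.ReadOnlyGroupException: Group <confluence-users> is read-only and cannot be updated
2019-03-13 12:31:40,101 ERROR [http-nio-26141-exec-7] [core.event.listener.AutoGroupAdderListener] handleEvent Could not auto add user to group: Group <confluence-users> is read-only and cannot be updated
2019-03-13 12:40:12,900 ERROR [http-nio-26141-exec-2] [core.event.listener.AutoGroupAdderListener] handleEvent Could not auto add user to group: Group <wiki-staff> is read-only and cannot be updated
""".splitlines()

if __name__ == "__main__":
    # Pass the path to atlassian-confluence.log, or run without arguments
    # to use the sample lines above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            result = read_only_group_failures(handle)
    else:
        result = read_only_group_failures(SAMPLE_LOG)
    for group, info in result.items():
        print(f"{group}: {info['count']} failure(s), {info['first']} to {info['last']}")
```

Each group name reported is one to check against the LDAP directory for a group of the same name.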

Solution

Resolution

For Confluence to automatically assign users to groups when they first log in, the group must not exist on the LDAP side.

The resolution is to do one of the following:

  • Delete the group on the LDAP side

  • Assign groups manually, and change the Permission to

    • Read Only (the group assignment is only done on the LDAP side) or

    • Read and Write (allow Confluence to change group membership on the LDAP side)

Updated on April 15, 2025
