Logging Level to Capture confluence-administrator Group Changes in Confluence Admin

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Diagnosis

  1. A specific need arises for users to have "System Administrator" permissions in Confluence without being members of the confluence-administrators group (super users). This is usually due to requirements to enforce restrictions on pages/spaces.

  2. The confluence-administrators group permissions allow access to any restricted spaces/pages. The problem is that Confluence users with System Administrator permissions can add users to, and remove users from, the confluence-administrators group.

  3. This allows users with "System Administrator" permissions to potentially grant access to sensitive/restricted spaces and pages within Confluence. They could then remove users from the confluence-administrators group to cover their tracks.

  4. Default logging levels do not log activity for adding users to or removing users from groups.

Resolution

  1. Edit <install-dir>/confluence/WEB-INF/classes/log4j.properties

  2. Search for 'Embedded Crowd logging'

  3. Change this line to DEBUG level logging (the default is INFO):

    log4j.logger.com.atlassian.confluence.user.crowd=DEBUG

  • Monitor <confluence.home>/logs/atlassian-confluence.log, using a cron job or similar, for lines similar to these:

    2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ system-administrators ]
    2012-02-23 16:02:58,783 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]

ℹ️ No logging is apparent at this level when removing a user from the confluence-administrators group.
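
One way to do the monitoring step from cron, as an added example that is not Atlassian's code: it matches the addUserToGroup line format shown above and reports only additions to confluence-administrators, since removals are not logged at this level. The state file that stores the last-read byte offset, the script's exit codes and the ALERT message format are assumptions of this example.

```python
import os
import re
import sys

# Line layout taken from the sample DEBUG output in the article.
ADD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) DEBUG .*?"
    r"CachedCrowdMembershipDao\] addUserToGroup adding user "
    r"\[ (?P<user>.+?) \] to group \[ (?P<group>.+?) \]"
)
WATCHED_GROUP = "confluence-administrators"


def find_admin_additions(lines, group=WATCHED_GROUP):
    """Return (timestamp, user) for every line that adds a user to `group`."""
    hits = []
    for line in lines:
        m = ADD_RE.match(line)
        if m and m.group("group") == group:
            hits.append((m.group("ts"), m.group("user")))
    return hits


def scan_new_lines(log_path, state_path):
    """Scan only what was appended to the log since the previous run."""
    # state_path is a hypothetical helper file holding the processed byte offset.
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = int(fh.read().strip() or 0)
    if os.path.getsize(log_path) < offset:
        offset = 0  # log is shorter than last time: it was rotated, start over
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # leave a half-written last line for next run
    with open(state_path, "w") as fh:
        fh.write(str(offset + end))
    return find_admin_additions(data[:end].decode("utf-8", "replace").splitlines())


if __name__ == "__main__":
    # Usage: script.py <atlassian-confluence.log> <state-file>
    found = scan_new_lines(sys.argv[1], sys.argv[2])
    for ts, user in found:
        print(f"ALERT {ts}: user '{user}' added to {WATCHED_GROUP}")
    sys.exit(1 if found else 0)  # non-zero exit lets a cron wrapper notify
```

Keep the state file somewhere the Confluence service account cannot write, so that a System Administrator cannot advance the offset past an entry.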

Updated on April 8, 2025
