Logging Level to Capture confluence-administrator Group Changes in Confluence Admin

Diagnosis

  1. A specific need arises to have users with "System Administrator" permissions in Confluence who are not members of the confluence-administrators group (super users). This is usually driven by a requirement to enforce restrictions on pages and spaces.
  2. The confluence-administrators group's permissions allow access to any restricted space or page, and the problem is that Confluence users with System Administrator permissions can add and remove users in the confluence-administrators group.
  3. This allows users with "System Administrator" permissions to potentially grant access to sensitive or restricted spaces and pages within Confluence. They could then remove users from the confluence-administrators group to cover their tracks.
  4. The default logging levels do not record users being added to or removed from groups.

Resolution

  1. Edit <install-dir>/confluence/WEB-INF/classes/log4j.properties
  2. Search for 'Embedded Crowd logging'
  3. Change the following line to DEBUG level logging (it is set to INFO by default):
log4j.logger.com.atlassian.confluence.user.crowd=DEBUG

  • Monitor <confluence.home>/logs/atlassian-confluence.log for lines like the following, using a cron job or similar:
2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ system-administrators ]
2012-02-23 16:02:58,783 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]


Note: no log line appears at this level when a user is removed from the confluence-administrators group.
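The monitoring step above, written out as an added example that is not part of the Atlassian article: a Python script a cron job could run over atlassian-confluence.log. It matches the addUserToGroup DEBUG line quoted above and raises an alert when the target group is confluence-administrators. The sample log lines beyond the two quoted in the article, the group name marketing-team, and the snapshot-diff helper for catching removals (which the log does not show at this level) are constructed for this example; where the member list for that snapshot comes from is an assumption left outside the script.

```python
import re
from datetime import datetime

# Pattern for the DEBUG line that com.atlassian.confluence.user.crowd emits
# when a user is added to a group (the addUserToGroup line quoted in the
# article). Timestamp, thread, logger, user and group are captured so an
# alert can point back at the exact line.
ADD_TO_GROUP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) DEBUG "
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] "
    r"addUserToGroup adding user \[ (?P<user>.+?) \] "
    r"to group \[ (?P<group>.+?) \]$"
)

# Groups whose membership changes should raise an alert.
WATCHED_GROUPS = frozenset({"confluence-administrators"})

# Constructed sample of atlassian-confluence.log content: the two lines from
# the article, an unrelated INFO line and an addition to a harmless group.
SAMPLE_LOG = """\
2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ system-administrators ]
2012-02-23 16:02:58,783 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]
2012-02-23 16:03:10,001 INFO [http-5090-3] [atlassian.confluence.example.ConstructedLogger] constructed filler line, not a membership change
2012-02-23 16:04:42,500 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ alice ] to group [ marketing-team ]
""".splitlines()


def parse_group_additions(lines):
    """Return one dict per addUserToGroup line, in file order."""
    events = []
    for line in lines:
        m = ADD_TO_GROUP_RE.match(line.rstrip("\r\n"))
        if m is None:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
            "thread": m.group("thread"),
            "logger": m.group("logger"),
            "user": m.group("user"),
            "group": m.group("group"),
        })
    return events


def find_watched_group_additions(lines, watched=WATCHED_GROUPS):
    """Keep only additions to groups listed in `watched`."""
    return [e for e in parse_group_additions(lines) if e["group"] in watched]


def format_alert(event):
    """One-line alert text suitable for mail or a ticket."""
    return (f"{event['time'].isoformat(sep=' ', timespec='milliseconds')} "
            f"user '{event['user']}' added to group '{event['group']}' "
            f"(thread {event['thread']})")


def diff_memberships(previous, current):
    """Compare two membership snapshots of a group; returns (added, removed).

    Removals are not logged at DEBUG level, so a cron job can instead record
    the group's member list on each run (how that list is obtained, e.g. an
    export from the admin UI, is assumed and not shown here) and diff it
    against the previous run's list.
    """
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    for event in find_watched_group_additions(SAMPLE_LOG):
        print("ALERT:", format_alert(event))
    added, removed = diff_memberships(["admin", "ryan"], ["admin"])
    print("snapshot diff -> added:", added, "removed:", removed)
```

In a real deployment the script would read the live log (or the slice since the last run) instead of SAMPLE_LOG, and the membership snapshots would be persisted between runs; the regex is anchored to the exact line shape shown in the article, so a changed log format would need the pattern updated.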


Last modified on Feb 26, 2016
