Diagnosis

1. Specific need arises to have users with "System Administrator" permissions in Confluence but not be in the confluence-administrators group (super users). This is usually due to requirements to enforce restrictions to pages/spaces.
2. The confluence-administrators group permissions allow access to any restricted spaces/pages and the problem arises that Confluence users with System Administrator permissions can add/remove users to the confluence-administrators group.
3. This allows users with "System Administrator" permissions to potentially grant  access to sensitive/restricted spaces and pages within Confluence. They could then remove users from the confluence-administrators group to cover their tracks.
4. Default logging levels do not log activity for adding and removing users to groups.

Resolution

1. Edit <install-dir>/confluence/WEB-INF/classes/log4j.properties
2. Search for 'Embedded Crowd logging'
3. Change this line to DEBUG level logging (default set at INFO initially)

log4j.logger.com.atlassian.confluence.user.crowd=DEBUG

• Monitor the <confluence.home>/logs/atlassian-confluence.log for lines similar to this using a cron job or similar:

2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ system-administrators ]
2012-02-23 16:02:58,783 DEBUG [http-5090-2] 
[confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]

No logging is apparent at this level when removing a user from the confluence-administrators group.