Trying to add Confluence users to a group throws "<directory> does not allow updates" error in logs
Symptoms
When trying to add users into a group, the user cannot be added, and the following popup appears:
and the following error log appears in the atlassian-confluence.log
:
2012-09-20 07:03:09,718 INFO [read-only-transaction:thread-1] [atlassian.confluence.user.DefaultUserAccessor] getUserNamesWithConfluenceAccess Could not find group configured with USE permission: null
2012-09-20 07:05:29,343 ERROR [http-8080-4] [bucket.user.DefaultUserAccessor] addMembership Failed to add '<username>' as a member of '<group-name>'
-- referer: http://<confluence-url>/admin/users/docreateuser.action | url: /admin/users/docreateuser.action | userName: admin | action: docreateuser
com.atlassian.user.EntityException: com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update group '<group-name>' because directory '<user-directory-name>' does not allow updates.
...
Caused by: com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update group '<group-name>' because directory '<user-directory-name>' does not allow updates.
Feature request raised to improve the error message being thrown in the UI: - CONFSERVER-54111Getting issue details... STATUS
Cause
The affected user directory does not have permission to perform the required tasks (e.g., creating, editing, and deleting a group/user, etc.).
External Directory
Use the following steps to diagnose and resolve the issue if you have problems adding External Directory users to a group. If the issue is with Internal Directory, skip the steps below and continue with the workaround under the title Internal Directory below.
Diagnosis (External Directory)
- Log in to Confluence as an admin user on the local Confluence directory.
Navigate to > Confluence Admin > User Directories.
- Click Edit on the user directory where the affected user is from.
- Under Permissions, check what is the permission of this current directory, follow the steps below for each permission accordingly below:
Resolution (External Directory)
Resolution 1 - Permission set to Read-Only:
Change the Directory Permissions to Read-Only with Local Groups or Read and Write:
- Read-Only with Local Groups permission will allow you to associate LDAP/External users with local Confluence groups. Changes will not be reflected on the LDAP/External side
- Read and Write permission will allow you to assign LDAP users to any groups. Changes will be reflected in the LDAP/External side.
Resolution 2 - Permission set to Read-Only with Local Groups:
Should the issue persists when the External Directory permission has already been set to Read-Only with Local Groups, This means that the group that we're inserting the user into already exists in LDAP side. Confluence Admins will not be able to add users into groups that already exist on the LDAP side. Choose either the following as a solution:
- Change the Directory Permissions to Read and Write.
- Add the user-group membership from the LDAP side.
- Remove the group from the LDAP side.
Internal directory
Use the following steps to diagnose and resolve the issue if you are having problems adding a local Confluence user to a Confluence group:
Diagnosis (Internal directory)
Run the following SQL queries against the Confluence database:
SELECT COUNT(*)
FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D
WHERE O.DIRECTORY_ID = D.ID
AND D.DIRECTORY_NAME = 'Confluence Internal Directory';
SELECT COUNT(*)
FROM
CWD_APP_DIR_OPERATION O,
CWD_APP_DIR_MAPPING M,
CWD_DIRECTORY D
WHERE O.directory_id=M.ID
AND M.DIRECTORY_ID = D.ID
AND D.DIRECTORY_NAME = 'Confluence Internal Directory';
Using SQL Server
SELECT COUNT(*)
FROM dbo.cwd_directory_operation O, dbo.cwd_directory D
WHERE O.directory_id = D.id
AND D.directory_name = 'Confluence Internal Directory';
SELECT COUNT(*)
FROM
dbo.cwd_directory_operation O,
dbo.cwd_app_dir_mapping M,
dbo.cwd_directory D
WHERE O.app_dir_mapping_id=M.id
AND M.directory_id=D.id
AND D.directory_name = 'Confluence Internal Directory';
Depending on your output to these queries, proceed to the following resolution below:
- If the output is 12 for both queries: Go to Resolution 1.
- If the output is less than 12 for either query: Go to Resolution 2 (only for Confluence 3.5.x and above).
Resolution 1 (Internal directory)
Flush Confluence's cache by going to > General Configuration > Cache Statistics and click Flush All.
Resolution 2 (Internal directory)
Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.