Trying to add Confluence users to a group throws "<directory> does not allow updates" error in logs


For Atlassian eyes only

This article is Not Validated and cannot be shared with customers.

Symptoms

When trying to add users into a group, the user cannot be added, and the following popup appears:

and the following error log appears in the atlassian-confluence.log:

2012-09-20 07:03:09,718 INFO [read-only-transaction:thread-1] [atlassian.confluence.user.DefaultUserAccessor] getUserNamesWithConfluenceAccess Could not find group configured with USE permission: null
2012-09-20 07:05:29,343 ERROR [http-8080-4] [bucket.user.DefaultUserAccessor] addMembership Failed to add '<username>' as a member of '<group-name>'
 -- referer: http://<confluence-url>/admin/users/docreateuser.action | url: /admin/users/docreateuser.action | userName: admin | action: docreateuser
com.atlassian.user.EntityException: com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update group '<group-name>' because directory '<user-directory-name>' does not allow updates.
...
Caused by: com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update group '<group-name>' because directory '<user-directory-name>' does not allow updates.

Feature request raised to improve the error message being thrown in the UI: CONFSERVER-54111

Cause

The affected user directory does not have permission to perform the required tasks (e.g., creating, editing, and deleting a group/user, etc.). 

External Directory

Use the following steps to diagnose and resolve the issue if you have problems adding External Directory users to a group. If the issue is with the Internal Directory, skip these steps and continue with the workaround under the title Internal directory below.

Diagnosis (External Directory)

  1. Log in to Confluence as an admin user on the local Confluence directory.
  2. Navigate to Confluence Admin > User Directories.

  3. Click Edit on the user directory where the affected user is from.
  4. Under Permissions, check which permission is set for this directory, then follow the matching resolution below.

Resolution (External Directory)

Resolution 1 - Permission set to Read-Only:

Change the Directory Permissions to Read-Only with Local Groups or Read and Write:

  • Read-Only with Local Groups permission will allow you to associate LDAP/External users with local Confluence groups. Changes will not be reflected on the LDAP/External side.
  • Read and Write permission will allow you to assign LDAP users to any groups. Changes will be reflected on the LDAP/External side.

Resolution 2 - Permission set to Read-Only with Local Groups:

If the issue persists when the External Directory permission has already been set to Read-Only with Local Groups, the group that the user is being added to already exists on the LDAP side. Confluence admins will not be able to add users to groups that already exist on the LDAP side. Choose one of the following as a solution:

  • Change the Directory Permissions to Read and Write.
  • Add the user-group membership from the LDAP side.
  • Remove the group from the LDAP side.

Internal directory

Use the following steps to diagnose and resolve the issue if you are having problems adding a local Confluence user to a Confluence group:

Diagnosis (Internal directory)

Run the following SQL queries against the Confluence database:

Query 1

    -- Operations granted on the directory itself
    SELECT COUNT(*)
    FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D
    WHERE O.DIRECTORY_ID = D.ID
      AND D.DIRECTORY_NAME = 'Confluence Internal Directory';

Query 2

    -- Operations granted on the application-to-directory mapping;
    -- CWD_APP_DIR_OPERATION rows are keyed by the mapping ID
    SELECT COUNT(*)
    FROM
      CWD_APP_DIR_OPERATION O,
      CWD_APP_DIR_MAPPING M,
      CWD_DIRECTORY D
    WHERE O.APP_DIR_MAPPING_ID = M.ID
      AND M.DIRECTORY_ID = D.ID
      AND D.DIRECTORY_NAME = 'Confluence Internal Directory';

Using SQL Server

Query 1

    SELECT COUNT(*)
    FROM dbo.cwd_directory_operation O, dbo.cwd_directory D
    WHERE O.directory_id = D.id
      AND D.directory_name = 'Confluence Internal Directory';

Query 2

    -- Counts rows in cwd_app_dir_operation, the table Query 2 is about
    SELECT COUNT(*)
    FROM
      dbo.cwd_app_dir_operation O,
      dbo.cwd_app_dir_mapping M,
      dbo.cwd_directory D
    WHERE O.app_dir_mapping_id = M.id
      AND M.directory_id = D.id
      AND D.directory_name = 'Confluence Internal Directory';



Depending on the output of these queries, proceed to the matching resolution below:

  • If the output is 12 for both queries: Go to Resolution 1.
  • If the output is less than 12 for either query: Go to Resolution 2 (only for Confluence 3.5.x and above).
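
The counts above show that operations are missing but not which ones. The following query is an added example, not part of the original article: it lists each of the 12 operations that is absent for the directory, at both the directory level and the application-mapping level, so that only the missing rows need to be inserted and the change can be reviewed. The column name OPERATION_TYPE and the EXPECTED list name are assumptions to check against your schema.

```sql
-- Added example, not from the original article.
-- Assumptions: the operation column is OPERATION_TYPE in both tables, and the
-- database supports common table expressions (WITH). Match identifier case to
-- your schema. Oracle needs FROM DUAL after each SELECT in the list below.
WITH EXPECTED (OPERATION_TYPE) AS (
            SELECT 'CREATE_GROUP'
  UNION ALL SELECT 'CREATE_ROLE'
  UNION ALL SELECT 'CREATE_USER'
  UNION ALL SELECT 'DELETE_GROUP'
  UNION ALL SELECT 'DELETE_ROLE'
  UNION ALL SELECT 'DELETE_USER'
  UNION ALL SELECT 'UPDATE_GROUP'
  UNION ALL SELECT 'UPDATE_GROUP_ATTRIBUTE'
  UNION ALL SELECT 'UPDATE_ROLE'
  UNION ALL SELECT 'UPDATE_ROLE_ATTRIBUTE'
  UNION ALL SELECT 'UPDATE_USER'
  UNION ALL SELECT 'UPDATE_USER_ATTRIBUTE'
)
-- Directory level: expected operations with no row in CWD_DIRECTORY_OPERATION
SELECT 'CWD_DIRECTORY_OPERATION' AS SOURCE_TABLE, E.OPERATION_TYPE AS MISSING_OPERATION
FROM CWD_DIRECTORY D
CROSS JOIN EXPECTED E
LEFT JOIN CWD_DIRECTORY_OPERATION O
       ON O.DIRECTORY_ID = D.ID
      AND O.OPERATION_TYPE = E.OPERATION_TYPE
WHERE D.DIRECTORY_NAME = 'Confluence Internal Directory'
  AND O.DIRECTORY_ID IS NULL
UNION ALL
-- Mapping level: expected operations with no row in CWD_APP_DIR_OPERATION
SELECT 'CWD_APP_DIR_OPERATION', E.OPERATION_TYPE
FROM CWD_DIRECTORY D
JOIN CWD_APP_DIR_MAPPING M ON M.DIRECTORY_ID = D.ID
CROSS JOIN EXPECTED E
LEFT JOIN CWD_APP_DIR_OPERATION O
       ON O.APP_DIR_MAPPING_ID = M.ID
      AND O.OPERATION_TYPE = E.OPERATION_TYPE
WHERE D.DIRECTORY_NAME = 'Confluence Internal Directory'
  AND O.APP_DIR_MAPPING_ID IS NULL
ORDER BY 1, 2;
```

An empty result corresponds to a count of 12 in both diagnostic queries. Each returned row names the table and the operation that is missing from it.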

Resolution 1 (Internal directory)

Flush Confluence's cache by going to General Configuration > Cache Statistics and clicking Flush All.

Resolution 2 (Internal directory)

Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.

If "Query 1" returns a value less than 12:

  1. Replace <user-directory-name> with the problematic user directory name and execute this SQL query to find the Directory ID:

    SELECT ID AS DIRECTORY_ID FROM CWD_DIRECTORY WHERE DIRECTORY_NAME='<user-directory-name>';
  2. Replace <directory-id> in the following queries with the Directory ID acquired from Step 1.
  3. Execute the following queries to grant permissions for the directory. If a query returns an error saying that a row with those values already exists, ignore it and proceed to the next query. One or more permissions are missing and they will be added using these queries.

    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_GROUP');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_ROLE');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_USER');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_GROUP');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_ROLE');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_USER');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_GROUP');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_GROUP_ATTRIBUTE');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_ROLE');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_ROLE_ATTRIBUTE');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_USER');
    INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_USER_ATTRIBUTE');
    
  4. Restart Confluence.


If "Query 2" returns a value less than 12:

  1. Replace <user-directory-name> with the problematic user directory name and run the following query to get the Mapping ID of the Directory:

    SELECT M.ID AS MAPPING_ID FROM CWD_APP_DIR_MAPPING M, CWD_DIRECTORY D WHERE M.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<user-directory-name>';
  2. Replace <mapping-id> in the following queries with the Mapping ID acquired from Step 1.
  3. Execute the following queries to grant permissions for the application directory. If a query returns an error saying that a row with those values already exists, ignore it and proceed to the next query. One or more permissions are missing and they will be added using these queries.

    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'CREATE_GROUP');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'CREATE_ROLE');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'CREATE_USER');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'DELETE_GROUP');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'DELETE_ROLE');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'DELETE_USER');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'UPDATE_GROUP');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'UPDATE_GROUP_ATTRIBUTE');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'UPDATE_ROLE');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'UPDATE_ROLE_ATTRIBUTE');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'UPDATE_USER');
    INSERT INTO CWD_APP_DIR_OPERATION VALUES(<mapping-id>, 'UPDATE_USER_ATTRIBUTE');
  4. Restart Confluence.

Last modified on Jun 19, 2023
