One of our administrative users was suddenly removed from the confluence-administrators group, seemingly by the system itself (the other administrators didn't do it).
According to another post in the forum, it could be one of the installed apps that did it. There are dozens of System apps installed; how do I tell what they do and if they did this? How do I prevent this in the future?
Hello @Michael VanHorn
In Confluence Data Center, that kind of audit entry can also appear when the change was made by a system process where Confluence does not have a normal human actor to show.
It fits that behavior quite well: https://jira.atlassian.com/browse/CONFSERVER-54007
Check your raw backend Confluence application logs from that exact timestamp. Basic Audit logs are useless.
Like, don't get yourself distracted by 1000 other things.
Identify first what is responsible for that and go from there.
Best,
Arkadiusz 🤠
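One way to carry out the log check suggested above, added here as an example that is not part of the original thread: it pulls every application-log entry within a few minutes of the audit-log timestamp and keeps stack-trace lines attached to their entry. It assumes the usual `YYYY-MM-DD HH:MM:SS,mmm` line prefix; the sample lines, logger names and the user `jdoe` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed line prefix of atlassian-confluence.log: "2024-05-14 09:31:07,412 LEVEL [thread] ..."
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")

def entries(lines):
    """Group raw lines into [timestamp, text] entries; lines without a
    timestamp (stack traces, wrapped messages) join the preceding entry."""
    current = None
    for line in lines:
        m = TS.match(line)
        if m:
            if current:
                yield current
            current = [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), line.rstrip("\n")]
        elif current:
            current[1] += "\n" + line.rstrip("\n")
    if current:
        yield current

def around(lines, audit_time, minutes=2, terms=()):
    """Return entries within +/- minutes of the audit-log time; if terms are
    given, keep only entries mentioning at least one (case-insensitive)."""
    centre = datetime.strptime(audit_time, "%Y-%m-%d %H:%M:%S")
    span = timedelta(minutes=minutes)
    hits = []
    for ts, text in entries(lines):
        if abs(ts - centre) <= span:
            low = text.lower()
            if not terms or any(t.lower() in low for t in terms):
                hits.append(text)
    return hits

# Constructed sample lines (not real Confluence output); user "jdoe" is hypothetical.
SAMPLE = """\
2024-05-14 09:12:00,101 INFO [Caesium-1-2] [example.scheduler.Job] run nightly index flush
2024-05-14 09:31:07,412 INFO [http-nio-8090-exec-7] [example.sso.GroupSync] sync user jdoe: groups from IdP = []
2024-05-14 09:31:07,455 WARN [http-nio-8090-exec-7] [example.sso.GroupSync] sync removing jdoe from confluence-administrators
    at example.sso.GroupSync.apply(GroupSync.java:88)
2024-05-14 09:31:09,020 INFO [http-nio-8090-exec-3] [example.web.Page] view page 1234
2024-05-14 11:00:00,000 INFO [Caesium-1-1] [example.scheduler.Job] run jdoe report
""".splitlines()

if __name__ == "__main__":
    for hit in around(SAMPLE, "2024-05-14 09:31:08", terms=("jdoe", "confluence-administrators")):
        print(hit, "\n---")
```

Run it first without `terms` to see everything that happened in the window; the thread name on the matching entry shows whether the change came from an HTTP request, such as a login, or from a scheduled job.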
Yes, we are using the University's SAML authentication provider. However, that provider has no authority inside Confluence. I'm not even sure how the provider removing a user in Confluence from a group would even be possible.
So, I'm sure it wasn't the authentication server who removed the user.
From my reading of the documentation and forum posts, when the Audit Log shows an action having been taken by Anonymous, it means it was the system itself doing something, like an automated task. I have not created any automated tasks.
When you are using an identity provider, you can tie access to groups; those groups can then be removed by that identity provider, removing that user's access. This is actually how it is set up where I work right now. So that is why I recommended checking the identity provider logs for the time that this user was removed. It couldn't hurt for sure, and maybe it won't tell you why it was deleted, but it could provide some more details on what's going on.
As for what anonymous user means, I am not sure. I did look this up and couldn't find anyone confirming what it actually means.
The question is marked with Server/Data Center. You say that a SAML authentication provider is used. This implies the use of an SSO app — many 3rd party SSO apps do have this functionality to sync user groups on login based on the groups sent by the IdP in the SAML LoginResponse message. Often they also trigger a re-sync via backend AD/LDAP connection. This one in particular will be done as anonymous/system. In
So in essence @Jason Krewson's suggestion is correct — check your IdP and check your backend directory.
I am positive there is no group in our authentication server called "confluence-administrators". The only thing we do against that server is authentication.
So I suppose Confluence could be updating that user's information from the server, determining that that user isn't in the confluence-administrators group in the authentication server (since there is no such group), and then removing them from that group in Confluence.
How do you stop Confluence from thinking that the groups in the authentication server matter?
@Michael VanHorn this all depends on what exactly is configured.
You should really direct this query + detailed configuration at Atlassian support (at support.atlassian.com – get through the AI chat and eventually there will be a link to submit a ticket), not the free Atlassian Community. Asking for support here is like asking for support on Atlassian-specific Facebook — sure someone may just point you in the right direction, but you should not be sharing specifics with any of us. And this question (I think) will require specifics.
I'm guessing you checked the logs and that is where you are seeing the removed by anonymous?
Are you connected to an identity provider for authentication?
If so, maybe the user was removed by that and the logs just didn't catch that the identity provider removed the user. You could check in the identity provider's logs also; that might provide more information on this.
But it seems that, whatever removed the user, Confluence didn't catch the person's name. Maybe an Atlassian ticket would help here, but not sure.