Log inSkip to main contentSkip to sidebar
Something went wrong, please try again.
Create and track feature requests for Atlassian products.
  • More
    DashboardsProjectsIssues
  • Give feedback to Atlassian
  • Help
    • Jira Core help
    • Keyboard Shortcuts
    • About Jira
    • Jira Credits
  • Log In
IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.

Created recently

  • All issues
  • Open issues
  • Done issues
  • Viewed recently
  • Created recently
  • Resolved recently
  • Updated recently
View all issues and filters
Order by Created
  1. Bug
    CONFSERVER-100309Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance.
  2. Bug
    CONFSERVER-100308Publishing a page created from a plugin blueprint fails depending on the size of the template
  3. Bug
    CONFSERVER-100298Reminders are deleted from all Custom Event Types, when a single Custom Event Type is deleted.
  4. Bug
    CONFSERVER-100297The Labelled Content page for a label tied to attachments are not rendered after a cache flush/system restart
  5. Bug
    CONFSERVER-100296Pages with "Spaces List" macro cannot be loaded on mobile browsers
  6. Bug
    CONFSERVER-100281Space HTML Export renders page links in Children Display Macro as Full URL when Faster Permission is enabled
  7. Bug
    CONFSERVER-100280Synchronization Fails in Confluence 9.2 when using a Clustered LDAP
  8. Suggestion
    CONFSERVER-100261Improve Excel/Word/PDF previews within Macros
  9. Suggestion
    CONFSERVER-100260[Confluence Cloud] More flexible Smart Link display options in Confluence (Jira links without title)
  10. Suggestion
    CONFSERVER-100257Page Copy should provide option to exclude unused attachments
  11. Bug
    CONFSERVER-100256Legacy Jira Project Key breaks Advanced Roadmap Macro
  12. Bug
    CONFSERVER-100255Popular Labels macro resulted in 500 Internal Server Error on REST API request for Page Body
  13. Suggestion
    CONFSERVER-100230Page Attachments Feature Improvement Request
  14. Bug
    CONFSERVER-100229Analytics Direct‑URL Bypass Ignores Global Analytics Permissions in Confluence Data Center
  15. Bug
    CONFSERVER-100228Users are unable to be granted system administrator privileges via a nested group or AD group
  16. Bug
    CONFSERVER-100225Cannot search for attachment content on Confluence 9.2 branch
  17. Bug
    CONFSERVER-100201Slow scrolling on a page with tables causes repositioning on the last row in Webkit browsers (Chrome/Chromium)
Refresh results
1 of 17
Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-100309

Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance.

Log In
Needs Triage
Export
undefinedView workflow
XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: High High
    • None
    • 9.2.6, 8.5.24
    • Server - Authentication, User - Global / Space Permissions
    • None
    • Severity 2 - Major
    • View Atlassian Server bug fix policy

      Summary

      Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on CONFSERVER-81515 and Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.

      Version info

      • Confluence 9.2.6 LTS

      Description

      Issue Summary

      Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.

      Steps to Reproduce

      1. Deploy a Confluence 9.2.6.
      2. Configure SSO/SAML integration in Confluence (optional).
      3. Configure an external directory in Confluence and synchronize groups.
      4. Add such groups to Confluence's Global Permission and grant them admin permissions.
      5. Remove the external directory from Confluence.
      6. Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a Not found message below them.
      7. Try to authenticate with a user that is not a member of the confluence-administrator group.

      Expected Results

      Users not in an administrative group should be able to authenticate.

      Actual Results

      Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.

      2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n  ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
      2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
      2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
      2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
      2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n  ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
      2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause:  -- traceId: b7fcde203d7c60de 

      That's associated with the following situation on Global Permissions:

      Workaround

      Workaround 1: Remove all admin permissions for all 'not found' groups.

      Workaround 2: Use the web UI to remove the 'not found' group records from the Global Permissions menu.

      Workaround 3: Delete the faulty groups from the database:

      1. Stop your instance.
      2. Make a full database backup,
      3. On the database, run the following query to get the records for the deleted group:
        SELECT * 
        FROM spacepermissions 
        WHERE permgroupname not in (Select group_name from cwd_group); 
      4. Delete these records after verification:
        DELETE
        FROM spacepermissions
        WHERE permgroupname not in (Select group_name from cwd_group);
      5. Start your instance and check if the users can authenticate.

            • Sort By Name
            • Sort By Date
            • Ascending
            • Descending
            • Thumbnails
            • List
        1. image-2025-07-17-17-04-17-703.png
          image-2025-07-17-17-04-17-703.png
          59 kB
          17/Jul/2025 8:04 PM

        relates to

        Suggestion - CONFSERVER-81515 Delete Group Permissions( for the groups deleted from external user directory) from Global/Space Permission pages

        • Gathering Interest

              • All
              • Comments
              • Work Log
              • History
              • Activity
              Robert Louie made changes - 5 minutes ago
              Description Original: h2. Summary

              Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/]
              h2. Version info
               * Confluence 9.2.6 LTS

              h2. Description
              h3. Issue Summary

              Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
              h3. Steps to Reproduce
               # {color:#172b4d}Deploy a Confluence 9.2.6.{color}
               # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color}
               # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color}
               # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color}
               # {color:#172b4d}Remove the external directory from Confluence.{color}
               # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color}
               # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color}

              h3. Expected Results

              Users not in an administrative group should be able to authenticate.
              h3. Actual Results

              Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
              {code:java}
              2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
              2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
              2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code}
              That's associated with the following situation on Global Permissions:

              !image-2025-07-17-17-04-17-703.png|width=988,height=274!
              h3. Workaround

              *Workaround 1:* Remove all admin permissions for all 'not found' groups.

              *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu.

              *Workaround 3:* Delete the faulty groups from the database:
               # Stop your instance.
               # Make a full database backup,
               # On the database, run the following query to get the records for the deleted group:
              {code:sql}
              SELECT * 
              FROM spacepermissions 
              WHERE permgroupname not in (Select group_name from cwd_group); {code}

               # Delete these records after verification:
              {code:sql}
              DELETE
              FROM spacepermissions
              WHERE permgroupname not in (Select group_name from cwd_group);{code}

               # Start your instance and check if the users can authenticate.
              New: h2. Summary

              Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/]
              h2. Version info
               * Confluence 9.2.6 LTS

              h2. Description
              h3. Issue Summary

              Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
              h3. Steps to Reproduce
               # {color:#172b4d}Deploy a Confluence 9.2.6.{color}
               # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color}
               # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color}
               # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color}
               # {color:#172b4d}Remove the external directory from Confluence.{color}
               # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color}
               # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color}

              h3. Expected Results

              Users not in an administrative group should be able to authenticate.
              h3. Actual Results

              Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
              {code:java}
              2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
              2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
              2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code}
              That's associated with the following situation on Global Permissions:

              !image-2025-07-17-17-04-17-703.png|width=988,height=274!
              h3. Workaround

              *Workaround 1:* Remove all admin permissions for all 'not found' groups.

              *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu.

              *Workaround 3:* Delete the faulty groups from the database:
               # Stop your instance.
               # Make a full database backup,
               # On the database, run the following query to get the records for the deleted group:
              {code:sql}
              SELECT * 
              FROM spacepermissions 
              WHERE permgroupname not in (Select group_name from cwd_group); {code}
               # Delete these records after verification:
              {code:sql}
              DELETE
              FROM spacepermissions
              WHERE permgroupname not in (Select group_name from cwd_group);{code}
               # Start your instance and check if the users can authenticate.
              Robert Louie made changes - 11 minutes ago
              Link New: This issue relates to CONFSERVER-81515 [ CONFSERVER-81515 ]
              Robert Louie made changes - 34 minutes ago
              Affects Version/s Original: 8.5.21 [ 112195 ]
              Affects Version/s New: 8.5.24 [ 113025 ]
              Robert Louie made changes - 34 minutes ago
              Affects Version/s New: 8.5.21 [ 112195 ]
              Marcelo da Costa made changes - 2 hours ago
              Description Original: h2. Summary

              Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/]
              h2. Version info
               * Confluence 9.2.6 LTS

              h2. Description
              h3. Issue Summary

              Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
              h3. Steps to Reproduce
               # {color:#172b4d}Deploy a Confluence 9.2.6.{color}
               # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color}
               # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color}
               # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color}
               # {color:#172b4d}Remove the external directory from Confluence.{color}
               # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color}
               # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color}

              h3. Expected Results

              Users not in an administrative group should be able to authenticate.
              h3. Actual Results

              Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
              {code:java}
              2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
              2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
              2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code}
              That's associated with the following situation on Global Permissions:

              !image-2025-07-17-15-39-27-446.png|width=624,height=173!
              h3. Workaround

              *Workaround 1:* Remove all admin permissions for all 'not found' groups.

              *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu.

              *Workaround 3:* Delete the faulty groups from the database:
               # Stop your instance.
               # Make a full database backup,
               # On the database, run the following query to get the records for the deleted group:
              {code:sql}
              SELECT * 
              FROM spacepermissions 
              WHERE permgroupname not in (Select group_name from cwd_group); {code}
               # Delete these records after verification:
              {code:sql}
              DELETE
              FROM spacepermissions
              WHERE permgroupname not in (Select group_name from cwd_group);{code}
               # Start your instance and check if the users can authenticate.
              New: h2. Summary

              Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/]
              h2. Version info
               * Confluence 9.2.6 LTS

              h2. Description
              h3. Issue Summary

              Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
              h3. Steps to Reproduce
               # {color:#172b4d}Deploy a Confluence 9.2.6.{color}
               # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color}
               # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color}
               # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color}
               # {color:#172b4d}Remove the external directory from Confluence.{color}
               # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color}
               # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color}

              h3. Expected Results

              Users not in an administrative group should be able to authenticate.
              h3. Actual Results

              Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
              {code:java}
              2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
              2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
              2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code}
              That's associated with the following situation on Global Permissions:

              !image-2025-07-17-17-04-17-703.png|width=988,height=274!
              h3. Workaround

              *Workaround 1:* Remove all admin permissions for all 'not found' groups.

              *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu.

              *Workaround 3:* Delete the faulty groups from the database:
               # Stop your instance.
               # Make a full database backup,
               # On the database, run the following query to get the records for the deleted group:
              {code:sql}
              SELECT * 
              FROM spacepermissions 
              WHERE permgroupname not in (Select group_name from cwd_group); {code}

               # Delete these records after verification:
              {code:sql}
              DELETE
              FROM spacepermissions
              WHERE permgroupname not in (Select group_name from cwd_group);{code}

               # Start your instance and check if the users can authenticate.
              Marcelo da Costa made changes - 2 hours ago
              Attachment New: image-2025-07-17-17-04-17-703.png [ 506196 ]
              Ricardo Schieber made changes - 2 hours ago
              Description Original: h2. Summary

              Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/]
              h2. Version info
               * Confluence 9.2.6 LTS

              h2. Description
              h3. Issue Summary

              Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
              h3. Steps to Reproduce
               # {color:#172b4d}Deploy a Confluence 9.2.6.{color}
               # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color}
               # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color}
               # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color}
               # {color:#172b4d}Remove the external directory from Confluence.{color}
               # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color}
               # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color}

              h3. Expected Results

              Users not in an administrative group should be able to authenticate.
              h3. Actual Results

              Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
              {code:java}
              2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
              2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
              2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code}
              That's associated with the following situation on Global Permissions:

              !image-2025-07-17-15-39-27-446.png|width=624,height=173!
              h3. Workaround

              *Workaround 1:* Remove all admin permissions for all 'not found' groups.

              *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu.

              *Workaround 3:* Delete the faulty groups from the database:
               # Stop your instance.
               # Make a full database backup,
               # On the database, run the following query to get the records for the deleted group:
              {code:sql}
              SELECT * 
              FROM spacepermissions 
              WHERE permgroupname not in (Select group_name from cwd_group); {code}

               # Delete these records after verification:
              {code:sql}
              DELETE
              FROM spacepermissions
              WHERE permgroupname not in (Select group_name from cwd_group);{code}

               # Start your instance and check if the users can authenticate.
              New: h2. Summary

              Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/]
              h2. Version info
               * Confluence 9.2.6 LTS

              h2. Description
              h3. Issue Summary

              Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
              h3. Steps to Reproduce
               # {color:#172b4d}Deploy a Confluence 9.2.6.{color}
               # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color}
               # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color}
               # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color}
               # {color:#172b4d}Remove the external directory from Confluence.{color}
               # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color}
               # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color}

              h3. Expected Results

              Users not in an administrative group should be able to authenticate.
              h3. Actual Results

              Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
              {code:java}
              2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
              2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
              2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
              ...
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
              2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code}
              That's associated with the following situation on Global Permissions:

              !image-2025-07-17-15-39-27-446.png|width=624,height=173!
              h3. Workaround

              *Workaround 1:* Remove all admin permissions for all 'not found' groups.

              *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu.

              *Workaround 3:* Delete the faulty groups from the database:
               # Stop your instance.
               # Make a full database backup,
               # On the database, run the following query to get the records for the deleted group:
              {code:sql}
              SELECT * 
              FROM spacepermissions 
              WHERE permgroupname not in (Select group_name from cwd_group); {code}
               # Delete these records after verification:
              {code:sql}
              DELETE
              FROM spacepermissions
              WHERE permgroupname not in (Select group_name from cwd_group);{code}
               # Start your instance and check if the users can authenticate.
              Marcelo da Costa created issue - 3 hours ago

                Unassigned Unassigned
                8ccca53078e5 Marcelo da Costa
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                  Created:
                  2 hours ago
                  Updated:
                  5 minutes ago
                  • Atlassian Jira Project Management Software
                  • About Jira
                  • Report a problem
                  • Privacy policy
                  • Notice at Collection

                  Atlassian