Audit log

Audit log - hero
In this Article

Audit logs give workspace owners access to detailed information about security and safety-related activity. This can help identify potential security issues, investigate suspicious behavior, and troubleshoot access 🔦


  • Open the Settings & members menu in your left sidebar.

  • Select Audit log.

The following information is included in each event recorded by the audit log:

  1. User: This is the Notion user who performed the event

  2. Event: This is the event captured. 

  3. Date: This is the date the event occurred

Where available, the IP address is also included.

Note: The audit log feature is exclusive to workspaces on the Enterprise Plan. If you upgrade to an Enterprise Plan, audit log events are recorded starting from the time of upgrade. Prior events will not be included in the audit log.

Interested in upgrading to Enterprise? Let us know →

By default, all events are shown in reverse chronological order. You can filter by each category of event information by using the filter buttons at the top.

  • Date: Select the Date button and choose the date, date range or time. 

  • User: Select the User button. Type the name of the user or scroll through the full list to choose the person that you'd like to filter by.

  • Event: Select the Event button. In the dropdown, click the checkboxes to filter specific event types. A full list of events can be found below.

Events are split into four main categories:

  1. Page events: This includes events users take on a single Notion page.

  2. Teamspace events: This includes events users take on one or more teamspaces.

  3. Workspace events: This includes events users take on an entire Notion workspace.

  4. Account events: This includes events about accounts of users in the workspace.

Page events

  • Page edited: That a user edited the content of a page.

  • Page property edited: That a user edited a page’s property, like a page title or a database property.

  • Page viewed: That a user viewed a page.

  • Page created: That a user created a new page nested under another page.

  • Page moved to trash: That a user moved a page to Trash.

  • Page deleted from trash: That a user deleted a page from Trash.

  • Page restored: That a user restored a formerly deleted page from Trash.

  • Page exported: That a user exported a page.

  • Page moved: That a user moved a page.

  • Page permission update: That a member or guest’s page permissions were updated.

  • Page shared to web: That a user enabled sharing (or disabled sharing) a page to the web.

  • File uploaded: That a user uploaded a file.

  • File downloaded: That a user opened or downloaded file name from a certain page.

  • Private content transferred: That the private pages of a user who left the workspace were transferred to a current user. Learn more here →

  • Automation created: That a user created a new automation.

  • Automation edited: That a user edited an automation.

  • Comment added: That a user added a new comment on a page.

  • Comment updated: That a user edited a comment.

  • Comment deleted: That a user deleted a comment.

  • Page suggestion created: That a user suggested an edit in a page.

  • Page suggestion accepted: That a user accepted a suggested edit in a page.

  • Page suggestion rejected: That a user rejected a suggested edit in a page.

  • Page suggestion comment created: That a user added a comment on a suggested edit in a page.

  • Page suggestion comment updated: That a user updated a comment on a suggested edit in a page.

  • Page suggestion comment deleted: That a user deleted a comment on a suggested edit in a page.

  • Page locked: That a page was locked.

  • Page unlocked: That a page was unlocked.

Page event audience

For page events, workspace owners can also view the audience or visibility level of each target page.

To see the audience, hover over the page-related audit log event. The audience captured in the audit log will be one of the following:

  • Private: page is not shared with other users.

  • Shared internally: page is shared with other members of the workspace only.

  • Shared externally: page is shared with one or more guests outside of the workspace and/or with an integration bot.

  • Shared to web: Page is published to the web.

Page event audience will also export as a column in CSV exports.

Teamspace events

  • Member added to teamspace: That a user added another user to the teamspace. Will specify “as Teamspace owner” if user is invited as a teamspace owner

  • Member removed from teamspace: That a teamspace owner has removed a teamspace member from the teamspace

  • Group added to teamspace: That a user added a permission group to the teamspace

  • Group removed from teamspace: That a teamspace owner has removed a permission group from the teamspace

  • Member joined the teamspace: That a user joined an open teamspace

  • Member left the teamspace: That a user left a teamspace

  • Teamspace created: That a user created the teamspace

  • Teamspace archived: That a teamspace owner archived a teamspace

  • Teamspace restored: That a teamspace owner restored a teamspace

  • Teamspace name changed: That a user updated the teamspace’s name

  • Teamspace description changed: That the teamspace description has been changed

  • Teamspace icon changed:

    That the teamspace icon has been changed

  • Teamspace privacy type changed: That a teamspace owner has changed the teamspace privacy type

  • Teamspace default toggled:

    That a user enabled or disabled a teamspace as a default teamspace

  • Teamspace creation setting toggled: That a user has enabled or disabled the ability for everyone in the workspace to create a teamspace

  • Teamspace Members default page permission updated: That the default page permissions of teamspace members have been changed

  • Everyone in workspace default page permission updated: That the default page permissions of everyone at workspace have been changed

  • Member teamspace role updated: That a has updated a teamspace member’s role in the teamspace

  • Custom permissions updated for a member in the teamspace: That a teamspace owner modified access to a teamspace member. Learn more here

  • Custom permissions updated for a group in the teamspace: That a teamspace owner modified access to a group. Learn more here

  • Teamspace invite access changed: That a user has updated settings for who can invite teamspace members

  • Teamspace disable guests toggled:  That a teamspace owner has enabled or disabled the ability to add guests to a teamspace

  • Export toggled for teamspace: That a teamspace owner has disabled or enabled exporting for a teamspace

  • Public page sharing toggled for teamspace: That a teamspace owner has switched public page sharing on/off for a teamspace

  • Teamspace sidebar editing toggled: That a teamspace owner has enabled or disabled the ability for users to change the teamspace sidebar section

  • Enabled teamspaces: That a user has enabled the teamspaces feature on a workspace

Workspace events

  • Member invited: That a Workspace owner or Membership admin invited a user to the workspace.

    • The new user's role will be specified "as Workspace owner” if they are invited as an Workspace owner, or "as Membership admin" if they are invited as a Membership admin.

  • Member joined: That a user has joined the workspace

  • Member role updated: That a Workspace owner has updated a user’s role 

  • Member removed: That a Workspace owner or Membership admin has removed a user from the workspace

  • Guest removed: That a guest has been removed from a workspace

  • Invite link toggled: That a user either enabled or disabled the invite link

  • Invite link reset: That a user has reset an invite link

  • Workspace name changed: That a user updated the workspace’s name

  • Workspace icon changed: That the workspace icon has been changed

  • Workspace domain changed: That the domain of a workspace is changed

  • Page access requests toggled: That a user has enabled or disabled page access requests from non-workspace-members

  • Public page sharing toggled: That a Workspace owner has switched public page sharing on/off

  • Workspace sidebar editing toggled: That a Workspace owner has enabled or disabled the ability for users to change the Workspace sidebar

  • Disable guests toggled: That a Workspace owner has enabled or disabled the ability to add guests to a workspace

  • Pages to other workspaces toggled: That a Workspace owner has either disabled or enabled moving pages to other workspaces

  • Export toggled: That a Workspace owner has disabled or enabled exporting

  • Workspace content exported: That a user has exported content from a page or the entire workspace

  • Integration installation toggled: That a Workspace Owner has disabled or enabled integrations restrictions

  • Integration created: That a new integration has been added to a workspace

  • Integration deleted: That an integration has been deleted

  • Integration secret reset: That an integration's secret token has been refreshed

  • Integration settings updated: That an integration's basic settings, like its name or icon, have been changed

  • Integration permission updated: That an integration's capabilities (reading content, inserting a comment, etc.) have been changed

  • Added allowed email domain: That the user added an allowed email domain to the workspace

  • Removed allowed email domain: That the user removed an allowed email domain from a workspace

  • Public home page set: That a Workspace owner has changed public home page

  • Public home page link cleared: That a Workspace owner has cleared public home page

  • SCIM token generated: That a Workspace owner generated a SCIM API token

  • SCIM token revoked: That a Workspace owner revoked a SCIM API token

  • IdP metadata URL updated: That a Workspace owner has set or updated the IdP metadata URL

  • IdP metadata XML updated: That a Workspace owner has updated the IdP metadata XML

  • IdP metadata XMP removed: That a Workspace owner has removed IdP metadata XML

  • SAML enable setting toggled: That a Workspace owner has disabled or enabled SAML

  • SAML enforce setting toggled: That a Workspace owner has disabled or enabled Enforce SAML

  • Auto-create accounts on sign-in toggled: That a Workspace owner has enabled automatically creating accounts on sign-in

  • Workspace creation setting updated: That a Workspace owner has restricted creation of new workspaces by users with the claimed enterprise email domain

  • Member added to group: That a Workspace Owner or Membership Admin has added a user to a group

  • Member removed from group: That a Workspace Owner or Membership Admin has removed a user from a group

  • Claimable workspace transfer status change: That the status of ownership transfer on a claimable workspace has changed

  • Claimable workspace upgrade status change: That the status of a claim and upgrade to Enterprise of a claimable workspace has changed

  • Claimable workspace deletion status change: That the status of workspace deletion of a claimable workspace has changed

  • Membership request toggled: That a user has enabled or disabled new workspace membership requests

  • Membership request resolved: That a user has resolved a workspace membership request

  • Audit Log exported: That the user exported the Audit Log

  • User Analytics exported: The the user exported the User Analytics table of Workspace Analytics

  • Content Analytics exported: That the user exported the Content Analytics table of Workspace Analytics

  • Workspace analytics tracking toggled: That the user enabled or disabled workspace analytics within the workspace

  • Content search queried: That a Workspace Owner has used the content search functionality to find workspace content

  • Content search results exported: That a Workspace Owner has exported the results from a content search query.

  • Notion AI toggled for workspace: That the user has enabled or disabled Notion AI in a workspace

  • Workspace consolidation started: A Notion employee has initiated workspace consolidation from this source or to this target workspace

  • Workspace consolidation completed: The source or target workspace has finished consolidation

  • Workspace consolidation failed: That workspace consolidation has failed for the source or target workspace

  • User suspended: That an admin has suspended a managed user account

  • User unsuspended: That an admin has unsuspended a managed user account

  • Log out all managed users: That an admin has logged out every managed user account

  • Log out one managed user: That an admin has logged out a single managed user account

  • Clear password for all managed users: That an admin has cleared all managed user accounts' passwords

  • Clear password for one managed user: That an admin has cleared a single managed user account's password

  • Integration added to approved connections: That an integration was added to the workspace’s list of approved connections.

  • Integration removed from approved connections: That an integration was removed from the workspace’s list of approved connections.

  • HIPAA compliance enabled: That a workspace owner has enabled HIPAA compliance by accepting Notion’s Business Associate Agreement.

  • HIPAA compliance disabled: That a workspace owner has disabled HIPAA compliance.

Account events

  • Login: When and from where a user has logged in

  • Logout: When and from where a user has logged out

  • Password set: That a user created a password

  • Password cleared: That a user cleared their password

  • Password changed: That a user changed their password

  • MFA SMS toggled: That a user updated their MFA via SMS text messages settings. Learn more here

  • MFA TOTP toggled: That a user updated their MFA via a TOTP (time-sensitive one time passcode) app. Learn more here

  • MFA backup code toggled: That a user updated their MFA backup code settings

  • Email changed: That the email of a user was changed

  • Picture changed: The the profile photo of the user was changed

  • User deleted: That a specific user account has been deleted

  • Granted support access: That a user’s account was granted Notion support access

  • Revoked support access: That a user’s account was revoked Notion support access

  • Preferred name changed: That a user has updated their account's preferred name

Note: If you are trying to find a deleted user or a user who has changed their name to a new name, the best way to do this is by through an exported audit log. Instructions for exporting your workspace audit log to CSV below.

Want to analyze the data in a spreadsheet or import your audit log to external tools? The workspace audit log can be exported in CSV format.

  • Select the blue Export button at the top right of the audit log screen.

  • You'll see four different export date range options. You can choose to export up to one year of audit log data.

  • Once you select your preferred date range, you will see a notification letting you know that an email will be sent to you with the audit log file download link.

Note: An exported audit log will show all applicable events within the chosen date range, up until 2 hours before the export time.


Give Feedback

Was this resource helpful?