Audit log
Your workspace audit log gives Workspace owners access to detailed information about security and safety-related activity. This can include identifying potential security issues, investigating suspicious behavior, and troubleshooting access.
Open the
Settings & membersmenu in your left sidebar.Select
Audit log.
Note: This feature is only available to admins on an Enterprise plan workspace. Contact sales to learn more about our Enterprise plan →
The following information is included in each event recorded by the audit log:
User: This is the Notion user who performed the event
Event: This is the event captured.
Date: This is the date the event occurred
Where available, the IP address is also included.
Note: The audit log feature is exclusive to workspaces on the Enterprise Plan. If you upgrade to an Enterprise Plan, audit log events are recorded starting from the time of upgrade. Prior events will not be included in the audit log.
Interested in upgrading to Enterprise? Let us know →
By default, all events are shown in reverse chronological order. You can filter by each category of event information by using the filter buttons at the top.
Date: Select the
Datebutton and choose the date, date range or time.User: Select the
Userbutton. Type the name of the user or scroll through the full list to choose the person that you'd like to filter by.Event: Select the
Eventbutton. In the dropdown, click the checkboxes to filter specific event types. A full list of events can be found below.
Events are split into four main categories:
Page events: This includes events users take on a single Notion page.
Teamspace events: This includes events users take on one or more teamspaces.
Workspace events: This includes events users take on an entire Notion workspace.
Account events: This includes events about accounts of users in the workspace.
Page events
Page viewed: Which page a user viewed
Page edited: A user edited the content of a page
Page created: That a user created a new page nested under another page
Page deleted: That a user deleted a page
Page restored: That a user restored a formerly deleted page from Trash
Page exported: That a user exported a page
Page moved: That a user relocated a page
Page permission update: That a member or guest has had their page permissions updated
Page shared to web: A user enabled sharing (or disabled sharing) a page to the web
File uploaded: That a user uploaded a file
File downloaded: A user has downloaded
file namefrom a certain page
Page event audience
For page events, workspace owners can also view the audience—or visibility level—of each target page.
To see the audience, hover over the page-related audit log event. The audience captured in the audit log will be one of the following:
Private: page is not shared with other users.
Shared internally: page is shared with other members of the workspace only.
Shared externally: page is shared with one or more guests outside of the workspace and/or with an integration bot.
Shared to web: Page is published to the web.
Page event audience will also export as a column in CSV exports.
Teamspace events
Member added to teamspace: That a user added another user to the teamspace. Will specify “as Teamspace owner” if user is invited as a teamspace owner
Group added to teamspace: That a user added a permission group to the teamspace
Member joined the teamspace: That a user joined an open teamspace
Member teamspace role updated: That a teamspace owner has updated a teamspace member’s role in the teamspace
Member removed from teamspace: That a teamspace owner has removed a teamspace member from the teamspace
Group removed from teamspace: That a teamspace owner has removed a permission group from the teamspace
Member left the teamspace: That a user left a teamspace
Teamspace members default page permission updated: That the default page permissions of teamspace members have been changed
Everyone in workspace default page permission updated: That the default page permissions of everyone at workspace have been changed
Who can invite teamspace members toggle: That a teamspace owner has toggled this setting
Teamspace privacy type changed: That a teamspace owner has changed the teamspace privacy type
Teamspace created: That a user created the teamspace
Teamspace name changed: That a user updated the teamspace’s name
Teamspace icon changed: That the teamspace icon has been changed
Teamspace description changed: That the teamspace description has been changed
Disable guests toggled for team: That a teamspace owner has enabled or disabled the ability to add guests to a teamspace
Public page sharing toggled for teamspace: That a teamspace owner has switched public page sharing on/off for a teamspace
Export toggled for teamspace: That a teamspace owner has disabled or enabled exporting for a teamspace
Teamspace sidebar editing toggled: That a teamspace owner has enabled or disabled the ability for users to change the teamspace sidebar section
Teamspace archived: That a teamspace owner archived a teamspace
Teamspace restored: That a teamspace owner restored a teamspace
Workspace events
Member invited: That a Workspace owner or Membership admin invited a user to the workspace.
The new user's role will be specified "as Workspace owner” if they are invited as an Workspace owner, or "as Membership admin" if they are invited as a Membership admin.
Member joined: That a user has joined the workspace
Member role updated: That a Workspace owner has updated a user’s role
Member removed: That a Workspace owner or Membership admin has removed a user from the workspace
Guest removed: That a guest has been removed from a workspace
Invite link toggled: That a user either enabled or disabled the invite link
Invite link reset: That a user has reset an invite link
Workspace name changed: That a user updated the workspace’s name
Workspace icon changed: That the workspace icon has been changed
Workspace domain changed: That the domain of a workspace is changed
Page access requests toggled: That a user has enabled or disabled page access requests from non-workspace-members
Public page sharing toggled: That a Workspace owner has switched public page sharing on/off
Workspace sidebar editing toggled: That a Workspace owner has enabled or disabled the ability for users to change the Workspace sidebar
Disable guests toggled: That a Workspace owner has enabled or disabled the ability to add guests to a workspace
Pages to other workspaces toggled: That a Workspace owner has either disabled or enabled moving pages to other workspaces
Export toggled: That a Workspace owner has disabled or enabled exporting
Added/removed allowed email domain: That the allowed email domain of a workspace is changed
All workspace content exported: That a user has exported content from a page or the entire workspace
Integration installation toggled: That a Workspace owner has disabled or enabled integrations restrictions
Workspace creation setting updated: That a Workspace owner has restricted creation of new workspaces by users with the claimed enterprise email domain
Limiting teamspace creation to admins: That a workspace admin has enabled or disabled the ability for everyone in the workspace to create a teamspace
Added new default teamspace: That a workspace admin made a teamspace a default team
Removed existing default teamspace: That a workspace admin removed a teamspace from being a default teamspace
Public home page set: That a Workspace owner has changed public home page
Public home page link cleared: That a Workspace owner has cleared public home page
SCIM token generated: That a Workspace owner generated a SCIM API token
SCIM token revoked: That a Workspace owner revoked a SCIM API token
IDP metadata URL updated: That a Workspace owner has set or updated the IDP metadata URL
IDP metadata XML updated: That a Workspace owner has updated the IDP metadata XML
IDP metadata XMP removed: That a Workspace owner has removed IDP metadata XML
SAML enabling toggled: That a Workspace owner has disabled or enabled SAML
SAML enforcing toggled: That a Workspace owner has disabled or enabled Enforce SAML
Auto-create accounts on sign-in toggled: That a Workspace owner has enabled automatically creating accounts on sign-in
Member added to group: That a Workspace Owner or Membership Admin has added a user to a group
Member removed from group: That a Workspace Owner or Membership Admin has removed a user from a group
Admin content search queried: That a Workspace Owner has used the content search functionality to find workspace content
Account events
Login: When and from where a user has logged in
Logout: When and from where a user has logged out
Password set: That a user created a password
Password cleared: That a user cleared their password
Password changed: That a user changed their password
Email changed: That a user changed their email
Picture changed: When a user changed their profile photo
User deleted: That a specific user has been deleted from the workspace
Note: If you are trying to find a deleted user or a user who has changed their name to a new name, the best way to do this is by through an exported audit log. Instructions for exporting your workspace audit log to CSV below.
Want to analyze the data in a spreadsheet or import your audit log to external tools? The workspace audit log can be exported in CSV format.
Select the blue
Exportbutton at the top right of the audit log screen.
You'll see four different export date range options. You can choose to export up to one year of audit log data.
Once you select your preferred date range, you will see a notification letting you know that an email will be sent to you with the audit log file download link.
Note: An exported audit log will show all applicable events within the chosen date range, up until 2 hours before the export time.
