diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a919054..b2459ddf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 * Enhancement: Added 'max_freebusy_occurrences` setting to avoid potential DOS on reports
 * Enhancement: remove unexpected control codes from uploaded items
 * Enhancement: add 'strip_domain' setting for username handling
+* Enhancement: add option to toggle debug log of right with doesn't match
 * Drop: remove unused requirement "typeguard"
 * Improve: Refactored some date parsing code
 
diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md
index 15f54d0b..342b89cb 100644
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
@@ -978,6 +978,12 @@ Log response on level=debug
 
 Default: `False`
 
+##### right_doesnt_match = True
+
+Log right which doesn't match on level=debug
+
+Default: `False`
+
 #### headers
 
 In this section additional HTTP headers that are sent to clients can be
diff --git a/config b/config
index b6bd2209..0a999877 100644
--- a/config
+++ b/config
@@ -158,6 +158,8 @@
 # Log response content on level=debug
 #response_content_on_debug = False
 
+# Log right which doesn't match
+#right_doesnt_match = False
 
 [headers]
 
diff --git a/radicale/config.py b/radicale/config.py
index 0515813b..46fafbb8 100644
--- a/radicale/config.py
+++ b/radicale/config.py
@@ -292,6 +292,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
             "value": "False",
             "help": "log response content on level=debug",
             "type": bool}),
+        ("right_doesnt_match", {
+            "value": "False",
+            "help": "log rights which doesn't match on level=debug",
+            "type": bool}),
         ("mask_passwords", {
             "value": "True",
             "help": "mask passwords in logs",
diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py
index d766d1dd..47218085 100644
--- a/radicale/rights/from_file.py
+++ b/radicale/rights/from_file.py
@@ -48,6 +48,7 @@ class Rights(rights.BaseRights):
     def __init__(self, configuration: config.Configuration) -> None:
         super().__init__(configuration)
         self._filename = configuration.get("rights", "file")
+        self._log_right_doesnt_match = configuration.get("logging", "right_doesnt_match")
 
     def authorization(self, user: str, path: str) -> str:
         user = user or ""
@@ -80,7 +81,8 @@ class Rights(rights.BaseRights):
                              user, sane_path, user_pattern,
                              collection_pattern, section, permission)
                 return permission
-            logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
+            if self._log_right_doesnt_match:
+                logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
                          user, sane_path, user_pattern, collection_pattern,
                          section)
         logger.info("Rights: %r:%r doesn't match any section", user, sane_path)