This page describes how audit logging works for private applications secured
with the Chrome Enterprise Premium client connector. Enabling Cloud Audit Logs
lets you view a user's access request to a private application and see which
access levels the user has and has not met.
Enable audit logs
These logs are considered Data Access logs, which are disabled by default.
They must therefore be explicitly enabled for audit logging under the
beyondcorp.googleapis.com service name.
Each audit log record contains information about users who attempted to
access the private application, what access levels
were enforced, and whether they were denied or granted access.
The following are some important values:
Field | Value
authenticationInfo | The email of the user who tried to access the resource, as principalEmail.
requestMetadata.callerIp | The IP address the request originated from.
requestMetadata.requestAttributes | Contains the access level names used for policy enforcement on the user access.
authorizationInfo.resource | The client connector service resource being accessed.
authorizationInfo.granted | A boolean representing whether the user was permitted the requested access.
methodName | The called policy enforcement method. Should always be AuthorizeUser.
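The following is an added example, not part of the original page: a Python triage pass over exported log entries that summarizes denied AuthorizeUser decisions per user, using the fields listed above. The sample entries are constructed, the resource name is a placeholder, and two things are assumptions the page does not show: the nesting under protoPayload (the standard Cloud Audit Logs layout, with authorizationInfo as a list) and treating a missing granted field as a denial.

```python
import json
from collections import defaultdict

SERVICE, METHOD = "beyondcorp.googleapis.com", "AuthorizeUser"

def _entry(email, ip, granted, method=METHOD):
    """Build one constructed sample entry in Cloud Audit Logs JSON shape."""
    auth = {"resource": "RESOURCE_PLACEHOLDER"}  # placeholder, not a real name
    if granted:  # assumption: false booleans may be omitted from exported JSON
        auth["granted"] = True
    return json.dumps({"protoPayload": {
        "serviceName": SERVICE, "methodName": method,
        "authenticationInfo": {"principalEmail": email},
        "requestMetadata": {"callerIp": ip},
        "authorizationInfo": [auth]}})

# Constructed sample input: one JSON log entry per line, plus one corrupt line.
SAMPLE_LINES = [
    _entry("alice@example.com", "203.0.113.10", True),
    _entry("bob@example.com", "198.51.100.7", False),
    _entry("bob@example.com", "198.51.100.8", False),
    _entry("bob@example.com", "198.51.100.7", False),
    _entry("carol@example.com", "203.0.113.44", False),
    _entry("dave@example.com", "203.0.113.99", False, method="OtherMethod"),
    "not json",
]

def denied_access(lines):
    """Return {principalEmail: {"denials": n, "ips": set, "resources": set}}."""
    out = defaultdict(lambda: {"denials": 0, "ips": set(), "resources": set()})
    for line in lines:
        try:
            p = json.loads(line).get("protoPayload", {})
        except (ValueError, AttributeError):
            continue  # skip lines that are not JSON objects
        if p.get("serviceName") != SERVICE or p.get("methodName") != METHOD:
            continue  # only client connector policy decisions
        denied = [a for a in p.get("authorizationInfo", [])
                  if not a.get("granted", False)]  # absent "granted" == denied
        if not denied:
            continue
        rec = out[p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")]
        rec["denials"] += 1
        rec["ips"].add(p.get("requestMetadata", {}).get("callerIp", "<unknown>"))
        rec["resources"].update(a.get("resource", "<unknown>") for a in denied)
    return dict(out)

def repeated_denials(summary, min_denials=2):
    # Users denied at least min_denials times; the threshold is illustrative.
    return sorted(u for u, r in summary.items() if r["denials"] >= min_denials)
```

Calling `repeated_denials(denied_access(SAMPLE_LINES))` on the constructed input returns the one user with repeated denials, along with the distinct caller IPs recorded in the summary.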
Last updated 2025-03-25 UTC.