In the resources drop-down list, click Audited Resource, click Audited
Resources again, and then click datacatalog.googleapis.com. You will see
recent audit log entries of Data Catalog resources.
To view the log entries, select the Data Catalog
SetIamPolicy method.
Click the log entry to see details about the call to the SetIamPolicy
method.
Click the log entry fields to see details for the SetIamPolicy entry.
Click protoPayload, then click authenticationInfo to see the
principalEmail for the entity that set the IAM policy.
Click protoPayload, click request, click policy, and then click
bindings to see the bindings, including principals and roles, that were
changed.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eThis guide explains how to use Cloud Logging to monitor activities related to policy tags, including who granted or removed access.\u003c/p\u003e\n"],["\u003cp\u003eYou can view logs to determine the email of the principal granting or removing access, as well as the email of the user who was granted or removed from access.\u003c/p\u003e\n"],["\u003cp\u003eAccess the logs through the Logs Explorer page in the Google Cloud console by selecting Audited Resources, and then datacatalog.googleapis.com.\u003c/p\u003e\n"],["\u003cp\u003eYou can filter log entries to view calls made to the \u003ccode\u003eSetIamPolicy\u003c/code\u003e method, where details about policy changes are stored.\u003c/p\u003e\n"]]],[],null,["# Audit policy tags\n=================\n\nThis document describes how to use [Cloud Logging](/logging/docs) to audit activities\nrelated to policy tags. For example, you can determine:\n\n- The email address for the principal that grants or removes access on a policy\n tag\n\n- The email address for whom the access was granted or removed\n\n- The policy tag whose access was changed\n\nAccess to logs\n--------------\n\nFor information about the permission you need to view logs, see the\n[Cloud Logging access control guide](/logging/docs/access-control).\n\nViewing logs for policy tag events\n----------------------------------\n\n1. Go to the **Logs Explorer** page in the Google Cloud console.\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/query)\n2. In the resources drop-down list, click **Audited Resource** , click **Audited\n Resources** again, and then click **datacatalog.googleapis.com**. You will see\n recent audit log entries of Data Catalog resources.\n\n3. To view the log entries, select the Data Catalog\n `SetIamPolicy` method.\n\n4. Click the log entry to see details about the call to the `SetIamPolicy`\n method.\n\n5. Click the log entry fields to see details for the `SetIamPolicy` entry.\n\n - Click `protoPayload`, then click `authenticationInfo` to see the\n `principalEmail` for the entity that set the IAM policy.\n\n - Click `protoPayload`, click `request`, click `policy`, and then click\n `bindings` to see the bindings, including principals and roles, that were\n changed.\n\nWhat's next\n-----------\n\nLearn about [best practices for policy tags](/bigquery/docs/best-practices-policy-tags)."]]
