Data Catalog API methods that are related to Data Catalog search and metadata are deprecated and will be discontinued on January 30, 2026. See Transition from Data Catalog to Dataplex Universal Catalog. Methods that are related to policy tags and policy tag taxonomies are not deprecated.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-17 UTC."],[[["\u003cp\u003eAuditConfig specifies which permission types are logged for a service and which identities are exempt, with each AuditConfig needing one or more AuditLogConfigs.\u003c/p\u003e\n"],["\u003cp\u003eIf both \u003ccode\u003eallServices\u003c/code\u003e and a specific service have AuditConfigs, the union of both is applied, enabling the specified log types and exempting the listed members.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eAuditLogConfig\u003c/code\u003e configures logging for specific permission types and allows exemption of certain identities from logging.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eservice\u003c/code\u003e field in AuditConfig determines which service is enabled for auditing, with \u003ccode\u003eallServices\u003c/code\u003e covering all, and the \u003ccode\u003eauditLogConfigs\u003c/code\u003e field is an array of \u003ccode\u003eAuditLogConfig\u003c/code\u003e objects.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003elogType\u003c/code\u003e in \u003ccode\u003eAuditLogConfig\u003c/code\u003e determines what permission type is logged, while \u003ccode\u003eexemptedMembers\u003c/code\u003e are identities not subject to that type of permission logging.\u003c/p\u003e\n"]]],[],null,["# AuditConfig\n\n- [JSON representation](#SCHEMA_REPRESENTATION)\n- [AuditLogConfig](#AuditLogConfig)\n - [JSON representation](#AuditLogConfig.SCHEMA_REPRESENTATION)\n\nSpecifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.\n\nIf there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.\n\nExample Policy with multiple AuditConfigs: \n\n {\n \"auditConfigs\": [\n {\n \"service\": \"allServices\",\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\",\n \"exemptedMembers\": [\n \"user:jose@example.com\"\n ]\n },\n {\n \"logType\": \"DATA_WRITE\"\n },\n {\n \"logType\": \"ADMIN_READ\"\n }\n ]\n },\n {\n \"service\": \"sampleservice.googleapis.com\",\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\"\n },\n {\n \"logType\": \"DATA_WRITE\",\n \"exemptedMembers\": [\n \"user:aliya@example.com\"\n ]\n }\n ]\n }\n ]\n }\n\nFor sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts `jose@example.com` from DATA_READ logging, and `aliya@example.com` from DATA_WRITE logging.\n\nAuditLogConfig\n--------------\n\nProvides the configuration for logging a type of permissions. Example: \n\n {\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\",\n \"exemptedMembers\": [\n \"user:jose@example.com\"\n ]\n },\n {\n \"logType\": \"DATA_WRITE\"\n }\n ]\n }\n\nThis enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [jose@example.com](mailto:jose@example.com) from DATA_READ logging."]]
