Some or all of the information on this page might not apply to Trusted Cloud by S3NS.
This document describes how to use Cloud Logging to audit activities
related to policy tags. For example, you can determine:
- The email address of the principal that grants or removes access on a policy tag
- The email address of the principal for whom access was granted or removed
- The policy tag whose access was changed
Access to logs
For information about the permission you need to view logs, see the
Cloud Logging access control guide.
Viewing logs for policy tag events
1. Go to the Logs Explorer page in the Trusted Cloud console.
2. In the resources drop-down list, click Audited Resource, click Audited Resources again, and then click datacatalog.googleapis.com. You will see recent audit log entries of Data Catalog resources.
3. To view the log entries, select the Data Catalog SetIamPolicy method.
4. Click the log entry to see details about the call to the SetIamPolicy method.
5. Click the log entry fields to see details for the SetIamPolicy entry.
   - Click protoPayload, then click authenticationInfo to see the principalEmail for the entity that set the IAM policy.
   - Click protoPayload, click request, click policy, and then click bindings to see the bindings, including principals and roles, that were changed.
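The same fields can be read from exported log entries. The following is an added example, not code from the original page or from Google: it reports who called SetIamPolicy on each policy tag and which (role, member) pairs were granted or removed, by comparing each call's bindings with the previous call for the same tag. Assumptions: entries are JSON objects as exported from Cloud Logging, the policy tag name is taken from protoPayload.resourceName, and the function name, project, taxonomy, tag and email values are constructed for illustration.

```python
# Constructed sample values; project, taxonomy, tag and e-mail names are placeholders.
TAG = "projects/example-project/locations/us/taxonomies/111/policyTags/222"
ROLE = "roles/datacatalog.categoryFineGrainedReader"

def _entry(ts, actor, members):
    """Build a constructed log entry holding only the fields the steps above open."""
    return {"timestamp": ts, "protoPayload": {
        "serviceName": "datacatalog.googleapis.com",
        "methodName": "google.cloud.datacatalog.v1.PolicyTagManager.SetIamPolicy",
        "authenticationInfo": {"principalEmail": actor},
        "resourceName": TAG,  # assumption: the policy tag is named here
        "request": {"policy": {"bindings": [{"role": ROLE, "members": members}]}}}}

SAMPLE = [
    _entry("2025-07-01T10:00:00Z", "admin@example.com", ["user:ana@example.com"]),
    _entry("2025-07-01T11:30:00Z", "ops@example.com",
           ["user:ana@example.com", "group:analysts@example.com"]),
    _entry("2025-07-01T12:00:00Z", "admin@example.com", ["group:analysts@example.com"]),
]

def policy_tag_changes(entries):
    """Return one record per Data Catalog SetIamPolicy call, oldest first.

    request.policy carries the whole policy being set, so grants and removals
    are found by diffing against the previous call seen for the same resource.
    """
    last = {}      # resourceName -> set of (role, member) from the previous call
    records = []
    for e in sorted(entries, key=lambda e: e["timestamp"]):  # same-format UTC strings
        p = e.get("protoPayload", {})
        if (p.get("serviceName") != "datacatalog.googleapis.com"
                or not p.get("methodName", "").endswith("SetIamPolicy")):
            continue
        bindings = p.get("request", {}).get("policy", {}).get("bindings", [])
        now = {(b["role"], m) for b in bindings for m in b.get("members", [])}
        tag = p.get("resourceName", "")
        before = last.get(tag)
        records.append({
            "time": e["timestamp"],
            "actor": p.get("authenticationInfo", {}).get("principalEmail"),
            "policy_tag": tag,
            # None means no earlier call in this export to compare against.
            "granted": None if before is None else sorted(now - before),
            "removed": None if before is None else sorted(before - now),
        })
        last[tag] = now
    return records

if __name__ == "__main__":
    for record in policy_tag_changes(SAMPLE):
        print(record)
```

The first call seen for a tag has no baseline, so its grants and removals are reported as unknown rather than guessed; export a long enough window to include the prior policy.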
What's next
Learn about best practices for policy tags.
Last updated 2025-07-02 UTC.