Client Connector - policy enforcement audit logging

This page describes how audit logging works for secured private applications using Chrome Enterprise Premium client connector. Enabling Cloud Audit Logs lets you view a user access request to a private application and see all the access levels a user has and has not met.

Enable audit logs

These logs are considered Data Access logs. Therefore, they must be explicitly enabled for audit logging under the beyondcorp.googleapis.com service name since they are disabled by default.

For information about enabling some or all of your Data Access audit logs, see Configure Data Access audit logs.

Audit log record content

Each audit log record contains information about users who attempted to access the private application, what access levels were enforced, and whether they were denied or granted access.

The following are some important values:

Field Value
authenticationInfo The email of the user who tried to access the resource as principalEmail.
requestMetadata.callerIp The IP address the request originated from.
requestMetadata.requestAttributes Contains access level names used for policy enforcement on the user access.
authorizationInfo.resource The client connector service resource being accessed.
authorizationInfo.granted A boolean representing whether the user was permitted the requested access.
method.Name The called policy enforcement method. Should always be AuthorizeUser