每個 IAM 權限都有一個 type 屬性,其值是枚舉,可為四個值之一:ADMIN_READ、ADMIN_WRITE、DATA_READ 或 DATA_WRITE。當您呼叫方法時,存取權核准會產生稽核記錄,其類別取決於執行方法所需權限的 type 屬性。需要具備 DATA_READ、DATA_WRITE 或 ADMIN_READ 的 type 屬性值的 IAM 權限的程式會產生資料存取稽核記錄。需要 IAM 權限,且 type 屬性值為 ADMIN_WRITE 的方法會產生管理員活動稽核記錄。
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eAccess Approval audit logs track administrative and access activities within Google Cloud resources, using the service name \u003ccode\u003eaccessapproval.googleapis.com\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eAudit logs generated by Access Approval are categorized as either Data Access or Admin Activity logs, depending on the IAM permission type required for the method.\u003c/p\u003e\n"],["\u003cp\u003eMethods requiring \u003ccode\u003eADMIN_WRITE\u003c/code\u003e permissions generate Admin Activity audit logs, while methods with \u003ccode\u003eDATA_READ\u003c/code\u003e, \u003ccode\u003eDATA_WRITE\u003c/code\u003e, or \u003ccode\u003eADMIN_READ\u003c/code\u003e permissions result in Data Access audit logs.\u003c/p\u003e\n"],["\u003cp\u003eSpecific methods, such as \u003ccode\u003eApproveApprovalRequest\u003c/code\u003e, \u003ccode\u003eDeleteAccessApprovalSettings\u003c/code\u003e, \u003ccode\u003eDismissApprovalRequest\u003c/code\u003e, \u003ccode\u003eInvalidateApprovalRequest\u003c/code\u003e, and \u003ccode\u003eUpdateAccessApprovalSettings\u003c/code\u003e, each generate Admin Activity audit logs and have corresponding filter expressions for querying.\u003c/p\u003e\n"],["\u003cp\u003eSome methods like \u003ccode\u003eGetAccessApprovalServiceAccount\u003c/code\u003e, \u003ccode\u003eGetAccessApprovalSettings\u003c/code\u003e, \u003ccode\u003eGetApprovalRequest\u003c/code\u003e, and \u003ccode\u003eListApprovalRequests\u003c/code\u003e do not produce audit logs due to factors like high volume, low auditing value, or existing coverage in other logs.\u003c/p\u003e\n"]]],[],null,["# Access Approval audit logging information\n=========================================\n\nThis document describes audit logging for Access Approval. Google Cloud services\ngenerate audit logs that record administrative and access activities within your Google Cloud resources.\nFor more information about Cloud Audit Logs, see the following:\n\n- [Types of audit logs](/logging/docs/audit#types)\n- [Audit log entry structure](/logging/docs/audit#audit_log_entry_structure)\n- [Storing and routing audit logs](/logging/docs/audit#storing_and_routing_audit_logs)\n- [Cloud Logging pricing summary](/stackdriver/pricing#logs-pricing-summary)\n- [Enable Data Access audit logs](/logging/docs/audit/configure-data-access)\n\n\u003cbr /\u003e\n\nService name\n------------\n\nAccess Approval audit logs use the service name `accessapproval.googleapis.com`.\nFilter for this service: \n\n```gdscript\n protoPayload.serviceName=\"accessapproval.googleapis.com\"\n \n```\n\n\u003cbr /\u003e\n\nMethods by permission type\n--------------------------\n\nEach IAM permission has a `type` property, whose value is an enum\nthat can be one of four values: `ADMIN_READ`, `ADMIN_WRITE`,\n`DATA_READ`, or `DATA_WRITE`. When you call a method,\nAccess Approval generates an audit log whose category is dependent on the\n`type` property of the permission required to perform the method.\n\nMethods that require an IAM permission with the `type` property value\nof `DATA_READ`, `DATA_WRITE`, or `ADMIN_READ` generate\n[Data Access](/logging/docs/audit#data-access) audit logs.\n\nMethods that require an IAM permission with the `type` property value\nof `ADMIN_WRITE` generate\n[Admin Activity](/logging/docs/audit#admin-activity) audit logs.\n\nAPI interface audit logs\n------------------------\n\nFor information about how and which permissions are evaluated for each method,\nsee the Identity and Access Management documentation for Access Approval.\n\n### `google.cloud.accessapproval.v1.AccessApproval`\n\nThe following audit logs are associated with methods belonging to\n`google.cloud.accessapproval.v1.AccessApproval`.\n\n#### `ApproveApprovalRequest`\n\n- **Method** : `google.cloud.accessapproval.v1.AccessApproval.ApproveApprovalRequest` \n- **Audit log type** : [Admin activity](/logging/docs/audit#admin-activity) \n- **Permissions** :\n - `accessapproval.requests.approve - ADMIN_WRITE`\n- **Method is a long-running or streaming operation** : No. \n- **Filter for this method** : `\n protoPayload.methodName=\"google.cloud.accessapproval.v1.AccessApproval.ApproveApprovalRequest\"\n ` \n\n#### `DeleteAccessApprovalSettings`\n\n- **Method** : `google.cloud.accessapproval.v1.AccessApproval.DeleteAccessApprovalSettings` \n- **Audit log type** : [Admin activity](/logging/docs/audit#admin-activity) \n- **Permissions** :\n - `accessapproval.settings.delete - ADMIN_WRITE`\n- **Method is a long-running or streaming operation** : No. \n- **Filter for this method** : `\n protoPayload.methodName=\"google.cloud.accessapproval.v1.AccessApproval.DeleteAccessApprovalSettings\"\n ` \n\n#### `DismissApprovalRequest`\n\n- **Method** : `google.cloud.accessapproval.v1.AccessApproval.DismissApprovalRequest` \n- **Audit log type** : [Admin activity](/logging/docs/audit#admin-activity) \n- **Permissions** :\n - `accessapproval.requests.dismiss - ADMIN_WRITE`\n- **Method is a long-running or streaming operation** : No. \n- **Filter for this method** : `\n protoPayload.methodName=\"google.cloud.accessapproval.v1.AccessApproval.DismissApprovalRequest\"\n ` \n\n#### `InvalidateApprovalRequest`\n\n- **Method** : `google.cloud.accessapproval.v1.AccessApproval.InvalidateApprovalRequest` \n- **Audit log type** : [Admin activity](/logging/docs/audit#admin-activity) \n- **Permissions** :\n - `accessapproval.requests.invalidate - ADMIN_WRITE`\n- **Method is a long-running or streaming operation** : No. \n- **Filter for this method** : `\n protoPayload.methodName=\"google.cloud.accessapproval.v1.AccessApproval.InvalidateApprovalRequest\"\n ` \n\n#### `UpdateAccessApprovalSettings`\n\n- **Method** : `google.cloud.accessapproval.v1.AccessApproval.UpdateAccessApprovalSettings` \n- **Audit log type** : [Admin activity](/logging/docs/audit#admin-activity) \n- **Permissions** :\n - `accessapproval.settings.update - ADMIN_WRITE`\n- **Method is a long-running or streaming operation** : No. \n- **Filter for this method** : `\n protoPayload.methodName=\"google.cloud.accessapproval.v1.AccessApproval.UpdateAccessApprovalSettings\"\n `"]]
