Stay organized with collectionsSave and categorize content based on your preferences.
This page describes how audit logging works for secured private applications
using Chrome Enterprise Premium client connector. Enabling Cloud Audit Logs lets you
view a user access request to a private application and see all the access
levels a user has and has not met.
Enable audit logs
These logs are consideredData Access logs.
Therefore, they must be explicitly enabled for audit logging under thebeyondcorp.googleapis.comservice name since they are disabled by default.
Each audit log record contains information about users who attempted to
access the private application, whataccess levelswere enforced, and whether they were denied or granted access.
The following are some important values:
Field
Value
authenticationInfo
The email of the user who tried to access the resource asprincipalEmail.
requestMetadata.callerIp
The IP address the request originated from.
requestMetadata.requestAttributes
Contains access level names used for policy enforcement on the user access.
authorizationInfo.resource
The client connector service resource being accessed.
authorizationInfo.granted
A boolean representing whether the user was permitted the requested access.
method.Name
The called policy enforcement method. Should always beAuthorizeUser
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Client Connector - policy enforcement audit logging\n\nThis page describes how audit logging works for secured private applications\nusing Chrome Enterprise Premium client connector. Enabling Cloud Audit Logs lets you\nview a user access request to a private application and see all the access\nlevels a user has and has not met.\n\nEnable audit logs\n-----------------\n\nThese logs are considered [Data Access logs](/chrome-enterprise-premium/docs/beyondcorp-service-audit-logging#available-logs).\nTherefore, they must be explicitly enabled for audit logging under the\n`beyondcorp.googleapis.com` service name since they are disabled by default.\n\nFor information about enabling some or all of your Data Access audit logs, see\n[Configure Data Access audit logs](/logging/docs/audit/configure-data-access).\n\nAudit log record content\n------------------------\n\nEach audit log record contains information about users who attempted to\naccess the private application, what [access levels](/access-context-manager/docs/overview#access-levels)\nwere enforced, and whether they were denied or granted access.\n\nThe following are some important values:"]]
