https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155946#M2831 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/160826">@kohei-matsumura</a>,</P> <P>An audit log entry with service_name = accounts and action_name = changeServicePrincipalAcls is generated only when you change the workspace-level ACLs of a service principal... as in... when you use the workspace permissions API/UI to grant or revoke "Service principal user/manager" on that service principal at the workspace level.</P> <P>The account console "Permissions" tab you used is backed by the Account Access Control API, which emits service_name = accountsAccessControl, action_name = updateRuleSet, not changeServicePrincipalAcls.</P> <P>You may also find <A href="https://docs.databricks.com/aws/en/admin/account-settings/audit-logs" target="_blank">this</A> useful.</P> <P class="p1"><FONT size="2" color="#FF6600"><STRONG><I>If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.</I></STRONG></FONT><I></I></P> Fri, 01 May 2026 15:35:24 GMT Ashwin_DSA 2026-05-01T15:35:24Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155907#M2830 <P>I changed the administrative permissions for a specific service principal in the account management screen.</P><P>I expected an audit log to be generated with service_name = accountns and action_name = changeServicePrincipalAcls, as described in the audit log reference, but it wasn't generated.</P><P>What kind of operation would generate an audit log with service_name = accountns and action_name = changeServicePrincipalAcls?<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="行った操作.png" style="width: 999px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/26548i73845E7EFDB5678A/image-size/large?v=v2&amp;px=999" role="button" title="行った操作.png" alt="行った操作.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ログの確認.png" style="width: 999px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/26549i042D73B02611E1D8/image-size/large?v=v2&amp;px=999" role="button" title="ログの確認.png" alt="ログの確認.png" /></span></P> Fri, 01 May 2026 09:05:00 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155907#M2830 kohei-matsumura 2026-05-01T09:05:00Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155946#M2831 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/160826">@kohei-matsumura</a>,</P> <P>An audit log entry with service_name = accounts and action_name = changeServicePrincipalAcls is generated only when you change the workspace-level ACLs of a service principal... as in... when you use the workspace permissions API/UI to grant or revoke "Service principal user/manager" on that service principal at the workspace level.</P> <P>The account console "Permissions" tab you used is backed by the Account Access Control API, which emits service_name = accountsAccessControl, action_name = updateRuleSet, not changeServicePrincipalAcls.</P> <P>You may also find <A href="https://docs.databricks.com/aws/en/admin/account-settings/audit-logs" target="_blank">this</A> useful.</P> <P class="p1"><FONT size="2" color="#FF6600"><STRONG><I>If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.</I></STRONG></FONT><I></I></P> Fri, 01 May 2026 15:35:24 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155946#M2831 Ashwin_DSA 2026-05-01T15:35:24Z