https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156439#M2839 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/160826">@kohei-matsumura</a>,</P> <P>Yes.. if you want to find changes to account-console roles on a service principal (for example, who has roles/servicePrincipal.manager or roles/servicePrincipal.user), then service_name = 'accountsAccessControl' and action_name = 'updateRuleSet' is the right audit event family to search. The account-console permissions flow for service principals is handled by the Accounts Access Control API, and grant/revoke is done by updating the rule set for that service principal resource.</P> <P>But those two predicates alone are too broad if your goal is a specific service principal. They will return all rule-set updates made through the Account Access Control API, not just service-principal-manager changes.</P> <P>What else that search can include:</P> <UL> <LI>updates to the account rule set: accounts/&lt;ACCOUNT_ID&gt;/ruleSets/default</LI> <LI>updates to a group rule set: accounts/&lt;ACCOUNT_ID&gt;/groups/&lt;GROUP_ID&gt;/ruleSets/default</LI> <LI>updates to a service principal rule set: accounts/&lt;ACCOUNT_ID&gt;/servicePrincipals/&lt;SP_ID&gt;/ruleSets/default</LI> <LI>updates to a tag policy rule set: accounts/&lt;ACCOUNT_ID&gt;/tagPolicies/&lt;TAG_POLICY_ID&gt;/ruleSets/default</LI> </UL> <P>So for your use case, the better filter is:</P> <UL> <LI>service_name = 'accountsAccessControl'</LI> <LI>action_name = 'updateRuleSet'</LI> <LI>request_params['account_id'] = '&lt;account-id&gt;'</LI> <LI>get_json_object(request_params['name'], '$.name') = 'accounts/&lt;account-id&gt;/servicePrincipals/&lt;sp-id&gt;/ruleSets/default'</LI> </UL> <P>That narrows the results to updates to that service principal’s rule set specifically. Also note...&nbsp;updateRuleSet is a full replacement of the rule set, not a single "grant one user" delta event. One audit record can therefore represent multiple additions/removals/changes at once, depending on the final contents of request_params['rule_set'].</P> <P>If you want to specifically inspect who can manage the SP, look inside the rule set for roles/servicePrincipal.manager. If you also care about who can use it, look for roles/servicePrincipal.user as well.</P> <P>Some links if you find them useful..&nbsp;</P> <P><A href="https://docs.databricks.com/aws/en/dev-tools/cli/reference/account-access-control-commands" target="_blank">https://docs.databricks.com/aws/en/dev-tools/cli/reference/account-access-control-commands</A></P> <P><A href="https://docs.databricks.com/aws/en/security/auth/access-control/service-principal-acl" target="_blank">https://docs.databricks.com/aws/en/security/auth/access-control/service-principal-acl</A></P> <P class="p1"><FONT size="2" color="#FF6600"><STRONG><I>If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.</I></STRONG></FONT><I></I></P> <DIV class="tk0j8o1 _1ibi0s31a _1ibi0s3do">&nbsp;</DIV> <P>&nbsp;</P> Fri, 08 May 2026 09:54:10 GMT Ashwin_DSA 2026-05-08T09:54:10Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155907#M2830 <P>I changed the administrative permissions for a specific service principal in the account management screen.</P><P>I expected an audit log to be generated with service_name = accountns and action_name = changeServicePrincipalAcls, as described in the audit log reference, but it wasn't generated.</P><P>What kind of operation would generate an audit log with service_name = accountns and action_name = changeServicePrincipalAcls?<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="行った操作.png" style="width: 999px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/26548i73845E7EFDB5678A/image-size/large?v=v2&amp;px=999" role="button" title="行った操作.png" alt="行った操作.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ログの確認.png" style="width: 999px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/26549i042D73B02611E1D8/image-size/large?v=v2&amp;px=999" role="button" title="ログの確認.png" alt="ログの確認.png" /></span></P> Fri, 01 May 2026 09:05:00 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155907#M2830 kohei-matsumura 2026-05-01T09:05:00Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155946#M2831 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/160826">@kohei-matsumura</a>,</P> <P>An audit log entry with service_name = accounts and action_name = changeServicePrincipalAcls is generated only when you change the workspace-level ACLs of a service principal... as in... when you use the workspace permissions API/UI to grant or revoke "Service principal user/manager" on that service principal at the workspace level.</P> <P>The account console "Permissions" tab you used is backed by the Account Access Control API, which emits service_name = accountsAccessControl, action_name = updateRuleSet, not changeServicePrincipalAcls.</P> <P>You may also find <A href="https://docs.databricks.com/aws/en/admin/account-settings/audit-logs" target="_blank">this</A> useful.</P> <P class="p1"><FONT size="2" color="#FF6600"><STRONG><I>If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.</I></STRONG></FONT><I></I></P> Fri, 01 May 2026 15:35:24 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/155946#M2831 Ashwin_DSA 2026-05-01T15:35:24Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156437#M2838 <P>Thank you for your reply. I understand that my criteria were incorrect.<BR />I want to check if there have been any operations that changed the user or group that can manage the service principal. Is it correct to search using the conditions you suggested, `service_name = accountsAccessControl, action_name = updateRuleSet`?<BR />Also, what other operations would be included in a search using these conditions?</P> Fri, 08 May 2026 08:57:57 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156437#M2838 kohei-matsumura 2026-05-08T08:57:57Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156439#M2839 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/160826">@kohei-matsumura</a>,</P> <P>Yes.. if you want to find changes to account-console roles on a service principal (for example, who has roles/servicePrincipal.manager or roles/servicePrincipal.user), then service_name = 'accountsAccessControl' and action_name = 'updateRuleSet' is the right audit event family to search. The account-console permissions flow for service principals is handled by the Accounts Access Control API, and grant/revoke is done by updating the rule set for that service principal resource.</P> <P>But those two predicates alone are too broad if your goal is a specific service principal. They will return all rule-set updates made through the Account Access Control API, not just service-principal-manager changes.</P> <P>What else that search can include:</P> <UL> <LI>updates to the account rule set: accounts/&lt;ACCOUNT_ID&gt;/ruleSets/default</LI> <LI>updates to a group rule set: accounts/&lt;ACCOUNT_ID&gt;/groups/&lt;GROUP_ID&gt;/ruleSets/default</LI> <LI>updates to a service principal rule set: accounts/&lt;ACCOUNT_ID&gt;/servicePrincipals/&lt;SP_ID&gt;/ruleSets/default</LI> <LI>updates to a tag policy rule set: accounts/&lt;ACCOUNT_ID&gt;/tagPolicies/&lt;TAG_POLICY_ID&gt;/ruleSets/default</LI> </UL> <P>So for your use case, the better filter is:</P> <UL> <LI>service_name = 'accountsAccessControl'</LI> <LI>action_name = 'updateRuleSet'</LI> <LI>request_params['account_id'] = '&lt;account-id&gt;'</LI> <LI>get_json_object(request_params['name'], '$.name') = 'accounts/&lt;account-id&gt;/servicePrincipals/&lt;sp-id&gt;/ruleSets/default'</LI> </UL> <P>That narrows the results to updates to that service principal’s rule set specifically. Also note...&nbsp;updateRuleSet is a full replacement of the rule set, not a single "grant one user" delta event. One audit record can therefore represent multiple additions/removals/changes at once, depending on the final contents of request_params['rule_set'].</P> <P>If you want to specifically inspect who can manage the SP, look inside the rule set for roles/servicePrincipal.manager. If you also care about who can use it, look for roles/servicePrincipal.user as well.</P> <P>Some links if you find them useful..&nbsp;</P> <P><A href="https://docs.databricks.com/aws/en/dev-tools/cli/reference/account-access-control-commands" target="_blank">https://docs.databricks.com/aws/en/dev-tools/cli/reference/account-access-control-commands</A></P> <P><A href="https://docs.databricks.com/aws/en/security/auth/access-control/service-principal-acl" target="_blank">https://docs.databricks.com/aws/en/security/auth/access-control/service-principal-acl</A></P> <P class="p1"><FONT size="2" color="#FF6600"><STRONG><I>If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.</I></STRONG></FONT><I></I></P> <DIV class="tk0j8o1 _1ibi0s31a _1ibi0s3do">&nbsp;</DIV> <P>&nbsp;</P> Fri, 08 May 2026 09:54:10 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156439#M2839 Ashwin_DSA 2026-05-08T09:54:10Z https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156534#M2840 <P>Thank you very much!</P><P>I understand</P> Mon, 11 May 2026 08:23:35 GMT https://community.databricks.com/t5/data-governance/specific-audit-logs-are-not-being-generated/m-p/156534#M2840 kohei-matsumura 2026-05-11T08:23:35Z