Databricks Community

kohei-matsumura · Friday

I changed the administrative permissions for a specific service principal in the account management screen.

I expected an audit log to be generated with service_name = accountns and action_name = changeServicePrincipalAcls, as described in the audit log reference, but it wasn't generated.

What kind of operation would generate an audit log with service_name = accountns and action_name = changeServicePrincipalAcls?

Ashwin_DSA · Friday

Hi @kohei-matsumura,

An audit log entry with service_name = accounts and action_name = changeServicePrincipalAcls is generated only when you change the workspace-level ACLs of a service principal... as in... when you use the workspace permissions API/UI to grant or revoke "Service principal user/manager" on that service principal at the workspace level.

The account console "Permissions" tab you used is backed by the Account Access Control API, which emits service_name = accountsAccessControl, action_name = updateRuleSet, not changeServicePrincipalAcls.

You may also find this useful.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***