Access Transparency logs

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

Using G Suite audit logs, you can see a record of actions taken by your internal staff. Access Transparency logs provide information about actions of Google staff when they access your data.

In the G Suite Admin console, you can review the Access Transparency log report, which includes information about:

  • The affected resource and action.
  • The time of the action.
  • The reason for the action (for example, the case number associated with a customer support request).
  • Information about the Google staff member acting on the data (for example, office location).

Generate the Access Transparency log report

Open the Access Transparency log report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click Access Transparency.

Customize or export the log report

Narrow the scope of the data that’s displayed
To narrow the scope of the log data that’s displayed, on the left, select one or more filters (such as G Suite product or date range).

Change the type of data that’s displayed
To change the type of log data that’s displayed in the report (such as date or justification), at the top right, click Manage columns Manage columns.

Export the log
To export the log data to a CSV file or Google Sheets, at the top right, click Download Download.

Understand the Access Transparency log report data

Log field descriptions

Report field name  System field name Description
Date items:id:time Time the log was written.
Log ID items:events:parameters:LOG_ID Unique log ID.
G Suite Product items:events:parameters:GSUITE_PRODUCT_NAME Customer’s G Suite product that was accessed. Upper case required. Can be:
  • GMAIL
  • CALENDAR
  • DRIVE
  • SHEETS
  • SLIDES
Actor Home Office items:events:parameters:ACTOR_HOME_OFFICE

ISO 3166-1 alpha-2 country code in which the accessor has a permanent desk:

  • "??" if location isn’t available
  • 3-character continent identifier where Googler is in a low-population country (ASI, EUR, OCE, AFR, NAM, SAM, ANT).
Justifications

items:events:parameters:JUSTIFICATIONS

Access justifications, such as “Customer Initiated Support - Case Number: 12345678”.

Tickets tickets Tickets associated with the justification, if any.
Resource Name items:events:parameters:RESOURCE_NAME Name of the resource that was accessed.
Owner Email items:events:parameters:OWNER_EMAIL The email ID or team identifier of the customer who owns the resource.

Justification reasons

Reason Description
CUSTOMER_INTIATED_SUPPORT Customer-Initiated support, such as a case number
GOOGLE_INITIATED_REVIEW Google-initiated access for security, fraud, abuse, or compliance purposes, including:
  • Ensuring the safety and security of customer accounts and data
  • Confirming whether data is affected by an event that might impact account security (such as malware infections)
  • Confirming whether the customer is using Google services in compliance with Google Terms of Service
  • Investigating complaints by other users and customers, or other signals of abusive activity
  • Checking that Google services are being used consistently with relevant compliance regimes (such as anti-money laundering regulations)
GOOGLE_INITIATED_SERVICE Google-initiated access to perform system management and troubleshooting, including:
  • Backup and recovery from outages and system failures
  • Investigation to confirm that the customer is not affected by suspected service issues
  • Remediation of technical issues, such as storage failure or data corruption
THIRD_PARTY_DATA_REQUEST Google accesses customer data to respond to a legal request or legal process. This includes when we respond to legal process from the customer that requires that we access the customer's own data.

In this case, Access Transparency logs might not be available if Google can’t legally inform you of such a request or process.

Set up an Access Transparency alert

You can set up an email alert for one or more log filters, such as Owner Email and Actor Home Office. You can also enable an alert for all logs across all G Suite products that support Access Transparency.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click Access Transparency.
  4. Click + Add Filter.
  5. Select one or more filters and click Apply.
  6. (Optional) To enable an alert for all logs across all supported G Suite products, select Event Name, then click Access below the search line. This creates a filter called Event Name: Access.
  7. Click Create Alert Notifications, name your new alert, and enter the email IDs of any additional alert recipients.
  8. Click Create to complete the process.

Integrate Access Transparency log data with third-party tools

You can use the Reports API to integrate Access Transparency logs with your existing security information and event management (SIEM) tools. For more information, refer to Access Transparency Activity Events.

Make an inquiry on a log entry

To request an access investigation on a particular Access Transparency log entry:

  1. Note the Log ID of the entry you want to research.
  2. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  3. From the Admin console Home page, go to Support.

    To see Support, you might have to click More controls at the bottom.

  4. Click Contact Support.
  5. Provide this information to Support:
    • Log ID of the entry in question
    • Note that the inquiry is for Access Transparency
    • Ask for more details on the activity

 

Was this helpful?
How can we improve it?