Context-Aware Access log events

When a user is denied access to an app

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues.

As your organization's administrator, you can run searches on Context-Aware Access log events and take action based on the results. For example, you can view a record of actions to troubleshoot when a user is denied access to an app. Entries usually appear within an hour of when the user’s access is denied.

For more information, go to Context-Aware Access overview.

Run a search for log events

Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Access level applied The access levels applied by the admins for the specific app. If one of them is satisfied, the user's access will be granted.
Access level satisfied The access levels that the user successfully met during the access evaluation.

If at least one of the access levels from the Access level applied attribute also appears under Access level satisfied, then it's an access grant event, which is not shown in CAA audit logs.

Access level unsatisfied All the access levels that the user didn't meet during the access evaluation. If all of the access levels from the Access level applied attribute appear in this list, then access is denied.
Actor Email address of the user who performed the action
Actor group name The group name of the actor. For more information, go to Filtering results by Google Group.

To add a group to your filtering groups allowlist:

  1. Select Actor group name.
  2. Click Filtering groups.
    The Filtering groups page appears.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group.
  8. Click Save.
Actor organizational unit Organizational unit of the actor
Application Can be either:
  • The application the user was denied access to
  • (For API access) The calling application that attempted to access a blocked API
Blocked API access The API of the application the user was denied access to. For API access, the API that the calling application was blocked from accessing.
Date Date and time of the event (displayed in your browser's default time zone)
Device ID Device ID, as shown in the Admin console Home page > Devices > Mobile and Endpoints > Devices.

If the device could not be detected, this value could be unknown.

Device state State of the device used to perform this access—for example, Normal, Out of sync (stale or old), Cross organization (device doesn't belong to your organization), or No device signals (device cannot be detected).

When the device ID is unknown and the Device state attribute says No device signals, the user's device doesn't have reporting agents, such as endpoint verification or mobile device management (MDM).

Device risks The security risks on the device that caused the user to be warned or blocked, due to a Security advisor for app access protection policy.
Event The logged event action:
  • Access Denied—Access was denied to the listed user (Actor) for the listed application.
  • Access Denied (Monitor mode)—Indicates when access would be denied, if the access level were in Active mode. See Deploy Context-Aware Access.
  • Access denied/User warned (Security advisor)—Access was denied, or a user warned, due to a Security advisor for app access protection policy.
  • Access Denied Internal Error—Policy enforcement failed (access was denied) due to an issue with the enforcement server.
IP address IP address of the actor
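
The attribute rules above can be applied mechanically when triaging denials. The following is an added example, not Google's code: it assumes the log events are available as CSV with columns named after the attributes and with comma-separated access-level lists, and the sample rows, access-level names and helper names are constructed for illustration.

```python
import csv
import io

# Constructed sample rows. Column names follow the attribute table; the CSV
# layout and comma-separated access-level lists are assumptions.
SAMPLE = '''Event,Actor,Access level applied,Access level unsatisfied,Device ID,Device state
Access Denied,ana@example.com,"corp_device,corp_network","corp_device,corp_network",unknown,No device signals
Access Denied (Monitor mode),bo@example.com,corp_device,corp_device,dev-123,Out of sync
Access Denied Internal Error,cy@example.com,corp_network,,dev-456,Normal
Access Denied,di@example.com,"corp_device,corp_network",corp_device,dev-789,Cross organization
'''

POLICY_EVENTS = {"Access Denied", "Access Denied (Monitor mode)"}

def levels(cell):
    """Split a multi-value access-level cell into a set of names."""
    return {v.strip() for v in cell.split(",") if v.strip()}

def triage(row):
    """Return triage notes for one log row (hypothetical helper)."""
    notes = []
    event = row["Event"]
    if event == "Access Denied Internal Error":
        notes.append("enforcement server error, not a policy result")
    elif event == "Access Denied (Monitor mode)":
        notes.append("monitor mode: would be denied if the level were Active")
    # Page rule: a denial means every applied level is also unsatisfied.
    missing = levels(row["Access level applied"]) - levels(row["Access level unsatisfied"])
    if event in POLICY_EVENTS and missing:
        notes.append("recheck: applied but not unsatisfied: " + ",".join(sorted(missing)))
    if row["Device ID"] == "unknown" and row["Device state"] == "No device signals":
        notes.append("no reporting agent (endpoint verification or MDM)")
    elif row["Device state"] != "Normal":
        notes.append("device state: " + row["Device state"])
    return notes

def triage_export(text):
    """Map each actor to the notes for their row."""
    return {r["Actor"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for actor, notes in triage_export(SAMPLE).items():
        print(actor, "->", "; ".join(notes))
```

Security advisor events are left out of the access-level check because the page attributes those denials to device risks rather than to access levels.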

Manage log event data

Take action based on search results

Manage your investigations

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.