SAP Databricks audit log reference

This article provides a comprehensive reference of audit log services and events available in SAP Databricks. By understanding which events are logged in the audit logs, your enterprise can monitor detailed SAP Databricks usage patterns in your account.

To access and query your account's audit logs, use the audit log system table.

For the full list of APIs supported on SAP Databricks, see SAP Databricks API reference.

Audit log considerations

• The services in this reference are organized by audit_level, with workspace-level actions presented first and account-level actions following.
• Because account-level actions aren't specific to a single workspace, the workspace_id in account-level logs is recorded as 0.
• Most audit logs are only accessible from the region in which they are recorded.
• SAP Databricks is a restricted platform. Audit events for Databricks features that aren't supported on SAP (for example, all-purpose and job compute, Databricks Apps, Marketplace, Lakebase, and Genie spaces) do not appear in this reference.

Workspace-level events

The following services log audit events at the workspace level.

Authentication events

These events are related to user authentication.

These events are logged under the service_name of accounts.

action_name	Description	request_params
accountInHouseOAuthClientAuthentication	An OAuth client is authenticated using an in-house OAuth token.	user authenticationMethod
accountLoginCodeAuthentication	A user's account login code is authenticated.	user
jwtLogin	User logs into Databricks using a JWT.	user authenticationMethod
login	User logs into the workspace.	user authenticationMethod
logout	User logs out of the workspace.	user
mfaAddKey	User registers a new security key.
mfaDeleteKey	User deletes a security key.	id
mfaLogin	User logs into Databricks using MFA.	user authenticationMethod
mintOAuthAuthorizationCode	An in-house OAuth authorization code is minted.	client_id
mintOAuthToken	An in-house OAuth token is minted.	grant_type scope expires_in client_id
multiFactorAuthenticationLogin	A user logs in to Databricks using multi-factor authentication.	user authenticationMethod
oidcBrowserLogin	A user logs in to Databricks using an OpenID Connect browser workflow.	user authenticationMethod
oidcTokenAuthorization	When an API call is authorized through a generic OIDC/OAuth token.	user authenticationMethod
samlLogin	User logs in to Databricks through SAML SSO.	user authenticationMethod
workspaceLoginCodeAuthentication	A user's workspace-scoped login code is authenticated.	user authenticationMethod

User and group management events

These events are related to user and group management.

These events are logged under the service_name of accounts.

action_name	Description	request_params
activateUser	A user is reactivated after being deactivated.	targetUserName endpoint targetUserId
add	A user is added to a SAP Databricks workspace.	targetUserName endpoint targetUserId
addPrincipalToGroup	A user is added to a workspace-level group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
addPrincipalsToGroup	Multiple users are added to a workspace-level group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
changeDatabricksSqlAcl	A user's Databricks SQL permissions are changed.	shardName targetUserId resourceId aclPermissionSet
changeDatabricksWorkspaceAcl	Permissions to a workspace are changed.	shardName targetUserId resourceId aclPermissionSet
changeDatabricksWorkspaceDirectoryAcl	Permissions to a workspace directory are changed.	shardName targetUserId resourceId aclPermissionSet
changeServicePrincipalAcls	When a service principal's permissions are changed.	shardName targetServicePrincipal resourceId aclPermissionSet
createGroup	A workspace-level group is created.	endpoint targetUserId targetUserName
deactivateUser	A user is deactivated in the workspace.	targetUserName endpoint targetUserId
delete	A user is deleted from the SAP Databricks workspace.	targetUserId targetUserName endpoint
deleteUser	A user's personally identifiable information is purged after they have not belonged to any running workspaces for at least 7 days.
disableWorkspaceAcls	Workspace access control is disabled for the workspace.	shardName endpoint
enableWorkspaceAcls	Workspace access control is enabled for the workspace.	shardName endpoint
removeAdmin	A user is revoked of workspace admin permissions.	targetUserName endpoint targetUserId
removeGroup	A group is removed from the workspace.	targetGroupId targetGroupName endpoint
removePrincipalFromGroup	A user is removed from a group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
removePrincipalsFromGroup	Multiple users are removed from a workspace-level group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
setAdmin	A user is granted account admin permissions.	endpoint targetUserName targetUserId
updateGroup	A group's properties are updated.	endpoint targetGroupId targetGroupName
updateUser	An account admin updates a user's account.	targetUserName endpoint targetUserId
usernameDomainDenied	A user sign-up attempt is denied because the email domain is not allowed.	targetUserName
validateEmail	When a user validates their email after account creation.	endpoint targetUserName targetUserId

IP access list events

These events are related to IP access lists.

These events are logged under the service_name of accounts.

action_name	Description	request_params
createIpAccessList	An IP access list is added to the workspace.	ipAccessListId userId
deleteIpAccessList	An IP access list is deleted from the workspace.	ipAccessListId userId
IpAccessDenied	A user attempts to connect to the service through a denied IP.	path user userId
ipAccessListQuotaExceeded		userId
updateIpAccessList	An IP access list is changed.	ipAccessListId userId

Ingestion events

The following event is logged at the workspace level and is related to file uploads.

These events are logged under the service_name of ingestion.

action_name	Description	request_params
proxyFileUpload	A user uploads a file to their SAP Databricks workspace.	x-databricks-content-length-0 x-databricks-total-files

Lineage tracking events

These events are logged at the workspace level. This service includes events related to data lineage.

These events are logged under the service_name of lineageTracking.

action_name	Description	request_params
listColumnLineages	A user accesses the list of the upstream or downstream columns of a column.	table_name column_name lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
listSecurableLineagesBySecurable	A user accesses the list of the upstream or downstream securables of a securable.	securable_full_name securable_type lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM). metastore_id page_size page_token securable_response_filter start_timestamp subsecurable_id workspace_id
listEntityLineagesBySecurable	A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable.	securable_full_name securable_type lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM). entity_response_filter: The entity type (notebook, job, dashboard, pipeline, query, serving endpoint, etc.). metastore_id page_size start_timestamp subsecurable_id workspace_id
getColumnLineages	A user gets the column lineages for a table and its column.	table_name column_name metastore_id only_downstream only_upstream workspace_id
getTableEntityLineages	A user gets the upstream and downstream lineages of a table.	table_name include_entity_lineage include_downstream include_upstream metastore_id workspace_id
getJobTableLineages	A user gets the upstream and downstream table lineages of a job.	job_id max_result metastore_id workspace_id
getFunctionLineages	A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function.	function_name
getModelVersionLineages	A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version.	model_name version metastore_id workspace_id
getEntityTableLineages	A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.).	entity_type entity_id max_downstreams max_upstreams metastore_id workspace_id
getFrequentlyJoinedTables	A user gets the frequently joined tables for a table.	table_name include_columns limit_size metastore_id workspace_id
getFrequentQueryByTable	A user gets the frequent queries for a table.	source_table_name limit_size metastore_id workspace_id
getFrequentUserByTable	A user gets the frequent users for a table.	table_name limit_size metastore_id workspace_id
getTablePopularityByDate	A user gets the popularity (query count) for a table for the past month.	table_name metastore_id workspace_id
getPopularEntities	A user gets the popular entities (notebooks, jobs, etc.) for a table.	scope: Specifies the scope for retrieving popular entities, either from the workspace or table name. table_name limit_size metastore_id workspace_id
getPopularTables	A user gets the table popularity info for a list of tables.	scope: Specifies the scope for retrieving popular tables, either from the metastore or the table list. table_name_list metastore_id workspace_id
listCustomLineages	A user lists custom lineages for an entity.	entity_id lineage_direction metastore_id page_size workspace_id
listSecurableByEntityEvent	A user lists securables associated with entity events.	entity_id entity_type lineage_direction metastore_id page_size page_token securable_response_filter start_timestamp workspace_id

Data monitoring events

These events are logged at the workspace level. This service includes events related to Data Quality Monitoring.

These events are logged under the service_name of dataMonitoring.

action_name	Description	request_params
CancelRefresh	User cancels a monitor refresh.	full_table_name_arg refresh_id
CreateMonitor	User creates a monitor.	data_classification_config full_table_name_arg assets_dir schedule output_schema_name notifications inference_log custom_metrics slicing_exprs snapshot time_series
DeleteMonitor	User deletes a monitor.	full_table_name_arg
RegenerateDashboard	User regenerates a monitor dashboard.	full_table_name_arg
RunRefresh	Monitor is refreshed, either by schedule or manually.	full_table_name_arg
UpdateMonitor	User makes an update to a monitor.	data_classification_config table_name full_table_name_arg drift_metrics_table_name dashboard_id custom_metrics assets_dir monitor_version profile_metrics_table_name baseline_table_name status output_schema_name inference_log slicing_exprs latest_monitor_failure_msg notifications schedule snapshot

Request for access events

These events are logged at the workspace level. This service includes events related to access request destinations (Public Preview).

These events are logged under the service_name of request-for-access.

action_name	Description	request_params
updateAccessRequestDestinations	A user updates access request destinations for a Unity Catalog securable.	destinations securable
getAccessRequestDestinations	A user gets access request destinations for a Unity Catalog securable.	full_name securable_type
listDestinations	A user gets access request destinations for a Unity Catalog securable. This is a legacy version of the getAccessRequestDestinations action.	securable
getStatus	A user gets status information for a Unity Catalog securable. Request for access is considered enabled for a Unity Catalog securable if at least one access request destination exists.	securable
batchCreateAccessRequests	A user requests access for one or more Unity Catalog securables.	requests
requestAccess	A user requests access for a single Unity Catalog securable. This is a legacy version of the batchCreateAccessRequests action.	behalf_of comment privileges securable
updateDefaultDestinationStatus	A user updates the status of a workspace-level setting that controls whether all Unity Catalog securables have a default destination assigned.	none
getDefaultDestinationStatus	A user gets the status of the default destination setting.	none

Uniform Iceberg REST API events

These events are logged at the workspace level. These events are logged when users interact with managed Apache Iceberg tables using an external Iceberg-compatible engine that supports the Iceberg REST Catalog API.

These events are logged under the service_name of uniformIcebergRestCatalog.

action_name	Description	request_params
config	User gets a catalog configuration.	http_method http_path
createNamespace	User creates a namespace, with an optional set of properties.	http_method http_path
createTable	User creates a new Iceberg table.	http_method http_path
deleteNamespace	User deletes an existing namespace.	http_method http_path
deleteTable	User deletes an existing table.	http_method http_path
getNamespace	User gets properties of a namespace.	http_method http_path
listNamespaces	User makes a call to list all namespaces at a specified level.	http_method http_path
listTables	User lists all tables under a given namespace.	http_method http_path
loadTableCredentials	User loads vended credentials for a table from the catalog.	http_method http_path
loadTable	User loads a table from the catalog.	http_method http_path
loadView	User loads a view from the catalog.	http_method http_path
namespaceExists	User checks if a namespace exists.	http_method http_path
renameTable	User renames an existing table.	http_method http_path
reportMetrics	User sends a metrics report.	http_method http_path
tableExists	User checks if a table exists within a given namespace.	http_method http_path
updateNamespaceProperties	User updates properties for a namespace.	http_method http_path
updateTable	User updates table metadata.	http_method http_path
viewExists	User checks if a view exists within a given namespace.	http_method http_path

Predictive optimization events

These events are logged at the workspace level. This service includes events related to predictive optimization.

These events are logged under the service_name of predictiveOptimization.

action_name	Description	request_params
PutMetrics	Recorded when predictive optimization updates table and workload metrics so the service can more intelligently schedule optimization operations.	table_metrics_list start_time end_time

Files events

These events are logged at the workspace level. This service includes events related to file management, which includes interacting with files using the Files API or in the volumes UI.

These events are logged under the service_name of filesystem.

action_name	Description	request_params
directoriesDelete	A user deletes a directory using the Files API or the volumes UI.	path
directoriesGet	A user lists the contents of a directory using the Files API or the volumes UI.	path
directoriesHead	A user gets information about a directory using the Files API or the volumes UI.	path
directoriesPut	A user creates a directory using the Files API or the volumes UI.	path
filesDelete	User deletes a file using the Files API or the volumes UI.	path
filesGet	User downloads a file using the Files API or the volumes UI.	path transferredSize
filesHead	User gets information about a file using the Files API or the volumes UI.	path
filesPut	User uploads a file using the Files API or the volumes UI.	path receivedSize

Workspace files events

These events are logged at the workspace level. This service includes events related to workspaces files.

These events are logged under the service_name of workspaceFiles.

action_name	Description	request_params
wsfsStreamingRead	A workspace file is read by a user or programmatically as part of a workflow.	path
wsfsStreamingWrite	A workspace file is written to by a user or programmatically as part of a workflow.	path
wsfsImportFile	A user imports a file into the workspace.	path

MLflow experiment events

These events are logged at the workspace level. This service includes events related to MLflow experiments.

These events are logged under the service_name of mlflowExperiment.

action_name	Description	request_params
createMlflowExperiment	A user creates an MLflow experiment.	experimentId path experimentName
deleteMlflowExperiment	A user deletes an MLflow experiment.	experimentId path experimentName
moveMlflowExperiment	A user moves an MLflow experiment.	newPath experimentId oldPath
restoreMlflowExperiment	A user restores an MLflow experiment.	experimentId path experimentName
renameMlflowExperimentEvent	A user renames an MLflow experiment.	oldName newName experimentId parentPath

MLflow artifacts with ACL events

These events are logged at the workspace level. This service includes events related to MLflow artifacts with ACLs.

These events are logged under the service_name of mlflowAcledArtifact.

action_name	Description	request_params
readArtifact	A user makes call to read an artifact.	artifactLocation experimentId runId
writeArtifact	A user makes call to write to an artifact.	artifactLocation experimentId runId

MLflow model registry events

These events are logged at the workspace level. This service includes events related to the workspace model registry. For activity logs for models in Unity Catalog, see Unity Catalog events.

These events are logged under the service_name of modelRegistry.

action_name	Description	request_params
approveTransitionRequest	A user approves a model version stage transition request.	name version stage archive_existing_versions comment
changeRegisteredModelAcl	A user updates permissions for a registered model.	registeredModelId userId aclPermissionSet resourceId shardName targetUserId
createComment	A user posts a comment on a model version.	name version
createModelVersion	A user creates a model version.	name source run_id tags run_link
createRegisteredModel	A user creates a new registered model.	name tags description
createRegistryWebhook	User creates a webhook for Model Registry events.	orgId registeredModelId events description status creatorId httpUrlSpec
createTransitionRequest	A user creates a model version stage transition request.	name version stage comment
deleteComment	A user deletes a comment on a model version.	id
deleteModelVersion	A user deletes a model version.	name version
deleteModelVersionTag	A user deletes a model version tag.	name version key
deleteRegisteredModel	A user deletes a registered model.	name
deleteRegisteredModelTag	A user deletes the tag for a registered model.	name key
deleteRegistryWebhook	User deletes a Model Registry webhook.	orgId webhookId
deleteTransitionRequest	A user cancels a model version stage transition request.	name version stage creator
finishCreateModelVersionAsync	Completed asynchronous model copying.	name version
generateBatchInferenceNotebook	Batch inference notebook is autogenerated.	userId orgId modelName inputTableOpt outputTablePathOpt stageOrVersion modelVersionEntityOpt notebookPath
generateDltInferenceNotebook	Inference notebook for a declarative pipeline is autogenerated.	userId orgId modelName inputTable outputTable stageOrVersion notebookPath input_table name output_table stage version
getModelVersionDownloadUri	A user gets a URI to download the model version.	name version
getModelVersionSignedDownloadUri	A user gets a URI to download a signed model version.	name version path
listModelArtifacts	A user makes a call to list a model's artifacts.	name version path page_token
listRegistryWebhooks	A user makes a call to list all registry webhooks in the model.	orgId registeredModelId
rejectTransitionRequest	A user rejects a model version stage transition request.	name version stage comment
renameRegisteredModel	A user renames a registered model.	name new_name
setEmailSubscriptionStatus	A user updates the email subscription status for a registered model.	model_name subscription_type
setModelVersionTag	A user sets a model version tag.	name version key value
setRegisteredModelTag	A user sets a model version tag.	name key value
setUserLevelEmailSubscriptionStatus	A user updates their email notifications status for the whole registry.	orgId userId subscriptionStatus subscription_type
testRegistryWebhook	A user tests the Model Registry webhook.	orgId webhookId
transitionModelVersionStage	A user gets a list of all open stage transition requests for the model version.	name version stage archive_existing_versions comment
triggerRegistryWebhook	A Model Registry webhook is triggered by an event.	orgId registeredModelId events status
updateComment	A user post an edit to a comment on a model version.	id
updateRegistryWebhook	A user updates a Model Registry webhook.	orgId webhookId

Model serving events

These events are logged at the workspace level. This service includes events related to model serving.

These events are logged under the service_name of serverlessRealTimeInference.

action_name	Description	request_params
cancelUpdateServingEndpoint	User cancels an in-progress update of a model serving endpoint.	name
changeInferenceEndpointAcl	User updates permissions for an inference endpoint.	shardName targetUserId resourceId aclPermissionSet
createServingEndpoint	User creates a model serving endpoint.	name config
deleteServingEndpoint	User deletes a model serving endpoint.	name
getQuerySchemaPreview	Users makes a call to get the query schema preview.	endpoint_name
patchInferenceEndpointUsagePolicy	User updates the usage policy of a serving endpoint.	name
putInferenceEndpointAiGateway	User updates the AI Gateway configuration for a serving endpoint, including rate limits, guardrails, inference tables, fallbacks, and usage tracking.	name ai_gateway_config
startServingEndpoint	User starts a model serving endpoint.	name
stopServingEndpoint	User stops a model serving endpoint.	name
updateServingEndpoint	User updates a model serving endpoint.	name served_models traffic_config

Unity Catalog HTTP connection events

These events are logged at the workspace level when requests are proxied through a Unity Catalog HTTP connection, such as when calling external functions or connecting to external MCP servers.

These events are logged under the service_name of ucHttpConnection.

action_name	Description	request_params
ucHttpConnectionProxiedRequest	A request is proxied through a Unity Catalog HTTP connection to an external endpoint.	auth_type connection_id connection_name http_method

Vector search events

These events are logged at the workspace level. This service includes events related to Vector Search.

These events are logged under the service_name of vectorSearch.

action_name	Description	request_params
createEndpoint	User creates a vector search endpoint.	name endpoint_type
deleteEndpoint	User deletes a vector search endpoint.	name
changeEndpointAcl	User updates permissions on a vector search endpoint.	access_control_list request_object_id request_object_type
createVectorIndex	User creates a vector search index.	name endpoint_name primary_key index_type delta_sync_index_spec direct_access_index_spec
deleteVectorIndex	User deletes a vector search index.	name endpoint_name (optional) delete_embedding_writeback_table
changeEndpointAcl	User changes access control list for an endpoint.	name endpoint_name access_control_list
queryVectorIndex	User queries a vector search index.	name endpoint_name (optional)
queryVectorIndexNextPage	User reads the paginated results of a vector search index query.	name endpoint_name (optional)
scanVectorIndex	User scans all data in a vector search index.	name endpoint_name (optional)
upsertDataVectorIndex	User upserts data in a Direct Access vector search index.	name endpoint_name (optional)
deleteDataVectorIndex	User deletes data in a Direct Access vector search index.	name endpoint_name (optional)
queryVectorIndexRouteOptimized	User queries a vector search index using a low-latency API route.	name endpoint_name (optional)
queryVectorIndexNextPageRouteOptimized	User reads the paginated results of a vector search index query using a low-latency API route.	name endpoint_name (optional)
scanVectorIndexRouteOptimized	User scans all data in a vector search index using a low-latency API route.	name endpoint_name (optional)
upsertDataVectorIndexRouteOptimized	User upserts data in a Direct Access vector search index using a low-latency API route.	name endpoint_name (optional)
deleteDataVectorIndexRouteOptimized	User deletes data in a Direct Access vector search index using a low-latency API route.	name endpoint_name (optional)

Databricks SQL events

These events are logged at the workspace level. This service includes events related to Databricks SQL.

These events are logged under the service_name of databrickssql.

action_name	Description	request_params
cancelQueryExecution	A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.	queryExecutionId: Only emitted when the legacy SQL editor is used. query_id: Only emitted when the new SQL editor is used.
changeEndpointAcls	A warehouse manager updates permissions on a SQL warehouse.	aclPermissionSet resourceId shardName targetUserId
cloneFolderNode	A user clones a folder in the workspace browser.	dashboardId
commandFinish	Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.	warehouseId commandId
commandSubmit	Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.	warehouseId commandId validation commandText commandParameters
createQuery	A user creates a new query.	queryId
getQuery	A user opens a query in SQL editor page or calls the Databricks SQL Get a query API. Only emitted when the legacy SQL editor or Databricks SQL REST API is used.	queryId
createQueryDraft	A user creates a query draft. Only emitted when the legacy SQL editor is used.	queryId
createQuerySnippet	A user creates a query snippet.	querySnippetId
createVisualization	A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. Only emitted when the legacy SQL editor is used.	queryId visualizationId
createWarehouse	A user with the cluster create entitlement creates a SQL warehouse.	auto_resume auto_stop_mins channel warehouse_type cluster_size conf_pairs custom_cluster_confs enable_databricks_compute enable_photon enable_serverless_compute instance_profile_arn max_num_clusters min_num_clusters name size spot_instance_policy tags test_overrides
deleteWarehouse	A warehouse manager deletes a SQL warehouse.	id
deleteQuery	A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.	queryId
deleteQueryDraft	A user deletes a query draft. Only emitted when the legacy SQL editor is used.	queryId
deleteQuerySnippet	A user deletes a query snippet.	querySnippetId
deleteVisualization	A user deletes a visualization from a query in the SQL Editor. Only emitted when the legacy SQL editor is used.	visualizationId
downloadQueryResult	A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.	fileType queryId queryResultId: Only emitted when the legacy SQL editor is used. credentialsEmbedded credentialsEmbeddedId
editWarehouse	A warehouse manager makes edits to a SQL warehouse.	auto_stop_mins channel warehouse_type cluster_size confs enable_photon enable_serverless_compute id instance_profile_arn max_num_clusters min_num_clusters name spot_instance_policy tags
executeAdhocQuery	Generated by one of the following: - A user runs a query draft in the SQL editor - A query is executed from a visualization aggregation - A user loads a dashboard and executes underlying queries.	dataSourceId: Only emitted when the legacy SQL editor is used. Equivalent to the SQL warehouse ID. warehouse_id: Only emitted when the new SQL editor is used. query_id: Only emitted when the new SQL editor is used. Corresponds to the current query text in the new SQL editor, which may be equivalent to the original saved query.
executeSavedQuery	A user runs a saved query. Only emitted when the legacy SQL editor is used.	queryId
favoriteQuery	A user favorites a query.	queryId
forkQuery	A user clones a query.	originalQueryId queryId
getHistoryQueriesByLookupKeys	A user gets details for one or more query executions using lookup keys.	lookup_keys include_metrics
getHistoryQuery	A user gets details for a query execution using the UI.	id queryId include_metrics include_plans include_json_plans
listHistoryQueries	A user opens the query history page or calls the Query History List Queries API.	filter_by include_metrics max_results page_token order_by
moveQueryToTrash	A user moves a query to the trash.	queryId treestoreId: Only emitted when the new SQL editor is used and a valid queryId cannot be returned.
restoreQuery	A user restores a query from the trash.	queryId
setWarehouseConfig	A workspace admin updates their workspace's SQL warehouse settings, including configuration parameters and data access properties.	data_access_config enable_serverless_compute instance_profile_arn security_policy serverless_agreement sql_configuration_parameters
startWarehouse	A SQL warehouse is started.	id
stopWarehouse	A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.	id
transferObjectOwnership	A workspace admin transfers the ownership of a query to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.	newOwner objectId objectType
unfavoriteQuery	A user removes a query from their favorites.	queryId
updateFolderNode	A user updates a folder node in the workspace browser.	name
updateOrganizationSetting	A workspace admin makes updates to the workspace's SQL settings.	has_configured_data_access has_explored_sql_warehouses has_granted_permissions hide_plotly_mode_bar send_email_on_failed_dashboards allow_downloads
updateQuery	A user makes an update to a query. ownerUserName is populated if the query ownership is transferred using the API.	queryId ownerUserName
updateQueryDraft	A user makes an update to a query draft. Only emitted when the legacy SQL editor is used.	queryId
updateQuerySnippet	A user makes an update to a query snippet.	querySnippetId
updateVisualization	A user updates a visualization from the SQL Editor. Only emitted when the legacy SQL editor is used.	visualizationId

Notebook events

These events are logged at the workspace level. This service includes events related to notebooks.

note

SAP Databricks does not support classic notebook compute (all-purpose clusters). The attachNotebook, detachNotebook, runCommand, and submitCommand events on SAP Databricks fire only when the new SQL editor is attached to a SQL warehouse. In those events, the clusterId parameter contains the SQL warehouse ID.

These events are logged under the service_name of notebook.

action_name	Description	request_params
attachNotebook	A notebook is attached to a cluster. Also emitted when the new SQL editor is attached to a SQL warehouse.	path clusterId notebookId
cloneNotebook	A user clones a notebook.	notebookId path clonedNotebookId destinationPath
createFolder	A notebook folder is created.	path
createNotebook	A notebook is created.	notebookId path
deleteFolder	A notebook folder is deleted.	path
deleteNotebook	A notebook is deleted.	notebookId notebookName path
deleteRepo	A repository is deleted.	path
detachNotebook	A notebook is detached from a cluster. Also emitted when the new SQL editor is detached from a SQL warehouse.	notebookId clusterId path
downloadLargeResults	A user downloads query results too large to display in the notebook. Also emitted when the new SQL editor is used to download query results.	notebookId notebookFullPath commandId fileType
downloadPreviewResults	A user downloads query results from a notebook or the new SQL editor. Also emitted when a user views a previous result in execution history. If the log is from a view, fileType is set to json.	notebookId notebookFullPath commandId fileType statementId: Only emitted when a user views a previous result in execution history.
importNotebook	A user imports a notebook.	path workspaceExportFormat
modifyNotebook	A notebook is modified.	notebookId path
moveFolder	A notebook folder is moved from one location to another.	oldPath newPath folderId
moveNotebook	A notebook is moved from one location to another.	newPath oldPath notebookId
openNotebook	A user opens a notebook using the UI.	notebookId path
renameFolder	A notebook folder is renamed.	folderId newName oldName parentPath
renameNotebook	A notebook is renamed.	newName oldName parentPath notebookId
restoreFolder	A deleted folder is restored.	path
restoreNotebook	A deleted notebook is restored.	path notebookId notebookName
restoreRepo	A deleted repository is restored.	path
runCommand	Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor. executionTime is measured in seconds.	notebookId executionTime status commandId commandText commandLanguage
submitCommand	Generated when a command is submitted for execution in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor.	notebookId commandId clusterId commandLanguage commandText (only available when verbose audit logs are enabled)
takeNotebookSnapshot	Notebook snapshots are taken when either the job service or mlflow is run.	path

Git folder events

These events are logged at the workspace level. This service includes events related to Databricks Git folders. See also gitCredentials.

These events are logged under the service_name of repos.

action_name	Description	request_params
checkoutBranch	A user checks out a branch on the repo.	id branch
commitAndPush	A user commits and pushes to a repo.	id message files checkSensitiveToken
createRepo	A user creates a repo in the workspace.	url provider path
deleteRepo	A user deletes a repo.	id
discard	A user discards a commit to a repo.	id file_paths
getRepo	A user makes a call to get information about a single repo.	id
listRepos	A user makes a call to get all repos they have Manage permissions on.	path_prefix next_page_token
pull	A user pulls the latest commits from a repo.	id
updateRepo	A user updates the repo to a different branch or tag, or to the latest commit on the same branch.	id branch tag git_url git_provider

Git credential events

These events are logged at the workspace level. This service includes events related to Git credentials for Databricks Git folders.

These events are logged under the service_name of gitCredentials.

action_name	Description	request_params
createGitCredential	A user creates a git credential.	git_provider git_username
deleteGitCredential	A user deletes a git credential.	id
getGitCredential	A user gets a git credentials.	id
linkGitProvider	A user links a git provider.	git_provider principal_id
listGitCredentials	A user lists all git credentials.	principal_id
updateGitCredential	A user updates a git credential.	id git_provider git_username

Workspace events

These events are logged at the workspace level. This service includes events related to workspace management.

These events are logged under the service_name of workspace.

action_name	Description	request_params
addPermissionAssignment	An account admin adds a principal to a workspace.	principal_id account_id workspace_id
changeWorkspaceAcl	Permissions to the workspace are changed.	shardName targetUserId aclPermissionSet resourceId
deletePermissionAssignment	A workspace admin removes a principal from a workspace.	principal_id account_id workspace_id
deleteSetting	A setting is deleted from the workspace.	settingKeyTypeName settingKeyName settingTypeName settingName
fileCreate	User creates a file in the workspace.	path
fileDelete	User deletes a file in the workspace.	path
fileEditorOpenEvent	User opens the file editor.	notebookId path
getPermissionAssignment	An account admin gets a workspace's permission assignments.	account_id workspace_id
getRoleAssignment	User gets a workspace's user roles.	account_id workspace_id
mintOAuthAuthorizationCode	Recorded when in-house OAuth authorization code is minted at the workspace level.	client_id
mintOAuthToken	OAuth token is minted for workspace.	grant_type scope expires_in client_id
moveWorkspaceNode	A workspace admin moves workspace node.	destinationPath path
purgeWorkspaceNodes	A workspace admin purges workspace nodes.	treestoreId
reattachHomeFolder	An existing home folder is re-attached for a user that is re-added to the workspace.	path
renameWorkspaceNode	A workspace admin renames workspace nodes.	path destinationPath
unmarkHomeFolder	Home folder special attributes are removed when a user is removed from the workspace.	path
updateRoleAssignment	A workspace admin updates a workspace user's role.	account_id workspace_id principal_id role
updatePermissionAssignment	A workspace admin adds a principal to the workspace.	principal_id permissions
setSetting	A workspace admin configures a workspace setting.	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
workspaceConfEdit	Workspace admin makes updates to a setting, for example enabling verbose audit logs.	workspaceConfKeys workspaceConfValues
workspaceExport	User exports a notebook from a workspace.	workspaceExportDirectDownload workspaceExportFormat notebookFullPath
workspaceInHouseOAuthClientAuthentication	OAuth client is authenticated in workspace service.	user

Secrets events

These events are logged at the workspace level. This service includes events related to secrets.

These events are logged under the service_name of secrets.

action_name	Description	request_params
createScope	User creates a secret scope.	scope initial_manage_principal scope_backend_type
deleteAcl	User deletes ACLs for a secret scope.	scope principal
deleteScope	User deletes a secret scope.	scope
deleteSecret	User deletes a secret from a scope.	key scope
getAcl	User gets ACLs for a secret scope.	scope principal
getSecret	User gets a secret from a scope.	key scope
listAcls	User makes a call to list ACLs for a secret scope.	scope
listScopes	User makes a call to list secret scopes.	none
listSecrets	User makes a call to list secrets within a scope.	scope
putAcl	User changes ACLs for a secret scope.	scope principal permission
putSecret	User adds or edits a secret within a scope.	string_value key scope

Databricks workspace access events

These events are logged at the workspace level. This service includes events related to remote workspace access by Databricks personnel. For more information, see Workspace access for SAP Databricks personnel.

These events are logged under the service_name of genie.

action_name	Description	request_params
databricksAccess	A Databricks personnel is authorized to access a customer environment.	duration approver reason authType user

Account-level services

The following services log audit events at the account level.

Account access control events

These events are logged at the account level and are related to the Account Access Control API (Public Preview).

These events are logged under the service_name of accountsAccessControl.

action_name	Description	request_params
updateRuleSet	A user updates a rule set using the Account Access Control API.	account_id name: Name of the rule set rule_set authz_identity

Federation policy events

These events are logged at the account level and are related to federation policies.

These events are logged under the service_name of accounts.

action_name	Description	request_params
createFederationPolicy	An account admin creates an account or service principal federation policy.	policy_id service_principal_id (optional)
deleteFederationPolicy	An account admin deletes an account or service principal federation policy.	policy_id service_principal_id (optional)
updateFederationPolicy	An account admin updates an account or service principal federation policy.	policy_id service_principal_id (optional)

Account-level authentication events

These events are related to account console authentication.

These events are logged under the service_name of accounts.

action_name	Description	request_params
accountInHouseOAuthClientAuthentication	An OAuth client is authenticated.	endpoint user: logged as an email address authenticationMethod
accountLoginCodeAuthentication	A user's account login code is authenticated.	user
accountlessToAccountLoginAuthentication	A user logs in through the accountless-to-account upgrade flow.	user authenticationMethod
deletePasskeyCredential	A user deletes a passkey credential.	credential_id
deleteTotpCredential	A user deletes a TOTP authenticator app setup key.
login	A user logs into the account console.	user authenticationMethod
logout	A user logs out of the account console.	user
mfaLogin	A user logs in to the account console using multi-factor authentication.	user authenticationMethod
mintOAuthAuthorizationCode	Recorded when in-house OAuth authorization code is minted at the account level.	client_id
mintOAuthToken	An account-level OAuth token is issued to the service principal.	grant_type scope expires_in client_id
multiFactorAuthenticationLogin	A user logs in to the account console using multi-factor authentication.	user authenticationMethod
multiFactorAuthenticationUpdateUserAuthPolicy	A user's multi-factor authentication policy is updated.	user_mfa_state user_id
oidcBrowserLogin	A user logs into their account with the OpenID Connect browser workflow.	user
oidcTokenAuthorization	An OIDC token is authenticated for an account admin login.	user authenticationMethod
registerPasskeyCredential	A user registers a passkey credential for multi-factor authentication.
registerTotpCredential	A user registers a TOTP authenticator app credential for multi-factor authentication.
skipRegistration	A user skips multi-factor authentication registration.

Account-level user and group management events

These events are related to account-level user and group management.

These events are logged under the service_name of accounts.

action_name	Description	request_params
activateUser	A user is reactivated after being deactivated.	targetUserName endpoint targetUserId
add	A user is added to the SAP Databricks account.	targetUserName endpoint targetUserId
addPrincipalToGroup	A user is added to an account-level group.	targetGroupId endpoint targetUserId targetGroupName groupMembershipType targetUserName
addPrincipalsToGroup	Users are added to an account-level group using SCIM provisioning.	targetGroupId endpoint targetUserId targetGroupName targetUserName
createGroup	An account-level group is created.	endpoint targetGroupId targetGroupName
deactivateUser	A user is deactivated.	targetUserName endpoint targetUserId
delete	A user is deleted from the SAP Databricks account.	targetUserId targetUserName endpoint
removeAccountAdmin	An account admin removes account admin permissions from another user.	targetUserName endpoint targetUserId
removeGroup	A group is removed from the account.	targetGroupId targetGroupName endpoint
removePrincipalFromGroup	A user is removed from an account-level group.	targetGroupId endpoint targetUserId targetGroupName groupMembershipType targetUserName
removePrincipalsFromGroup	Users are removed from an account-level group using SCIM provisioning.	targetGroupId endpoint targetUserId targetGroupName targetUserName
setAccountAdmin	An account admin assigns the account admin role to another user.	targetUserName endpoint targetUserId
updateGroup	An account admin updates an account-level group.	endpoint targetGroupId targetGroupName
updateUser	An account admin updates a user account.	targetUserName endpoint targetUserId
usernameDomainDenied	A user sign-up attempt is denied because the email domain is not allowed.	targetUserName
validateEmail	When a user validates their email after account creation.	endpoint targetUserName targetUserId

Account-level token and settings events

These events are related to token management and account settings.

These events are logged under the service_name of accounts.

action_name	Description	request_params
accountIpAclsValidationFailed	IP permissions validation fails. Returns statusCode 403.	sourceIpAddress user: logged as an email address
deleteSetting	Account admin removes a setting from the SAP Databricks account.	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
setSetting	An account admin updates an account-level setting.	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit

Service principal credentials events

These events are logged at the account level. These events are related to service credentials.

These events are logged under the service_name of servicePrincipalCredentials.

action_name	Description	request_params
create	Account admin generates an OAuth secret for the service principal.	account_id service_principal secret_id lifetime
list	Account admin lists all OAuth secrets under a service principal.	account_id service_principal
delete	Account admin deletes a service principal's OAuth secret.	account_id service_principal secret_id

Private access settings events

These events are logged at the account level and are related to the Private Access Settings API.

These events are logged under the service_name of accountsManager.

action_name	Description	request_params
createPrivateAccessSettings	Account admin created a private access settings configuration.	private_access_settings
deletePrivateAccessSettings	Account admin deleted a private access settings configuration.	account_id private_access_settings_id
getPrivateAccessSettings	Account admin requests details about a private access settings configuration.	account_id private_access_settings_id
listPrivateAccessSettings	Account admin lists all private access settings configurations in the account.	account_id

Unity Catalog events

The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog events are logged at the account level, so workspace_id is recorded as 0. The originating workspace ID is included in request_params.workspace_id.

These events are logged under the service_name of unityCatalog.

action_name	Description	request_params
createMetastore	Account admin creates a metastore.	name storage_root workspace_id metastore_id
getMetastore	Account admin requests metastore ID.	id workspace_id metastore_id
getMetastoreSummary	Account admin requests details about a metastore.	workspace_id metastore_id
listMetastores	Account admin requests a list of all metastores in an account.	workspace_id
updateMetastore	Account admin makes an update to a metastore.	id owner workspace_id metastore_id
deleteMetastore	Account admin deletes a metastore.	id force workspace_id metastore_id
updateMetastoreAssignment	Account admin makes an update to a metastore's workspace assignment.	workspace_id metastore_id default_catalog_name
createExternalLocation	Account admin creates an external location.	name skip_validation url credential_name workspace_id metastore_id
getExternalLocation	Account admin requests details about an external location.	name_arg include_browse workspace_id metastore_id
listExternalLocations	Account admin request list of all external locations in an account.	url max_results workspace_id metastore_id
updateExternalLocation	Account admin makes an update to an external location.	name_arg owner workspace_id metastore_id
deleteExternalLocation	Account admin deletes an external location.	name_arg force workspace_id metastore_id
createCatalog	User creates a catalog.	name comment workspace_id metastore_id
deleteCatalog	User deletes a catalog.	name_arg workspace_id metastore_id
getCatalog	User requests details about a catalog.	name_arg dependent workspace_id metastore_id
updateCatalog	User updates a catalog.	name_arg isolation_mode comment workspace_id metastore_id
listCatalog	User makes a call to list all catalogs in the metastore.	name_arg workspace_id metastore_id
createSchema	User creates a schema.	name catalog_name comment workspace_id metastore_id
deleteSchema	User deletes a schema.	full_name_arg force workspace_id metastore_id
getSchema	User requests details about a schema.	full_name_arg dependent workspace_id metastore_id
listSchema	User requests a list of all schemas in a catalog.	catalog_name
updateSchema	User updates a schema.	full_name_arg name workspace_id metastore_id comment
createStagingTable		name catalog_name schema_name workspace_id metastore_id
createTable	User creates a table. The request parameters differ depending on the type of table created.	name data_source_format catalog_name schema_name storage_location columns dry_run table_type view_dependencies view_definition sql_path comment
deleteTable	User deletes a table.	full_name_arg workspace_id metastore_id
getTable	User requests details about a table.	include_delta_metadata full_name_arg dependent workspace_id metastore_id
privilegedGetTable		full_name_arg
listTables	User makes a call to list all tables in a schema.	catalog_name schema_name workspace_id metastore_id include_browse
listTableSummaries	User gets an array of summaries for tables for a schema and catalog within the metastore.	catalog_name schema_name_pattern workspace_id metastore_id
updateTables	User makes an update to a table. The request parameters displayed vary depending on the type of table updates made.	full_name_arg table_type table_constraint_list data_source_format columns dependent row_filter storage_location sql_path view_definition view_dependencies owner comment workspace_id metastore_id
createStorageCredential	Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials.	name comment workspace_id metastore_id
listStorageCredentials	Account admin makes a call to list all storage credentials in the account.	workspace_id metastore_id
getStorageCredential	Account admin requests details about a storage credential.	name_arg workspace_id metastore_id
updateStorageCredential	Account admin makes an update to a storage credential.	name_arg owner workspace_id metastore_id
deleteStorageCredential	Account admin deletes a storage credential.	name_arg workspace_id metastore_id
generateTemporaryTableCredential	Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when.	credential_id credential_type credential_kind is_permissions_enforcing_client table_full_name operation table_id workspace_id table_url metastore_id
generateTemporaryPathCredential	Logged whenever a temporary credential is granted for a path.	url operation make_path_only_parent credential_kind fallback_enabled workspace_id metastore_id
checkPathAccess	Logged whenever user permissions are checked for a given path.	path fallback_enabled
getPermissions	User makes a call to get permission details for a securable object. This call doesn't return inherited permissions, only explicitly assigned permissions.	securable_type securable_full_name workspace_id metastore_id
getEffectivePermissions	User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions.	securable_type securable_full_name workspace_id metastore_id
updatePermissions	User updates permissions on a securable object.	securable_type changes securable_full_name workspace_id metastore_id
metadataSnapshot	User queries the metadata from a previous table version.	securables include_delta_metadata workspace_id metastore_id
metadataAndPermissionsSnapshot	User queries the metadata and permissions from a previous table version.	securables include_delta_metadata workspace_id metastore_id
updateMetadataSnapshot	User updates the metadata from a previous table version.	table_list_snapshots schema_list_snapshots workspace_id metastore_id
getForeignCredentials	User makes a call to get details about a foreign table.	securables workspace_id metastore_id
getInformationSchema	User makes a call to get details about a schema.	table_name page_token required_column_names row_set_type required_column_names workspace_id metastore_id
createConstraint	User creates a constraint for a table.	full_name_arg constraint workspace_id metastore_id
deleteConstraint	User deletes a constraint for a table.	full_name_arg constraint workspace_id metastore_id
deleteResourceFailure	Resource fails to delete.	none
createVolume	User creates a Unity Catalog volume.	name catalog_name schema_name volume_type storage_location owner comment workspace_id metastore_id
getVolume	User makes a call to get information on a Unity Catalog volume.	volume_full_name workspace_id metastore_id
updateVolume	User updates a Unity Catalog volume's metadata with the ALTER VOLUME or COMMENT ON calls.	volume_full_name name owner comment workspace_id metastore_id
deleteVolume	User deletes a Unity Catalog volume.	volume_full_name workspace_id metastore_id
listVolumes	User makes a call to get a list of all Unity Catalog volumes in a schema.	catalog_name schema_name workspace_id metastore_id
generateTemporaryVolumeCredential	A temporary credential is granted for a volume.	volume_id volume_full_name operation volume_storage_location credential_id credential_type credential_kind workspace_id metastore_id
getTagSecurableAssignments	Tag assignments for a securable are fetched.	securable_type securable_full_name workspace_id metastore_id
getTagSubentityAssignments	Tag assignments for a subentity are fetched.	securable_type securable_full_name workspace_id metastore_id subentity_name
UpdateTagSecurableAssignments	Tag assignments for a securable are updated.	securable_type securable_full_name workspace_id metastore_id changes
UpdateTagSubentityAssignments	Tag assignments for a subentity are updated.	securable_type securable_full_name workspace_id metastore_id subentity_name changes
createRegisteredModel	User creates a Unity Catalog registered model.	name catalog_name schema_name owner comment workspace_id metastore_id
getRegisteredModel	User makes a call to get information on a Unity Catalog registered model.	full_name_arg workspace_id metastore_id
updateRegisteredModel	User updates a Unity Catalog registered model's metadata.	full_name_arg name owner comment workspace_id metastore_id
deleteRegisteredModel	User deletes a Unity Catalog registered model.	full_name_arg workspace_id metastore_id
listRegisteredModels	User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas.	catalog_name schema_name max_results page_token workspace_id metastore_id
createModelVersion	User creates a model version in Unity Catalog.	catalog_name schema_name model_name source comment workspace_id metastore_id
finalizeModelVersion	User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows.	full_name_arg version_arg workspace_id metastore_id
getModelVersion	User makes a call to get details on a model version.	full_name_arg version_arg workspace_id metastore_id
getModelVersionByAlias	User makes a call to get details on a model version using the alias.	full_name_arg include_aliases alias_arg workspace_id metastore_id
updateModelVersion	User updates a model version's metadata.	full_name_arg version_arg name owner comment workspace_id metastore_id
deleteModelVersion	User deletes a model version.	full_name_arg version_arg workspace_id metastore_id
listModelVersions	User makes a call to get a list of Unity Catalog model versions in a registered model.	catalog_name schema_name model_name max_results page_token workspace_id metastore_id
generateTemporaryModelVersionCredential	A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when.	full_name_arg version_arg operation model_version_url credential_id credential_type credential_kind workspace_id metastore_id
setRegisteredModelAlias	User sets an alias on a Unity Catalog registered model.	full_name_arg alias_arg version
deleteRegisteredModelAlias	User deletes an alias on a Unity Catalog registered model.	full_name_arg alias_arg
getModelVersionByAlias	User gets a Unity Catalog model version by alias.	full_name_arg alias_arg
createFunction	User creates a new function.	function_info workspace_id metastore_id
updateFunction	User updates a function.	full_name_arg owner workspace_id metastore_id
listFunctions	User requests a list of all functions within a specific parent catalog or schema.	catalog_name schema_name include_browse workspace_id metastore_id
getFunction	User requests a function from a parent catalog or schema.	full_name_arg workspace_id metastore_id
deleteFunction	User requests a function from a parent catalog or schema.	full_name_arg workspace_id metastore_id
generateTemporaryServiceCredential	A temporary credential is generated to access a cloud service account from Databricks.	credential_id credential_type credential_kind workspace_id metastore_id
UpdateWorkspaceBindings	A metastore admin or object owner updates the workspace bindings of a catalog, external location, or storage credential.	securable_type securable_full_name add: Only logged when binding is assigned. Includes a list of workspace IDs and the binding type. remove: Only logged when a binding is unassigned. Includes workspace IDs of affected workspaces. workspace_id metastore_id
CreateSecurableTagAssignment	A tag assignment is created on a securable.	securable_type tag_value securable_full_name workspace_id tag_key metastore_id
CreateSubsecurableTagAssignment	A tag assignment is created on a subsecurable.	securable_type tag_value subsecurable_name securable_full_name subsecurable_type workspace_id tag_key metastore_id
DeleteSecurableTagAssignment	A tag assignment on a securable is deleted.	securable_type securable_full_name workspace_id tag_key metastore_id
DeleteSubsecurableTagAssignment	A tag assignment on a subsecurable is deleted.	securable_type subsecurable_name securable_full_name subsecurable_type workspace_id tag_key metastore_id
ListSecurableTagAssignments	A user requests a list of tag assignments on a securable.	securable_type securable_full_name workspace_id metastore_id
ListSubsecurableTagAssignments	A user requests a list of tag assignments on a subsecurable.	securable_type subsecurable_name securable_full_name subsecurable_type workspace_id metastore_id
createEntityTagAssignment	A tag assignment is created on a Unity Catalog entity.	entity_name entity_type tag_key tag_value workspace_id metastore_id
getEntityTagAssignment	A user requests details of a tag assignment on a Unity Catalog entity.	entity_name entity_type tag_key include_inherited workspace_id metastore_id
listEntityTagAssignments	A user requests a list of tag assignments on a Unity Catalog entity.	entity_name entity_type max_results include_inherited workspace_id metastore_id
updateEntityTagAssignment	A tag assignment on a Unity Catalog entity is updated.	entity_name entity_type tag_key tag_value workspace_id metastore_id
deleteEntityTagAssignment	A tag assignment on a Unity Catalog entity is deleted.	entity_name entity_type tag_key workspace_id metastore_id
listSecurableTags	A user requests a list of tags on a securable.	workspace_id metastore_id
createPolicy	ABAC policy is created.	policy_info workspace_id metastore_id
deletePolicy	ABAC policy is deleted.	name on_securable_type on_securable_fullname workspace_id metastore_id
getPolicy	User requests details about an ABAC policy.	name on_securable_type on_securable_fullname workspace_id metastore_id
listPolicies	User requests a list of ABAC policies.	include_inherited on_securable_type on_securable_fullname max_results workspace_id metastore_id
updatePolicy	ABAC policy is updated.	name policy_info on_securable_type on_securable_fullname workspace_id metastore_id
GetWorkspaceBindings	User requests workspace binding details for a securable object.	securable_type securable_full_name max_results workspace_id metastore_id
UpdateCatalogWorkspaceBindings	User updates workspace bindings for a catalog.	catalog_name assign_workspaces workspace_id metastore_id
createCredential	User creates a storage or service credential.	name credential_id credential_type purpose comment credential_kind workspace_id metastore_id
deleteCredential	User deletes a storage or service credential.	name_arg workspace_id metastore_id
getCredential	User requests details about a storage or service credential.	credential_id name_arg credential_type credential_kind workspace_id metastore_id
listCredentials	User requests a list of storage and service credentials.	max_results workspace_id metastore_id
updateCredential	User updates a storage or service credential.	name_arg name owner workspace_id metastore_id
validateCredential	User validates a storage or service credential.	external_location_name url read_only credential_name workspace_id metastore_id
createStorageLocation	User creates a storage location.	storage_info workspace_id metastore_id
createMetastoreAssignment	Admin assigns a metastore to a workspace.	input_workspace_id input_metastore_id metastore_id
deleteMetastoreAssignment	Admin removes a metastore assignment from a workspace.	input_workspace_id input_metastore_id metastore_id
getCurrentMetastoreAssignment	User requests current metastore assignment details.	workspace_id metastore_id
enableSystemSchema	Admin enables a system schema.	schema metastore_id workspace_id
disableSystemSchema	Admin disables a system schema.	schema metastore_id workspace_id
listSystemSchemas	User requests a list of system schemas.	metastore_id workspace_id
getQuota	User requests details about a resource quota.	quota_name parent_full_name parent_securable_type workspace_id metastore_id
listQuotas	User requests a list of resource quotas.	max_results workspace_id metastore_id
getTableById	User requests table details by table ID.	table_id workspace_id metastore_id
listDroppedTables	User requests a list of dropped tables.	catalog_name page_token schema_name max_results workspace_id metastore_id
tableExists	User checks if a table exists.	full_name_arg dependent workspace_id metastore_id
undropTable	User restores a dropped table.	full_name_arg workspace_id metastore_id
updateTableToManaged	User converts an external table to a managed table.	is_rollback_to_external full_name_arg entity_storage_location_id workspace_id metastore_id
listAllVolumesInMetastore	User requests a list of all volumes in a metastore.	page_token workspace_id metastore_id
getArtifactAllowlist	User requests details about the artifact allowlist.	artifact_type workspace_id metastore_id
setArtifactAllowlist	User updates the artifact allowlist.	artifact_matchers artifact_type workspace_id metastore_id

Delta Sharing events

Delta Sharing events are broken up into two sections: events recorded in the data provider's account and events recorded in the data recipient's account.

Delta Sharing provider events

These audit log events are logged in the provider's account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

These events are logged under the service_name of unityCatalog.

action_name	Description	request_params
deltaSharingListShares	A data recipient requests a list of shares.	options: The pagination options provided with this request. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingGetShare	A data recipient requests details about a shares.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListSchemas	A data recipient requests a list of shared schemas.	share: The name of the share. recipient_name: Indicates the recipient executing the action. options: The pagination options provided with this request. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListAllTables	A data recipient requests a list of all shared tables.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListTables	A data recipient requests a list of shared tables.	share: The name of the share. recipient_name: Indicates the recipient executing the action. options: The pagination options provided with this request. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingGetTableMetadata	A data recipient requests a details about a table's metadata.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. predicateHints: The predicates included in the query. limitHints: The maximum number of rows to return. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingGetTableVersion	A data recipient requests a details about a table version.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingQueryTable	Logged when a data recipient queries a shared table.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. predicateHints: The predicates included in the query. limitHints: The maximum number of rows to return. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingQueryTableChanges	Logged when a data recipient queries change data for a table.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. cdf_options: Change data feed options. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingQueriedTable	Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient's query.	recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingQueriedTableChanges	Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient's query..	recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListNotebookFiles	A data recipient requests a list of shared notebook files.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingQueryNotebookFile	A data recipient queries a shared notebook file.	file_name: The name of the notebook file. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListFunctions	A data recipient requests a list of functions in a parent schema.	share: The name of the share. schema: The name of the parent schema of the function. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListAllFunctions	A data recipient requests a list of all shared functions.	share: The name of the share. schema: The name of the parent schema of the function. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListFunctionVersions	A data recipient requests a list of function versions.	share: The name of the share. schema: The name of the parent schema of the function. function: The name of the function. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListVolumes	A data recipient requests a list of shared volumes in a schema.	share: The name of the share. schema: The parents schema of the volumes. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
deltaSharingListAllVolumes	A data recipient requests all shared volumes.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
updateMetastore	Provider updates their metastore.	delta_sharing_scope: Values can be INTERNAL or INTERNAL_AND_EXTERNAL. delta_sharing_recipient_token_lifetime_in_seconds: If present, indicates that the recipient token lifetime was updated.
createRecipient	Provider creates a data recipient.	name: The name of the recipient. comment: The comment for the recipient. ip_access_list.allowed_ip_addresses: Recipient IP address allowlist.
deleteRecipient	Provider deletes a data recipient.	name: The name of the recipient.
getRecipient	Provider requests details about a data recipient.	name: The name of the recipient.
listRecipients	Provider requests a list of all their data recipients.	none
rotateRecipientToken	Provider rotates a recipient's token.	name: The name of the recipient. comment: The comment given in the rotation command.
updateRecipient	Provider updates a data recipient's attributes.	name: The name of the recipient. updates: A JSON representation of recipient attributes that were added or removed from the share.
createShare	Provider updates a data recipient's attributes.	name: The name of the share. comment: The comment for the share.
deleteShare	Provider updates a data recipient's attributes.	name: The name of the share.
getShare	Provider requests details about a share.	name: The name of the share. include_shared_objects: Whether the share's table names were included in the request.
updateShare	Provider adds or removes data assets from a share.	name: The name of the share. updates: A JSON representation of data assets that were added or removed from the share. Each item includes action (add or remove), name (the actual name of the table), shared_as (the name the asset was shared as, if different from the actual name), and partition_specification (if a partition specification was provided).
listShares	Provider requests a list of their shares.	none
getSharePermissions	Provider requests details on a share's permissions.	name: The name of the share.
updateSharePermissions	Provider updates a share's permissions.	name: The name of the share. changes: A JSON representation of the updated permissions. Each change includes principal (the user or group to whom permission is granted or revoked), add (the list of permissions that were granted), and remove (the list of permissions that were revoked).
getRecipientSharePermissions	Provider requests details about a recipient's share permissions.	name: The name of the share.
getActivationUrlInfo	Provider requests details about activity on their activation link.	recipient_name: The name of the recipient who opened the activation URL. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
generateTemporaryVolumeCredential	Temporary credential is generated for the recipient to access a shared volume.	share_name: The name of the share through which the recipient requests. share_id: The ID of the share. share_owner: The owner of the share. recipient_name: The name of the recipient who requests the credential. recipient_id: The ID of the recipient. volume_full_name: The full 3-level name of the volume. volume_id: The ID of the volume. volume_storage_location: The cloud path of the volume root. operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported. credential_id: The ID of the credential. credential_type: The type of the credential. Value is either StorageCredential or ServiceCredential. credential_kind: The method used to authorize access. workspace_id: Value is always 0 when the request is for shared volumes.
generateTemporaryTableCredential	Temporary credential is generated for the recipient to access a shared table.	share_name: The name of the share through which the recipient requests. share_id: The ID of the share. share_owner: The owner of the share. recipient_name: The name of the recipient who requests the credential. recipient_id: The ID of the recipient. table_full_name: The full 3-level name of the table. table_id: The ID of the table. table_url: The cloud path of the table root. operation: Either READ or READ_WRITE. credential_id: The ID of the credential. credential_type: The type of the credential. Value is either StorageCredential or ServiceCredential. credential_kind: The method used to authorize access. workspace_id: Value is always 0 when the request is for shared tables.
createRecipientOidcPolicy	Provider creates an OIDC federation policy for a recipient.	recipient_name policy
deleteRecipientOidcPolicy	Provider deletes an OIDC federation policy for a recipient.	recipient_name name workspace_id metastore_id
deleteRecipientPolicy	Provider deletes a recipient policy.	recipient_name name workspace_id metastore_id
getRecipientOidcPolicy	Provider requests details about a recipient's OIDC federation policy.	recipient_name name workspace_id metastore_id
getRecipientPropertiesByDependentId	Provider requests recipient properties for a dependent object.	dependent property_keys workspace_id metastore_id
listRecipientOidcPolicies	Provider requests a list of OIDC federation policies for a recipient.	recipient_name workspace_id metastore_id
reconnectRecipientAccount	Provider reconnects a Databricks-to-Databricks recipient account.	recipient metastore_id
retrieveRecipientToken	Recipient retrieves their bearer token for open sharing authentication.	recipient_name is_ip_access_denied metastore_id
deltaSharingGetQueryInfo	Provider requests query information for a shared table.	name recipient_authentication_type recipient_global_metastore_id recipient_name share_id user_agent is_ip_access_denied share schema query_id share_name recipient_id workspace_id metastore_id
deltaSharingReconciliation	Delta Sharing performs reconciliation for a shared table.	tableType tableDataSourceFormat tableUrl schemaId tableFullName accountId metastoreId securableId catalogId opType workspace_id metastore_id
addShareToCatalog	Recipient mounts a share to a catalog.	catalog_name provider_name share_name workspace_id metastore_id
listSharesInCatalog	User requests a list of shares mounted in a catalog.	catalog_name workspace_id metastore_id
removeShareFromCatalog	Recipient unmounts a share from a catalog.	catalog_name provider_name share_name workspace_id metastore_id
listProviderShareAssets	User requests a list of assets in a provider's share.	provider_name_arg share_name_arg workspace_id metastore_id
listInboundSharedNotebookFiles	Recipient requests a list of notebook files shared in a catalog.	catalog_name workspace_id metastore_id
getInboundSharedNotebookFile	Recipient requests details about a shared notebook file.	catalog_name notebook_file_name_arg workspace_id metastore_id
listSharedCatalogs	Provider requests a list of shared catalogs.	provider_ids workspace_id metastore_id

Delta Sharing recipient events

These events are logged in the data recipient's account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

• recipient_name: The name of the recipient in the data provider's system.
• metastore_id: The name of the metastore in the data provider's system.
• sourceIPAddress: The IP address where the request originated.

These events are logged under the service_name of unityCatalog.

action_name	Description	request_params
deltaSharingProxyGetTableVersion	A data recipient requests details on a shared table version.	share_name: The name of the share. catalog_name: The name of the catalog mounted to the share. schema: The name of the table's parent schema. name: The name of the table.
deltaSharingProxyGetTableMetadata	A data recipient requests details on a shared table's metadata.	share_name: The name of the share. catalog_name: The name of the catalog mounted to the share. schema: The name of the table's parent schema. name: The name of the table.
deltaSharingProxyQueryTable	A data recipient queries a shared table.	share_name: The name of the share. catalog_name: The name of the catalog mounted to the share. schema: The name of the table's parent schema. name: The name of the table. limitHints: The maximum number of rows to return. predicateHints: The predicates included in the query. version: Table version, if change data feed is enabled.
deltaSharingProxyQueryTableChanges	A data recipient queries change data for a table.	share_name: The name of the share. catalog_name: The name of the catalog mounted to the share. schema: The name of the table's parent schema. name: The name of the table. cdf_options: Change data feed options.
createProvider	A data recipient creates a provider object.	name: The name of the provider. comment: The comment for the provider.
updateProvider	A data recipient updates a provider object.	name: The name of the provider. updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner (new owner), and comment.
deleteProvider	A data recipient deletes a provider object.	name: The name of the provider.
getProvider	A data recipient requests details about a provider object.	name: The name of the provider.
listProviders	A data recipient requests a list of providers.	none
activateProvider	A data recipient activates a provider object.	name: The name of the provider.
listProviderShares	A data recipient requests a list of a provider's shares.	name: The name of the provider.

Delta Sharing external Iceberg client events

Preview

This feature is in Preview.

These events are logged at the account level for external Iceberg clients accessing shared data using the Apache Iceberg REST Catalog API. To learn more, see Enable sharing to external Iceberg clients.

These events are logged when external Iceberg clients (such as Snowflake or other non-Databricks systems) access shared data.

These events are logged under the service_name of dataSharing.

action_name	Description	request_params
icebergGetConfig	An external Iceberg client requests configuration information.	recipient_id recipient_name recipient_authentication_type user_agent share_id share_name namespace_name table_name metastore_id
icebergListNamespaces	An external Iceberg client requests a list of namespaces.	recipient_id recipient_name recipient_authentication_type user_agent share_id share_name namespace_name table_name metastore_id
icebergGetNamespace	An external Iceberg client requests details about a namespace.	recipient_id recipient_name recipient_authentication_type user_agent share_id share_name namespace_name table_name metastore_id
icebergListTables	An external Iceberg client requests a list of tables in a namespace.	recipient_id recipient_name recipient_authentication_type user_agent share_id share_name namespace_name table_name metastore_id
icebergLoadTable	An external Iceberg client loads table metadata.	recipient_id recipient_name recipient_authentication_type user_agent share_id share_name namespace_name table_name metastore_id
icebergReportMetrics	An external Iceberg client reports metrics.	recipient_id recipient_name recipient_authentication_type user_agent share_id share_name namespace_name table_name metastore_id