Audit and monitor data access using Delta Sharing (for recipients)

This article describes how data recipients can use Databricks audit logs to understand who is accessing which data using Delta Sharing.

For information about how data providers can audit Delta Sharing events, see Audit and monitor data sharing using Delta Sharing (for providers).

Requirements

• You must have a Databricks account.

• You need to enable audit logs in your account. For more information, see Configure audit log delivery.

View Delta Sharing shared table access events in the audit log

You need to know the path where you audit logs are stored. Delta Sharing events have unityCatalog as their serviceName.

The requestParams section of each event includes the following fields, which you can share with the data provider to help them troubleshoot issues.

• recipient_name: The name of the recipient in the data provider’s system.

• metastore_id: The name of the metastore in the data provider’s system.

• sourceIPAddress: The IP address where the request originated.

For example, the following audit event shows that a recipient successfully listed the shares that were available to them. In this example, redacted values are replaced with <redacted>.

{
  "Version": "2.0",
  "auditLevel": "ACCOUNT_LEVEL",
  "Timestamp": 1635235341950,
  "orgId": "0",
  "shardName": "<redacted>",
  "accountId": "<redacted>",
  "sourceIPAddress": "<redacted>",
  "userAgent": null,
  "sessionId": null,
  "userIdentity": null,
  "serviceName": "unityCatalog",
  "actionName": "deltaSharingListShares",
  "requestId": "ServiceMain-cddd3114b1b40003",
  "requestParams": {
    "Metastore_id": "<redacted>",
    "Options": "{}",
    "Recipient_name": "<redacted>"
  },
  "Response": {
    "statusCode": 200,
    "errorMessage": null,
    "Result": null
  },
  "MAX_LOG_MESSAGE_LENGTH": 16384
}

The following table lists audited actions that are delivered to data recipients. These actions record recipient access of shared tables and management of providers.

action	requestParams
deltaSharingProxyGetTableVersion	share: The name of the share. schema: The name of the schema. name: The name of the table.
deltaSharingProxyGetTableMetadata	share: The name of the share. schema: The name of the schema. name: The name of the table.
deltaSharingProxyQueryTable	share: The name of the share. schema: The name of the schema. name: The name of the table. predicateHints: The predicates included in the query. limitHint: The maximum number of rows to return. version: Table version, if change data feed is enabled.
deltaSharingProxyQueryTableChanges	share: The name of the share. schema: The name of the schema. name: The name of the table. cdf_options: Change data feed options.
createProvider	name: The name of the provider. comment: The comment for the provider.
updateProvider	name: The name of the provider. updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner(new owner), and comment.
deleteProvider	name: The name of the provider.
getProvider	name: The name of the provider.
listProviders	none
activateProvider	name: The name of the provider.
listProviderShares	name: The name of the provider.

Logged errors

The following Delta Sharing errors are logged for the data recipient. Items between < and > characters represent placeholder text.

• The user attempted to access a share they do not have permission to access.

  DatabricksServiceException: PERMISSION_DENIED:
  User does not have SELECT on Share <share-name>`
  

• The user attempted to access a share that does not exist.

  DatabricksServiceException: SHARE_DOES_NOT_EXIST: Share <share-name> does not exist.
  

• The user attempted to access a table that does not exist in the share.

  DatabricksServiceException: TABLE_DOES_NOT_EXIST: <table-name> does not exist.
  

For a list of auditable events and errors logged for data providers, see Audit and monitor data sharing using Delta Sharing (for providers).