Audit trail
H2O AI Engine Manager (AIEM) records an audit event for every authenticated API request. The audit trail lets administrators verify that access patterns and administrative changes match expectations, and supports compliance reviews by providing a complete record of who did what and when.
How auditing works
AIEM records an audit event for every authenticated request:
- A user sends an authenticated request to the AIEM REST API.
- AIEM validates the bearer token and identifies the caller.
- AIEM executes the operation and records the authorization action and target resource.
- AIEM writes the audit event to the platform's audit trail service.
Data captured per event
Each audit event records the following fields:
| Field | Description | Example |
|---|---|---|
| Event time | Timestamp of the request. | 2026-06-22T14:30:00Z |
| Action | The authorization action the request required. Format: actions/enginemanager/<resource>/<VERB>. | actions/enginemanager/daiEngines/CREATE |
| Read-only | Whether the operation was read-only (GET, LIST) or a mutation. | true |
| Resource | The full resource name of the target. Format: //engine-manager/<resource-path>. | //engine-manager/workspaces/ws1/daiEngines/abc123 |
| Principal | The authenticated user who made the request. | users/jane.doe@example.com |
| Status code | The status code of the response. | OK, PermissionDenied, NotFound |
| Status message | Error message when the request failed; empty on success. | |
| Source IP | The client IP address. When the request passes through a proxy, the proxy-reported IP is used. | 10.0.1.5 |
| User agent | The HTTP User-Agent header value. | python-requests/2.31.0 |
Action identifier format
Every AIEM authorization action follows the pattern:
actions/enginemanager/<resourceType>/<VERB>
For example:
actions/enginemanager/daiEngines/CREATE— creating a Driverless AI engineactions/enginemanager/h2oEngineProfiles/UPDATE— updating an H2O-3 engine profileactions/enginemanager/notebookEngineImages/DELETE— deleting a notebook imageactions/enginemanager/sandboxEngineTemplates/LIST— listing sandbox templates
The RBAC roles and permissions page lists every action and which roles include it.
What is audited
Auditing spans every resource type AIEM manages, and both read and state-changing operations generate events. The following table summarizes the audited operations for each resource type:
| Resource type | Audited operations |
|---|---|
| Engines (DAI, H2O-3, Notebook, Sandbox) | Create, get, list, update, pause, resume, terminate, delete, download logs, access, resize storage |
| Engine profiles (DAI, H2O-3, Notebook) | Create, get, list, list assigned, update, delete |
| Engine versions (DAI, H2O-3) | Create, get, list, update, delete, assign aliases |
| Engine images (Notebook, Sandbox) | Create, get, list, update, delete |
| Sandbox templates | Create, get, list, update, delete |
Related topics
- RBAC roles and permissions — the authorization actions that appear in audit events.
- Engine profile security configuration — the administrative settings whose changes are recorded in the audit trail.
Feedback
- Submit and view feedback for this page
- Send feedback about AI Engine Manager to cloud-feedback@h2o.ai