Afi data access events in the Google Workspace audit log¶
Due to Google Workspace API specifics, Afi needs to impersonate under a certain Google Workspace user for all activities that require Google Workspace access:
- User backup and recovery activites are performed on behalf of the corresponding user account.
- Shared drive backup and recovery activities are performed on behalf of one of its Manager or Content Manager members.
- Google Directory backup and recovery activities are performed on behalf of one of the tenant’s Super Admins.
- Periodic resource discovery for a Google Workspace tenant is performed on behalf of one of the tenant’s Super Admins.
Because Afi impersonates a Google Workspace user to access data, these activities (for example, file downloads) appear as if they are initiated by that user in the Google Workspace audit log. You can distinguish Afi-generated events from user-generated events via the App ID field in the audit log.

To filter out Afi-initiated audit events in the Google Workspace audit log, use the following client IDs:
115846343276804004958
- Afi Google Workspace backup108171606594064979307
- Afi Google Chats backup