diff --git a/service.go b/service.go
index d2bd3df219f5013e2def962679f9102d4b209249..c60f5b177c6992bef486f47fa52d39b980c9d9b9 100644
--- a/service.go
+++ b/service.go
@@ -230,6 +230,7 @@ func (s *authService) authorizeUser(ctx context.Context, tx TX, req RequestBase)
 	// Requests are allowed if the SSO ticket corresponds to an admin, or if
 	// it identifies the same user that we're querying.
 	if !s.isAdmin(tkt) && tkt.User != req.Username {
+		log.Printf("unauthorized access from user %s to user %s", tkt.User, req.Username)
 		return nil, nil, ErrUnauthorized
 	}