You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-monitor/logs/manage-access.md
+5-9Lines changed: 5 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -301,16 +301,12 @@ In addition to using the built-in roles for a Log Analytics workspace, you can c
301
301
Table-level access settings let you grant specific users or groups read-only permission to data from certain tables. Users with table-level read access can read data from the specified tables in both the workspace and the resource context.
302
302
303
303
> [!NOTE]
304
-
> We recommend using the method described here, which is currently in **preview**, to define table-level access. Alternatively, you can use the [legacy method of setting table-level read access](#legacy-method-of-setting-table-level-read-access), which has some limitations related to custom log tables. During preview, the recommended method described here does not apply to Microsoft Sentinel Detection Rules, which might have access to more tables than intended.
304
+
> We recommend using the method described here, which is currently in **preview**, to define table-level access. Alternatively, you can use the [legacy method of setting table-level read access](#legacy-method-of-setting-table-level-read-access), which has some limitations related to custom log tables. During preview, the recommended method described here does not apply to Microsoft Sentinel Detection Rules, which might have access to more tables than intended. Before using either method, see [Table-level access considerations and limitations](#table-level-access-considerations-and-limitations).
305
305
306
-
To grant a user table-level read access, you make two assignments:
306
+
Granting table-level read access involves assigning a user two roles:
307
307
308
-
- Assign the user a workspace-level custom role that provides limited permissions to read workspace details and run a query in the workspace, but not to read data from any tables.
309
-
- Assign the user read permissions to a specific table subresource. The table is a subresource of workspace. Therefore, workspace admins can also perform actions on a specific table.
310
-
311
-
> [!IMPORTANT]
312
-
> - A user who has other assignments on the workspace, directly or via inheritence (for example, if the user has the **Reader** on the subscription that contains the workspace), might also be able to access all tables in the workspace.
313
-
> - Azure applies table-level RBAC during query execution. It does not apply to metadata retrieval calls. Therefore, the list of tables in the workspace includes tables to which the user might not have access.
308
+
- At the workspace level - a custom role that provides limited permissions to read workspace details and run a query in the workspace, but not to read data from any tables.
309
+
- At the table level - a **Reader** role, scoped to the specific table.
314
310
315
311
To grant a user or group table-level read access to a specific table:
316
312
@@ -447,7 +443,7 @@ Using the legacy method of table-level access, you can't grant access to individ
447
443
],
448
444
```
449
445
450
-
### Table-level access considerations
446
+
### Table-level access considerations and limitations
451
447
452
448
- Azure applies table-level RBAC during query execution. It does not apply to metadata retrieval calls. Therefore, in the Log Analytics UI, users with table-level can see the list of all tables in the workspace, but can only retrieve data from tables to which they have access.
453
449
- The standard Reader or Contributor roles, which include the _\*/read_ action, override table-level access control and give users access to all log data.
0 commit comments