File: articles/azure-monitor/logs/manage-access.md (4 additions & 4 deletions)
@@ -245,24 +245,24 @@ The `/read` permission is usually granted from a role that includes _\*/read or_
245
245
246
246
In addition to using the built-in roles for a Log Analytics workspace, you can create custom roles to assign more granular permissions. Here are some common examples.
247
247
248
-
Grant a user access to log data from their resources:
248
+
**Example 1: Grant a user access to log data from their resources.**
249
249
250
250
- Configure the workspace access control mode to *use workspace or resource permissions*.
251
251
- Grant users `*/read` or `Microsoft.Insights/logs/*/read` permissions to their resources. If they're already assigned the [Log Analytics Reader](../../role-based-access-control/built-in-roles.md#reader) role on the workspace, it's sufficient.
252
252
253
-
Grant a user access to log data from their resources and configure their resources to send logs to the workspace:
253
+
**Example 2: Grant a user access to log data from their resources and configure their resources to send logs to the workspace.**
254
254
255
255
- Configure the workspace access control mode to *use workspace or resource permissions*.
256
256
- Grant users the following permissions on the workspace: `Microsoft.OperationalInsights/workspaces/read` and `Microsoft.OperationalInsights/workspaces/sharedKeys/action`. With these permissions, users can't perform any workspace-level queries. They can only enumerate the workspace and use it as a destination for diagnostic settings or agent configuration.
257
257
- Grant users the following permissions to their resources: `Microsoft.Insights/logs/*/read` and `Microsoft.Insights/diagnosticSettings/write`. If they're already assigned the [Log Analytics Contributor](../../role-based-access-control/built-in-roles.md#contributor) role, assigned the Reader role, or granted `*/read` permissions on this resource, it's sufficient.
258
258
259
-
Grant a user access to log data from their resources without being able to read security events and send data:
259
+
**Example 3: Grant a user access to log data from their resources without being able to read security events and send data.**
260
260
261
261
- Configure the workspace access control mode to *use workspace or resource permissions*.
262
262
- Grant users the following permissions to their resources: `Microsoft.Insights/logs/*/read`.
263
263
- Add the following NonAction to block users from reading the SecurityEvent type: `Microsoft.Insights/logs/SecurityEvent/read`. The NonAction shall be in the same custom role as the action that provides the read permission (`Microsoft.Insights/logs/*/read`). If the user inherits the read action from another role that's assigned to this resource or to the subscription or resource group, they could read all log types. This scenario is also true if they inherit `*/read` that exists, for example, with the Reader or Contributor role.
264
264
265
-
Grant a user access to log data from their resources and read all Azure AD sign-in and read Update Management solution log data from the workspace:
265
+
**Example 4: Grant a user access to log data from their resources and read all Azure AD sign-in and read Update Management solution log data from the workspace.**
266
266
267
267
- Configure the workspace access control mode to *use workspace or resource permissions*.
268
268
- Grant users the following permissions on the workspace:
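Review bot: The four `+` lines turn each example introduction into a bold paragraph (`**Example 1: ...**`) rather than a heading, so they stay invisible to the table of contents and to screen readers, and each of them now ends in a period where the replaced `-` lines ended in a colon that introduced the bullet list that follows; consider `#### Example 1: Grant a user access to log data from their resources` (or at least keeping the trailing colon) for all four. Since these lines are being rewritten anyway, the Example 3 title "without being able to read security events and send data" reads as if sending is still permitted, while the bullets beneath it only grant `Microsoft.Insights/logs/*/read` and no `diagnosticSettings/write`, so "or send data" states the intent more clearly; and the Example 4 title "read all Azure AD sign-in and read Update Management solution log data" can drop the second "read".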