Manage access to Log Analytics workspaces
The data in a Log Analytics workspace that you can access is determined by a combination of the following factors:
- Access mode: the scope you select when you run a query (workspace-context or resource-context).
- Access control mode: a setting on the workspace that decides whether workspace permissions or resource permissions are checked.
- Azure RBAC: the permissions you've been granted on the workspace, on the resources that send data to it, or on individual tables.

This article describes how access is managed and how to perform any required configuration.

Overview

Each of these factors is described in the sections that follow.
Access mode

The access mode refers to how you access a Log Analytics workspace and defines the data you can access during the current session. The mode is determined by the scope you select in Log Analytics. There are two access modes:
- Workspace-context: you can view all logs in the workspace that you have permission to. Queries in this mode are scoped to all data in every table you have access to. This mode is used when logs are accessed with the workspace as the scope, such as when you select Logs from the Azure Monitor menu in the Azure portal.
- Resource-context: when you access the workspace for a particular resource, resource group, or subscription, such as when you select Logs from a resource menu in the Azure portal, you can view logs for only those resources, in all tables you have access to. Queries in this mode are scoped to data associated with that resource.
Records are only available in resource-context queries if they're associated with the relevant resource. To check this association, run a query and verify that the _ResourceId column is populated; a record with an empty _ResourceId is visible only in workspace-context queries. Some resource types have known limitations here, so confirm that the column is populated for each table an application team is expected to see before you rely on resource-context access for it.
Compare access modes

The two access modes compare as follows:
- Who each model is intended for: workspace-context suits central administration, that is, administrators who configure data collection and users who need access to a wide variety of resources; it's also currently required for logs from resources outside Azure. Resource-context suits application teams and administrators of the Azure resources being monitored, who can focus on their own resources without filtering.
- What a user needs to view logs: workspace-context requires permissions on the workspace (see Workspace permissions). Resource-context requires only read access to the resource (see Resource permissions); that permission can be inherited from the resource group or subscription or assigned directly to the resource, and it carries permission to the resource's logs, so the user doesn't need any access to the workspace.
- Scope of permissions: in workspace-context, users with access to the workspace can query all logs in the workspace from the tables they have permission to. In resource-context, users can query logs only for the specific resources, resource groups, or subscriptions they have access to, in any workspace, and can't query logs for other resources.
- How a user accesses logs: workspace-context via Logs in the Azure Monitor menu, Logs in the Log Analytics workspaces menu, or Azure Monitor Workbooks. Resource-context via Logs in an Azure resource's menu (data for that resource only), or via the same Azure Monitor, Log Analytics workspaces, and Workbooks entry points, where the user sees data for all resources they have access to.
Access control mode

The access control mode is a setting on each workspace that defines how permissions are determined for the workspace. It has two values:
- Require workspace permissions: doesn't allow granular Azure RBAC. For a user to access the workspace, they must be granted permissions to the workspace or to specific tables. If a user accesses the workspace in workspace-context mode, they have access to all data in any table they've been granted access to; in resource-context mode, they have access only to data for that resource in any table they've been granted access to. This is the default for workspaces created before March 2019.
- Use resource or workspace permissions: allows granular Azure RBAC. Users can be granted access to only the data associated with resources they can view, by assigning them Azure read permission on those resources. When a user accesses the workspace in workspace-context mode, workspace permissions apply; in resource-context mode, only resource permissions are verified and workspace permissions are ignored. Enable Azure RBAC for a user by removing them from workspace permissions and letting their resource permissions be recognized. This is the default for workspaces created after March 2019.

Note that a user who has only resource permissions can access the workspace only in resource-context mode, and only if the workspace is set to Use resource or workspace permissions.
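The interaction of access mode and access control mode is easiest to see as a decision rule. The following Python model is an added example, not Microsoft's code or anything from the Azure documentation: the workspace, users, resource IDs and records in it are constructed for illustration, and the query function encodes the rules stated above (workspace-context always checks workspace permissions; resource-context checks either workspace or resource permissions depending on the mode; records with an empty _ResourceId are never returned in resource-context).

```python
"""Decision model for Log Analytics access: which records a query returns
given the workspace's access control mode, the user's permissions and the
scope (access mode) the user queries with.

Illustrative code only; the workspace, users, resource IDs and records are
constructed for this example and are not real telemetry.
"""
from dataclasses import dataclass, field

WORKSPACE_CONTEXT = "workspace-context"   # scope = the workspace itself


@dataclass(frozen=True)
class User:
    name: str
    workspace_reader: bool = False           # e.g. Log Analytics Reader on the workspace
    readable_resources: frozenset = field(default_factory=frozenset)  # resource IDs with Reader


@dataclass
class Workspace:
    # True  -> "Require workspace permissions" (enableLogAccessUsingOnlyResourcePermissions=false)
    # False -> "Use resource or workspace permissions" (flag=true, default since March 2019)
    require_workspace_permissions: bool
    records: list


# Constructed sample data. The on-prem box has no _ResourceId because it is
# not Azure Arc-enabled, so it is never visible in resource-context.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg"
VM1 = SUB + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = SUB + "/providers/Microsoft.Compute/virtualMachines/vm2"
RECORDS = [
    {"Table": "Heartbeat", "_ResourceId": VM1, "Computer": "vm1"},
    {"Table": "Heartbeat", "_ResourceId": VM2, "Computer": "vm2"},
    {"Table": "Syslog", "_ResourceId": VM1, "Message": "sshd: accepted publickey"},
    {"Table": "Heartbeat", "_ResourceId": "", "Computer": "onprem-box"},
]


def query(ws: Workspace, user: User, scope: str) -> list:
    """Return the records `user` can read when querying at `scope`.

    `scope` is WORKSPACE_CONTEXT or a resource ID (resource-context).
    Raises PermissionError when the user has no access in that mode.
    """
    if scope == WORKSPACE_CONTEXT:
        # Workspace-context always checks workspace permissions, in both
        # access control modes. A user with only resource permissions is
        # refused here and must use resource-context instead.
        if not user.workspace_reader:
            raise PermissionError(f"{user.name}: no workspace permissions")
        return list(ws.records)

    # Resource-context: which permission is checked depends on the mode.
    if ws.require_workspace_permissions:
        # Legacy mode: no granular RBAC. Workspace permissions are still
        # required; the results are merely narrowed to the resource.
        if not user.workspace_reader:
            raise PermissionError(f"{user.name}: no workspace permissions")
    else:
        # Only the resource permission is verified; workspace roles are ignored,
        # so even a workspace reader is refused without Reader on the resource.
        if scope not in user.readable_resources:
            raise PermissionError(f"{user.name}: no read access to {scope}")

    # Records come back only when associated with the scoped resource;
    # an empty _ResourceId never matches any scope.
    return [r for r in ws.records if r["_ResourceId"] and r["_ResourceId"] == scope]


def visible_computers(ws: Workspace, user: User, scope: str) -> set:
    """The Computer values the user would see, or an empty set when refused."""
    try:
        return {r["Computer"] for r in query(ws, user, scope) if "Computer" in r}
    except PermissionError:
        return set()


if __name__ == "__main__":
    ws = Workspace(require_workspace_permissions=False, records=RECORDS)
    app_team = User("app-team", readable_resources=frozenset({VM1}))
    central = User("central-admin", workspace_reader=True)
    print("app-team @ vm1:", visible_computers(ws, app_team, VM1))
    print("central @ vm1 (resource-context):", visible_computers(ws, central, VM1))
```

The surprising row is the last one: with Use resource or workspace permissions set, a user who holds Log Analytics Reader on the workspace but no Reader on vm1 gets nothing when they open Logs from vm1's menu, because resource-context ignores workspace roles in that mode.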
Configure access control mode for a workspace
View the current workspace access control mode on the Overview page for the workspace in the Log Analytics workspace menu. Change it on the Properties page of the workspace; if you don't have permission to configure the workspace, the setting is disabled. The mode is stored as the Boolean feature flag enableLogAccessUsingOnlyResourcePermissions in the workspace's properties, so you can list it for every workspace in the subscription with Get-AzResource -ResourceType Microsoft.OperationalInsights/workspaces -ExpandProperties and read Properties.features.enableLogAccessUsingOnlyResourcePermissions on each result.

The output lists each workspace name followed by True or False. A value of False means the workspace uses workspace-context access control (Require workspace permissions); a value of True means resource-context access control (Use resource or workspace permissions).

Note: if a workspace is returned without a Boolean value, that is, the property is blank because it has never been set, treat the result the same as False.

To set the access control mode to resource-context permissions for a specific workspace, or for every workspace in the subscription, set that same property to $true on the workspace resource (adding it if it's absent) and write the resource back with Set-AzResource.
To configure the access control mode in an Azure Resource Manager template, set the enableLogAccessUsingOnlyResourcePermissions feature flag on the workspace to one of the following values:
- false: Require workspace permissions (workspace-context access control).
- true: Use resource or workspace permissions (resource-context access control).
Azure RBAC

Access to a workspace is managed by using Azure RBAC. To grant access to the Log Analytics workspace by using Azure permissions, follow the steps in Assign Azure roles to manage access to your Azure subscription resources.

Workspace permissions

Each workspace can have multiple accounts associated with it, and each account can have access to multiple workspaces. The Azure actions for the query-related workspace operations are:
- View workspace basic properties and enter the workspace pane in the portal: Microsoft.OperationalInsights/workspaces/read
- Query logs by using any interface: Microsoft.OperationalInsights/workspaces/query/read
- Access all log types by using queries: Microsoft.OperationalInsights/workspaces/query/*/read
- Access a specific log table: Microsoft.OperationalInsights/workspaces/query/<table_name>/read
- Read the workspace keys in order to send logs to the workspace: Microsoft.OperationalInsights/workspaces/sharedKeys/action

Treat the last of these as a write permission: the shared keys authenticate agents and the HTTP Data Collector API, so anyone who can read them can inject arbitrary records into the workspace.
Built-in roles

Assign users to these roles to give them access at different scopes:
- Subscription: access to all workspaces in the subscription.
- Resource group: access to all workspaces in the resource group.
- Resource: access to only the specified workspace.
Create assignments at the resource level (workspace) to keep access control precise. Use custom roles to create roles with the specific permissions needed.

Note: to add and remove users to a user role, you must have the Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write permissions.

Log Analytics Reader

Members of the Log Analytics Reader role can view all monitoring data and monitoring settings, including the configuration of Azure diagnostics on all Azure resources. Specifically, they can:
- View and search all monitoring data.
- View monitoring settings, including the configuration of Azure diagnostics on all Azure resources.
The Log Analytics Reader role is built from broad read actions (*/read plus the workspace query and search actions) and deliberately excludes reading the workspace shared keys (Microsoft.OperationalInsights/workspaces/sharedKeys/read is in its NotActions), so a reader can't turn read access into write access to the workspace. To review the current definition, run az role definition list --name "Log Analytics Reader".
Log Analytics Contributor

Members of the Log Analytics Contributor role can:
- Read all monitoring data, as granted by the Log Analytics Reader role.
- Edit monitoring settings, including adding the monitoring agent's VM extension to virtual machines, reading storage account keys to configure log collection, enabling or removing solutions, and configuring Azure diagnostics on all Azure resources.

Warning: the permission to add a virtual machine extension to a virtual machine is equivalent to full control of that machine, because extensions execute with administrative privileges in the guest. Treat Log Analytics Contributor as a privileged role and scope it accordingly.

Like the Reader role, the Contributor role is defined by a fixed set of Azure actions; review the current definition with az role definition list --name "Log Analytics Contributor".
Resource permissions

When users query logs from a workspace by using resource-context access, they need the following permissions on the resource:
- Read: Microsoft.Insights/logs/*/read lets them view all log data for the resource; Microsoft.Insights/logs/<table_name>/read restricts them to a specific table.
- Write to diagnostic settings: Microsoft.Insights/diagnosticSettings/write lets them configure the resource to send logs to the workspace.

The /read permission is usually granted by a role that includes */read or * permissions, such as the built-in Reader and Contributor roles. Custom roles that include only specific actions, and some dedicated built-in roles, might not include it.

Custom role examples

In addition to using the built-in roles for a Log Analytics workspace, you can create custom roles to assign more granular permissions. Here are some common examples:
- Example 1: Grant a user access to log data from their resources.
- Example 2: Grant a user access to log data from their resources and let them configure their resources to send logs to the workspace.
- Example 3: Grant a user access to log data from their resources without being able to read security events or send data.
- Example 4: Grant a user access to log data from their resources, plus read access to all Azure AD sign-in data and Update Management solution log data in the workspace.
Set table-level read access

Azure custom roles let you grant specific users or groups access to specific tables in the workspace. They apply to workspaces with either workspace-context or resource-context access control modes, regardless of the user's access mode. To define access to a particular table, create a custom role:
- Set the user's permissions in the Actions section of the role definition, using Microsoft.OperationalInsights/workspaces/query/<table_name>/read for each table to allow.
- Use Microsoft.OperationalInsights/workspaces/query/* to grant access to all tables, and list any tables to withhold in the NotActions section.
- Include Microsoft.OperationalInsights/workspaces/read and Microsoft.OperationalInsights/workspaces/query/read so the user can open the workspace and run queries at all.

Examples

Here are examples of custom role actions to grant and deny access to specific tables.

Grant access to the Heartbeat and AzureActivity tables:
- Actions: Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/Heartbeat/read, Microsoft.OperationalInsights/workspaces/query/AzureActivity/read

Grant access to only the SecurityBaseline table:
- Actions: Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/SecurityBaseline/read

Grant access to all tables except the SecurityAlert table:
- Actions: Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/*/read
- NotActions: Microsoft.OperationalInsights/workspaces/query/SecurityAlert/read
Custom tables

Custom tables store data you collect from data sources such as text logs and the HTTP Data Collector API; their names end in _CL. To identify the table type, view table information in Log Analytics. You can't grant access to individual custom log tables, but you can grant access to all custom logs at once. To create a role with access to all custom log tables, create a custom role with these actions:
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.OperationalInsights/workspaces/query/read
- Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read
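To check what a table-level custom role actually grants before you assign it, it helps to evaluate Actions and NotActions the way Azure RBAC does: NotActions subtract from the same role's Actions, '*' is a wildcard, operation names are case-insensitive, and the user's effective permissions are the union across every role they hold, which is why a broad */read from the built-in Reader role overrides another role's NotActions. The following Python evaluator is an added example, not Azure's authorization engine or any Microsoft code; the role definitions in it are this example's rendering of the table-level and custom-table examples above, and the mapping of Tables.Custom onto every _CL-suffixed table is a simplification assumed here.

```python
"""Evaluate table-level read access from Azure role definitions' Actions and
NotActions, the way the table-level examples above are meant to work.

Illustrative code, not Azure's authorization engine. Assumptions:
  * A role grants an action if it matches a pattern in Actions and no
    pattern in NotActions (NotActions subtract; they are not a deny).
  * Effective permissions are the union over all roles assigned to the user,
    so a broad role such as the built-in Reader (*/read) overrides another
    role's NotActions.
  * '*' matches any run of characters and matching is case-insensitive.
  * Tables.Custom is modelled as covering every table whose name ends in _CL.
"""
import re

WORKSPACE_READ = "Microsoft.OperationalInsights/workspaces/read"
QUERY = "Microsoft.OperationalInsights/workspaces/query/read"


def table_action(table: str) -> str:
    return f"Microsoft.OperationalInsights/workspaces/query/{table}/read"


CUSTOM_TABLES = table_action("Tables.Custom")


def matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' expands to '.*', everything else literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role: dict, action: str) -> bool:
    allowed = any(matches(p, action) for p in role.get("Actions", []))
    excluded = any(matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded


def permits(roles: list, action: str) -> bool:
    """Union of the assigned roles' effective permissions."""
    return any(role_permits(r, action) for r in roles)


def can_read_table(roles: list, table: str) -> bool:
    """Can a user holding `roles` query `table`? Needs query/read plus either a
    matching table action or, for *_CL tables, the Tables.Custom action."""
    if not permits(roles, QUERY):
        return False
    if permits(roles, table_action(table)):
        return True
    return table.endswith("_CL") and permits(roles, CUSTOM_TABLES)


# Role definitions in the shape of the examples above (constructed here).
HEARTBEAT_AND_ACTIVITY = {
    "Actions": [WORKSPACE_READ, QUERY, table_action("Heartbeat"), table_action("AzureActivity")],
    "NotActions": [],
}
ONLY_SECURITY_BASELINE = {
    "Actions": [WORKSPACE_READ, QUERY, table_action("SecurityBaseline")],
    "NotActions": [],
}
ALL_BUT_SECURITY_ALERT = {
    "Actions": [WORKSPACE_READ, QUERY, table_action("*")],
    "NotActions": [table_action("SecurityAlert")],
}
ALL_CUSTOM_LOGS = {
    "Actions": [WORKSPACE_READ, QUERY, CUSTOM_TABLES],
    "NotActions": [],
}
# Simplified built-in Reader: the broad */read that overrides per-table limits.
BUILTIN_READER = {"Actions": ["*/read"], "NotActions": []}


if __name__ == "__main__":
    for roles, table in [([ALL_BUT_SECURITY_ALERT], "SecurityAlert"),
                         ([ALL_BUT_SECURITY_ALERT, BUILTIN_READER], "SecurityAlert")]:
        print(len(roles), "role(s),", table, "->", can_read_table(roles, table))
```

Run stand-alone, the two printed lines show the restriction holding with the custom role alone and collapsing as soon as Reader is added at the same or a wider scope; that second case is what to look for when auditing assignments on a workspace that relies on table-level roles.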
An alternative approach to managing access to custom logs is to assign them to an Azure resource and manage access by using resource-context access control. Include the resource ID in the x-ms-AzureResourceId header when data is ingested to Log Analytics via the HTTP Data Collector API. The resource ID must be valid and must have access rules applied to it. After the logs are ingested, they're accessible to users with read access to the resource. Some custom logs come from sources that aren't directly associated with a specific resource. In this case, create a resource group to manage access to these logs; the resource group doesn't incur any cost, but it gives you a valid resource ID to control access to the custom logs. For example, if a specific firewall is sending custom logs, create a resource group called MyFireWallLogs and make sure the API requests carry the resource ID of MyFireWallLogs. The firewall log records are then accessible only to users who were granted access to MyFireWallLogs or who have full workspace access. Note that the sender chooses the header value: anyone holding the workspace shared key can attribute records to any valid resource ID, so this mechanism scopes who can read the records, not who can write them.

Considerations
- If a user is granted global read permission with the standard Reader or Contributor roles, which include the */read action, that overrides per-table access control and gives them access to all log data.
- If a user is granted per-table access but no other permissions, they can access log data from the API but not from the Azure portal. To provide portal access, use Log Analytics Reader as the base role.
- Administrators and owners of the subscription have access to all data types regardless of any other permission settings.
- Workspace owners are treated like any other user for per-table access control.
- Assign roles to security groups instead of individual users to reduce the number of assignments and to reuse your existing group management tooling.