IAM Policies Catalog for Logging Analytics
Here you can find all the policies that you need for using the various features and resources in Oracle Logging Analytics.
Some of the points that you must note while creating IAM policies for Oracle Logging Analytics:
- Learn about the IAM components like RESOURCE, USER, GROUP, DYNAMIC GROUP, NETWORK SOURCE, COMPARTMENT, TENANCY, POLICY, HOME REGION, and FEDERATION that are used in the IAM policy statements. See Oracle Cloud Infrastructure Documentation.
- You can create an IAM policy for each resource-type in Oracle Logging Analytics using one of the verbs Inspect, Read, Use, or Manage, listed in increasing order of the number of permissions they grant. See Oracle Cloud Infrastructure Documentation.
- To view the exact permissions and the API operations that you can perform using each verb for each resource type, see Logging Analytics Policy Reference.
- The Oracle Logging Analytics service in your tenancy requires a service-level IAM policy at the tenancy (root) level.
- User/Group access policies for the loganalytics-features-family aggregate resource type and any of its individual resources must be created at the tenancy (root) level.
- User/Group access policies for the loganalytics-resources-family aggregate resource type and any of its individual resources can be set at compartment or tenancy level as needed.
- You can use the readily available templates to create a policy for a user group or dynamic group to perform a specific operation or a collection of operations. See Oracle-defined Policy Templates for Common Use Cases.
If you enabled Oracle Logging Analytics using the onboarding UI, which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
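The scoping rules above (features-family policies only at tenancy level, resources-family policies at tenancy or compartment level) are easy to get wrong when a policy has many statements. The following checker is an added example, not Oracle's code: it parses statements of the shape used throughout this catalog with a regular expression that is this example's own approximation of the IAM grammar, classifies the resource-type by the aggregate it belongs to on this page, and flags any features-family statement that is scoped to a compartment. The sample policy and the group names LA-App-Team and the compartment OCID in it are constructed.

```python
import re
from dataclasses import dataclass

# Resource-types that this catalog lists, grouped by the aggregate they belong to.
FEATURES_FAMILY = {
    "loganalytics-entity-type", "loganalytics-field", "loganalytics-label",
    "loganalytics-lifecycle", "loganalytics-lookup", "loganalytics-parser",
    "loganalytics-source", "loganalytics-storage",
}
RESOURCES_FAMILY = {"loganalytics-entity", "loganalytics-log-group"}
AGGREGATES = {"loganalytics-features-family", "loganalytics-resources-family"}

# One policy statement of the shape used in this catalog:
#   allow group <name> to <VERB> <resource-type> in tenancy
#   allow group <name> to <VERB> <resource-type> in compartment id <OCID>
# ("in compartment <name>" is accepted too). This regex is the example's own
# approximation of the statement syntax, not the full IAM grammar.
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[a-z0-9-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment(?:\s+id)?\s+\S+)\s*$",
    re.IGNORECASE,
)


@dataclass
class Statement:
    kind: str       # "group" or "dynamic-group"
    name: str       # group name exactly as written
    verb: str       # inspect | read | use | manage (lower-cased)
    resource: str   # resource-type (lower-cased)
    scope: str      # "tenancy" or "compartment"


def parse_statement(text: str) -> Statement:
    """Parse one statement; raise ValueError for anything outside the shape above."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    scope = "tenancy" if m["scope"].lower() == "tenancy" else "compartment"
    return Statement(m["kind"].lower(), m["name"], m["verb"].lower(),
                     m["resource"].lower(), scope)


def check_statement(text: str) -> list:
    """Findings for one statement; an empty list means it follows the catalog's rules."""
    st = parse_statement(text)
    if st.resource not in FEATURES_FAMILY | RESOURCES_FAMILY | AGGREGATES:
        return [f"{st.resource}: resource-type not listed in this catalog"]
    if st.resource in FEATURES_FAMILY or st.resource == "loganalytics-features-family":
        if st.scope != "tenancy":
            return [f"{st.resource}: features-family policies must be created at "
                    f"tenancy (root) level, not in a compartment"]
    # loganalytics-resources-family and its members may be scoped to a compartment.
    return []


def check_policy(statements: list) -> list:
    """Run check_statement over a whole policy; returns (1-based line, finding) pairs."""
    findings = []
    for lineno, text in enumerate(statements, start=1):
        try:
            for finding in check_statement(text):
                findings.append((lineno, finding))
        except ValueError as exc:          # unparseable statements are reported, not skipped
            findings.append((lineno, str(exc)))
    return findings


# Constructed sample policy: the two blanket statements from this page plus two
# compartment-scoped statements, one permitted and one that breaks the rule.
SAMPLE_POLICY = [
    "allow group Logging-Analytics-SuperAdmins to USE loganalytics-features-family in tenancy",
    "allow group Logging-Analytics-SuperAdmins to USE loganalytics-resources-family in tenancy",
    "allow group LA-App-Team to USE loganalytics-entity in compartment id ocid1.compartment.oc1..example",
    "allow group LA-App-Team to USE loganalytics-parser in compartment id ocid1.compartment.oc1..example",
]

if __name__ == "__main__":
    for lineno, finding in check_policy(SAMPLE_POLICY):
        print(f"statement {lineno}: {finding}")
```

Run against the sample policy, only the fourth statement is reported, because loganalytics-parser belongs to loganalytics-features-family and so cannot be granted at compartment level; the loganalytics-entity statement in the same compartment is allowed.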
Topics:
Logging Analytics Features That Require Multiple Policy Statements to Enable Them for Users
- Prerequisite IAM Policies, which includes Enable Access from Logging Analytics to Its Features Family and Grant Access to User Groups
- Allow Users to Manage OCI Console Personalization in the Tenancy
- Allow Users to Manage Group Preferences in Logging Analytics
- Set Up Compute Instances to Access Logging Analytics Cross Tenancy
- Configure Management Dashboard
- Allow Users to Access Sample Log Data Across Tenancies
- Allow Continuous Log Collection Using Management Agents
- Allow Users to Perform On-Demand Upload Create, Get, and List Operations
- Allow Users to Perform On-Demand Upload Delete Operation
- Permissions Required to Upload Event Logs
- Allow Log Collection from Object Storage
- Allow Cross-Tenancy Log Collection from Object Storage
- Allow Collection of Logs from OCI Logging Service
- Allow Cross-Tenancy Log Collection from OCI Logging Service
- Allow Collection of Logs from OCI Streaming Service
- Allow Users to Perform EM Bridge Operations
- Allow Auto-Discovery of Entities and Log Collection
- Allow Users to Purge Log Data
- Allow Users to Perform All Operations on Scheduled Tasks
- Allow the Use of Customer-Provided Keys for Encrypting Logs
- Allow All Kubernetes Solution Operations
Some of the Individual Resource Types and IAM Policies to Use Them
Oracle Logging Analytics has two aggregate resource-types: loganalytics-features-family and loganalytics-resources-family. Each of these aggregate resource-types has several individual resource-types as part of it. If you create a blanket policy for the aggregate resource-type, then that policy provides the permission to perform the tasks on all the individual resource-types under that aggregate. The example blanket policies which cover all the resource-types of the corresponding aggregate:
allow group Logging-Analytics-SuperAdmins to USE loganalytics-features-family in tenancy
allow group Logging-Analytics-SuperAdmins to USE loganalytics-resources-family in tenancy
These policy statements are included in the onboarding workflow available in Oracle Logging Analytics when you access it the first time. However, if you want to provide more granular access control to the individual resource types, then explore the policy statements of each of the individual resource-types.
Following are some of the individual resource-types in loganalytics-features-family and loganalytics-resources-family:
Individual Resource-Type | Belongs to Aggregate Resource-Type | Example Policy Statements |
---|---|---|
Entity Type (Resource-type: loganalytics-entity-type) | loganalytics-features-family | Allow Users to Perform All Operations on Entity Type Resource |
Field (Resource-type: loganalytics-field) | loganalytics-features-family | Allow Users to Perform All Operations on Fields |
Label (Resource-type: loganalytics-label) | loganalytics-features-family | Allow Users to Perform All Operations on Labels |
Lifecycle (Resource-type: loganalytics-lifecycle) | loganalytics-features-family | Allow Users to View Namespace Details and Tenant Preferences |
Lookup (Resource-type: loganalytics-lookup) | loganalytics-features-family | Allow Users to Register Lookups |
Parser (Resource-type: loganalytics-parser) | loganalytics-features-family | Allow Users to Perform All Operations on Parsers |
Source (Resource-type: loganalytics-source) | loganalytics-features-family | Allow Users to Perform All Operations on Sources |
Storage (Resource-type: loganalytics-storage) | loganalytics-features-family | Allow Users to View Storage Information and Archive Logs |
Entity (Resource-type: loganalytics-entity) | loganalytics-resources-family | Allow Users to Perform Entity Operations |
Log Group (Resource-type: loganalytics-log-group) | loganalytics-resources-family | Allow Users to Perform All Operations on Log Groups |
Ingest Time Rule (Resource-type: see Logging Analytics Policy Reference) | | |
Allow Users to Perform All Operations on Entity Type Resource
Individual resource-type: loganalytics-entity-type
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
The Entity Type resource can be in the tenancy | allow group <user_group> to USE loganalytics-entity-type in tenancy |
The above example provides USE permission for loganalytics-entity-type in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-entity-type:
Inspect | Read | Use | Manage |
---|---|---|---|
List the entity types | Get details about an entity type | Create, delete, or update an entity type | Manage has the same level of permissions and API operations as Use. |
Allow Users to Perform All Operations on Fields
Individual resource-type: loganalytics-field
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Field can be in the tenancy | allow group <user_group> to USE loganalytics-field in tenancy |
The above example provides USE permission for loganalytics-field in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-field:
Inspect | Read | Use | Manage |
---|---|---|---|
List the fields | Get details about a field | Create, delete, or update a field | Manage has the same level of permissions and API operations as Use. |
Allow Users to Perform All Operations on Labels
Individual resource-type: loganalytics-label
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Label can be in the tenancy | allow group <user_group> to USE loganalytics-label in tenancy |
The above example provides USE permission for loganalytics-label in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-label:
Inspect | Read | Use | Manage |
---|---|---|---|
List the labels | Get details about a label, including the sources in which it is used | Create, delete, or update a label | Manage has the same level of permissions and API operations as Use. |
Allow Users to View Namespace Details and Tenant Preferences
Individual resource-type: loganalytics-lifecycle
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
The Lifecycle resource can be in the tenancy | allow group <user_group> to USE loganalytics-lifecycle in tenancy |
The above example provides USE permission for loganalytics-lifecycle in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-lifecycle:
Inspect | Read | Use | Manage |
---|---|---|---|
List the namespaces | Get details about a namespace, and the preferences in the tenant | Use has the same level of permissions and API operations as Read. | Offboard or onboard a namespace, update or delete tenant preferences. |
Allow Users to Register Lookups
Individual resource-type: loganalytics-lookup
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Lookup can be in the tenancy | allow group <user_group> to USE loganalytics-lookup in tenancy |
The above example provides USE permission for loganalytics-lookup in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-lookup:
Inspect | Read | Use | Manage |
---|---|---|---|
NA | NA | Register a lookup | Manage has the same level of permissions and API operations as Use. |
Allow Users to Perform All Operations on Parsers
Individual resource-type: loganalytics-parser
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Parsers can be in the tenancy | allow group <user_group> to USE loganalytics-parser in tenancy |
The above example provides USE permission for loganalytics-parser in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-parser:
Inspect | Read | Use | Manage |
---|---|---|---|
List the parsers and get their summary | Get details about a parser, list the parser functions, test a parser, extract the paths of the header and fields from the log content | Create, delete, or update a parser | Manage has the same level of permissions and API operations as Use. |
Allow Users to Perform All Operations on Sources
Individual resource-type: loganalytics-source
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Source can be in the tenancy | allow group <user_group> to USE loganalytics-source in tenancy |
The above example provides USE permission for loganalytics-source in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-source:
Inspect | Read | Use | Manage |
---|---|---|---|
List the sources; view source types, entity associations for each source, labels used in the sources, and source functions. | Get details about a source, including associations, extended field definitions (EFD), and patterns. Validate association parameters and EFD details. | Create, delete, or update sources or associations, and validate a source. | Manage has the same level of permissions and API operations as Use. |
Allow Users to View Storage Information and Archive Logs
Individual resource-type: loganalytics-storage
Part of aggregate resource-type: loganalytics-features-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Storage resource can be in the tenancy | allow group <user_group> to MANAGE loganalytics-storage in tenancy |
The above example provides MANAGE permission for loganalytics-storage in the tenancy.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-storage:
Inspect | Read | Use | Manage |
---|---|---|---|
NA | Get details of the storage and its usage. | With some additional permissions, you can recall the archived data and release the recalled data. See the Logging Analytics Policy Reference. | Enable and disable archiving, update the storage, and get the purge data size. |
Allow Users to Perform Entity Operations
Individual resource-type: loganalytics-entity
Part of aggregate resource-type: loganalytics-resources-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Entity can be in any compartment in the tenancy | allow group <user_group> to USE loganalytics-entity in tenancy |
Entity can be in a specific compartment | allow group <user_group> to USE loganalytics-entity in compartment id <compartment_OCID> |
The above examples provide USE permission for loganalytics-entity in the tenancy or in a specific compartment.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-entity:
Inspect | Read | Use | Manage |
---|---|---|---|
List the entities, list their associations with sources | Get details about an entity | Create, delete, or update an entity, move it to a different compartment, add or remove an association with a source | Manage has the same level of permissions and API operations as Use. |
Allow Users to Perform All Operations on Log Groups
Individual resource-type: loganalytics-log-group
Part of aggregate resource-type: loganalytics-resources-family
Resource Policy Statement if Family Policy Not Defined:
Use Case | IAM Policies |
---|---|
Log groups can be in any compartment in the tenancy | allow group <user_group> to MANAGE loganalytics-log-group in tenancy |
Log groups are in a specific compartment | allow group <user_group> to MANAGE loganalytics-log-group in compartment id <compartment_OCID> |
The above examples provide MANAGE permission for loganalytics-log-group in the tenancy or in a specific compartment.
The following operations can be performed with each verb when you create an IAM policy for loganalytics-log-group:
Inspect | Read | Use | Manage |
---|---|---|---|
List the log groups and get the summary | Get details of a log group. | Create and update a log group, change its compartment | Delete a log group |
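The verb tables in the sections above are cumulative (each verb also grants what the lesser verbs grant), and for several resource-types the top verb adds nothing, while for log groups only Manage can delete. The following helper is an added example, not Oracle's code: it transcribes the verb tables for log groups, entities, storage and lifecycle from this page, computes the cumulative permission set for a verb, picks the smallest verb that covers a set of needed operations, and reports what a broader verb would grant on top of that. The short operation labels (such as "change-compartment") are this example's own constructed names for the rows of those tables, not OCI permission names; the Logging Analytics Policy Reference has the real ones.

```python
from typing import Optional

# Verbs in increasing order of permissions; a statement with one verb also
# carries everything the verbs before it permit (Inspect < Read < Use < Manage).
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Operations each verb adds, transcribed from this catalog's verb tables.
# The operation labels are constructed for this example, not OCI permission names.
OPERATIONS = {
    "loganalytics-log-group": {
        "inspect": {"list"},
        "read": {"get"},
        "use": {"create", "update", "change-compartment"},
        "manage": {"delete"},
    },
    "loganalytics-entity": {
        "inspect": {"list", "list-associations"},
        "read": {"get"},
        "use": {"create", "delete", "update", "change-compartment",
                "add-association", "remove-association"},
        "manage": set(),  # Manage adds nothing beyond Use for this resource-type
    },
    "loganalytics-storage": {
        "inspect": set(),
        "read": {"get"},
        "use": {"recall-archived", "release-recalled"},  # needs additional permissions too
        "manage": {"enable-archiving", "disable-archiving", "update", "get-purge-size"},
    },
    "loganalytics-lifecycle": {
        "inspect": {"list-namespaces"},
        "read": {"get-namespace", "get-preferences"},
        "use": set(),  # Use adds nothing beyond Read for this resource-type
        "manage": {"onboard", "offboard", "update-preferences", "delete-preferences"},
    },
}


def permitted(resource: str, verb: str) -> set:
    """All operations a statement with this verb allows on the resource-type (cumulative)."""
    table = OPERATIONS[resource]
    idx = VERB_ORDER.index(verb.lower())
    allowed = set()
    for lesser in VERB_ORDER[: idx + 1]:
        allowed |= table[lesser]
    return allowed


def minimal_verb(resource: str, needed: set) -> Optional[str]:
    """Smallest verb whose cumulative permissions cover every needed operation, or None."""
    for verb in VERB_ORDER:
        if needed <= permitted(resource, verb):
            return verb
    return None


def overgrant(resource: str, granted_verb: str, needed: set) -> set:
    """Operations the granted verb allows beyond what the needed operations require."""
    least = minimal_verb(resource, needed)
    if least is None:
        raise ValueError(f"{resource}: no single verb covers {sorted(needed)}")
    return permitted(resource, granted_verb) - permitted(resource, least)


if __name__ == "__main__":
    # Constructed scenario: a team that only lists, reads, creates and updates log groups.
    need = {"list", "get", "create", "update"}
    print(minimal_verb("loganalytics-log-group", need))                 # use
    print(sorted(overgrant("loganalytics-log-group", "manage", need)))  # ['delete']
```

For the log-group scenario the helper returns USE as the least verb and shows that the MANAGE statement from the table above would additionally allow deleting log groups; for loganalytics-entity it reports no difference between USE and MANAGE, matching the "Manage has the same level of permissions as Use" rows.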