You're viewing OCI IAM documentation for tenancies in regions that have not been updated to use identity domains.

Details for Logging

This topic covers details for writing policies to control access to Logging.

Resource-Types

Aggregate Resource-Type

  • logging-family

Individual Resource-Types

  • log-groups
  • log-content
  • unified-configuration

Comments

A policy that uses <verb> logs is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in logs.

Supported Variables

Logging supports all the general variables (see General Variables for All Requests), plus additional ones listed here:

| Operations for This Resource-Type... | Can Use These Variables... | Variable Type | Comments |
|---|---|---|---|
| log-groups | target.loggroup.id | Entity (OCID) | |
| log-content | target.loggroup.id | Entity (OCID) | |
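
The following is an added example, not part of Oracle's documentation: a small Python check that expands a logging-family statement into its individual resource-type statements (as described under Comments) and flags Logging grants that are not restricted with target.loggroup.id. The group names, compartment name, OCID placeholder and the simplified statement grammar are assumptions made for the example.

```python
import re

# From the page: the aggregate resource-type and its individual resource-types.
FAMILY = "logging-family"
INDIVIDUAL = ["log-groups", "log-content", "unified-configuration"]
# From the Supported Variables table: resource-types that list target.loggroup.id.
SUPPORTS_LOGGROUP_ID = {"log-groups", "log-content"}

# Simplified grammar (assumption): group subjects only, one statement per string.
STMT = re.compile(
    r"allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>[\w-]+)\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

def expand(statement):
    """Return one (verb, resource-type, condition) tuple per individual resource-type."""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised statement: {statement!r}")
    rtype = m["rtype"].lower()
    rtypes = INDIVIDUAL if rtype == FAMILY else [rtype]
    return [(m["verb"].lower(), r, m["cond"] or "") for r in rtypes]

def review(statement):
    """Flag Logging grants that are not tied to a specific log group."""
    findings = []
    for verb, rtype, cond in expand(statement):
        if rtype not in INDIVIDUAL:
            continue  # not a Logging resource-type
        scoped = "target.loggroup.id" in cond.lower()
        if rtype in SUPPORTS_LOGGROUP_ID and not scoped:
            findings.append(f"{verb} {rtype}: not limited by target.loggroup.id")
        elif rtype not in SUPPORTS_LOGGROUP_ID and scoped:
            findings.append(f"{verb} {rtype}: target.loggroup.id not listed for this type")
    return findings

# Constructed sample statements; group, compartment and OCID are placeholders.
POLICIES = [
    "Allow group LogAdmins to manage logging-family in tenancy",
    "Allow group AppSupport to read log-content in compartment Prod "
    "where target.loggroup.id = '<log_group_OCID>'",
    "Allow group Auditors to read logging-family in compartment Prod "
    "where target.loggroup.id = '<log_group_OCID>'",
]

if __name__ == "__main__":
    for p in POLICIES:
        print(p, "->", review(p) or "ok")
```

The third statement is reported because the condition is carried onto unified-configuration, for which the table above lists no target.loggroup.id variable.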

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the log-groups resource-type includes the same permissions and API operations as the inspect verb, plus the LOG_GROUP_READ permission and the corresponding API operations GetLog and GetLogGroup.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListSearchLogs | LOG_CONTENT_READ |
| ListLogs | LOG_GROUP_INSPECT |
| GetLog | LOG_GROUP_READ |
| UpdateLog | LOG_GROUP_UPDATE |
| CreateLog | LOG_GROUP_CREATE |
| DeleteLog | LOG_GROUP_DELETE |
| ListLogGroups | LOG_GROUP_INSPECT |
| GetLogGroup | LOG_GROUP_READ |
| UpdateLogGroup | LOG_GROUP_UPDATE |
| CreateLogGroup | LOG_GROUP_CREATE |
| DeleteLogGroup | LOG_GROUP_DELETE |
| ChangeLogGroupCompartment | LOG_GROUP_UPDATE |
| CreateUnifiedAgentConfiguration | UNIFIED_AGENT_CONFIG_CREATE |
| GetUnifiedAgentConfiguration | UNIFIED_AGENT_CONFIG_READ |
| UpdateUnifiedAgentConfiguration | UNIFIED_AGENT_CONFIG_UPDATE |
| DeleteUnifiedAgentConfiguration | UNIFIED_AGENT_CONFIG_DELETE |
| ListUnifiedAgentConfiguration | UNIFIED_AGENT_CONFIG_INSPECT |