Allow Continuous Log Collection Using Management Agents

When you complete the prerequisites for deploying Management Agents in the step Install Management Agents, you create the required compartment, a user group for Logging Analytics users, and the IAM policies needed to install the Management Agents. As part of the prerequisites, ensure that the following policies are created for your user group:

ALLOW GROUP Logging-Analytics-User-Group TO MANAGE management-agents IN COMPARTMENT <compartment_name>
ALLOW GROUP Logging-Analytics-User-Group to MANAGE management-agent-install-keys IN TENANCY
ALLOW GROUP Logging-Analytics-User-Group TO READ METRICS IN COMPARTMENT <compartment_name>
ALLOW GROUP Logging-Analytics-User-Group TO READ USERS IN TENANCY

In the above example policy statements, Logging-Analytics-User-Group is an example user group.

Also, create a dynamic group for the Management Agents if one doesn't already exist, for example Management-Agent-Dynamic-Group, with the following matching rule:

ALL {resource.type='managementagent', resource.compartment.id='<management_agent_compartment_OCID>'}

Create IAM policies for Management-Agent-Dynamic-Group to enable log collection and metrics generation:

ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY
ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY

If the dynamic group is under a domain, then include the domain in the policy statement. For example:

ALLOW DYNAMIC-GROUP <identity_domain_name>/Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY
ALLOW DYNAMIC-GROUP <identity_domain_name>/Management-Agent-Dynamic-Group TO {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY

Note: If you use the Set Up Ingestion wizard to configure the Management Agent for log collection, then some of the above policy statements are added automatically.
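
To confirm that both dynamic-group statements above are in place, including the identity domain prefix where one applies, the following added example (not part of the original documentation) checks a list of policy statement strings. The function names, the sample statements and the domain name ExampleDomain are assumptions made for illustration.

```python
import re

# Grants the page lists for the Management Agent dynamic group.
REQUIRED = (
    "USE METRICS IN TENANCY",
    "{LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY",
)

# ALLOW DYNAMIC-GROUP [<domain>/]<group> TO <grant>; keywords match case-insensitively.
STATEMENT = re.compile(
    r"^ALLOW\s+DYNAMIC-GROUP\s+(?P<subject>\S+)\s+TO\s+(?P<grant>.+)$",
    re.IGNORECASE,
)

def normalize(grant):
    """Uppercase, collapse whitespace, and trim padding inside { }."""
    grant = " ".join(grant.split()).upper()
    return re.sub(r"\{\s*(.*?)\s*\}", r"{\1}", grant)

def missing_grants(statements, group, domain=None):
    """Return the REQUIRED grants that no statement gives to [domain/]group."""
    expected = f"{domain}/{group}" if domain else group
    found = set()
    for line in statements:
        m = STATEMENT.match(line.strip())
        # Names are compared exactly (assumption). Following the page's rule, a
        # statement without the domain prefix does not count for a group in a domain.
        if m and m.group("subject") == expected:
            found.add(normalize(m.group("grant")))
    return [g for g in REQUIRED if g not in found]

# Constructed sample: statements as they might be copied out of a tenancy's policies.
SAMPLE = [
    "ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY",
    "allow dynamic-group Management-Agent-Dynamic-Group to { LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS } in tenancy",
    "ALLOW DYNAMIC-GROUP ExampleDomain/Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY",
    "ALLOW GROUP Logging-Analytics-User-Group TO READ USERS IN TENANCY",
]

if __name__ == "__main__":
    for grant in missing_grants(SAMPLE, "Management-Agent-Dynamic-Group", "ExampleDomain"):
        print("missing:", grant)
```

An empty result means both statements are present for the named dynamic group; any grant returned still has to be added before the agents can upload logs or post metrics.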