Enable Access to Logging Analytics and Its Resources

Enable Access from Logging Analytics to Its Features Family

A service-level IAM policy must be created to enable the Oracle Logging Analytics service to operate. Create policies by using standard Oracle Cloud Infrastructure IAM Policies and add the following policy statement to it.

Policy Statement	Description
`allow service loganalytics to READ loganalytics-features-family in tenancy`	Allow the Oracle Logging Analytics service READ access rights of the family loganalytics-features-family across the tenancy.

Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.

For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.

Note

If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.

Identify OCI Compartments to Place the Logging Analytics Resources

Use compartments to create resources of Oracle Logging Analytics like entities and log groups. Fine tune the access to the compartments for better user access control.

You can use existing compartments or you can create new ones specifically forOracle Logging Analytics. You can create multiple compartments to give different sets of users access to different parts of the product or log data. For more guidance on how compartments work, see Managing Compartments in Oracle Cloud Infrastructure Documentation.

Resources in Oracle Logging Analytics must reside in the compartments. When you create any of the following resources, you must select the compartment that they will be in:

Resource	Access Control Using Oracle IAM Policies
Entities	You can control who can enable or disable log collection for a specific entity
Log Groups	You can control who can search the logs after they have been collected, enriched, and indexed.
Purge Policies	You can control who can stop or change the purge policy definition.
Object Storage Collection Rules	You can control who can stop or change the collection rule.

For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.

Note

If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.

Create User Groups to Implement Access Control

Create one or more user groups to grant varying levels of access to the users depending on how you want to use Oracle Logging Analytics.

Topics:

A user who is a member of Administrators group will have full access to all the features of Oracle Logging Analytics.

Recommended User Groups

It is recommended that you create the user groups similar to the following examples to get started:

Logging-Analytics-Users: The users that you add to this group will be able to query the logs and see various configurations. However, they cannot enable or disable log collection, change configurations, or delete logs.
Logging-Analytics-Admins: The users that you add to this group will have Logging-Analytics-Users privileges and additionally can create or edit sources, parsers, entities, and log groups. These users can also enable or disable log collection. However, they cannot purge logs.
Logging-Analytics-SuperAdmins: The users in this group have the privileges of Logging-Analytics-Admins and can additionally perform lifecycle activities such as onboarding and offboarding from Oracle Logging Analytics, and purging logs.

Note that the above groups are shown as examples, and will be used for creating IAM policies in this documentation. However, you can create the user groups based on your needs.

Aggregate Resource-Types in Logging Analytics

The following two families allow you to grant bulk access without having to assign individual permissions to each user group. For most cases, you can use these to simplify the management of your Oracle Logging Analytics policies.

loganalytics-features-family to control the features that a user has access to, and the actions that the user can perform using Console, REST API, CLI, or SDK.
loganalytics-features-family and the resources contained in it can be set only at the tenancy level, not per compartment.
loganalytics-resources-family to control the access that the user has for creating, reading, updating, and deleting the resources such as entities, log groups, purge policies, and object store collection rules.
This family and the resources contained in it can be granted access for the whole tenancy or for a specific compartment.

For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.

Note

If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.

Grant Access to User Groups

Create policies by using standard Oracle Cloud Infrastructure IAM Policies to define how your user groups can use Oracle Logging Analytics.

Note

If you want to quickly try out Oracle Logging Analytics without managing groups and policies, a user who is a member of the Administrators group will have full access to all features.

To set up the policy according to the example groups in Create User Groups to Implement Access Control, apply the following sets of policies in Oracle Cloud Infrastructure IAM Policies feature:

Policy	Description
For Logging-Analytics-SuperAdmins user group:
`allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-features-family in tenancy`	Allow the group Logging-Analytics-SuperAdmins to have the MANAGE access rights of the family loganalytics-features-family across the tenancy. This policy will enable rights to perform every task in the service including offboarding, deleting logs, setting up archiving, etc.
`allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-resources-familY in tenancy` OR `allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-resources-family in compartment myCompartment1`	Allow the group Logging-Analytics-SuperAdmins to have MANAGE access rights of the family loganalytics-resources-family across the tenancy or in specific compartment. This policy will enable rights to perform any task in the service on any resource-type that belongs to the family loganalytics-resources-family.
`allow group Logging-Analytics-SuperAdmins to MANAGE management-dashboard-family in tenancy`	Allow the group Logging-Analytics-SuperAdmins to have the all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.
`allow group Logging-Analytics-SuperAdmins to read compartments in tenancy`	Allow the group Logging-Analytics-SuperAdmins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.
For Logging-Analytics-Admins user group:
`allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy`	Allow the group Logging-Analytics-Admins to have the USE access rights of the family loganalytics-features-family across the tenancy.
`allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy` OR `allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1`	Allow the group Logging-Analytics-Admins to have USE access rights of the family loganalytics-resources-family across the tenancy or in specific compartment. Allow this group to view, create, edit, or delete the resources in the family loganalytics-resources-family.
`allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy` OR `allow group Logging-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2`	Allow the group Logging-Analytics-Admins to have the all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.
`allow group Logging-Analytics-Admins to read compartments in tenancy`	Allow the group Logging-Analytics-Admins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.
For Logging-Analytics-Users user group:
`allow group Logging-Analytics-Users to read loganalytics-features-family in tenancy`	Allow the group Logging-Analytics-Users to have the READ access rights of the family loganalytics-features-family across the tenancy.
`allow group Logging-Analytics-Users to read loganalytics-resources-family in tenancy` OR `allow group Logging-Analytics-Users to read loganalytics-resources-family in compartment myCompartment1`	Allow the group Logging-Analytics-Users to have READ access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments. Allow this group to view details of the resources in the family loganalytics-resources-family. User cannot create, edit, or delete any of them.
`allow group Logging-Analytics-Users to use management-dashboard-family in tenancy` OR `allow group Logging-Analytics-Users to use management-dashboard-family in compartment myCompartment2`	Allow the group Logging-Analytics-Users to have the USE access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.
`allow group Logging-Analytics-Users to read compartments in tenancy`	Allow the group Logging-Analytics-Users to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

You can add compartment-specific policy statements for any number of compartments that you want to create for organizing the resources like entities and log groups. These resources can also be in different compartments altogether. It is not necessary that all the resource instances of different types be in the same compartment. However, you may find it easier to manage if you can minimize the number of compartments used.

Instead of using the resources family, you can also specify a policy that is at the individual resource level. For example:

Policy	Description
`allow group DBA to use loganalytics-entity in compartment Databases`	Users in DBA group can create, edit, or delete entities and enable or disable log collection for entities in Databases compartment.
`allow group DBA to use loganalytics-log-group in compartment Databases`	Users in DBA group can create, edit, or delete log groups and query the logs that are stored in Databases compartment.

Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.

For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.

Note

If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.

Enable Logging Analytics

After completing the prerequisite tasks such as creating user groups, creating compartments, and defining access policies for the user groups, you can access Oracle Logging Analytics and enable it for use.

To enable Oracle Logging Analytics, you must be a member of the Administrators group.

Open the navigation menu, click Observability & Management, and then click Logging Analytics.
If this is the first time that you are using the service in this region, you will land on an on-boarding page that will give you some high level details of the service and an option to start using Oracle Logging Analytics service. Click Start Using Logging Analytics.

The Enable Logging Analytics dialog box is displayed. Here, the minimum required policies and log group are created if they don't exist already.
Click Next. The OCI Audit Log collection is configured.

The check box Include _Audit in subcompartments is enabled by default. You can disable it, if required. Based on your preference, the policies are created and suitable actions performed.

Click Next.
After the on-boarding is complete, click Take me to Log Explorer.

You can now explore Oracle Logging Analytics.

Note

To view the list of policies created in the above process, see Policies Created While Onboarding Logging Analytics.