IAM Policies Catalog for Logging Analytics

Here you can find all the policies that you need for using the various features and resources in Oracle Logging Analytics.

Note the following points when creating IAM policies for Oracle Logging Analytics:

  • Learn about the IAM components like RESOURCE, USER, GROUP, DYNAMIC GROUP, NETWORK SOURCE, COMPARTMENT, TENANCY, POLICY, HOME REGION, and FEDERATION that are used in the IAM policy statements. See Oracle Cloud Infrastructure Documentation.

  • You can create an IAM policy for each resource-type in Oracle Logging Analytics using one of the verbs Inspect, Read, Use, or Manage, listed in increasing order of the number of permissions they provide. See Oracle Cloud Infrastructure Documentation.

  • To view the exact permissions and the API operations that you can perform using each verb for each resource type, see Logging Analytics Policy Reference.

  • The Oracle Logging Analytics service in your tenancy requires a service-level IAM policy at tenancy or root level.

  • User/Group access policies for the loganalytics-features-family aggregate resource-type and any of its individual resources must be created at tenancy or root level.

  • User/Group access policies for the loganalytics-resources-family aggregate resource-type and any of its individual resources can be set at compartment or tenancy level as needed.

  • You can use the readily available templates to create a policy for a user group or dynamic group to perform a specific operation or a collection of operations. See Oracle-defined Policy Templates for Common Use Cases.

Note

If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.

Some of the Individual Resource Types and IAM Policies to Use Them

Oracle Logging Analytics has two aggregate resource-types: loganalytics-features-family and loganalytics-resources-family. Each of these aggregate resource-types has several individual resource-types as part of it. If you create a blanket policy for the aggregate resource-type, then that policy provides the permission to perform the tasks on all the individual resource-types under that aggregate. The following example blanket policies cover all the resource-types of the corresponding aggregate:

allow group Logging-Analytics-SuperAdmins to USE loganalytics-features-family in tenancy
allow group Logging-Analytics-SuperAdmins to USE loganalytics-resources-family in tenancy

These policy statements are included in the onboarding workflow available in Oracle Logging Analytics when you access it the first time. However, if you want to provide more granular access control to the individual resource-types, then you might want to explore the policy statements of each of the individual resource-types.

Following are some of the individual resource-types in loganalytics-features-family and loganalytics-resources-family:

| Individual Resource-Type | Belongs to Aggregate Resource-Type | Example Policy Statements |
|---|---|---|
| Entity Type (Resource-type: loganalytics-entity-type) | loganalytics-features-family | Allow Users to Perform All Operations on Entity Type Resource |
| Field (Resource-type: loganalytics-field) | loganalytics-features-family | Allow Users to Perform All Operations on Fields |
| Label (Resource-type: loganalytics-label) | loganalytics-features-family | Allow Users to Perform All Operations on Labels |
| Lifecycle (Resource-type: loganalytics-lifecycle) | loganalytics-features-family | Allow Users to View Namespace Details and Tenant Preferences |
| Lookup (Resource-type: loganalytics-lookup) | loganalytics-features-family | Allow Users to Register Lookups |
| Parser (Resource-type: loganalytics-parser) | loganalytics-features-family | Allow Users to Perform All Operations on Parsers |
| Source (Resource-type: loganalytics-source) | loganalytics-features-family | Allow Users to Perform All Operations on Sources |
| Storage (Resource-type: loganalytics-storage) | loganalytics-features-family | Allow Users to View Storage Information and Archive Logs |
| Entity (Resource-type: loganalytics-entity) | loganalytics-resources-family | Allow Users to Perform Entity Operations |
| Log Group (Resource-type: loganalytics-log-group) | loganalytics-resources-family | Allow Users to Perform All Operations on Log Groups |
| Ingest Time Rule (Resource-type: loganalytics-ingesttime-rule) | loganalytics-resources-family | Allow Users to Perform Ingest Time Alert Rule Operations |

Allow Users to Perform All Operations on Entity Type Resource

Individual resource-type: loganalytics-entity-type

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| The Entity Type resource can be in the tenancy | allow group <user_group> to USE loganalytics-entity-type in tenancy |

The above example provides USE permission for loganalytics-entity-type in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-entity-type:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the entity types | Get details about an entity type | Create, delete, or update an entity type | Manage has the same level of permissions and API operations as Use. |

Allow Users to Perform All Operations on Fields

Individual resource-type: loganalytics-field

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Field can be in the tenancy | allow group <user_group> to USE loganalytics-field in tenancy |

The above example provides USE permission for loganalytics-field in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-field:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the fields | Get details about a field | Create, delete, or update a field | Manage has the same level of permissions and API operations as Use. |

Allow Users to Perform All Operations on Labels

Individual resource-type: loganalytics-label

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Label can be in the tenancy | allow group <user_group> to USE loganalytics-label in tenancy |

The above example provides USE permission for loganalytics-label in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-label:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the labels | Get details about a label including the sources in which it is used | Create, delete, or update a label | Manage has the same level of permissions and API operations as Use. |

Allow Users to View Namespace Details and Tenant Preferences

Individual resource-type: loganalytics-lifecycle

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| The loganalytics-lifecycle resource can be in the tenancy | allow group <user_group> to USE loganalytics-lifecycle in tenancy |

The above example provides USE permission for loganalytics-lifecycle in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-lifecycle:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the namespaces | Get details about a namespace, and the preferences in the tenant | Use has the same level of permissions and API operations as Read. | Offboard or onboard a namespace, update or delete tenant preferences. |

Allow Users to Register Lookups

Individual resource-type: loganalytics-lookup

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Lookup can be in the tenancy | allow group <user_group> to USE loganalytics-lookup in tenancy |

The above example provides USE permission for loganalytics-lookup in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-lookup:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| NA | NA | Register a lookup | Manage has the same level of permissions and API operations as Use. |

Allow Users to Perform All Operations on Parsers

Individual resource-type: loganalytics-parser

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Parsers can be in the tenancy | allow group <user_group> to USE loganalytics-parser in tenancy |

The above example provides USE permission for loganalytics-parser in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-parser:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the parsers and get their summary | Get details about a parser, list the parser functions, test a parser, extract the paths of the header and fields from the log content | Create, delete, or update a parser | Manage has the same level of permissions and API operations as Use. |

Allow Users to Perform All Operations on Sources

Individual resource-type: loganalytics-source

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Source can be in the tenancy | allow group <user_group> to USE loganalytics-source in tenancy |

The above example provides USE permission for loganalytics-source in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-source:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the sources, know about source types, entity associations for each source, labels used in the sources, and source functions. | Get details about a source, including associations, extended field definitions (EFD), patterns. Validate association parameters and EFD details. | Create, delete, or update sources or associations, and validate a source. | Manage has the same level of permissions and API operations as Use. |

Allow Users to View Storage Information and Archive Logs

Individual resource-type: loganalytics-storage

Part of aggregate resource-type: loganalytics-features-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Storage resource can be in the tenancy | allow group <user_group> to MANAGE loganalytics-storage in tenancy |

The above example provides MANAGE permission for loganalytics-storage in the tenancy.

The following operations can be performed with each verb when you create IAM policy for loganalytics-storage:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| NA | Get details of the storage and its usage. | With some additional permissions, you can recall the archived data and release the recalled data. See the Logging Analytics Policy Reference. | Enable and disable archiving, update the storage, and get the purge data size. |

Allow Users to Perform Entity Operations

Individual resource-type: loganalytics-entity

Part of aggregate resource-type: loganalytics-resources-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Entity can be in any compartment in the tenancy | allow group <user_group> to USE loganalytics-entity in tenancy |
| Entity can be in a specific compartment | allow group <user_group> to USE loganalytics-entity in compartment id <compartment_OCID> |

The above examples provide USE permission for loganalytics-entity in the tenancy or in a specific compartment.

The following operations can be performed with each verb when you create IAM policy for loganalytics-entity:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the entities, list their associations with sources | Get details about an entity | Create, delete, or update an entity, move it to a different compartment, add or remove association with a source | Manage has the same level of permissions and API operations as Use. |

Allow Users to Perform All Operations on Log Groups

Individual resource-type: loganalytics-log-group

Part of aggregate resource-type: loganalytics-resources-family

Resource Policy Statement if Family Policy Not Defined:

| Use Case | IAM Policies |
|---|---|
| Log groups can be in any compartment in the tenancy | allow group <user_group> to MANAGE loganalytics-log-group in tenancy |
| Log groups are in a specific compartment | allow group <user_group> to MANAGE loganalytics-log-group in compartment id <compartment_OCID> |

The above examples provide MANAGE permission for loganalytics-log-group in the tenancy or in a specific compartment.

The following operations can be performed with each verb when you create IAM policy for loganalytics-log-group:

| Inspect | Read | Use | Manage |
|---|---|---|---|
| List the log groups and get the summary | Get details of a log group. | Create and update a log group, change its compartment | Delete a log group |
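
The scoping rules listed at the top of this page and the per-verb tables can be checked mechanically when reviewing policies for least privilege. The following Python linter is an added example, not Oracle code. It assumes the simple statement form shown on this page, reads the loganalytics-features-family rule as requiring an "in tenancy" scope, and uses constructed sample statements with placeholder group names and OCID.

```python
import re

# Family membership as listed in the resource-type table on this page.
FEATURES = {"loganalytics-entity-type", "loganalytics-field", "loganalytics-label",
            "loganalytics-lifecycle", "loganalytics-lookup", "loganalytics-parser",
            "loganalytics-source", "loganalytics-storage"}
RESOURCES = {"loganalytics-entity", "loganalytics-log-group", "loganalytics-ingesttime-rule"}
FAMILIES = {"loganalytics-features-family": FEATURES,
            "loganalytics-resources-family": RESOURCES}
# Per the verb tables on this page: types where MANAGE adds operations beyond USE.
MANAGE_ADDS = {"loganalytics-lifecycle", "loganalytics-storage", "loganalytics-log-group"}

STMT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)\s*$", re.IGNORECASE)

def review(statement):
    """Return review findings for one policy statement (empty list = nothing to flag)."""
    m = STMT.match(statement.strip())
    if not m:
        return ["unparsed: statement does not match the simple form used on this page"]
    verb, rtype = m["verb"].lower(), m["rtype"].lower()
    at_tenancy = m["scope"].lower() == "tenancy"
    findings = []
    if rtype in FAMILIES:
        findings.append(f"blanket: {rtype} covers {len(FAMILIES[rtype])} listed resource types")
    elif rtype not in FEATURES | RESOURCES:
        return [f"unknown: {rtype} is not a resource type listed on this page"]
    in_features = rtype == "loganalytics-features-family" or rtype in FEATURES
    if in_features and not at_tenancy:
        findings.append("scope: features-family policies must be at tenancy level")
    if not in_features and at_tenancy:
        findings.append("scope: could be narrowed to a compartment")
    if verb == "manage" and rtype in MANAGE_ADDS:
        findings.append(f"verb: MANAGE on {rtype} adds operations beyond USE")
    return findings

SAMPLE = [  # constructed sample statements; group names and OCID are placeholders
    "allow group Logging-Analytics-SuperAdmins to USE loganalytics-features-family in tenancy",
    "allow group LogViewers to READ loganalytics-parser in compartment id ocid1.compartment.oc1..example",
    "allow group LogOps to MANAGE loganalytics-log-group in tenancy",
    "allow group LogOps to USE loganalytics-entity in compartment id ocid1.compartment.oc1..example",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, "->", review(s) or "ok")
```
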