Oracle Cloud Infrastructure Documentation

Oracle-Defined Policy Templates for Common Use Cases

You can use the readily available templates to create a policy for a user group or dynamic group to perform a specific operation or a collection of operations.

  1. In your console, under Identity & Security, click Policies under Identity menu, and click Create Policy. The Create Policy page opens.

  2. Provide a name and description for the policy.

  3. In the Policy Builder, from the Policy use cases menu, select Logging Analytics. From the Common policy templates menu, select one of the below options:

    Select the identity domain, group or dynamic group depending on your use case, and the compartment to define the scope of the permission.

    For detailed steps to create a policy using the Oracle-defined templates in the policy builder, see Writing Policy Statements with the Policy Builder.

    For an example of customizing a policy using the manual editor, see Customizing Policies.

  4. Click Create.

Let operators search logs, view enrichment configurations and view dashboards

Allow the user group to query the logs, see various configurations, and view dashboards. The policy template does not include the ability to enable or disable log collection, change configurations, delete logs, or manage dashboards.

Policy statements included in the template:

Allow group {group name} to read loganalytics-features-family in tenancy
Allow group {group name} to read loganalytics-resources-family in {location}
Allow group {group name} to read management-dashboard-family in {location}
Allow group {group name} to read compartments in tenancy
Allow service loganalytics to read loganalytics-features-family in tenancy
  • {group name}: Select the user group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Let Logging Analytics users search logs, view enrichment configurations and manage dashboards

Allow the user group to query the logs, see various configurations, and manage the dashboards. The policy template does not include the ability to enable or disable log collection, change configurations, or delete logs.

Policy statements included in the template:

Allow group {group name} to read loganalytics-features-family in tenancy
Allow group {group name} to read loganalytics-resources-family in {location}
Allow group {group name} to manage management-dashboard-family in {location}
Allow group {group name} to read compartments in tenancy
Allow service loganalytics to read loganalytics-features-family in tenancy
  • {group name}: Select the user group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Let Logging Analytics admins search logs, configure enrichments, collect logs and manage dashboards

Allow the user group to create or edit sources, parsers, entities, log groups, and manage the dashboards. The policy statements also allow the user group to enable or disable log collection. However, the permissions don't include the ability to delete logs.

Policy statements included in the template:

Allow group {group name} to use loganalytics-features-family in tenancy
Allow group {group name} to use loganalytics-resources-family in {location}
Allow group {group name} to manage management-dashboard-family in {location}
Allow group {group name} to read compartments in tenancy
Allow group {group name} TO MANAGE management-agents in {location}
Allow group {group name} to MANAGE management-agent-install-keys in {location}
Allow group {group name} TO READ METRICS in {location}
Allow group {group name} TO READ USERS in tenancy
Allow group {group name} to {BUCKET_UPDATE, BUCKET_READ} in {location}
Allow service loganalytics to READ loganalytics-features-family in tenancy
  • {group name}: Select the user group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Let Logging Analytics super admins control all aspects of Logging Analytics and purge logs

Allow the user group to query the logs, manage various configurations, enable or disable log collection, and delete logs. The user group also has the ability to perform lifecycle activities like offboarding and onboarding from Oracle Logging Analytics.

Policy statements included in the template:

Allow group {group name} to MANAGE loganalytics-features-family in tenancy
Allow group {group name} to MANAGE loganalytics-resources-family in {location}
Allow group {group name} to MANAGE management-dashboard-family in {location}
Allow group {group name} to read compartments in tenancy
Allow group {group name} TO MANAGE management-agents in {location}
Allow group {group name} to MANAGE management-agent-install-keys in {location}
Allow group {group name} TO READ METRICS in {location}
Allow group {group name} TO READ USERS in tenancy
Allow group {group name} to {BUCKET_UPDATE, BUCKET_READ} in {location}
Allow service loganalytics to READ loganalytics-features-family in tenancy
  • {group name}: Select the user group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Allow purge policy dynamic groups to run

Allow the purge action for log data.

Policy statements included in the template:

Allow dynamic-group {group name} to read compartments in tenancy
Allow dynamic-group {group name} to {LOG_ANALYTICS_STORAGE_PURGE} in tenancy
Allow dynamic-group {group name} to {LOG_ANALYTICS_STORAGE_WORK_REQUEST_CREATE} in {location}
Allow dynamic-group {group name} to {LOG_ANALYTICS_LOG_GROUP_DELETE_LOGS} in {location}
Allow dynamic-group {group name} to {LOG_ANALYTICS_QUERY_VIEW} in tenancy
Allow dynamic-group {group name} to {LOG_ANALYTICS_QUERYJOB_WORK_REQUEST_READ} in {location}
  • {group name}: Select the dynamic group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Allow continuous log collection using management agent dynamic groups

Allow the user group to collect logs continuously using management agents.

Policy statements included in the template:

Allow dynamic-group {group name} to use METRICS in {location}
Allow dynamic-group {group name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in {location}
  • {group name}: Select the dynamic group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Allow detection rule dynamic groups to run

Allow the scheduled task detection rules and ingest time detection rules to run.

Policy statements included in the template:

Allow dynamic-group {group name} to use metrics in {location}
Allow dynamic-group {group name} to read management-saved-search in {location}
Allow dynamic-group {group name} to {LOG_ANALYTICS_QUERY_VIEW} in {location}
Allow dynamic-group {group name} to {LOG_ANALYTICS_QUERYJOB_WORK_REQUEST_READ} in {location}
Allow dynamic-group {group name} to READ loganalytics-log-group in {location}
Allow dynamic-group {group name} to read compartments in tenancy
Allow service loganalytics to use metrics in {location}
  • {group name}: Select the dynamic group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.

Allow log collection from object storage

Allow the user group to collect logs from object storage.

Policy statements included in the template:

Allow service loganalytics to read buckets in {location}
Allow service loganalytics to read objects in {location}
Allow service loganalytics to manage cloudevents-rules in {location}
Allow service loganalytics to inspect compartments in tenancy
Allow service loganalytics to use tag-namespaces in tenancy where all {target.tag-namespace.name = /oracle-tags/}
  • {group name}: Select the user group that must be given the access.
  • {location}: Select the compartment for the scope of the permission.