Prerequisite IAM Policies
Create an IAM policy with the following policy statements to enable access to Oracle Logging Analytics and its resources, and to grant access to user groups.
There are three types of policy statements required:
- Service Policies: These are the policy statements to make the product usable.
    allow service loganalytics to READ loganalytics-features-family in tenancy
- User Policies: These policy statements control users' access. Add a user to the group for which the policies are defined. It is recommended to have three groups, Logging-Analytics-Users, Logging-Analytics-Admins, and Logging-Analytics-SuperAdmins, but you may already have groups for which you define policies. For more information on the recommended groups and granting access to them, see Create User Groups to Implement Access Control and Grant Access to User Groups.
  The following policy statements provide access to the user group Logging-Analytics-Admins for the resources loganalytics-features-family and compartments across the tenancy:
    allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy
    allow group Logging-Analytics-Admins to read compartments in tenancy
  The following policy statements provide access to the user group Logging-Analytics-Admins for the resources management-dashboard-family and loganalytics-resources-family:
  - Access across the tenancy:
      allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy
      allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy
  - Access to specific compartments:
      allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1
      allow group Logging-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2
- Resource Policies: These policy statements are required for any background processes, for example, scheduled tasks, EM Bridges, or log collection using Management Agents. These policies may use dynamic groups to define the set of resources and the policy statements may be written to give access to the dynamic group. See Logging Analytics Features That Require Multiple Policy Statements to Enable Them for Users. For information on individual resource types under the aggregate resources loganalytics-features-family and loganalytics-resources-family and their policies, see Some of the Individual Resource Types and IAM Policies to Use Them.
Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.
If you enabled Oracle Logging Analytics using the onboarding UI, which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
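The user policies above come in a tenancy-wide form and a compartment-scoped form. The following added example (not Oracle code) parses the statements shown on this page and lists the group grants that are tenancy-wide even though the page also shows a compartment-scoped form for the same resource family. The names parse_statement, review and COMPARTMENT_SCOPABLE are hypothetical, and the parser assumes only the statement forms used on this page (no conditions, one subject per statement).

```python
import re

# OCI policy verbs, lowest to highest privilege.
VERBS = ("inspect", "read", "use", "manage")
# Assumption: only the families the page also shows in compartment-scoped form.
COMPARTMENT_SCOPABLE = {"loganalytics-resources-family", "management-dashboard-family"}

STATEMENT = re.compile(
    r"allow\s+(?P<kind>group|dynamic-group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>\w+)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Split one policy statement into its parts; None if the form is not recognized."""
    m = STATEMENT.match(text.strip())
    if not m or m["verb"].lower() not in VERBS:
        return None
    scope = "tenancy" if m["tenancy"] else "compartment:" + m["compartment"]
    return {"kind": m["kind"].lower(), "subject": m["subject"],
            "verb": m["verb"].lower(), "resource": m["resource"].lower(), "scope": scope}

def review(statements):
    """Return (statement, note) pairs for the statements a reviewer should look at."""
    notes = []
    for text in statements:
        p = parse_statement(text)
        if p is None:
            notes.append((text, "not parsed, review by hand"))
        elif (p["kind"] == "group" and p["scope"] == "tenancy"
              and p["resource"] in COMPARTMENT_SCOPABLE):
            notes.append((text, f"{p['verb']} on {p['resource']} is tenancy-wide; "
                                "the page also shows a compartment-scoped form"))
    return notes

# The policy statements shown on this page.
PAGE_STATEMENTS = [
    "allow service loganalytics to READ loganalytics-features-family in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy",
    "allow group Logging-Analytics-Admins to read compartments in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy",
    "allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1",
    "allow group Logging-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2",
]
if __name__ == "__main__":
    for text, note in review(PAGE_STATEMENTS):
        print(f"{note}\n    {text}")
```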