jwrossi
Copper Contributor
Sep 28, 2020

Shared Dashboard Permissions - LA Queries Across Workspaces

Hi,

We have numerous subscriptions (one per customer) in Azure. Each subscription has its own Log Analytics workspace. We have a governance subscription where I have created Log Analytics alerts (CPU, Memory, Disk) that query across all workspaces, and I pin that query to a Dashboard. I give our Service Desk permissions to the Dashboard and they can see the Dashboard, but they can't see the results of the queries. What are the least privileges I can give them so they can see the results of the queries in the Dashboard?

6 Replies

  • -Akos-
    Brass Contributor

    jwrossi Did you try https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#log-analytics-reader? It kind of depends on where you assigned rights, and whether you have a single tenant or multiple. If you assign this right in the root management group to your service desk group, it trickles down to all subscriptions under the same tenant. If you have multiple tenants, then you need to look to Azure Lighthouse.

    BTW, I'm curious about how you do the cross-subscription query. I know about a query like the one below (getting AV protection status of machines that aren't healthy across two customers):

    union ProtectionStatus,
    //customerA
    workspace("workspaceid_custA").ProtectionStatus,
    //customerB
    workspace("workspaceid_custB").ProtectionStatus
    | where ProtectionStatusRank != 150

    • jwrossi
      Copper Contributor

      -Akos- Hi, thanks for the input. I tried Log Analytics Reader but it gives the following permissions: The Log Analytics Reader role includes the following Azure actions: For workspaces, it allows full unrestricted permissions to read the workspace settings and perform query on the data. I would like the Service Desk personnel to be able to see the data from the cross-workspace queries in the Dashboard, but I don't want them to be able to perform queries.

      Regarding the cross-workspace queries, I am doing what you show in your post. I create a function for the actual union so that I can reuse that function across multiple queries (CPU, Memory, Disk, etc.)

      • -Akos-
        Brass Contributor

        jwrossi But isn't a dashboard just the graphical version of the query?
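
As an added illustration that is not part of the thread: a custom role definition that narrows the Log Analytics Reader grant discussed above to query access on a single table. A pinned log query tile runs with the viewer's own permissions, so query read on the workspaces cannot be dropped entirely, only restricted. The role name, the Perf table (assumed to hold the CPU, memory and disk counters) and the management group placeholder are assumptions.

```json
{
  "Name": "Service Desk Log Viewer (example)",
  "IsCustom": true,
  "Description": "Added example. Read-only query access limited to the Perf table; the table name and the scope are assumptions.",
  "Actions": [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/Perf/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/<management-group-id>"
  ]
}
```

Assigned to the service desk group at the management group, the role is inherited by the subscriptions below it, as the first reply describes for the built-in role. Tables not listed under `query/<table>/read` stay unreadable to the group.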