Forum Discussion
Shared Dashboard Permissions - LA Queries Across Workspaces
jwrossi Did you try https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#log-analytics-reader? It kind of depends on where you assigned rights, and whether you have a single tenant or multiple. If you assign this right in the root management group to your service desk group, it trickles down to all subscriptions under the same tenant. If you have multiple tenants, then you need to look to Azure Lighthouse.
BTW, I'm curious about how you do the cross-subscription query. I know about a query like the one below (getting the AV protection status of machines that aren't healthy across two customers):
union ProtectionStatus,
//customerA
workspace("workspaceid_custA").ProtectionStatus,
//customerB
workspace("workspaceid_custB").ProtectionStatus
| where ProtectionStatusRank != 150
- jwrossi, Sep 30, 2020, Copper Contributor
-Akos- Hi, thanks for the input. I tried Log Analytics Reader, but it gives the following permissions: "The Log Analytics Reader role includes the following Azure actions: For workspaces, it allows full unrestricted permissions to read the workspace settings and perform query on the data." I would like the Service Desk personnel to be able to see the data from the cross-workspace queries in the Dashboard, but I don't want them to be able to perform queries.
Regarding the cross-workspace queries, I am doing what you show in your post. I create a function for the actual union so that I can reuse that function across multiple queries (CPU, Memory, Disk, etc.).
- -Akos-, Sep 30, 2020, Brass Contributor
jwrossi But isn't a dashboard just the graphical version of the query?
- jwrossi, Oct 01, 2020, Copper Contributor
-Akos- Yes, but I only want them to be able to see the results of specific queries that I choose (CPU, Memory, Disk). I don't want them to be able to create their own queries and query for any information they choose to. These are Service Desk personnel and I don't want them to have this capability.