Shared Dashboard Permissions - LA Queries Across Workspaces
jwrossi Did you try https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#log-analytics-reader? It kind of depends on where you assigned rights, and whether you have a single tenant or multiple. If you assign this right in the root management group to your service desk group, it trickles down to all subscriptions under the same tenant. If you have multiple tenants, then you need to look to Azure Lighthouse.
BTW, I'm curious about how you do the cross-subscription query. I know about a query like the one below (getting AV protection status of machines that aren't healthy across two customers):
union ProtectionStatus,
//customerA
workspace("workspaceid_custA").ProtectionStatus,
//customerB
workspace("workspaceid_custB").ProtectionStatus
| where ProtectionStatusRank != 150
-Akos- Hi, thanks for the input. I tried Log Analytics Reader but it gives the following permissions: "The Log Analytics Reader role includes the following Azure actions: For workspaces, it allows full unrestricted permissions to read the workspace settings and perform query on the data." I would like the Service Desk personnel to be able to see the data from the cross-workspace queries in the Dashboard, but I don't want them to be able to perform queries.
Regarding the cross-workspace queries, I am doing what you show in your post. I create a function for the actual union so that I can reuse that function across multiple queries (CPU, Memory, Disk, etc.).
- -Akos- Sep 30, 2020 Brass Contributor
jwrossi But isn't a dashboard just the graphical version of the query?
- jwrossi Oct 01, 2020 Copper Contributor
-Akos- Yes, but I only want them to be able to see the results of specific queries that I choose (CPU, Memory, Disk). I don't want them to be able to create their own queries and query for any information they choose to. These are Service Desk personnel and I don't want them to have this capability.
- -Akos- Oct 02, 2020 Brass Contributor
jwrossi Hmm, it doesn't seem like that would be possible, but you could create an RBAC role that would only limit access to certain tables (see https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access). Alternatively, you could push the data to PowerBI and create a report there, and then you can keep the service desk away from Log Analytics altogether.
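
The table-limited role suggested in the last reply, as an added example that is not part of the thread: a small Python check that models Azure RBAC Actions/NotActions wildcard evaluation and reports which Log Analytics tables a role definition can query. Both role definitions are constructed, the role name, the `Perf` table choice and the `<subscription-id>` placeholder are assumptions, and the "query/read plus per-table read" rule follows the pattern in the linked manage-access documentation; this limits which tables can be read, not which queries are run.

```python
import re

# Constructed role definitions (not from the thread). Action strings follow the
# table-level pattern described in the Azure Monitor "manage access" docs.
BROAD_READER = {  # simplified stand-in for a reader role with wildcard read
    "Name": "Broad reader (constructed)",
    "Actions": ["*/read"],
    "NotActions": ["Microsoft.OperationalInsights/workspaces/sharedKeys/read"],
}
SERVICE_DESK = {  # hypothetical custom role limited to two tables
    "Name": "Service Desk Table Reader (hypothetical)",
    "Actions": [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/Perf/read",
        "Microsoft.OperationalInsights/workspaces/query/ProtectionStatus/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],  # placeholder
}

PREFIX = "Microsoft.OperationalInsights/workspaces/query"


def _matches(pattern, action):
    """Azure RBAC wildcard match: '*' spans any characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allowed(role, action):
    """An action is effective if some Action matches and no NotAction does."""
    hit = any(_matches(p, action) for p in role.get("Actions", []))
    blocked = any(_matches(p, action) for p in role.get("NotActions", []))
    return hit and not blocked


def queryable_tables(role, tables):
    """Tables the role can query: needs query/read plus the per-table read."""
    if not allowed(role, f"{PREFIX}/read"):
        return []
    return [t for t in tables if allowed(role, f"{PREFIX}/{t}/read")]


if __name__ == "__main__":
    sample = ["Perf", "ProtectionStatus", "SecurityEvent", "SigninLogs"]
    for role in (BROAD_READER, SERVICE_DESK):
        print(role["Name"], "->", queryable_tables(role, sample))
```

Running the same check over an exported role definition before assigning it to the service desk group shows whether a wildcard action quietly grants read access to every table.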