Custom Role for Surface Hub Logs in Log Analytics Workspace


Hi All,

 

I created a custom Role for Read Access to the Surface Hub Logs that are ingested into our Log Analytics Workspace with the Surface Hub Solution. I can see the Logs and query them with my Admin Account.

For security reasons, we need a custom Role that can only access the Surface Hub Logs, but none of the other Logs.

 

Here is the JSON I used:

 

  {
    "Name": "Surface Hub Log Reader",
    "Description": "Custom Log Analytics Reader Role that can only view Surface Hub Logs",
    "Actions": [
          "Microsoft.OperationalInsights/workspaces/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceHealth/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceAppCrash/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceAppLaunch/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceCalendar/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceCleanup/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceConnectSession/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceEtw/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceHardwareHealth/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceHeartbeat/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceSkypeHeartbeat/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceSkypeSignIn/read",
          "Microsoft.OperationalInsights/workspaces/query/DeviceSleepState/read"
        ],
    "dataActions": [],
    "notActions": [
          "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
        ],
    "notDataActions": [],
    "AssignableScopes": [
        "/subscriptions/****"
    ]
  }
 
That works well, but when I try to add any of the SurfaceHub Tables to the Actions, I get an error. I also cannot see them in the Permissions for the Custom Role.
 
'Microsoft.OperationalInsights/workspaces/SurfaceHubEtw/read' does not match any of the actions supported by the providers.
 
It would be great if anybody has been through this, or maybe can tell me where I can address the Surface Hub Logs:
 
SurfaceHubCalendar
SurfaceHubConnectSessions
SurfaceHubEtw
SurfaceHubHeartbeat
SurfaceHubSkypeSignIn
 
Thanks & Regards, Peter
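An added example, not part of the original post and not Microsoft tooling: a small Python lint that checks whether a custom role definition like the one above grants read access only to the intended tables. It checks only the shape of each action string (`.../workspaces/query/<Table>/read`), not whether the resource provider supports that table; `audit_role`, `SAMPLE_ROLE` and `INTENDED` are hypothetical names and the sample role is constructed.

```python
import re

# Shape of a table-level read action, as used by the role in the post above.
TABLE_ACTION = re.compile(
    r"^Microsoft\.OperationalInsights/workspaces/query/([^/]+)/read$", re.IGNORECASE)
# Workspace-level actions the post's role also grants (open workspace, run queries).
BASE_ACTIONS = {
    "microsoft.operationalinsights/workspaces/read",
    "microsoft.operationalinsights/workspaces/query/read",
}

def audit_role(role, intended_tables):
    """Return (granted_tables, findings) for a custom role definition dict."""
    # The post's JSON mixes key casing ("Actions", "notActions"), so normalise keys.
    keys = {k.lower(): v for k, v in role.items()}
    granted, findings = set(), []
    for action in keys.get("actions", []):
        m = TABLE_ACTION.match(action)
        if m and m.group(1) == "*":
            findings.append(f"wildcard grants every table: {action}")
        elif m:
            granted.add(m.group(1))
        elif action.lower() not in BASE_ACTIONS:
            findings.append(f"not a table-level query action: {action}")
    for t in sorted(granted - set(intended_tables)):
        findings.append(f"table granted but not intended: {t}")
    for t in sorted(set(intended_tables) - granted):
        findings.append(f"intended table not granted: {t}")
    return granted, findings

# Constructed sample role: two Device* tables, the action string from the
# error message in the post, and a wildcard that would defeat the restriction.
SAMPLE_ROLE = {
    "Name": "Surface Hub Log Reader (constructed sample)",
    "Actions": [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/DeviceHeartbeat/read",
        "Microsoft.OperationalInsights/workspaces/query/DeviceEtw/read",
        "Microsoft.OperationalInsights/workspaces/SurfaceHubEtw/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
    ],
    "notActions": ["Microsoft.OperationalInsights/workspaces/sharedKeys/read"],
}
INTENDED = ["DeviceHeartbeat", "DeviceEtw", "DeviceHealth"]

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, INTENDED)[1]:
        print(finding)
```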
2 Replies

@Peter_Beckendorf 

 

I am not an expert for the Surface Hub solution, but the SurfaceHub* tables you mention are not part of the Azure Monitor reference for LA tables. However, the Device* tables are all there. Are you maybe trying to use deprecated tables?

 

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/tables-category

Hi @hspinto,

 

Thanks for your response.

I know those tables, but I'm not able to find those referenced in my Log Analytics.

 

Thanks & Kind Regards,

 

Peter