Sep 28 2020
- last edited on
Apr 08 2022
We have numerous subscriptions (one per customer) in Azure. Each subscription has its own Log Analytics workspace. We have a governance subscription where I have created Log Analytics alerts (CPU, Memory, Disk) that query across all workspaces and I pin that query to a Dashboard. I give our Service Desk permissions to the Dashboard and they can see the Dashboard but they can't see the results of the queries. What are the least privileges I can give them so they can see the results of the queries in the Dashboard.
Sep 29 2020 07:37 AM
@jwrossi Did you try Log Analytics Reader? It kind of depends on where you assigned rights, and whether you have a single tenant or multiple. If you assign this right in the root management group to your service desk group, it trickles down to all subscriptions under the same tenant. If you have multiple tenants, then you need to look to Azure Lighthouse.
BTW, I'm curious on how you do the cross subscription query. I know about a query like below (getting AV protection status of machines that aren't healthy across two customers)
union ProtectionStatus, //customerA workspace("workspaceid_custA").ProtectionStatus, //customerB workspace("workspaceid_custB").ProtectionStatus | where ProtectionStatusRank != 150
Sep 30 2020 12:48 PM
@-Akos- Hi, Thanks for the input. I tried Log Analytics Reader but it gives the following permissions: The Log Analytics Reader role includes the following Azure actions: For workspaces, it allows full unrestricted permissions to read the workspace settings and perform query on the data. I would like the Service Desk personnel to be able to see the data from the cross-workspace queries in the Dashboard but I don't want them to be able to perform queries.
Regarding the cross-workspace queries, I am doing what you show in your post. I create a function for the actual union so that I can reuse that function across multiple queries (CPU, Memory, Disk, etc.)
Oct 01 2020 06:12 AM
@-Akos- Yes, but I only want them to be able to see the results of specific queries that I choose (CPU, Memory, Disk). I don't want them to be able to create their own queries and query for any information they choose to. These are Service Desk personnel and I don't want them to have this capability.
Oct 02 2020 05:08 AM
@jwrossi Hmm, It doesn't seem like that would be possible, but you could create an RBAC role that would only limit access to certain tables, (see here), alternatively you could push the data to PowerBI, and create a report there, and then you can keep the service desk away from Log Analytics altogether.