Prerequisite IAM Policies
Create an IAM policy with the following policy statements to enable access to Oracle Logging Analytics and its resources, and to grant access to user groups.
There are three types of policy statements required:
- Service Policies: These are the policy statements to make the product usable.

    allow service loganalytics to READ loganalytics-features-family in tenancy
- User Policies: These policy statements control users' access. Add a user to the group for which the policies are defined. It is recommended to have three groups, but it's also possible that you already have groups for which you define policies. For the recommended groups, see Create User Groups to Implement Access Control.

  Use the following policy statements to give the user groups access to the resources loganalytics-features-family and compartments across the tenancy:

    allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy
    allow group Logging-Analytics-Admins to read compartments in tenancy

  Use the following policy statements to give the user groups access to the resources management-dashboard-family and loganalytics-resources-family:

  - Access across the tenancy:

      allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy
      allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy

  - Access to specific compartments:

      allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1
      allow group Logging-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2
- Resource Policies: These policy statements are required for any background processes, for example, scheduled tasks, EM Bridges, or log collection using Management Agents. These policies use dynamic groups to define the set of resources. The policy statements are written to give access to the dynamic group. For information on individual resource types and their policies, see IAM Policies Catalog for Logging Analytics.
In the above policy statements, Logging-Analytics-Admins is a user group. For more information on these policy statements, see Enable Access from Logging Analytics to Its Features Family and Grant Access to User Groups.
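
As an added example (not part of the Oracle documentation), the following review helper parses the statements above and lists the group grants of `use` or `manage` that apply across the tenancy, so they can be compared with the compartment-scoped form shown for the resources and dashboard families. The function names are hypothetical, and the parser assumes a simplified grammar with no `where` conditions and single-word names.

```python
import re

# Simplified grammar (assumption): no "where" conditions, single-word names.
STATEMENT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group|service)\s+(?P<subject>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)
VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most access

# The statements shown on this page.
PAGE_STATEMENTS = [
    "allow service loganalytics to READ loganalytics-features-family in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy",
    "allow group Logging-Analytics-Admins to read compartments in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy",
    "allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1",
    "allow group Logging-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2",
]


def parse_statement(text):
    """Split one policy statement into subject, verb, resource and scope."""
    m = STATEMENT.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported policy statement: {text!r}")
    scope = "tenancy" if m["tenancy"] else "compartment:" + m["compartment"]
    return {"kind": m["kind"].lower(), "subject": m["subject"],
            "verb": m["verb"].lower(), "resource": m["resource"], "scope": scope}


def tenancy_wide_group_grants(statements, min_verb="use"):
    """Return parsed group grants at tenancy scope with verb >= min_verb."""
    floor = VERBS.index(min_verb)
    parsed = (parse_statement(s) for s in statements)
    return [p for p in parsed
            if p["kind"] == "group" and p["scope"] == "tenancy"
            and VERBS.index(p["verb"]) >= floor]


if __name__ == "__main__":
    for grant in tenancy_wide_group_grants(PAGE_STATEMENTS):
        print(f'{grant["subject"]}: {grant["verb"]} {grant["resource"]} in tenancy')
```

Statements the simplified grammar does not cover raise `ValueError` rather than being skipped, so an unparsed grant cannot silently drop out of the review.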