Workbook RBAC

Bombbe 1,401 Reputation points
2022-09-29T12:52:45.233+00:00

Hi,
I have the following situation: I have subscription A and subscription B. I create a workbook in subscription B and create Log Analytics queries there where data is pulled from a Log Analytics workspace that is located in subscription A. Even though I give the user the Reader role on subscription B, he can't access the workbook because he receives an error that he does not have authorization to perform a read action over subscription A, where Log Analytics is located.

Even though I create the workbook and give reader access to it, does the user really have read access also to the Log Analytics workspace where the data is located, or am I doing something wrong here?


Accepted answer
  1. Alistair Ross 7,366 Reputation points Microsoft Employee
    2022-09-29T14:43:47.61+00:00

    Hi @bombe.

    The answer is yes. Workbooks do not have any identity which performs read actions on behalf of the user, they rely on the permissions of the user accessing the workbook to view the underlying data.

    Take this example. You have created a multi-workspace workbook that can render data from multiple workspaces into a single chart. User 1 has read permissions to one Log Analytics workspace and user 2 has read permissions to two Log Analytics workspaces. When user 1 accesses the workbook, they will only see data from one of the workspaces. User 2 can access the same workbook and can view data from both workspaces at the same time.

    Read permissions on the workbook allow the user to view the workbook and access the code which makes up the workbook, not access to the data sources. If you want to achieve this, you will need to use a service such as Power BI or Grafana to allow a service principal to access the data.

    One option you have, depending on the data you are trying to access, is to use resource-context access, allowing the user read access to Azure resources, such as virtual machines, and access to the logs for those VMs through a scoped query.

    Kind regards,

    Alistair Ross

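To make the per-user evaluation in the accepted answer concrete, here is an added example (my own, not code from the original thread or from Azure Monitor) that models how Azure RBAC scope inheritance decides what a workbook viewer can see. It covers the asker's situation (Reader on subscription B only), the fix (a Log Analytics Reader assignment scoped to the workspace in subscription A, which yields the partial-data behaviour the answer describes when only one of two workspaces is granted), and the resource-context option (Reader on the VM itself). The subscription IDs, workspace, VM, workbook and user names are invented, and the built-in roles are reduced to the action patterns that matter here, so this is a simplified model of the evaluation, not a call into Azure.

```python
"""Constructed model of Azure RBAC evaluation for a workbook viewer.
Assumptions: the resource IDs and principals below are invented, the roles
are reduced to the action patterns relevant to reading logs, and the scope
inheritance rule is a simplified re-implementation, not an Azure API call."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Actions a workbook viewer needs.  Names follow the built-in role
# definitions but are treated as assumptions of this model.
READ_WORKBOOK = "Microsoft.Insights/workbooks/read"
QUERY_WORKSPACE = "Microsoft.OperationalInsights/workspaces/query/read"
# Resource-context reads are checked per table on the resource itself.
READ_RESOURCE_LOGS = "Microsoft.Insights/logs/Heartbeat/read"

# Built-in roles reduced to the action patterns that matter here.
ROLE_ACTIONS = {
    "Reader": {"*/read"},
    "Log Analytics Reader": {"*/read"},
}

# Invented resource IDs: workbook in subscription B, data in subscription A.
SUB_A = "/subscriptions/aaaa-sub-a"
SUB_B = "/subscriptions/bbbb-sub-b"
WORKSPACE_A = SUB_A + "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-a"
WORKSPACE_A2 = SUB_A + "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-a2"
VM_A = SUB_A + "/resourceGroups/rg-vms/providers/Microsoft.Compute/virtualMachines/vm01"
WORKBOOK_B = SUB_B + "/resourceGroups/rg-wb/providers/Microsoft.Insights/workbooks/ops-dashboard"


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_covers(scope, resource_id):
    """Assignments inherit downwards: a scope covers itself and everything
    beneath it in the resource hierarchy (comparison is case-insensitive)."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def is_allowed(principal, action, resource_id, assignments):
    """True if any assignment held by the principal covers the resource and
    its role grants a pattern matching the action.  The workbook never
    contributes here: it has no identity of its own."""
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, resource_id):
            continue
        if any(fnmatchcase(action, pattern) for pattern in ROLE_ACTIONS[a.role]):
            return True
    return False


def evaluate_workbook(principal, workbook_id, sources, assignments):
    """sources: list of (resource_id, required_action) the workbook queries.
    Returns whether the workbook itself opens and, per data source, whether
    the viewer's own permissions allow the query ('ok' or 'denied')."""
    workbook = "ok" if is_allowed(principal, READ_WORKBOOK, workbook_id, assignments) else "denied"
    per_source = {
        rid: ("ok" if is_allowed(principal, action, rid, assignments) else "denied")
        for rid, action in sources
    }
    return {"workbook": workbook, "sources": per_source}


def demo():
    """The three situations from the thread, evaluated for one workbook."""
    assignments = [
        # The asker's setup: Reader on subscription B only.
        Assignment("user1", "Reader", SUB_B),
        # The fix: same, plus Log Analytics Reader scoped to one workspace in A.
        Assignment("user2", "Reader", SUB_B),
        Assignment("user2", "Log Analytics Reader", WORKSPACE_A),
        # Resource-context: Reader on the VM whose logs the workbook queries.
        Assignment("user3", "Reader", SUB_B),
        Assignment("user3", "Reader", VM_A),
    ]
    workspace_sources = [(WORKSPACE_A, QUERY_WORKSPACE), (WORKSPACE_A2, QUERY_WORKSPACE)]
    resource_sources = [(VM_A, READ_RESOURCE_LOGS)]
    return {
        "user1": evaluate_workbook("user1", WORKBOOK_B, workspace_sources, assignments),
        "user2": evaluate_workbook("user2", WORKBOOK_B, workspace_sources, assignments),
        "user3": evaluate_workbook("user3", WORKBOOK_B, resource_sources, assignments),
    }


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(user, outcome)
```

Running it shows user1 opening the workbook but being denied on both workspaces (the error in the question), user2 seeing data from law-a only, and user3 reading vm01's logs through resource-context access. In practice, the change that turns user1 into user2 is a role assignment scoped to the workspace in subscription A, for example `az role assignment create --assignee <user-upn> --role "Log Analytics Reader" --scope <workspace-resource-id>` with the placeholders filled from your environment; the resource-context path additionally depends on the workspace's access control mode permitting resource permissions, which this model does not check.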
