Manage access to Log Analytics workspaces

Question

Hi,   Reading about https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal#compare-access-modes and how this could potentially solve my problem. We are deploying all our App Gateways in the hub subscription (a hub and spoke architecture). Occasionally, App Gateways are created without the diagnostic settings enabled on them. However, I’m planning to use the following policy definition provided by the Azure Enterprise Scale project https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway.json I’ve imported it, tested, works. BUT, as of today all App Gateways are sitting in one resource group, meaning that when app/dev teams want to access the logs, they get to potentially view logs for others as well (different teams, countries etc.). I could split all the App Gateways into separate resource groups and assign individual copies of that policy with settings configured to point to different Log Analytics workspaces but this seams to be a more troublesome process.   Right now, app/dev teams get access on the Log Analytics, they access it through the Log Analytics workspace resource in the poral – I believe this is what the article refers as to workspace-context (they have access to the LAW, they can access all data in all tables in that workspace). I was thinking about removing their RBAC from the Log Analytics and just let them access the logs what the article describes as resource-context access mode. Looking at the table in the article they would require RBAC only at the resource level (AGW in this case), they wouldn’t require access to the workspace. But there’s some nonconsistency in the wording IMHO in that article. Quoting “Resource-context: When you access the workspace for a particular resource, resource group, or subscription, such as when you select Logs from a resource menu in the Azure portal, you can view logs for only resources in all tables that you have access to.”    However, in the table under “How can a user access logs?” under Resource-context “Select Logs from Log Analytics workspaces. Users will have access to data for all resources they have access to.” is listed out …. But how would they be able to access to Log Analytics in first place without having RBAC on it …? Accessing the logs through Log Analytics à Logs is referred as to Workspace-context access mode, so you NEED RBAC on the Log Analytics, and then ONLY the workspace permissions apply.   Could someone please clarify, am I correct in my assumption ?

Answer 1

The default resource context allows resource owners access to see the logs for their resources even if they have not been granted access to the workspace directly. You can also flip this to workspace-context so only those with explicit access can see the logs.

Azure permissions can be a little tricky. Anyone with read access to the subscription, resource group, or workspace will have read access as well. Removing access can be hard when it is inherited.

I would not go to great lengths to divide logs unless there is a major privacy issue. Consolidation makes life easier for everyone. You could create a workbook or saved queries if this is causing confusion.

Answer 2

@AdamBudzinskiAZA-0329 , thank you for your questions.

I am also adding some comments based on your questions/statements in your question. This should also help clarify some of the queries that you may have.

"...as of today all App Gateways are sitting in one resource group, meaning that when app/dev teams want to access the logs, they get to potentially view logs for others as well (different teams, countries etc.)..." - Yes, because you are most probably assigning the policy at Resource Group or Subscription level. Therefore, the target of diagnostic logs will be the "Log Analytics workspace" parameter as chosen when assigning the Policy, i.e., all app gateways forward logs to same workspace.

If you have granted read access to end users to this "LA Workspace" (workspace-context), then they would have access to all the data stored in this workspace.

"...app/dev teams get access on the Log Analytics, they access it through the Log Analytics workspace resource in the poral – I believe this is what the article refers as to workspace-context (they have access to the LAW, they can access all data in all tables in that workspace)" - Yes, you are right. If users are accessing the Workspace directly to query, they are accessing the logs using the workspace-context. In such case, if they have not been assigned table level access, they would be able to see all the logs in all the table. Table level access won't work for scenario described in the question as the diagnostic logs are being forwarded by "App Gateway", hence the logs are going to be in same table and table level access won't work.

"...But how would they be able to access to Log Analytics in first place without having RBAC on it …?" - You are right again. This is an error. If workspace level access has not been granted, users will only have to access log through Azure Monitor/Resource logs menu. I will update the table to remove this line.

Thank you for pointing it out.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.