Azure Roles for Log Analytics and How they Relate to the Services Hub

Your workspace in Services Hub needs to be linked to an Azure Log Analytics workspace.

Purpose of linking

  • Azure Log Analytics workspaces need to be associated with Services Hub in order to be used for storing assessment data.
  • Only certain role holders in Azure can successfully link from Services Hub to an Azure Log Analytics workspace. The same user account that is signed in to Services Hub performs the edits in Azure Log Analytics.

Azure roles

The following sections list the different Azure roles and the permissions those roles have in Services Hub with regard to assessments and linking Services Hub to Log Analytics.

  • Owner, Reader or Contributor at Log Analytics Workspace level
  • Owner, Reader or Contributor at Resource Group level
  • Owner, Reader, Contributor, Log Analytics Reader or Log Analytics Contributor at Subscription level

Users who can create a new Azure Log Analytics workspace under an existing Resource Group that is linked to the Services Hub workspace

  • Owner or Contributor at Resource Group level
  • Owner, Contributor or Log Analytics Contributor at Subscription level

Users who can create a new Azure Log Analytics workspace under a new Resource Group that is linked to the Services Hub workspace

  • Owner or Contributor at Subscription level

Roles that can Add/Remove solutions from the Services Hub workspace

  • Owner or Contributor at Log Analytics Workspace level
  • Owner or Contributor at Resource Group level
  • Owner, Contributor or Log Analytics Contributor at Subscription level
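
The three titled role lists above can be audited against real assignments. This is an added example, not Microsoft's or Services Hub's own code: it takes role assignments in the JSON shape returned by `az role assignment list --all -o json` and reports which principals hold each capability for one workspace. The capability key names, subscription ID, resource names and principals are constructed for illustration, and assignments at scopes the page does not list (for example management groups) are ignored.

```python
import re

# Role lists transcribed from the three titled lists on this page:
# capability -> scope level -> roles that grant it.
LAC = "Log Analytics Contributor"
WRITE = {"Owner", "Contributor"}
MATRIX = {
    "create_ws_existing_rg": {"resource_group": WRITE, "subscription": WRITE | {LAC}},
    "create_ws_new_rg": {"subscription": WRITE},
    "add_remove_solutions": {"workspace": WRITE, "resource_group": WRITE,
                             "subscription": WRITE | {LAC}},
}
SCOPE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[^/]+))?)?$", re.I)

def scope_level(scope, target):
    """Level at which an assignment scope covers the target workspace, else None."""
    m = SCOPE.match(scope.rstrip("/"))
    if not m or m["sub"].lower() != target["sub"].lower():
        return None
    if m["rg"] is None:
        return "subscription"
    if m["rg"].lower() != target["rg"].lower():
        return None
    if m["ws"] is None:
        return "resource_group"
    return "workspace" if m["ws"].lower() == target["ws"].lower() else None

def capabilities(assignments, target):
    """Map each capability to the sorted principals whose assignments grant it."""
    out = {cap: set() for cap in MATRIX}
    for a in assignments:
        level = scope_level(a["scope"], target)
        for cap, levels in MATRIX.items():
            if a["roleDefinitionName"] in levels.get(level, ()):
                out[cap].add(a["principalName"])
    return {cap: sorted(names) for cap, names in out.items()}

# Constructed sample data (not real tenants, users or resources).
TARGET = {"sub": "00000000-0000-0000-0000-000000000000", "rg": "rg-assess", "ws": "law-assess"}
SUB = "/subscriptions/" + TARGET["sub"]
RG = SUB + "/resourceGroups/rg-assess"
WS = RG + "/providers/Microsoft.OperationalInsights/workspaces/law-assess"
ROWS = [("ana@example.com", LAC, SUB), ("raj@example.com", LAC, WS),
        ("kim@example.com", "Contributor", RG),
        ("sam@example.com", "Owner", SUB + "/resourceGroups/rg-other")]
SAMPLE = [{"principalName": p, "roleDefinitionName": r, "scope": s} for p, r, s in ROWS]
```

Calling `capabilities(SAMPLE, TARGET)` shows the same role counting differently by scope: the lists above name Log Analytics Contributor only at Subscription level, so the workspace-level assignment for `raj@example.com` grants none of the three capabilities.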

Additional roles are required for assessments deployed using AMA

  • In order for a user to view a machine in Services Hub along with the associated assessment data, the user also needs to have access to the machine on the subscription.
  • If you're having trouble viewing the assessments in Services Hub, ensure you've been added to the Services Hub workspace and that you have at least Log Analytics Reader for the workspace in question, along with permissions to view the machine.
    • You can modify machine permissions using IAM for each individual machine if you require granular control for both Azure Arc and Azure VMs.

The minimum level required is Azure Log Analytics Reader.

Note

Adding or removing solutions in a Log Analytics workspace can change the costs incurred by your organization. For that reason, it requires higher levels of permission.

Note

If you don’t know the Azure owner or other roles of your Azure subscriptions, see Role assignments in Azure Subscriptions.

Configure roles in Azure

See Assign Azure roles using the Azure Portal.