Manage access to log data and workspaces in Azure Monitor

Azure Monitor stores log data in a Log Analytics workspace. A workspace is a container that includes data and configuration information. To manage access to log data, you perform various administrative tasks related to your workspace.

This article explains how to manage access to logs and how to administer the workspaces that contain them, including how to grant access to:

  • The workspace, using workspace permissions.
  • Users who need access to log data from specific resources, using Azure role-based access control (Azure RBAC), also known as resource-context.
  • Users who need access to log data in a specific table in the workspace, using Azure RBAC.

To understand the Logs concepts around RBAC and access strategies, read Designing your Azure Monitor Logs deployment.

Configure access control mode

You can view the access control mode configured on a workspace from the Azure portal or with Azure PowerShell. You can change this setting using one of the following supported methods:

  • Azure portal

  • Azure PowerShell

  • Azure Resource Manager template

From the Azure portal

You can view the current workspace access control mode on the Overview page for the workspace in the Log Analytics workspaces menu.

(Screenshot: view workspace access control mode)

  1. Sign in to the Azure portal at https://portal.azure.cn.
  2. In the Azure portal, select Log Analytics workspaces > your workspace.

You can change this setting from the Properties page of the workspace. Changing the setting is disabled if you don't have permissions to configure the workspace.

(Screenshot: change workspace access mode)

Using PowerShell

Use the following command to examine the access control mode for all workspaces in the subscription:

Get-AzResource -ResourceType Microsoft.OperationalInsights/workspaces -ExpandProperties | foreach {$_.Name + ": " + $_.Properties.features.enableLogAccessUsingOnlyResourcePermissions}

The output should resemble the following:

DefaultWorkspace38917: True
DefaultWorkspace21532: False

A value of False means the workspace is configured with the workspace-context access mode. A value of True means the workspace is configured with the resource-context access mode.

Note

If a workspace is returned without a boolean value (the field is blank), treat it the same as a value of False.

Use the following script to set the access control mode for a specific workspace to the resource-context permission:

$WSName = "my-workspace"
$Workspace = Get-AzResource -Name $WSName -ExpandProperties
# The feature flag does not exist on workspaces that have never had it set,
# so add it in that case; otherwise overwrite the existing value.
if ($Workspace.Properties.features.enableLogAccessUsingOnlyResourcePermissions -eq $null)
    { $Workspace.Properties.features | Add-Member enableLogAccessUsingOnlyResourcePermissions $true -Force }
else
    { $Workspace.Properties.features.enableLogAccessUsingOnlyResourcePermissions = $true }
# Write the modified properties back to the workspace resource.
Set-AzResource -ResourceId $Workspace.ResourceId -Properties $Workspace.Properties -Force

Use the following script to set the access control mode for all workspaces in the subscription to the resource-context permission:

# Enumerate every workspace in the current subscription and apply the same
# add-or-update logic to each one.
Get-AzResource -ResourceType Microsoft.OperationalInsights/workspaces -ExpandProperties | foreach {
if ($_.Properties.features.enableLogAccessUsingOnlyResourcePermissions -eq $null)
    { $_.Properties.features | Add-Member enableLogAccessUsingOnlyResourcePermissions $true -Force }
else
    { $_.Properties.features.enableLogAccessUsingOnlyResourcePermissions = $true }
Set-AzResource -ResourceId $_.ResourceId -Properties $_.Properties -Force
}

Using a Resource Manager template

To configure the access mode in an Azure Resource Manager template, set the enableLogAccessUsingOnlyResourcePermissions feature flag on the workspace to one of the following values.

  • false: Set the workspace to workspace-context permissions. This is the default setting if the flag isn't set.
  • true: Set the workspace to resource-context permissions.
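As an added example (not part of the original article), the following PowerShell builds such a template inline, deploys it with New-AzResourceGroupDeployment, and then reads the flag back from the workspace. The resource group, workspace name, location and SKU are placeholder assumptions; for an existing workspace, copy its current SKU and retention into the template so the deployment does not change them.

```powershell
# Added example (not from the original article): set the workspace access control
# mode through a Resource Manager template deployed from PowerShell, then verify it.
$ResourceGroup = "rg-monitoring"   # placeholder
$WorkspaceName = "my-workspace"    # placeholder
$Location      = "chinaeast2"      # placeholder

# Minimal workspace template. The feature flag is driven by a bool parameter:
# $true selects resource-context, $false (or an absent flag) leaves workspace-context.
$Template = @{
    '$schema'      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    parameters     = @{
        workspaceName   = @{ type = "string" }
        location        = @{ type = "string" }
        resourceContext = @{ type = "bool"; defaultValue = $true }
    }
    resources = @(
        @{
            type       = "Microsoft.OperationalInsights/workspaces"
            apiVersion = "2020-08-01"
            name       = "[parameters('workspaceName')]"
            location   = "[parameters('location')]"
            properties = @{
                sku      = @{ name = "PerGB2018" }   # assumption: the default pricing tier
                features = @{
                    enableLogAccessUsingOnlyResourcePermissions = "[parameters('resourceContext')]"
                }
            }
        }
    )
}

New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -Mode Incremental `
    -TemplateObject $Template `
    -TemplateParameterObject @{ workspaceName = $WorkspaceName; location = $Location; resourceContext = $true } |
    Out-Null

# Verify: read the flag back from the deployed workspace and report the mode.
$Ws = Get-AzResource -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
        -ResourceType Microsoft.OperationalInsights/workspaces -ExpandProperties
$Mode = if ($Ws.Properties.features.enableLogAccessUsingOnlyResourcePermissions) { "resource-context" } else { "workspace-context" }
"{0}: {1}" -f $WorkspaceName, $Mode
```

The read-back at the end is the same property the PowerShell check earlier in this article inspects, so the two methods can be used to confirm each other after a change.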

Manage access using workspace permissions

Each workspace can have multiple accounts associated with it, and each account can have access to multiple workspaces. Access is managed using Azure role-based access control (Azure RBAC).

The following activities also require Azure permissions (listed as action, Azure permissions needed, and notes):

  • Adding and removing monitoring solutions
    Permissions: Microsoft.Resources/deployments/*, Microsoft.OperationalInsights/*, Microsoft.OperationsManagement/*, Microsoft.Automation/*, Microsoft.Resources/deployments/*/write
    Notes: These permissions need to be granted at the resource group or subscription level.
  • Changing the pricing tier
    Permissions: Microsoft.OperationalInsights/workspaces/*/write
  • Viewing data in the Backup and Site Recovery solution tiles
    Permissions: Administrator / Co-administrator
    Notes: Accesses resources deployed using the classic deployment model.
  • Creating a workspace in the Azure portal
    Permissions: Microsoft.Resources/deployments/*, Microsoft.OperationalInsights/workspaces/*
  • Viewing workspace basic properties and entering the workspace blade in the portal
    Permissions: Microsoft.OperationalInsights/workspaces/read
  • Querying logs using any interface
    Permissions: Microsoft.OperationalInsights/workspaces/query/read
  • Accessing all log types using queries
    Permissions: Microsoft.OperationalInsights/workspaces/query/*/read
  • Accessing a specific log table
    Permissions: Microsoft.OperationalInsights/workspaces/query/<table_name>/read
  • Reading the workspace keys to allow sending logs to this workspace
    Permissions: Microsoft.OperationalInsights/workspaces/sharedKeys/action

Manage access using Azure permissions

To grant access to the Log Analytics workspace using Azure permissions, follow the steps in Use role assignments to manage access to your Azure subscription resources. For example custom roles, see Custom role examples below.

Azure has two built-in user roles for Log Analytics workspaces:

  • Log Analytics Reader
  • Log Analytics Contributor

Members of the Log Analytics Reader role can:

  • View and search all monitoring data
  • View monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.

The Log Analytics Reader role includes the following Azure actions (type, permission, description):

  • Action: */read
    Ability to view all Azure resources and resource configuration. Includes viewing: virtual machine extension status; configuration of Azure diagnostics on resources; all properties and settings of all resources. For workspaces, it allows full unrestricted permissions to read the workspace settings and perform queries on the data. See the more granular options above.
  • Action: Microsoft.OperationalInsights/workspaces/analytics/query/action
    Deprecated; there is no need to assign it to users.
  • Action: Microsoft.OperationalInsights/workspaces/search/action
    Deprecated; there is no need to assign it to users.
  • Action: Microsoft.Support/*
    Ability to open support cases.
  • Not Action: Microsoft.OperationalInsights/workspaces/sharedKeys/read
    Prevents reading of the workspace key, which is required to use the Data Collector API and to install agents. This prevents the user from adding new resources to the workspace.

Members of the Log Analytics Contributor role can:

  • Use all the privileges of the Log Analytics Reader role, allowing the user to read all monitoring data

  • Create and configure Automation accounts

  • Add and remove management solutions

    Note

    In order to successfully perform the last two actions, this permission needs to be granted at the resource group or subscription level.

  • Read storage account keys

  • Configure the collection of logs from Azure Storage

  • Edit monitoring settings for Azure resources, including

    • Adding the VM extension to VMs
    • Configuring Azure diagnostics on all Azure resources

Note

The ability to add a virtual machine extension to a virtual machine can be used to gain full control over that virtual machine, so treat this role as granting VM-level control wherever it is assigned.

The Log Analytics Contributor role includes the following Azure actions (permission, description):

  • */read
    Ability to view all resources and resource configuration. Includes viewing: virtual machine extension status; configuration of Azure diagnostics on resources; all properties and settings of all resources. For workspaces, it allows full unrestricted permissions to read the workspace settings and perform queries on the data. See the more granular options above.
  • Microsoft.Automation/automationAccounts/*
    Ability to create and configure Azure Automation accounts, including adding and editing runbooks.
  • Microsoft.ClassicCompute/virtualMachines/extensions/* and Microsoft.Compute/virtualMachines/extensions/*
    Add, update and remove virtual machine extensions, including the Microsoft Monitoring Agent extension and the OMS Agent for Linux extension.
  • Microsoft.ClassicStorage/storageAccounts/listKeys/action and Microsoft.Storage/storageAccounts/listKeys/action
    View the storage account key. Required to configure Log Analytics to read logs from Azure storage accounts.
  • Microsoft.Insights/alertRules/*
    Add, update, and remove alert rules.
  • Microsoft.Insights/diagnosticSettings/*
    Add, update, and remove diagnostic settings on Azure resources.
  • Microsoft.OperationalInsights/*
    Add, update, and remove configuration for Log Analytics workspaces. To edit workspace advanced settings, the user needs Microsoft.OperationalInsights/workspaces/write.
  • Microsoft.OperationsManagement/*
    Add and remove management solutions.
  • Microsoft.Resources/deployments/*
    Create and delete deployments. Required for adding and removing solutions, workspaces, and automation accounts.
  • Microsoft.Resources/subscriptions/resourcegroups/deployments/*
    Create and delete deployments. Required for adding and removing solutions, workspaces, and automation accounts.

To add users to or remove users from a role, you need the Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write permissions.

Use these roles to give users access at different scopes:

  • Subscription - Access to all workspaces in the subscription
  • Resource Group - Access to all workspaces in the resource group
  • Resource - Access to only the specified workspace

We recommend performing assignments at the resource level (workspace) to ensure accurate access control. Use custom roles to create roles with only the specific permissions needed.

Resource permissions

When users query logs from a workspace using resource-context access, they have the following permissions on the resource (permission, description):

  • Microsoft.Insights/logs/<tableName>/read (examples: Microsoft.Insights/logs/*/read, Microsoft.Insights/logs/Heartbeat/read)
    Ability to view all log data for the resource.
  • Microsoft.Insights/diagnosticSettings/write
    Ability to configure diagnostic settings to allow setting up logs for this resource.

The /read permission is usually granted from a role that includes */read or * permissions, such as the built-in Reader and Contributor roles. Custom roles that include only specific actions, or dedicated built-in roles, might not include this permission.

See Table level RBAC (per-table access control) below if you want to create different access control for different tables.

Custom role examples

  1. To grant a user access to log data from their resources, perform the following:

    • Configure the workspace access control mode to use workspace or resource permissions

    • Grant users */read or Microsoft.Insights/logs/*/read permissions to their resources. If they are already assigned the Log Analytics Reader role on the workspace, that is sufficient.

  2. To grant a user access to log data from their resources and configure their resources to send logs to the workspace, perform the following:

    • Configure the workspace access control mode to use workspace or resource permissions

    • Grant users the following permissions on the workspace: Microsoft.OperationalInsights/workspaces/read and Microsoft.OperationalInsights/workspaces/sharedKeys/action. With these permissions, users cannot perform any workspace-level queries. They can only enumerate the workspace and use it as a destination for diagnostic settings or agent configuration.

    • Grant users the following permissions to their resources: Microsoft.Insights/logs/*/read and Microsoft.Insights/diagnosticSettings/write. If they are already assigned the Log Analytics Contributor role, assigned the Reader role, or granted */read permissions on this resource, that is sufficient.

  3. To grant a user access to log data from their resources without being able to read security events or send data, perform the following:

    • Configure the workspace access control mode to use workspace or resource permissions

    • Grant users the following permissions to their resources: Microsoft.Insights/logs/*/read.

    • Add the following NotAction to block users from reading the SecurityEvent type: Microsoft.Insights/logs/SecurityEvent/read. The NotAction must be in the same custom role as the action that provides the read permission (Microsoft.Insights/logs/*/read). If the user inherits the read action from another role that is assigned to this resource or to the subscription or resource group, they will be able to read all log types. This is also true if they inherit */read, which exists, for example, in the Reader and Contributor roles.

  4. To grant a user access to log data from their resources and to read all Azure AD sign-in and Update Management solution log data from the workspace, perform the following:

    • Configure the workspace access control mode to use workspace or resource permissions

    • Grant users the following permissions on the workspace:

      • Microsoft.OperationalInsights/workspaces/read - required so the user can enumerate the workspace and open the workspace blade in the Azure portal
      • Microsoft.OperationalInsights/workspaces/query/read - required for every user that can execute queries
      • Microsoft.OperationalInsights/workspaces/query/SigninLogs/read - to be able to read Azure AD sign-in logs
      • Microsoft.OperationalInsights/workspaces/query/Update/read - to be able to read Update Management solution logs
      • Microsoft.OperationalInsights/workspaces/query/UpdateRunProgress/read - to be able to read Update Management solution logs
      • Microsoft.OperationalInsights/workspaces/query/UpdateSummary/read - to be able to read Update Management logs
      • Microsoft.OperationalInsights/workspaces/query/Heartbeat/read - required to be able to use the Update Management solution
      • Microsoft.OperationalInsights/workspaces/query/ComputerGroup/read - required to be able to use the Update Management solution
    • Grant users the following permissions to their resources: */read, assigned through the Reader role, or Microsoft.Insights/logs/*/read.
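As an added example (not part of the original article), the following PowerShell creates the custom role from example 3 above as a JSON role definition, assigns it on a single resource, and then checks the caveat stated in that example: whether the same principal also receives */read, * or Microsoft.Insights/logs/*/read from another assignment at that scope or inherited from above, which would make the NotActions entry ineffective. The subscription ID, resource ID and principal object ID are placeholders.

```powershell
# Added example (not from the original article): resource-context custom role
# that excludes SecurityEvent, plus a check for broader inherited read actions.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceId     = "/subscriptions/$SubscriptionId/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01"  # placeholder
$PrincipalId    = "11111111-1111-1111-1111-111111111111"   # placeholder: user or group object ID

# Role definition in the same JSON shape as the fragments later in this article.
# The NotActions entry only takes effect inside the role that grants the Actions.
$RoleJson = @{
    Name             = "Resource Logs Reader (no SecurityEvent)"
    IsCustom         = $true
    Description      = "Read resource logs in resource-context, excluding the SecurityEvent table."
    Actions          = @("Microsoft.Insights/logs/*/read")
    NotActions       = @("Microsoft.Insights/logs/SecurityEvent/read")
    AssignableScopes = @("/subscriptions/$SubscriptionId")
} | ConvertTo-Json
$RoleFile = Join-Path ([IO.Path]::GetTempPath()) "resource-logs-reader.json"
Set-Content -Path $RoleFile -Value $RoleJson -Encoding UTF8
$Definition = New-AzRoleDefinition -InputFile $RoleFile

# Assign the role at the individual resource, the narrowest scope the article recommends.
New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionId $Definition.Id -Scope $ResourceId | Out-Null

# Check: any other assignment visible at this scope (direct, inherited from the
# resource group/subscription, or via group membership) whose Actions cover
# the read broadly would let the principal read SecurityEvent anyway.
$BroadPatterns = @("*", "*/read", "Microsoft.Insights/logs/*/read")
$Broader = Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $ResourceId -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionId -ne $Definition.Id } |
    ForEach-Object { Get-AzRoleDefinition -Id $_.RoleDefinitionId } |
    Where-Object { $def = $_; ($BroadPatterns | Where-Object { $def.Actions -contains $_ }).Count -gt 0 }

if ($Broader) {
    "WARNING: SecurityEvent remains readable through other assignments: " + (($Broader.Name | Select-Object -Unique) -join ", ")
} else {
    "OK: no broader read action found for this principal at $ResourceId"
}
```

Role definitions and assignments take a short time to propagate, so run the check a little after the assignment. The pattern check is a static review of role definitions; it reports the common cases (Owner, Contributor, Reader and any custom role with the same wildcard) and is meant to be reviewed alongside the effective-permissions view in the portal rather than replace it.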

Table level RBAC

Table level RBAC allows you to define more granular control over data in a Log Analytics workspace in addition to the other permissions. This control allows you to define specific data types that are accessible only to a specific set of users.

You implement table access control with Azure custom roles that grant access to specific tables in the workspace. These roles apply to workspaces with either the workspace-context or the resource-context access control mode, regardless of the user's access mode.

Create a custom role with the following actions to define table-level access control.

  • To grant access to a table, include it in the Actions section of the role definition. To subtract access from the allowed Actions, include it in the NotActions section.
  • Use Microsoft.OperationalInsights/workspaces/query/* to specify all tables.

For example, to create a role with access to the Heartbeat and AzureActivity tables, create a custom role using the following actions:

"Actions":  [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/Heartbeat/read",
    "Microsoft.OperationalInsights/workspaces/query/AzureActivity/read"
  ],

To create a role with access to only the SecurityBaseline table, create a custom role using the following actions:

"Actions":  [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/SecurityBaseline/read"
],

The examples above define an allow list of tables. The following example shows a block-list definition for a user who can access all tables except the SecurityAlert table:

"Actions":  [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/*/read"
],
"NotActions":  [
    "Microsoft.OperationalInsights/workspaces/query/SecurityAlert/read"
],
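As an added example (not part of the original article), the following PowerShell is a small offline model of how the Actions and NotActions of the role definitions above decide a table read. It assumes the documented evaluation rules: within one role, an operation is allowed when some Actions pattern matches and no NotActions pattern matches; across roles, a principal is allowed when any assigned role allows it; and "*" in a pattern matches any characters, including "/". The sample roles mirror the article's allow-list and block-list definitions, and the last call illustrates the first item in the Considerations list below (a broad */read assignment restoring access).

```powershell
# Added example (not from the original article): offline model of Azure RBAC
# Actions/NotActions evaluation for Log Analytics table reads.

function Test-ActionPattern {
    param([string]$Pattern, [string]$Operation)
    # Convert an RBAC pattern such as "Microsoft.OperationalInsights/workspaces/query/*/read"
    # into an anchored, case-insensitive regex; "*" spans path separators.
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return ($Operation -imatch $regex)
}

function Test-RoleAllows {
    param([hashtable]$Role, [string]$Operation)
    # A role allows an operation only if an Actions entry matches and no NotActions entry does.
    $allowed = @($Role.Actions    | Where-Object { Test-ActionPattern $_ $Operation }).Count -gt 0
    $denied  = @($Role.NotActions | Where-Object { Test-ActionPattern $_ $Operation }).Count -gt 0
    return ($allowed -and -not $denied)
}

function Test-TableRead {
    param([hashtable[]]$AssignedRoles, [string]$Table)
    # NotActions never subtract across roles: one permitting role is enough.
    $op = "Microsoft.OperationalInsights/workspaces/query/$Table/read"
    foreach ($r in $AssignedRoles) { if (Test-RoleAllows $r $op) { return $true } }
    return $false
}

# Constructed roles mirroring the article's definitions.
$AllButSecurityAlert = @{
    Name       = "Table block list"
    Actions    = @("Microsoft.OperationalInsights/workspaces/read",
                   "Microsoft.OperationalInsights/workspaces/query/read",
                   "Microsoft.OperationalInsights/workspaces/query/*/read")
    NotActions = @("Microsoft.OperationalInsights/workspaces/query/SecurityAlert/read")
}
$HeartbeatAndActivity = @{
    Name       = "Table allow list"
    Actions    = @("Microsoft.OperationalInsights/workspaces/read",
                   "Microsoft.OperationalInsights/workspaces/query/read",
                   "Microsoft.OperationalInsights/workspaces/query/Heartbeat/read",
                   "Microsoft.OperationalInsights/workspaces/query/AzureActivity/read")
    NotActions = @()
}
$BuiltInReader = @{ Name = "Reader"; Actions = @("*/read"); NotActions = @() }

# Block list: every table except the one named in NotActions.
Test-TableRead @($AllButSecurityAlert) "Heartbeat"
Test-TableRead @($AllButSecurityAlert) "SecurityAlert"
# Allow list: only the tables named explicitly.
Test-TableRead @($HeartbeatAndActivity) "AzureActivity"
Test-TableRead @($HeartbeatAndActivity) "SecurityAlert"
# Caveat: adding the built-in Reader role alongside the block-list role.
Test-TableRead @($AllButSecurityAlert, $BuiltInReader) "SecurityAlert"
```

In this model the block-list role denies SecurityAlert and the allow-list role denies anything it does not name, but the final call returns $true: the Reader role's */read matches the SecurityAlert read on its own, and the other role's NotActions cannot subtract from it. That is why the article insists the NotAction sit in the same role as the Action, and why broad */read assignments at the subscription or resource group override per-table control.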

Custom logs

Custom logs are created from data sources such as custom log files and the HTTP Data Collector API. The easiest way to identify the type of a log is to check the tables listed under Custom Logs in the log schema.

You can't grant access to individual custom logs, but you can grant access to all custom logs. To create a role with access to all custom logs, create a custom role using the following actions:

"Actions":  [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read"
],

An alternative approach to managing access to custom logs is to assign them to an Azure resource and manage access using the resource-context paradigm. To use this method, you must include the resource ID by specifying it in the x-ms-AzureResourceId header when data is ingested into Log Analytics via the HTTP Data Collector API. The resource ID must be valid and have access rules applied to it. After the logs are ingested, they are accessible to those with read access to the resource, as explained above.

Sometimes custom logs come from sources that are not directly associated with a specific resource. In this case, create a resource group just to manage access to these logs. The resource group does not incur any cost, but gives you a valid resource ID to control access to the custom logs. For example, if a specific firewall is sending custom logs, create a resource group called "MyFireWallLogs" and make sure that the API requests contain the resource ID of "MyFireWallLogs". The firewall log records are then accessible only to users who were granted access to MyFireWallLogs or who have full workspace access.
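As an added example (not part of the original article), the following PowerShell sends one constructed firewall record to the HTTP Data Collector API and tags it, through the x-ms-AzureResourceId header, with the resource ID of a resource group created only to scope access, as described above. The subscription, resource group and workspace values are placeholders, the sample record is constructed, and the endpoint suffix assumes the Azure China cloud that this article's portal URL refers to. Reading the workspace key requires Microsoft.OperationalInsights/workspaces/sharedKeys/action, as listed in the permissions table earlier.

```powershell
# Added example (not from the original article): ingest a custom log record with
# the HTTP Data Collector API, scoped to an access-control resource group.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$WorkspaceRg    = "rg-monitoring"                          # placeholder
$WorkspaceName  = "my-workspace"                           # placeholder
$LogType        = "MyFireWall"                             # records land in the MyFireWall_CL table
$AccessScopeId  = "/subscriptions/$SubscriptionId/resourceGroups/MyFireWallLogs"  # resource group used only for access scoping

# Workspace ID and shared key (the key read needs the sharedKeys/action permission).
$Workspace  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName
$CustomerId = $Workspace.CustomerId
$SharedKey  = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $WorkspaceRg -Name $WorkspaceName).PrimarySharedKey

# Constructed sample record (documentation IP range).
$Body = ConvertTo-Json -Compress -InputObject @(
    @{
        TimeGenerated = (Get-Date).ToUniversalTime().ToString("o")
        Device        = "fw-edge-01"
        Action        = "deny"
        SourceIp      = "203.0.113.7"
        DestPort      = 3389
    }
)
$BodyBytes = [Text.Encoding]::UTF8.GetBytes($Body)

# SharedKey authorization: HMAC-SHA256 over the canonical request string.
$Date         = [DateTime]::UtcNow.ToString("r")
$StringToSign = "POST`n$($BodyBytes.Length)`napplication/json`nx-ms-date:$Date`n/api/logs"
$Hmac         = New-Object System.Security.Cryptography.HMACSHA256
$Hmac.Key     = [Convert]::FromBase64String($SharedKey)
$Signature    = [Convert]::ToBase64String($Hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($StringToSign)))

$Headers = @{
    "Authorization"        = "SharedKey ${CustomerId}:${Signature}"
    "Log-Type"             = $LogType
    "x-ms-date"            = $Date
    "time-generated-field" = "TimeGenerated"
    "x-ms-AzureResourceId" = $AccessScopeId   # binds the records to the access-scoping resource
}

$Uri = "https://$CustomerId.ods.opinsights.azure.cn/api/logs?api-version=2016-04-01"
$Response = Invoke-WebRequest -Uri $Uri -Method Post -ContentType "application/json" `
    -Headers $Headers -Body $BodyBytes -UseBasicParsing
"Data Collector API returned HTTP $($Response.StatusCode)"
```

Once records carry that resource ID, a reader of the MyFireWallLogs resource group (for example, a principal holding Microsoft.Insights/logs/*/read on it) can query them in resource-context, while a principal with only per-table workspace permissions that do not cover custom logs cannot. Keep the shared key out of scripts checked into source control; the call above fetches it at run time precisely so that it is never stored.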

Considerations

  • If a user is granted global read permission with the standard Reader or Contributor roles that include the */read action, it overrides the per-table access control and gives them access to all log data.
  • If a user is granted per-table access but no other permissions, they can access log data from the API but not from the Azure portal. To provide access from the Azure portal, use Log Analytics Reader as their base role.
  • Administrators and owners of the subscription have access to all data types regardless of any other permission settings.
  • Workspace owners are treated like any other user for per-table access control.
  • We recommend assigning roles to security groups instead of individual users to reduce the number of assignments. This also helps you use existing group management tools to configure and verify access.

Next steps