Azure Roles for Log Analytics - Microsoft Engage Center (Services Hub)

Your Services Hub Connector needs to be linked to an Azure Log Analytics workspace to utilize On-Demand Assessments.

Purpose of linking

  • Azure Log Analytics workspaces need to be associated with your Services Hub Connector in order to be used for storing assessment data.
  • Only certain role holders in Azure can successfully link from Services Hub Connector to Azure Log Analytics workspace. The same user account that has signed in to Services Hub vNext Private Preview will be performing the edits in Azure Log Analytics.

Azure roles

The following sections list the different Azure roles, as well as the permissions those roles have in the Microsoft Engage Center with regard to assessments, Services Hub Connector and linking to Log Analytics.

  • Owner, Reader or Contributor at Log Analytics Workspace level
  • Owner, Reader or Contributor at Resource Group level
  • Owner, Reader, Contributor, Log Analytics Reader or Log Analytics Contributor at Subscription level

Users who can create new Azure Log Analytics workspaces under an existing Resource Group that are linked to Services Hub Connector

  • Owner or Contributor at Resource Group level
  • Owner, Contributor or Log Analytics Contributor at Subscription level

Users who can create new Azure Log Analytics workspaces under a new Resource Group that are linked to Services Hub Connector

  • Owner or Contributor at Subscription level

Roles that can Add/Remove solutions from Services Hub Connector

  • Owner or Contributor at Log Analytics Workspace level
  • Owner or Contributor at Resource Group level
  • Owner, Contributor or Log Analytics Contributor at Subscription level
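The three write-capable lists above can be turned into an access-review check. The following is an added example, not Microsoft's code: it takes role assignment records with the `roleDefinitionName` and `scope` fields that `az role assignment list` emits and reports which of the actions on this page each user holds for a given workspace. The action names, user names and resource IDs are constructed for illustration, and custom roles and management-group scopes are treated as out of scope.

```python
import re

# Role sets per scope level, copied from the lists on this page.
RW = {"Owner", "Contributor"}
RW_LA = RW | {"Log Analytics Contributor"}
MATRIX = {  # action names are hypothetical labels for the page's headings
    "create_workspace_existing_rg": {"resource_group": RW, "subscription": RW_LA},
    "create_workspace_new_rg": {"subscription": RW},
    "add_remove_solutions": {"workspace": RW, "resource_group": RW,
                             "subscription": RW_LA},
}

_SCOPE = re.compile(
    r"^/subscriptions/[^/]+"
    r"(?P<rg>/resourcegroups/[^/]+"
    r"(?P<ws>/providers/microsoft\.operationalinsights/workspaces/[^/]+)?)?$",
    re.IGNORECASE)

def scope_level(scope):
    """Classify an assignment scope; None for anything the page does not list."""
    m = _SCOPE.match(scope.rstrip("/"))
    if not m:
        return None
    return "workspace" if m.group("ws") else "resource_group" if m.group("rg") else "subscription"

def covers(scope, target):
    """True when the assignment scope is the target or one of its ancestors."""
    s, t = scope.rstrip("/").lower(), target.rstrip("/").lower()
    return t == s or t.startswith(s + "/")

def allowed_actions(assignments, workspace_id):
    """Actions the page grants, given az-style role assignment records."""
    actions = set()
    for a in assignments:
        level = scope_level(a["scope"])
        if level is None or not covers(a["scope"], workspace_id):
            continue
        actions |= {act for act, by_level in MATRIX.items()
                    if a["roleDefinitionName"] in by_level.get(level, ())}
    return actions

# Constructed sample data (placeholder subscription id and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WS = SUB + "/resourceGroups/rg-assess/providers/Microsoft.OperationalInsights/workspaces/ws-assess"
SAMPLE = {
    "alice": [{"roleDefinitionName": "Log Analytics Contributor", "scope": SUB}],
    "bob": [{"roleDefinitionName": "Contributor", "scope": WS}],
    "carol": [{"roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-assess"}],
    "dave": [{"roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-other"}],
}
```

Anyone for whom `add_remove_solutions` is returned can change what the workspace costs, so that is the set to review first.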

Additional roles are required for assessments deployed using AMA

  • In order for a user to view a machine in Services Hub Connector along with the associated assessment data, the user needs to also have access to the machine on the subscription.
  • If you're having trouble viewing the assessments in Services Hub Connector, ensure that you have at least Log Analytics Reader for the workspace in question, along with permissions to view the machine.
    • You can modify machine permissions using IAM for each individual machine if you require granular control for both Arc and Azure VMs.

The minimum level required is Azure Log Analytics Reader.

Note

Add/Remove solutions in Log Analytics Workspace can change the costs incurred by your organization. For that reason, it requires higher levels of permission.

Note

If you don’t know the Azure owner or other roles of your Azure subscriptions, see Role assignments in Azure Subscriptions.

Configure roles in Azure

See Assign Azure roles using the Azure Portal.