Public Preview: Granular RBAC in Azure Monitor Logs

We are happy to announce our public preview for Granular RBAC in Azure Monitor Log Analytics!

What is Granular RBAC in Azure Monitor Logs?

Many organizations emphasize the need to segregate and control access to data in a fine-grained manner, while maintaining a centralized and consolidated logging platform. 

On top of the existing capabilities of workspace and table level access provided over Azure RBAC, you can now maintain all your data in a single Log Analytics workspace and provide least privilege access at any level.

This means you can control which users can access which tables and rows, based on your business or security needs and defined criteria, and completely separate data and control plane access, using Azure Attribute-based access control (ABAC) as part of your Azure RBAC role assignment.

Granular RBAC in Azure Monitor Logs allows you to filter the data that each user can view or query, based on the conditions that you specify.

Common examples are characteristics such as organizational roles and units, geographical locations, or data sensitivity levels. 

How to set granular data access in Azure Monitor Logs

To set up granular access:

1. Create or edit an Azure role assignment.
2. Under “Conditions”, select “Add condition”.
3. In “Add action”, choose the new DataAction: “Read workspace data”.
4. Under “Build expression”, click “Add expression” to define your access rules.

You can use any combination of the “Table Name” and “Column Value” attributes to scope access, leveraging a wide range of supported operators to match your criteria.

Once applied, users will only be able to access the data that matches the conditions you've configured. 

Get started with Granular RBAC in Azure Monitor Logs

Learn more about Granular RBAC and how to set it up in Azure Monitor Logs

We hope you enjoy this new addition to Azure Monitor Log Analytics.