Microsoft adds new access control options to Azure Monitor Logs
To spare users the hassle of working with complex logs, Microsoft has announced a number of new capabilities for Azure Monitor Logs.
These capabilities enable resource-centric logging by allowing users to keep their monitor logs centralized while staying integrated with Azure and its role-based access control (RBAC) mechanisms.
Previously, because of the complexity of the logs architecture, organizations were not able to maintain access control on their own. This not only lowered the usage of data but also resulted in inaccurate decision making, as decisions were generally not made on the basis of data.
To tackle that, Microsoft has unveiled two new access control options: Workspace-centric and Resource-centric.
“We have recently announced a new set of Azure Monitor Logs capabilities that allow customers to benefit from the advantages of both paradigms. We plan to enhance and complete alignment of all Azure Monitor’s components over the next few months,” wrote Microsoft in a blog post.
The workspace-centric mode will give centralized teams full access to all the logs from all workspaces, regardless of resource permissions. There will soon be a new option that will also allow them to use this mode for components that don't support resource-centric mode or for off-Azure resources.
The resource-centric mode, on the other hand, will enable querying of the logs that are related to a resource. This mode will work for a specific resource, all the resources in a specific group, or all the resources in a specific subscription.
“Logs will be served from all workspaces that contain data for that resource without the need to specify them. If workspace access control allows it, there is no need to grant the users access to the workspace,” explained Microsoft.
The new features will allow simpler models with fewer workspaces, letting administrators govern their environments better and more securely.
Additionally, Microsoft introduced an automated capability in Azure Monitor that quickly decides on the right mode based on the scope a user selects. If the user chooses a workspace, queries will be sent in workspace-centric mode. Alternatively, if the user selects a resource, resource group, or subscription, the resource-centric mode is used.
Microsoft also mentioned the capability to set permissions per table that stores the logs. Users who have permission to access the workspace or resources can read details of their log types. Admins can use custom roles to limit user access.
Microsoft added that Azure Monitor will soon be able to scope queries for an entire subscription.