Details for Logging
This topic covers details for writing policies to control access to Logging.
Resource-Types
Aggregate Resource-Type
logging-family
Individual Resource-Types
log-objects
log-groups
log-content
log-rules
Comments
A policy that uses <verb> logging-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types (log-objects, log-groups, log-content and log-rules). See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in logging-family.
Supported Variables
Logging supports all the general variables (see General Variables for All Requests), plus the additional one listed here:
Operations for This Resource-Type... | Can Use These Variables... | Variable Type | Comments |
---|---|---|---|
log-groups | target.loggroup.id | Entity (OCID) | |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the log-groups resource-type includes the same permissions and API operations as the inspect verb, plus the LOG_GROUP_READ permission and the corresponding API operations GetLog and GetLogGroup.
log-objects
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | LOG_OBJECT_INSPECT | ListLogs | none |
READ | INSPECT + LOG_OBJECT_READ | INSPECT + | none |
USE | READ + LOG_OBJECT_UPDATE, LOG_OBJECT_WRITE | READ + | none |
MANAGE | USE + LOG_OBJECT_CREATE, LOG_OBJECT_DELETE | USE + | none |
log-groups
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | LOG_GROUP_INSPECT | ListLogGroups, ListLogs | none |
READ | INSPECT + LOG_GROUP_READ | INSPECT + GetLogGroup, GetLog | none |
USE | READ + LOG_GROUP_UPDATE | READ + UpdateLogGroup, ChangeLogGroupCompartment, UpdateLog | none |
MANAGE | USE + LOG_GROUP_CREATE, LOG_GROUP_DELETE | USE + CreateLogGroup, DeleteLogGroup, CreateLog, DeleteLog | none |
log-content
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | none | none | none |
READ | INSPECT + LOG_CONTENT_READ | INSPECT + ListSearchLogs | none |
USE | none | none | none |
MANAGE | none | none | none |
log-rules
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | LOG_RULE_INSPECT | ListLogRules | none |
READ | INSPECT + LOG_RULE_READ | INSPECT + GetLogRule | none |
USE | READ + LOG_RULE_UPDATE | READ + UpdateLogRule, ChangeLogRuleCompartment | none |
MANAGE | USE + LOG_RULE_CREATE, LOG_RULE_DELETE | USE + CreateLogRule, DeleteLogRule | none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions. Note that the per-log operations (ListLogs, GetLog, UpdateLog, CreateLog and DeleteLog) are listed against the LOG_GROUP_* permissions, so the verb that covers them is the one granted on log-groups.
API Operation | Permissions Required to Use the Operation |
---|---|
ListSearchLogs | LOG_CONTENT_READ |
ListLogs | LOG_GROUP_INSPECT |
GetLog | LOG_GROUP_READ |
UpdateLog | LOG_GROUP_UPDATE |
CreateLog | LOG_GROUP_CREATE |
DeleteLog | LOG_GROUP_DELETE |
ListLogGroups | LOG_GROUP_INSPECT |
GetLogGroup | LOG_GROUP_READ |
UpdateLogGroup | LOG_GROUP_UPDATE |
CreateLogGroup | LOG_GROUP_CREATE |
DeleteLogGroup | LOG_GROUP_DELETE |
ChangeLogGroupCompartment | LOG_GROUP_UPDATE |
ListLogRules | LOG_RULE_INSPECT |
GetLogRule | LOG_RULE_READ |
UpdateLogRule | LOG_RULE_UPDATE |
CreateLogRule | LOG_RULE_CREATE |
DeleteLogRule | LOG_RULE_DELETE |
ChangeLogRuleCompartment | LOG_RULE_UPDATE |
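The following is an added example, not OCI's policy engine, SDK or any code from this page: a small offline evaluator that encodes the tables above (the cumulative inspect > read > use > manage verbs, the logging-family aggregate expanded into its four members, the target.loggroup.id variable, and the operation-to-permission table) so that a draft policy can be checked against concrete API calls before it is applied. It parses statements in the general OCI form Allow group <name> to <verb> <resource-type> in compartment <name> [where <condition>]; the group and compartment names and the log group OCIDs are constructed, only the documented target.loggroup.id variable is accepted in a where clause, and treating a target.loggroup.id condition as unsatisfied when the request names no log group (for example CreateLogGroup) is a modelling assumption of this example.

```python
"""Offline evaluator for OCI Logging policy statements, modelled on this page's tables.
Added example: not OCI's policy engine. Group/compartment names and OCIDs are constructed.
Statement form assumed: Allow group <name> to <verb> <resource-type> in compartment <name> [where <cond>]
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

VERBS = ["inspect", "read", "use", "manage"]  # least to most access, cumulative
VERB_PERMISSIONS = {  # incremental permissions per verb (the four verb tables on the page)
    "log-objects": {"inspect": {"LOG_OBJECT_INSPECT"}, "read": {"LOG_OBJECT_READ"},
                    "use": {"LOG_OBJECT_UPDATE", "LOG_OBJECT_WRITE"},
                    "manage": {"LOG_OBJECT_CREATE", "LOG_OBJECT_DELETE"}},
    "log-groups": {"inspect": {"LOG_GROUP_INSPECT"}, "read": {"LOG_GROUP_READ"},
                   "use": {"LOG_GROUP_UPDATE"}, "manage": {"LOG_GROUP_CREATE", "LOG_GROUP_DELETE"}},
    "log-content": {"inspect": set(), "read": {"LOG_CONTENT_READ"}, "use": set(), "manage": set()},
    "log-rules": {"inspect": {"LOG_RULE_INSPECT"}, "read": {"LOG_RULE_READ"},
                  "use": {"LOG_RULE_UPDATE"}, "manage": {"LOG_RULE_CREATE", "LOG_RULE_DELETE"}},
}
AGGREGATES = {"logging-family": list(VERB_PERMISSIONS)}

API_PERMISSION = {  # permission required by each API operation (the last table on the page)
    "ListSearchLogs": "LOG_CONTENT_READ",
    "ListLogs": "LOG_GROUP_INSPECT", "GetLog": "LOG_GROUP_READ", "UpdateLog": "LOG_GROUP_UPDATE",
    "CreateLog": "LOG_GROUP_CREATE", "DeleteLog": "LOG_GROUP_DELETE",
    "ListLogGroups": "LOG_GROUP_INSPECT", "GetLogGroup": "LOG_GROUP_READ",
    "UpdateLogGroup": "LOG_GROUP_UPDATE", "CreateLogGroup": "LOG_GROUP_CREATE",
    "DeleteLogGroup": "LOG_GROUP_DELETE", "ChangeLogGroupCompartment": "LOG_GROUP_UPDATE",
    "ListLogRules": "LOG_RULE_INSPECT", "GetLogRule": "LOG_RULE_READ", "UpdateLogRule": "LOG_RULE_UPDATE",
    "CreateLogRule": "LOG_RULE_CREATE", "DeleteLogRule": "LOG_RULE_DELETE",
    "ChangeLogRuleCompartment": "LOG_RULE_UPDATE",
}

STATEMENT = re.compile(
    r"^allow\s+(?:group\s+(?P<group>\S+)|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>[\w-]+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>\S+)|tenancy)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$", re.IGNORECASE)
# Only the variable this page documents is modelled; any other condition is rejected, not ignored.
CONDITION = re.compile(r"^target\.loggroup\.id\s*(?P<op>!?=)\s*'(?P<value>[^']*)'$", re.IGNORECASE)


@dataclass
class Statement:
    group: Optional[str]                  # None: any-user
    verb: str
    resource_type: str
    compartment: Optional[str]            # None: whole tenancy
    condition: Optional[Tuple[str, str]]  # (op, OCID) compared with target.loggroup.id


def permissions_for(verb: str, resource_type: str) -> set:
    """All permissions granted by `verb` on `resource_type`: the aggregate is expanded
    into its members and each verb includes every verb below it."""
    if verb not in VERBS:
        raise ValueError(f"unknown verb {verb!r}")
    granted = set()
    for rtype in AGGREGATES.get(resource_type, [resource_type]):
        if rtype not in VERB_PERMISSIONS:
            raise ValueError(f"unknown resource-type {resource_type!r}")
        for lower in VERBS[: VERBS.index(verb) + 1]:
            granted |= VERB_PERMISSIONS[rtype][lower]
    return granted


def parse_statement(text: str) -> Statement:
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unparseable statement: {text!r}")
    condition = None
    if m.group("condition"):
        c = CONDITION.match(m.group("condition").strip())
        if not c:
            raise ValueError(f"unsupported condition: {m.group('condition')!r}")
        condition = (c.group("op"), c.group("value"))
    return Statement(m.group("group"), m.group("verb").lower(), m.group("rtype").lower(),
                     m.group("compartment"), condition)


def is_allowed(statements, group: str, operation: str, compartment: str,
               log_group_id: Optional[str] = None) -> bool:
    """True if some statement grants the permission `operation` needs (policies are allow-only).
    `log_group_id` is the request's target.loggroup.id, when the request names a log group."""
    needed = API_PERMISSION[operation]
    for st in statements:
        if st.group is not None and st.group != group:
            continue
        if st.compartment is not None and st.compartment != compartment:
            continue
        if st.condition is not None:
            op, value = st.condition
            # Assumption of this model: without a target log group the condition cannot hold.
            if log_group_id is None or (op == "=") != (log_group_id == value):
                continue
        if needed in permissions_for(st.verb, st.resource_type):
            return True
    return False


# Constructed policy for demonstration: names and OCIDs are illustrative only.
EXAMPLE_POLICY = [parse_statement(s) for s in (
    "Allow group LogReaders to read logging-family in compartment ops",
    "Allow group LogAdmins to manage log-groups in compartment ops "
    "where target.loggroup.id = 'ocid1.loggroup.oc1..exampleaaaa'",
    "Allow group LogOnly to read log-objects in compartment ops",
)]
```

With EXAMPLE_POLICY, `is_allowed(EXAMPLE_POLICY, "LogReaders", "ListSearchLogs", "ops")` is true because read on logging-family expands to read on log-content, while `is_allowed(EXAMPLE_POLICY, "LogAdmins", "UpdateLogGroup", "ops", log_group_id="ocid1.loggroup.oc1..examplebbbb")` is false because the where clause pins the statement to one log group. The evaluator also makes the page's own mapping visible: read on log-objects alone does not cover GetLog, which the table above lists under LOG_GROUP_READ.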