Details for Logging
This topic covers details for writing policies to control access to Logging.
Resource-Types
Aggregate Resource-Type
logging-family
Individual Resource-Types
log-objectslog-groupslog-contentlog-rules
Comments
A policy that uses <verb> logs is equivalent to writing one with
a separate <verb> <individual resource-type> statement for each of the
individual resource-types.
See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of
the API operations covered by each verb, for each individual resource-type included
in logs.
Supported Variables
Logging supports all the general variables (see General Variables for All Requests), plus additional ones listed here:
| Operations for This Resource-Type... | Can Use These Variables... | Variable Type | Comments |
|---|---|---|---|
log-groups |
target.loggroup.id |
Entity (OCID) |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the log-groups
resource-type includes the same permissions and API operations as the
inspect verb, plus the LOG_GROUPS_READ permission and the
corresponding API operations GetLog and GetLogGroup.
log-objects
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
|
INSPECT |
LOG_OBJECT_INSPECT | ListLogs |
none |
|
READ |
INSPECT + LOG_OBJECT_READ |
INSPECT +
|
none |
| USE |
READ + LOG_OBJECT_UPDATE LOG_OBJECT_WRITE |
READ +
|
none |
| MANAGE |
USE + LOG_OBJECT_CREATE LOG_OBJECT_DELETE |
USE +
|
none |
log-groups
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT |
LOG_GROUP_INSPECT |
|
none |
| READ |
INSPECT + LOG_GROUP_READ |
INSPECT +
|
none |
| USE |
READ + LOG_GROUP_UPDATE |
READ +
|
none |
| MANAGE |
USE + LOG_GROUP_CREATE LOG_GROUP_DELETE |
USE +
|
none |
log-content
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | none | none |
none |
| READ |
INSPECT + LOG_CONTENT_READ |
INSPECT +
|
none |
| USE | none | none | none |
| MANAGE | none | none | none |
log-rules
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT |
LOG_RULE_INSPECT |
|
none |
| READ |
INSPECT + LOG_RULE_READ |
INSPECT +
|
none |
| USE |
READ + LOG_RULE_UPDATE |
READ +
|
none |
| MANAGE |
USE + LOG_RULE_CREATE LOG_RULE_DELETE |
USE +
|
none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListSearchLogs |
LOG_CONTENT_READ |
ListLogs |
LOG_GROUP_INSPECT |
GetLog |
LOG_GROUP_READ |
UpdateLog |
LOG_GROUP_UPDATE |
CreateLog |
LOG_GROUP_CREATE |
DeleteLog |
LOG_GROUP_DELETE |
ListLogGroups |
LOG_GROUP_INSPECT |
GetLogGroup |
LOG_GROUP_READ |
UpdateLogGroup |
LOG_GROUP_UPDATE |
CreateLogGroup |
LOG_GROUP_CREATE |
DeleteLogGroup |
LOG_GROUP_DELETE |
ChangeLogGroupCompartment |
LOG_GROUP_UPDATE |
ListLogRules |
LOG_RULE_INSPECT |
GetLogRule |
LOG_RULE_READ |
UpdateLogRule |
LOG_RULE_UPDATE |
CreateLogRule |
LOG_RULE_CREATE |
DeleteLogRule |
LOG_RULE_DELETE |
ChangeLogRuleCompartment |
LOG_RULE_UPDATE |