Details for Logging

This topic covers details for writing policies to control access to Logging.

Resource-Types

Aggregate Resource-Type

  • logging-family

Individual Resource-Types

  • log-objects
  • log-groups
  • log-content
  • log-rules

Comments

A policy that uses <verb> logging-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types listed above. Because the aggregate expands to every individual type, grant it only when the group genuinely needs access to all of them; otherwise name the individual resource-type.

See the tables in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in logging-family.

Supported Variables

Logging supports all the general variables (see General Variables for All Requests), plus the additional one listed here:

  Operations for This Resource-Type   Can Use These Variables   Variable Type    Comments
  log-groups                          target.loggroup.id        Entity (OCID)

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" or "none" indicates no incremental access.

For example, the read verb for the log-groups resource-type includes the same permissions and API operations as the inspect verb, plus the LOG_GROUP_READ permission and the corresponding API operations GetLog and GetLogGroup.
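The cumulative verb model and the aggregate expansion described above are easy to get wrong when reviewing a policy by hand, so the following added example (not an OCI tool, SDK or API) encodes the verb and permission tables from this page and evaluates policy statements against them. It answers two questions a reviewer asks: which permissions does "<verb> <resource-type>" actually grant, and what is the least verb that covers a given API operation. It also applies the target.loggroup.id variable listed under Supported Variables as a where-clause. The statement grammar handled is only the shape "Allow group <g> to <verb> <resource-type> in compartment <c> [where target.loggroup.id = '<ocid>']", and the group, compartment and OCID values are constructed for illustration.

```python
"""Evaluate OCI IAM policy statements for Logging against the verb and
permission tables on this page.  Added example, not OCI code; the statement
grammar, group names, compartment names and OCIDs below are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

VERBS = ["inspect", "read", "use", "manage"]  # access is cumulative in this order

# Incremental permissions per verb, transcribed from the tables on this page.
INCREMENTAL = {
    "log-objects": {"inspect": {"LOG_OBJECT_INSPECT"}, "read": {"LOG_OBJECT_READ"},
                    "use": {"LOG_OBJECT_UPDATE", "LOG_OBJECT_WRITE"},
                    "manage": {"LOG_OBJECT_CREATE", "LOG_OBJECT_DELETE"}},
    "log-groups": {"inspect": {"LOG_GROUP_INSPECT"}, "read": {"LOG_GROUP_READ"},
                   "use": {"LOG_GROUP_UPDATE"},
                   "manage": {"LOG_GROUP_CREATE", "LOG_GROUP_DELETE"}},
    "log-content": {"inspect": set(), "read": {"LOG_CONTENT_READ"},
                    "use": set(), "manage": set()},
    "log-rules": {"inspect": {"LOG_RULE_INSPECT"}, "read": {"LOG_RULE_READ"},
                  "use": {"LOG_RULE_UPDATE"},
                  "manage": {"LOG_RULE_CREATE", "LOG_RULE_DELETE"}},
}
AGGREGATE = {"logging-family": list(INCREMENTAL)}  # expands to every individual type

# Permission each API operation requires (from "Permissions Required for Each API Operation").
API_PERMISSION = {
    "ListSearchLogs": "LOG_CONTENT_READ",
    "ListLogs": "LOG_GROUP_INSPECT", "GetLog": "LOG_GROUP_READ",
    "UpdateLog": "LOG_GROUP_UPDATE", "CreateLog": "LOG_GROUP_CREATE",
    "DeleteLog": "LOG_GROUP_DELETE",
    "ListLogGroups": "LOG_GROUP_INSPECT", "GetLogGroup": "LOG_GROUP_READ",
    "UpdateLogGroup": "LOG_GROUP_UPDATE", "CreateLogGroup": "LOG_GROUP_CREATE",
    "DeleteLogGroup": "LOG_GROUP_DELETE", "ChangeLogGroupCompartment": "LOG_GROUP_UPDATE",
    "ListLogRules": "LOG_RULE_INSPECT", "GetLogRule": "LOG_RULE_READ",
    "UpdateLogRule": "LOG_RULE_UPDATE", "CreateLogRule": "LOG_RULE_CREATE",
    "DeleteLogRule": "LOG_RULE_DELETE", "ChangeLogRuleCompartment": "LOG_RULE_UPDATE",
}
# Operations on which the page defines target.loggroup.id (the log-groups rows).
LOGGROUP_SCOPED_OPS = {op for op, p in API_PERMISSION.items() if p.startswith("LOG_GROUP_")}


def effective_permissions(verb: str, resource_type: str) -> set:
    """Union of the verb's own row and every row above it, for each individual
    type the (possibly aggregate) resource type expands to."""
    granted = set()
    for t in AGGREGATE.get(resource_type, [resource_type]):
        if t not in INCREMENTAL:
            raise ValueError(f"unknown Logging resource-type: {t!r}")
        for v in VERBS[: VERBS.index(verb) + 1]:
            granted |= INCREMENTAL[t][v]
    return granted


def least_verb(operation: str, resource_type: str) -> Optional[str]:
    """Lowest verb on resource_type that covers operation, or None if no verb does."""
    for v in VERBS:
        if API_PERMISSION[operation] in effective_permissions(v, resource_type):
            return v
    return None


# Assumed statement grammar (a subset of the OCI policy language).
STATEMENT = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)"
    r"\s+in\s+compartment\s+(\S+)"
    r"(?:\s+where\s+target\.loggroup\.id\s*=\s*'([^']+)')?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    group: str
    operation: str
    compartment: str
    loggroup_id: Optional[str] = None  # target.loggroup.id when the operation has one


def is_allowed(statements, req: Request) -> bool:
    """True if some statement grants the permission req.operation requires."""
    for stmt in statements:
        m = STATEMENT.match(stmt.strip())
        if not m:
            raise ValueError(f"unsupported statement: {stmt!r}")
        group, verb, rtype, compartment, loggroup = m.groups()
        if group != req.group or compartment != req.compartment:
            continue
        if API_PERMISSION[req.operation] not in effective_permissions(verb.lower(), rtype):
            continue
        # A where-clause on target.loggroup.id is satisfied only by requests that
        # carry that variable (log-groups operations) with the same value.
        if loggroup is not None and (
                req.operation not in LOGGROUP_SCOPED_OPS or req.loggroup_id != loggroup):
            continue
        return True
    return False


# Constructed policy for illustration; the names and OCID are not real.
EXAMPLE_POLICY = [
    "Allow group LogReaders to read log-content in compartment Prod",
    "Allow group LogAdmins to manage logging-family in compartment Prod",
    "Allow group AppTeam to use log-groups in compartment Prod "
    "where target.loggroup.id = 'ocid1.loggroup.oc1..appexample'",
]

if __name__ == "__main__":
    print(sorted(effective_permissions("manage", "logging-family")))
    print(least_verb("UpdateLog", "log-groups"))
    print(is_allowed(EXAMPLE_POLICY, Request("LogReaders", "GetLog", "Prod")))
```

Note what the last statement does: `use log-groups` with a target.loggroup.id condition lets AppTeam call UpdateLog only on logs in that one log group, and never CreateLog or DeleteLog, because those need the manage-level LOG_GROUP_CREATE and LOG_GROUP_DELETE permissions. A request for a log-content operation such as ListSearchLogs never satisfies that statement either, since the page defines target.loggroup.id only for log-groups operations.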

log-objects

  INSPECT
    Permissions:            LOG_OBJECT_INSPECT
    APIs fully covered:     ListLogs
    APIs partially covered: none

  READ
    Permissions:            INSPECT + LOG_OBJECT_READ
    APIs fully covered:     INSPECT + GetLog
    APIs partially covered: none

  USE
    Permissions:            READ + LOG_OBJECT_UPDATE, LOG_OBJECT_WRITE
    APIs fully covered:     READ + UpdateLog
    APIs partially covered: none

  MANAGE
    Permissions:            USE + LOG_OBJECT_CREATE, LOG_OBJECT_DELETE
    APIs fully covered:     USE + CreateLog, DeleteLog
    APIs partially covered: none

log-groups

  INSPECT
    Permissions:            LOG_GROUP_INSPECT
    APIs fully covered:     ListLogGroups, ListLogs
    APIs partially covered: none

  READ
    Permissions:            INSPECT + LOG_GROUP_READ
    APIs fully covered:     INSPECT + GetLogGroup, GetLog, ListSearchLogs
    APIs partially covered: none

  USE
    Permissions:            READ + LOG_GROUP_UPDATE
    APIs fully covered:     READ + UpdateLogGroup, ChangeLogGroupCompartment, UpdateLog
    APIs partially covered: none

  MANAGE
    Permissions:            USE + LOG_GROUP_CREATE, LOG_GROUP_DELETE
    APIs fully covered:     USE + CreateLogGroup, DeleteLogGroup, CreateLog, DeleteLog
    APIs partially covered: none

log-content

  INSPECT
    Permissions:            none
    APIs fully covered:     none
    APIs partially covered: none

  READ
    Permissions:            INSPECT + LOG_CONTENT_READ
    APIs fully covered:     INSPECT + ListSearchLogs
    APIs partially covered: none

  USE
    Permissions:            no extra
    APIs fully covered:     no extra
    APIs partially covered: none

  MANAGE
    Permissions:            no extra
    APIs fully covered:     no extra
    APIs partially covered: none

log-rules

  INSPECT
    Permissions:            LOG_RULE_INSPECT
    APIs fully covered:     ListLogRules
    APIs partially covered: none

  READ
    Permissions:            INSPECT + LOG_RULE_READ
    APIs fully covered:     INSPECT + GetLogRule
    APIs partially covered: none

  USE
    Permissions:            READ + LOG_RULE_UPDATE
    APIs fully covered:     READ + UpdateLogRule, ChangeLogRuleCompartment
    APIs partially covered: none

  MANAGE
    Permissions:            USE + LOG_RULE_CREATE, LOG_RULE_DELETE
    APIs fully covered:     USE + CreateLogRule, DeleteLogRule
    APIs partially covered: none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.

  API Operation               Permissions Required to Use the Operation
  ListSearchLogs              LOG_CONTENT_READ
  ListLogs                    LOG_GROUP_INSPECT
  GetLog                      LOG_GROUP_READ
  UpdateLog                   LOG_GROUP_UPDATE
  CreateLog                   LOG_GROUP_CREATE
  DeleteLog                   LOG_GROUP_DELETE
  ListLogGroups               LOG_GROUP_INSPECT
  GetLogGroup                 LOG_GROUP_READ
  UpdateLogGroup              LOG_GROUP_UPDATE
  CreateLogGroup              LOG_GROUP_CREATE
  DeleteLogGroup              LOG_GROUP_DELETE
  ChangeLogGroupCompartment   LOG_GROUP_UPDATE
  ListLogRules                LOG_RULE_INSPECT
  GetLogRule                  LOG_RULE_READ
  UpdateLogRule               LOG_RULE_UPDATE
  CreateLogRule               LOG_RULE_CREATE
  DeleteLogRule               LOG_RULE_DELETE
  ChangeLogRuleCompartment    LOG_RULE_UPDATE