Details for Logging

This topic covers details for writing policies to control access to Logging.

Resource-Types

Aggregate Resource-Type

logging-family

Individual Resource-Types

log-groups
log-content
unified-configuration

Comments

A policy that uses <verb> logs is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in logs.

Supported Variables

Logging supports all the general variables (see General Variables for All Requests), plus additional ones listed here:


Operations for This Resource-Type...	Can Use These Variables...	Variable Type	Comments
`log-groups`	`target.loggroup.id`	Entity (OCID)
`log-content`	`target.loggroup.id`	Entity (OCID)

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the log-groups resource-type includes the same permissions and API operations as the inspect verb, plus the LOG_GROUPS_READ permission and the corresponding API operations GetLog and GetLogGroup.

log-groups


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	LOG_GROUP_INSPECT	`ListLogGroups` `ListLogs`	none
READ	INSPECT + LOG_GROUP_READ	INSPECT + `GetLogGroup` `GetLog` `ListSearchLogs`	none
USE	READ + LOG_GROUP_UPDATE	READ + `UpdateLogGroup` `ChangeLogGroupCompartment` `UpdateLog`	none
MANAGE	USE + LOG_GROUP_CREATE LOG_GROUP_DELETE	USE + `CreateLogGroup` `DeleteLogGroup` `CreateLog` `DeleteLog`	none

log-content


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	none	none	none
READ	INSPECT + LOG_CONTENT_READ	INSPECT + `ListSearchLogs`	none
USE	READ + LOG_CONTENT_PUSH UNIFIED_AGENT_CONFIG_GENERATE	none	none
MANAGE	READ + LOG_CONTENT_PUSH UNIFIED_AGENT_CONFIG_GENERATE	none	none

unified-configuration


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	UNIFIED_AGENT_CONFIG_INSPECT	`ListUnifiedAgentConfiguration`	none
READ	INSPECT + UNIFIED_AGENT_CONFIG_READ	INSPECT + `GetUnifiedAgentConfiguration`	none
USE	READ + UNIFIED_AGENT_CONFIG_UPDATE	READ + `UpdateUnifiedAgentConfiguration`	none
MANAGE	USE + UNIFIED_AGENT_CONFIG_CREATE UNIFIED_AGENT_CONFIG_DELETE	USE + `CreateUnifiedAgentConfiguration` `DeleteUnifiedAgentConfiguration`	none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListSearchLogs`	LOG_CONTENT_READ
`ListLogs`	LOG_GROUP_INSPECT
`GetLog`	LOG_GROUP_READ
`UpdateLog`	LOG_GROUP_UPDATE
`CreateLog`	LOG_GROUP_CREATE
`DeleteLog`	LOG_GROUP_DELETE
`ListLogGroups`	LOG_GROUP_INSPECT
`GetLogGroup`	LOG_GROUP_READ
`UpdateLogGroup`	LOG_GROUP_UPDATE
`CreateLogGroup`	LOG_GROUP_CREATE
`DeleteLogGroup`	LOG_GROUP_DELETE
`ChangeLogGroupCompartment`	LOG_GROUP_UPDATE
`CreateUnifiedAgentConfiguration`	UNIFIED_AGENT_CONFIG_CREATE
`GetUnifiedAgentConfiguration`	UNIFIED_AGENT_CONFIG_READ
`UpdateUnifiedAgentConfiguration`	UNIFIED_AGENT_CONFIG_UPDATE
`DeleteUnifiedAgentConfiguration`	UNIFIED_AGENT_CONFIG_DELETE
`ListUnifiedAgentConfigurations`	UNIFIED_AGENT_CONFIG_INSPECT