OCI IAM policy uses the concept of admit and endorse to enable cross-tenancy access. If you want to grant permission for compute instances of source tenancy (VendorA) to access Log Analytics of destination tenancy (CompanyABC), then the administrators of both the tenancies must create IAM policies as below.

1. Setup instance principal and dynamic group in the source tenancy (VendorA):

   Instance principals capability lets you make service calls from an instance. OCI compute instances are authorized to interact with OCI APIs by creating a dynamic group of the compute instances and a policy that authorizes what operations the instances can perform.

   Create a dynamic group, for example oci_la_dg, to authorize the instances in the compartments with the permissions defined in the policies.

   Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaabcd',instance.compartment.id = 'ocid1.compartment.oc1..aaaaadef'}

2. Create policy in the source tenancy (VendorA):

   Define tenancy CompanyABC as ocid1.tenancy.oc1..aaaaaaaaabc
   Endorse dynamic-group oci_la_dg to manage loganalytics-features-family in tenancy CompanyABC
   Endorse dynamic-group oci_la_dg to manage loganalytics-resources-family in tenancy CompanyABC
   Endorse dynamic-group oci_la_dg to manage management-dashboard-family in tenancy CompanyABC
   Endorse dynamic-group oci_la_dg to read compartments in tenancy CompanyABC

3. Create policy in the destination tenancy (CompanyABC):

   Define tenancy VendorA as ocid1.tenancy.oc1..aaaaavendora
   Define dynamic-group oci_la_dg as ocid1.dynamicgroup.oc1..aaaaaaaavendora
   Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-features-family in tenancy
   Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-resources-family in tenancy
   Admit dynamic-group oci_la_dg of tenancy VendorA to manage management-dashboard-family in tenancy 
   Admit dynamic-group oci_la_dg of tenancy VendorA to read compartments in tenancy

4. Verify that you can now run Log Analytics APIs from the instances that were given permissions.

For information on Endorse, Admit, and Define statements, see Object Storage Documentation. In addition to dynamic groups, these statements can be applied for groups too.