1
votes

I want to deny access to specific tables in my Log Analytics workspaces; however, the Microsoft site says:

"Considerations: If a user is granted global read permission with the standard Reader or Contributor roles that include the */read action, it will override the per-table access control and give them access to all log data."

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access

What exactly is global read permission? Is this the Reader permission applied at the subscription level? If you apply the read permission at the resource group level, will this affect the table-level RBAC?


1 Answer

0
votes

What exactly is global read permission?

It means the RBAC role has the */read action, e.g. Owner, Contributor, Reader, Log Analytics Reader, Log Analytics Contributor. You could check the doc for the details of the roles' permissions.

Note: this applies not only to the built-in roles, but also to any custom role you create with the */read action.

Is this the Reader permission applied at the subscription level?

It can be applied at both the subscription and the resource group level.

If it is applied at the subscription level, it affects all the workspaces in the subscription. If it is applied at the resource group level, it only affects the workspaces in that specific resource group and does not affect workspaces in other resource groups.

If you apply the read permission at the resource group level, will this affect the table-level RBAC?

Yes. If the role is applied at group A and your workspace is in group A, it will affect the table-level RBAC. But if your workspace is in group B, it will not be affected.

For more details, you could refer to RBAC - Scope.
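The scope and wildcard rules the answer describes can be worked through offline. The following is an added example (not code from the question or the answer above) that models Azure RBAC action matching (`*` matches any run of characters, including `/`), NotActions subtraction, and scope inheritance, and then evaluates which tables a principal can read in a workspace. It assumes the legacy table-level action format `Microsoft.OperationalInsights/workspaces/query/<TableName>/read`; the subscription ID, resource group names, workspace name, principal name and the custom role are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed action format for per-table access (legacy table-level RBAC method):
# Microsoft.OperationalInsights/workspaces/query/<TableName>/read
TABLE_READ = "Microsoft.OperationalInsights/workspaces/query/{table}/read"


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # subscription, resource group or resource ID


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any characters, '/' included, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_grants(role: RoleDefinition, action: str) -> bool:
    """A role's effective permission is Actions minus NotActions (NotActions is not a deny)."""
    if any(action_matches(p, action) for p in role.not_actions):
        return False
    return any(action_matches(p, action) for p in role.actions)


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Assignments are inherited downwards: a scope covers itself and every child resource."""
    scope = assignment_scope.rstrip("/").lower()
    resource = resource_id.lower()
    return resource == scope or resource.startswith(scope + "/")


def readable_tables(principal, assignments, workspace_id, tables):
    """Return (tables the principal can read, {(role, scope)} assignments that granted a read via a wildcard).

    A non-empty second element is the 'global read' situation the docs warn about:
    some in-scope role such as Reader (*/read) covers every table, so per-table grants are moot.
    """
    in_scope = [a for a in assignments
                if a.principal == principal and scope_covers(a.scope, workspace_id)]
    readable, wildcard_overrides = set(), set()
    for table in tables:
        action = TABLE_READ.format(table=table)
        for a in in_scope:
            if role_grants(a.role, action):
                readable.add(table)
                if any("*" in p and action_matches(p, action) for p in a.role.actions):
                    wildcard_overrides.add((a.role.name, a.scope))
    return readable, wildcard_overrides


# Constructed sample environment: workspace law-a lives in resource group rg-a.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_A = SUB + "/resourceGroups/rg-a"
RG_B = SUB + "/resourceGroups/rg-b"
WORKSPACE_A = RG_A + "/providers/Microsoft.OperationalInsights/workspaces/law-a"
TABLES = ["Heartbeat", "SecurityEvent", "Syslog"]

READER = RoleDefinition("Reader", actions=["*/read"])  # built-in Reader: global read
HEARTBEAT_ONLY = RoleDefinition("Heartbeat Only (custom, hypothetical)", actions=[
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    TABLE_READ.format(table="Heartbeat"),
])


def scenario(reader_scope):
    """alice gets the per-table role on the workspace; optionally Reader at reader_scope as well."""
    assignments = [RoleAssignment("alice", HEARTBEAT_ONLY, WORKSPACE_A)]
    if reader_scope:
        assignments.append(RoleAssignment("alice", READER, reader_scope))
    return readable_tables("alice", assignments, WORKSPACE_A, TABLES)


if __name__ == "__main__":
    for label, scope in [("no Reader", None), ("Reader on subscription", SUB),
                         ("Reader on rg-a", RG_A), ("Reader on rg-b", RG_B)]:
        tables, overrides = scenario(scope)
        print(f"{label:24s} readable={sorted(tables)} overridden_by={sorted(overrides)}")
```

Running the script shows the three cases from the answer: with only the custom role, alice reads Heartbeat alone; Reader assigned on the subscription or on rg-a (the workspace's own group) is in scope and its `*/read` covers every table, so the per-table restriction is overridden; Reader assigned on rg-b is not inherited by a workspace in rg-a and changes nothing. The same `readable_tables` check can be pointed at an exported list of real role assignments to find which one is silently widening table access.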