Azure Monitor now offers deeper data control with row-level access, enhancing security and compliance.
Key Takeaways:
Microsoft has rolled out Granular RBAC (Role-Based Access Control) in public preview for Azure Monitor Log Analytics. This new feature provides organizations with precise, row-level control over log data within a shared Log Analytics workspace.
Azure Monitor Logs is a feature that collects and stores log and performance data from various sources, including Azure resources, virtual machines, and applications. This data is centralized in a Log Analytics workspace, where users can analyze it using Kusto Query Language (KQL) to gain insights, troubleshoot issues, monitor system health, and set up alerts. This feature plays an important role in maintaining visibility across cloud and hybrid environments.
Previously, administrators could only control access at the workspace or table level. Because several departments or teams often share one Log Analytics workspace, it was hard to restrict access to a subset of the records in a table, enforce least privilege, and meet data governance and privacy requirements without splitting data into separate workspaces.
The new Granular RBAC feature lets organizations define row-level access conditions on attributes carried in the log data, such as the resource group or subscription a record came from or custom tags. Users then see only the rows they are authorized to read, which improves security, compliance, and operational efficiency without fragmenting the workspace.
“On top of the existing capabilities of workspace and table level access provided over Azure RBAC, you can now maintain all your data in a single Log Analytics workspace and provide least privilege access at any level. This means you can control which users can access which tables and rows, based on your business or security needs and defined criteria, and completely separate data and control plane access, using Azure Attribute-based access control (ABAC) as part of your Azure RBAC role assignment,” Microsoft explained.
To configure granular access in Azure Monitor Logs, IT admins will need to follow the steps mentioned below:
This new Granular RBAC is ideal for scenarios where organizations need to tightly control access to log data within a shared workspace. Moreover, it enables data segregation by allowing access based on various attributes to ensure users only see data relevant to them. This feature also helps protect sensitive information and supports compliance with industry regulations by enforcing strict access policies.
Microsoft notes that administrators can use the “Table Name” and “Column Value” attributes to scope access within their organizations. Once the Granular RBAC rules are configured, users are restricted to the log data that matches the exact criteria. One caveat follows from how Azure RBAC works: permissions are additive and an ABAC condition only constrains the role assignment it is attached to, so a principal that also holds an unconditioned read role on the workspace (or on a parent resource group or subscription) still sees every row. Row-level restriction only holds when every assignment that grants log read access to that principal carries the condition.
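The following script is an added example, not code from the article or from Microsoft. It builds an Azure ABAC condition of the kind described above and attaches it to a role assignment with the Azure CLI. The condition shape (the `!(ActionMatches{...}) OR (...)` wrapper) is the standard Azure ABAC form; the data action name and the attribute keys that stand in for the portal's “Table Name” and “Column Value” attributes are assumptions and should be checked against the condition builder in the portal. The workspace ID, principal ID, table and column values are placeholders. Nothing is applied unless `az` is installed and `APPLY=1` is set.

```shell
# Added example: row-level (granular) RBAC on a Log Analytics workspace via an
# ABAC condition on the role assignment. Not the article's or Microsoft's code.
set -eu

# Assumed identifiers (not confirmed by the article): the data-plane read action
# and the attribute keys behind the portal's "Table Name" / "Column Value" picks.
DATA_ACTION='Microsoft.OperationalInsights/workspaces/tables/data/read'
TABLE_ATTR='Microsoft.OperationalInsights/workspaces/tables:name'
COLUMN_ATTR_PREFIX='Microsoft.OperationalInsights/workspaces/tables/columns'

# Placeholder scope and principal (replace before running with APPLY=1).
WORKSPACE_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-shared'
PRINCIPAL_ID='11111111-1111-1111-1111-111111111111'
ROLE_NAME='Log Analytics Row Reader (example)'

# build_condition TABLE [COLUMN VALUE]
# With only TABLE the condition is table-level (what was already possible);
# adding COLUMN and VALUE turns it into a row-level condition. The leading
# "!(ActionMatches{...}) OR" clause is the usual ABAC idiom: it leaves every
# other action in the role unconstrained and only filters the data read.
build_condition() {
  local table="$1" column="${2:-}" value="${3:-}" cond
  cond="@Resource[$TABLE_ATTR] StringEqualsIgnoreCase '$table'"
  if [ -n "$column" ]; then
    cond="$cond AND @Resource[$COLUMN_ATTR_PREFIX:$column] StringEquals '$value'"
  fi
  printf "((!(ActionMatches{'%s'})) OR (%s))" "$DATA_ACTION" "$cond"
}

# write_role_definition FILE
# Minimal custom role: control-plane read on the workspace plus the data read
# action that the ABAC condition will constrain. IsCustom must be true.
write_role_definition() {
  cat > "$1" <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Read Log Analytics data, to be limited per assignment by an ABAC condition (example)",
  "Actions": [ "Microsoft.OperationalInsights/workspaces/read" ],
  "DataActions": [ "$DATA_ACTION" ],
  "NotDataActions": [],
  "AssignableScopes": [ "$WORKSPACE_ID" ]
}
EOF
}

# Example: this team may read SecurityEvent rows only for one computer.
CONDITION="$(build_condition SecurityEvent Computer 'web-01.corp.example')"

if [ "${APPLY:-0}" = 1 ] && command -v az >/dev/null 2>&1; then
  ROLE_FILE="$(mktemp)"
  write_role_definition "$ROLE_FILE"
  az role definition create --role-definition "$ROLE_FILE"
  # --condition-version 2.0 is required for the attribute syntax used above.
  az role assignment create \
    --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type Group \
    --role "$ROLE_NAME" \
    --scope "$WORKSPACE_ID" \
    --condition "$CONDITION" \
    --condition-version 2.0
  rm -f "$ROLE_FILE"
else
  echo "Dry run. Condition that would be attached to the assignment:"
  echo "$CONDITION"
fi
```

To verify, sign in as a member of the assigned group and run a query such as `SecurityEvent | summarize count() by Computer`: only the permitted computer should appear. Then check `az role assignment list --assignee <principal> --all` for any other assignment that grants log read without a condition, since that assignment would make the row filter moot.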