This blog post digs deeper into what is really required to share dashboards in Azure from a user rights/security perspective. If you are interested in creating custom dashboards, integrating Log Analytics, and customizing dashboards, this previous blog post covers those topics. This blog post will discuss:
- Permissions required to share dashboards in Azure
- Changing who can see your shared dashboard
- Permissions required to see content on your dashboard
Sharing dashboards in Azure:
To share a dashboard and be able to add other users to it, you must be an Owner at the subscription level. The graphic below shows the users tab when you do not have owner rights.
With owner rights on the subscription you have the new Add button shown below.
If you do not have at least contributor rights, you will be unable to choose the subscription when trying to share a dashboard, as shown in the screenshots below.
“Users who are owners or contributors are able to list, view, create, modify, or delete dashboards within the subscription. Users who are readers are able to list and view dashboards, but cannot modify or delete them. Users with reader access are able to make local edits to a published dashboard (such as, when troubleshooting an issue), but are not able to publish those changes back to the server. They will have the option to make a private copy of the dashboard for themselves” from https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-dashboard-share-access
Based on our testing, allowing a user to create their own dashboard and share it required Owner-level permissions so that they were able to manage who else can view that dashboard. If the user only needs to be able to share the dashboard and not control who can view it, Contributor level is sufficient.
Changing who can see your shared dashboard:
Once you have shared a dashboard, use the “Unshare” option to change permissions on that dashboard.
Clicking on Unshare brings up a new view on the right side where you can now choose “Manage users”.
From this view you can add or remove users and roles.
Permissions required to display objects on a dashboard:
The following are the access permissions which we have seen for the objects on a dashboard:
- Reader rights in the OMS workspace (this is done in OMS)
- Contributor rights in Azure to Log Analytics
- Reader rights to the “mms-eus” resource group (i.e., the resource group where the Log Analytics workspace is stored)
- Reader rights to the “dashboards” resource group (i.e., the resource group where the dashboards are stored)
At a high level, you need at least reader rights to any data that you are sharing on the dashboard, and anyone who needs to see that data on the dashboard will need those permissions as well.
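To audit a viewer against the list above, the following added example (not from the original post) checks the JSON produced by `az role assignment list --all --assignee <user> -o json` for the three Azure-side permissions, taking RBAC scope inheritance into account. The subscription ID, the workspace name `example-ws`, and the reading of "Contributor rights in Azure to Log Analytics" as the Contributor role on the workspace resource are assumptions.

```python
import json

# Constructed sample shaped like the CLI's JSON output; the subscription ID and
# workspace name (example-ws) are placeholders, not values from the post.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WORKSPACE = (SUB + "/resourceGroups/mms-eus/providers/"
             "Microsoft.OperationalInsights/workspaces/example-ws")
SAMPLE = json.dumps([
    {"roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/dashboards"},
    {"roleDefinitionName": "Contributor", "scope": WORKSPACE},
])

# Built-in roles only: Owner and Contributor are supersets of Reader.
# Custom roles are not evaluated here.
READ = {"Reader", "Contributor", "Owner"}
WRITE = {"Contributor", "Owner"}

# The OMS workspace Reader right is granted in OMS per the post, so it is not
# part of this Azure RBAC check.
REQUIREMENTS = [
    ("Contributor on the Log Analytics workspace", WORKSPACE, WRITE),
    ("Reader on the mms-eus resource group", SUB + "/resourceGroups/mms-eus", READ),
    ("Reader on the dashboards resource group", SUB + "/resourceGroups/dashboards", READ),
]

def covers(assigned_scope, target_scope):
    """An assignment applies to its own scope and to every child scope."""
    a = assigned_scope.rstrip("/").lower()   # Azure resource IDs are case-insensitive
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")   # "/" stops dashboards matching dashboards-old

def missing_requirements(assignments_json):
    """Return the labels of the dashboard-view requirements the user does not meet."""
    assignments = json.loads(assignments_json)
    missing = []
    for label, scope, roles in REQUIREMENTS:
        met = any(a["roleDefinitionName"] in roles and covers(a["scope"], scope)
                  for a in assignments)
        if not met:
            missing.append(label)
    return missing

if __name__ == "__main__":
    # Contributor on the workspace (a child scope) does not grant read on its parent group.
    for gap in missing_requirements(SAMPLE):
        print("missing:", gap)
```

An assignment made at the subscription level satisfies the resource group checks through inheritance, which is why a viewer with subscription Reader plus workspace Contributor reports no gaps.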
Summary: To effectively share and control who has access to your shared dashboard you need owner rights on the subscription. When you want to change who can see your shared dashboard use the “Unshare” option. Finally, you need at least reader rights to the OMS workspace, contributor rights in Azure to Log Analytics, and reader access to the dashboards resource group to view the various objects on your shared dashboard (if you are displaying Log Analytics content as an example).