Services Hub Connector - Azure Role Requirements

  • Article

This document outlines the Azure roles required to perform the various operations exposed by the Services Hub Extension in Azure.

To perform all required operations, the minimum roles required are Services Hub Operator and Log Analytics Contributor. These can be applied at the subscription or resource group level, and the user will be able to create a new Services Hub Connector and perform all other related operations. Operation-Specific requirements are listed below.

Create new Connector

  • Owner, Contributor, or Services Hub Operator on Subscription AND
  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource (this dropdown is optional during creation, so you can optionally not select a Log Analytics workspace during creation, in which case you don't need this permission)

Change the Connection to Log Analytics workspace for an existing Services Hub Connector

  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource AND
  • Owner, Contributor or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource

Create new Log Analytics workspace and Connect Log Analytics to Services Hub Connector

  • Owner, Contributor or Log Analytics Contributor on Subscription/ResourceGroup the new Log Analytics workspace is being created under AND
  • Owner, Contributor or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource the Services Hub Connector is created under

Add assessments to Services Hub connector

  • Owner, Contributor or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource AND
  • Owner, Contributor or Log Analytics Contributor on Log Analytics Workspace Subscription/ResourceGroup/Resource

View Services Hub Connector -> Overview

  • Owner, Contributor, Reader or Services Hub Operator on Subscription/ResourceGroup/Resource the Services Hub Connector is created under

View Services Hub Connector -> On Demand Assessments Blade

  • Owner, Contributor, Reader or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource AND
  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource

View Assessment Results in Log Analytics Workspace

  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource