Comprehensive Mode: Policy Statement


Overview

The permissions below grant Lucidity limited, controlled access to enable VM Insights during an assessment. They allow Lucidity to read VM and disk metadata, create Log Analytics Workspaces and Data Collection Rules, and modify VMs so that insights can be enabled on the customer's behalf. These access rights are scoped to the assessment period.

All changes are fully reverted once the assessment is completed. This includes deleting any Log Analytics Workspace and Data Collection Rules created by the assessment tool, so that no persistent changes remain. For seamless execution, users should have Contributor access or the specific custom IAM permissions listed below. This follows the principle of least privilege while still allowing the assessment to succeed.

Permission Policy Statement

```json
{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/extensions/delete",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.CostManagement/query/read",
        "Microsoft.Insights/DataCollectionRuleAssociations/Delete",
        "Microsoft.Insights/DataCollectionRuleAssociations/Read",
        "Microsoft.Insights/DataCollectionRuleAssociations/Write",
        "Microsoft.Insights/DataCollectionRules/Delete",
        "Microsoft.Insights/DataCollectionRules/Read",
        "Microsoft.Insights/DataCollectionRules/Write",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/MetricDefinitions/Read",
        "Microsoft.Insights/Metricnamespaces/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.OperationalInsights/workspaces/delete",
        "Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationsManagement/managementAssociations/delete",
        "Microsoft.OperationsManagement/managementAssociations/read",
        "Microsoft.OperationsManagement/managementAssociations/write",
        "Microsoft.OperationsManagement/managementConfigurations/delete",
        "Microsoft.OperationsManagement/managementConfigurations/read",
        "Microsoft.OperationsManagement/managementConfigurations/write",
        "Microsoft.OperationsManagement/register/action",
        "Microsoft.OperationsManagement/solutions/delete",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationsManagement/solutions/write",
        "Microsoft.RecoveryServices/vaults/read",
        "Microsoft.RecoveryServices/vaults/replicationProtectedItems/read",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/agentPools/machines/read",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ]
}
```
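Before assigning a custom role built from this statement, a reviewer will want to see which actions only read metadata, which ones mutate resources or run code on VMs (the `runCommand/action` and `extensions/write` entries), and that the role is restricted to a single subscription via `assignableScopes`. The script below is an added example, not Lucidity's tooling; it audits a constructed subset of the actions above and wraps them in the Azure portal's custom-role JSON shape, assuming a placeholder subscription ID.

```python
import json

# Constructed sample: a subset of the actions in the policy statement above.
POLICY_JSON = """{
  "permissions": [{
    "actions": [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/write",
      "Microsoft.Compute/virtualMachines/runCommand/action",
      "Microsoft.Compute/virtualMachines/extensions/write",
      "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
      "Microsoft.Insights/Logs/Read"
    ],
    "notActions": [], "dataActions": [], "notDataActions": []
  }]
}"""

# Actions a reviewer should call out because they go beyond reading metadata.
HIGH_IMPACT = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "executes commands inside the VM",
    "Microsoft.Compute/virtualMachines/extensions/write": "installs VM extensions, which run code on the VM",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action": "returns the workspace shared keys",
}

def classify(action):
    """'read' for actions ending in /read; everything else (write, delete, /action) mutates."""
    return "read" if action.lower().endswith("/read") else "mutating"

def audit_role(policy_text):
    """Summarise what the role allows so the grant can be reviewed before assignment."""
    policy = json.loads(policy_text)
    report = {"read": [], "mutating": [], "high_impact": {}, "wildcards": [], "data_actions": 0}
    for perm in policy["permissions"]:
        report["data_actions"] += len(perm.get("dataActions", []))
        for action in perm["actions"]:
            report[classify(action)].append(action)
            if "*" in action:  # a wildcard widens the grant beyond the listed operations
                report["wildcards"].append(action)
            if action in HIGH_IMPACT:
                report["high_impact"][action] = HIGH_IMPACT[action]
    return report

def build_role_definition(policy_text, subscription_id, role_name):
    """Wrap the permissions block in a portal-format custom role assignable in one subscription only."""
    policy = json.loads(policy_text)
    return {"properties": {
        "roleName": role_name,
        "description": "Assessment role; remove the assignment when the assessment completes.",
        "assignableScopes": [f"/subscriptions/{subscription_id}"],  # placeholder ID supplied by caller
        "permissions": policy["permissions"],
    }}
```

`assignableScopes` limits where the role can be assigned; the time limit the page describes comes from removing the role assignment when the assessment ends.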