Log permissions

To view the run history for a function, action, or automation, you must have edit permission on the resource.

To view the Trace and Service logs for an execution you did not invoke, log reading must be enabled on the project of the Source Executor for the workflow execution. You must also have access to all configured markings. The source executor is the first executable resource in the workflow execution and can be a function, action, or automation.

Users with the Information security officer or Enrollment administrator role can configure log access at the project level. To learn more about managing project-level log access for Ontology and AIP workflows, review the Control Panel configure logging documentation.

Control Panel showing project log access configuration interface.

When log access is not enabled for the project the source executor resides in, selecting View log details for an execution invoked by another user or automation will show the following message: Logs disabled for source execution resource.

Example Workflow Lineage logs disabled

Users always have access to logs for their own executions from the past 24 hours, independent of administrator log access settings.

User viewing their own execution logs secured by user ID.

When log access is enabled for the project and marking permissions are satisfied, Source executor log access will show as enabled. Logs will be visible for all executions originating from the enabled project.

Project-level log access showing enabled status for all executions.

Source executor log access override for legacy Ontology permissions

Actions must be migrated to Ontology project-based permissions to be managed at the project level. If your actions are managed by legacy Ontology permissions, review the guide on migrating to project-based permissions. Note that once your actions are migrated, an administrator will need to update the project attribution of each by clearing the legacy ontology resource identifier.

To enable log access for an action with legacy Ontology permissions during this transition period, administrators can create a resource override. This allows enabling access without needing to migrate. Select Edit permissions and then Configure log visibility in the top right corner of the Run history table.

Workflow Lineage showing the Edit permissions button in the Run history table.

The administrator will be prompted to override the project permissions for the action. For actions with legacy Ontology permissions, the Action's ontology resource identifier will appear as the project. Administrators cannot enable this identifier and do not have access to it through Foundry's project and file system.

Example Workflow Lineage enable log reading dialog.

When overriding, the administrator can apply the necessary markings to restrict log access, then select Next.

Example Workflow Lineage enable log reading dialog.

Then select Apply changes.

Example Workflow Lineage enable log reading dialog.

Updating the project attribution of a source executor

A source executor is linked to an Attributed project for log access purposes. By default, the attributed project is the project where the source executor was located when it first wrote a log. If a resource is moved after writing its first log, log access is enforced based on both the attributed project and the current project. When these two projects differ, an administrator can update the attributed project to match the resource's current project at any time.

Example Workflow Lineage enable log reading dialog.
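The log visibility rules described above can be modeled as a single decision function, which is useful when reviewing who can read logs for a given execution. This is an added example, not Foundry code or a Foundry API: the class names, function name, short reason labels, and sample projects are hypothetical, and it assumes that when the attributed and current projects differ, both must have log reading enabled and the viewer needs the markings of both.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

OWN_LOG_WINDOW = timedelta(hours=24)  # "own executions from the past 24 hours"
DISABLED_MSG = "Logs disabled for source execution resource"  # message quoted on this page

@dataclass(frozen=True)
class ProjectLogConfig:  # hypothetical model of a project's log access settings
    log_reading_enabled: bool
    markings: frozenset = frozenset()

@dataclass(frozen=True)
class Execution:  # hypothetical model of one workflow execution
    invoker: str
    started: datetime
    attributed_project: str  # project where the source executor first wrote a log
    current_project: str     # project where the source executor resides now

def can_view_logs(viewer, viewer_markings, execution, projects, now):
    """Return (allowed, reason) for the trace and service logs of one execution."""
    # Own executions from the past 24 hours are visible regardless of admin settings.
    if viewer == execution.invoker and now - execution.started <= OWN_LOG_WINDOW:
        return True, "own-execution"
    # Assumption: a moved executor is checked against both of its projects.
    names = sorted({execution.attributed_project, execution.current_project})
    configs = [projects.get(name) for name in names]
    if any(cfg is None or not cfg.log_reading_enabled for cfg in configs):
        return False, DISABLED_MSG
    # Assumption: the viewer must hold every marking configured on those projects.
    if any(not cfg.markings <= frozenset(viewer_markings) for cfg in configs):
        return False, "missing-markings"
    return True, "project-enabled"

# Constructed sample data, not taken from a real enrollment.
NOW = datetime(2024, 1, 2, 12, 0)
PROJECTS = {
    "proj-a": ProjectLogConfig(True, frozenset({"PII"})),
    "proj-b": ProjectLogConfig(False),
}
RECENT_B = Execution("alice", NOW - timedelta(hours=2), "proj-b", "proj-b")
OLD_B = Execution("alice", NOW - timedelta(hours=30), "proj-b", "proj-b")
IN_A = Execution("alice", NOW - timedelta(hours=30), "proj-a", "proj-a")
MOVED = Execution("alice", NOW - timedelta(hours=30), "proj-a", "proj-b")
```

Under this model, the MOVED execution stays hidden from other users until proj-b has log reading enabled, because the executor's current project is checked alongside its attributed project.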

Delete logs

Users with the Information security officer or Enrollment administrator role can also delete logs at any time by selecting Edit permissions, Delete log history, and then Delete logs.

Example Workflow Lineage delete log selection.

Choosing to delete log history is irreversible and will permanently delete all logs for executions originating from this function.

Example Workflow Lineage delete logs pop up.

Required roles

The following table lists the required roles for various operations in AIP Observability.

| Capability | Required role |
| --- | --- |
| View run history | Edit permission on the Function or Action |
| Configure log visibility | Information security officer or Enrollment administrator role |
| Delete logs | Information security officer or Enrollment administrator role |
| View trace and service logs | Log access must be enabled on the project of the source executor |