This article contains information on the required permissions to perform specific actions. The format of the policy statements is:
ALLOW <table permission> WHERE <conditions>;
To learn how to set permissions, see Permissions in Grail.
| Policy scope | Table permission | Where |
| --- | --- | --- |
| Access to trace data | storage:buckets:read, storage:spans:read, storage:entities:read, storage:fieldsets:read | storage:bucket-name = "spans" |
| | storage:fieldsets:read | storage:fieldset-name="builtin-sensitive-spans" IN ("<bucket-name>") |
| View confidential request attributes trace data 2 | storage:fieldsets:read | storage:fieldset-name="builtin-request-attributes-spans" IN ("<bucket-name>") |
| View segments in the Distributed Tracing app | storage:filter-segments:read | storage:bucket-name = "spans" |
| View log data in the Distributed Tracing app | storage:logs:read | storage:bucket-name = "spans" |
| Manage facets in the Distributed Tracing app | state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete | storage:bucket-name = "spans" |
Sensitive attributes for spans are tagged as sensitive-spans in Global field reference.
To learn more about restricted view access to personal data and confidential request attributes, see Masking at display.
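An added example, not Dynatrace code: a small Python audit that parses policy text in the `ALLOW ... WHERE ...;` format described above and flags statements that grant either of the two sensitive fieldsets listed on this page, or that carry no `WHERE` condition at all. The function name `audit_policy`, the sample policy, and the rule that a statement without `WHERE` deserves review are assumptions made for illustration.

```python
import re

# Fieldsets this page lists as gating sensitive / confidential span attributes.
SENSITIVE_FIELDSETS = {"builtin-sensitive-spans", "builtin-request-attributes-spans"}

# One statement: ALLOW <permissions> [WHERE <conditions>];
STATEMENT = re.compile(
    r"ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<where>.+?))?\s*;", re.S | re.I
)
FIELDSET = re.compile(r'storage:fieldset-name\s*=\s*"([^"]+)"')


def audit_policy(text):
    """Return (statement_number, finding) tuples for statements worth reviewing."""
    findings = []
    for number, match in enumerate(STATEMENT.finditer(text), start=1):
        perms = {p.strip() for p in match.group("perms").split(",")}
        where = match.group("where") or ""
        # Sensitive fieldsets explicitly named in the condition.
        named = set(FIELDSET.findall(where)) & SENSITIVE_FIELDSETS
        if "storage:fieldsets:read" in perms and named:
            findings.append((number, "grants " + ", ".join(sorted(named))))
        # Review rule assumed for this example: every statement should be conditioned.
        if not where:
            findings.append((number, "no WHERE condition"))
    return findings


# Constructed sample: the first two statements follow the table rows above,
# the third deliberately omits its WHERE clause.
SAMPLE_POLICY = '''
ALLOW storage:buckets:read, storage:spans:read, storage:entities:read, storage:fieldsets:read
  WHERE storage:bucket-name = "spans";
ALLOW storage:fieldsets:read
  WHERE storage:fieldset-name="builtin-sensitive-spans" IN ("<bucket-name>");
ALLOW storage:logs:read;
'''

if __name__ == "__main__":
    for number, finding in audit_policy(SAMPLE_POLICY):
        print(f"statement {number}: {finding}")
```

The audit only reports what a statement says. Whether a reported grant is appropriate for a given group remains a review decision.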