Configure data access and retention for Distributed Tracing

Distributed traces are stored in Grail buckets with a retention period from 10 days up to 10 years. Traces might contain personal and sensitive data, for which you can configure user access. Buckets can improve query performance by reducing query execution time and the scope of data read.

This article contains information on how to modify user access to trace data and sensitive information and how to configure trace data storage.

Who is this for

This article is intended for administrators controlling identity and access management.

Prerequisites

  • Dynatrace SaaS environment powered by Grail and AppEngine.
  • Dynatrace Platform Subscription (DPS) with Traces powered by Grail capabilities.
  • openpipeline:configurations:write and openpipeline:configurations:read permissions.

Data access

Configure user permissions for trace data

To configure user permissions to fetch span data from buckets and tables in Grail and for Distributed Tracing data

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. Go to Identity & access management > Policies.
  3. Select Create policy.
  4. Add the policy details:
    • Name
    • Description
    • Policy statement—use the following:
      ALLOW storage:buckets:read WHERE storage:bucket-name = "spans";
      ALLOW storage:spans:read;
      ALLOW storage:entities:read;
      ALLOW storage:fieldsets:read
  5. Select Create policy.

Users can now access all stored trace data and leverage it in Grail according to sensitive information permissions. To change which data users can access, you can modify environment-level data storage and user access to sensitive information.

Configure access to sensitive data

To configure access to sensitive information in compliance with your company's privacy policies

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. Go to Identity & access management > Policies.
  3. Select Create policy.
  4. Add the policy details:
    • Name
    • Description
    • Policy statement—use the following:
      • To give access to all sensitive fields
        ALLOW storage:fieldsets:read WHERE storage:fieldset-name="builtin-sensitive-spans"

        The fields' attributes are client.ip, db.connection_string, http.request.header.referer, url.full, url.query, and db.query.parameters. To learn more about the attributes, see Global field reference.

      • To give access to fields containing confidential request attributes
        ALLOW storage:fieldsets:read WHERE storage:fieldset-name="builtin-request-attributes-spans"
  5. Select Create policy.

Users can now access sensitive data according to the configured permissions.
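
A review check for the policy statements above, as an added example that is not part of the Dynatrace documentation: it parses statements in the forms shown on this page and reports which sensitive fieldsets a policy names in its WHERE clauses. How a storage:fieldsets:read statement without a WHERE clause is evaluated is not stated on this page, so the script only flags it for manual review; the function names and SAMPLE_POLICY are constructed for illustration.

```python
import re

# Fieldset names as given on this page.
SENSITIVE_FIELDSETS = {"builtin-sensitive-spans",
                       "builtin-request-attributes-spans"}
STATEMENT_RE = re.compile(
    r'^ALLOW\s+(?P<perms>[\w:,\s-]+?)(?:\s+WHERE\s+(?P<cond>.+))?$', re.S)
CONDITION_RE = re.compile(r'^([\w:-]+)\s*=\s*"([^"]*)"$')

# Constructed sample policy, built from statements shown on this page.
SAMPLE_POLICY = """
ALLOW storage:buckets:read WHERE storage:bucket-name = "spans";
ALLOW storage:spans:read;
ALLOW storage:fieldsets:read WHERE storage:fieldset-name="builtin-sensitive-spans"
"""


def parse_policy(text):
    """Parse 'ALLOW perm[, perm] [WHERE key = "value"];' as used on this page."""
    statements = []
    for raw in filter(None, (part.strip() for part in text.split(";"))):
        match = STATEMENT_RE.match(raw)
        if not match:
            raise ValueError(f"unsupported statement: {raw!r}")
        condition = None
        if match.group("cond"):
            cond = CONDITION_RE.match(match.group("cond").strip())
            if not cond:
                raise ValueError(f"unsupported condition: {raw!r}")
            condition = (cond.group(1), cond.group(2))
        perms = [p.strip() for p in match.group("perms").split(",")]
        statements.append((perms, condition))
    return statements


def audit_policy(text):
    """Report sensitive fieldsets named in WHERE clauses, and whether any
    storage:fieldsets:read statement has no WHERE clause."""
    named, unscoped = set(), False
    for perms, condition in parse_policy(text):
        if "storage:fieldsets:read" not in perms:
            continue
        key, value = condition or (None, None)
        if key is None:
            unscoped = True  # flagged for manual review, not interpreted
        elif key == "storage:fieldset-name" and value in SENSITIVE_FIELDSETS:
            named.add(value)
    return {"sensitive_fieldsets": sorted(named), "unscoped_read": unscoped}
```

Run audit_policy over the statement text of each policy before assigning it to a group; statements in any other form raise ValueError rather than being silently skipped.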

Manage Distributed Tracing app

To grant permissions to manage Distributed Tracing app options

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. Go to Identity & access management > Policies.
  3. Select Create policy.
  4. Add the policy details:
    • Name
    • Description
    • Policy statement—use the following:
      • To view segments

        ALLOW storage:filter-segments:read
      • To view log data

        ALLOW storage:logs:read
      • To manage facets

        ALLOW state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete
  5. Select Create policy.

Data storage and retention

Configure forwarding data to Grail

To configure which span data is stored and available in your latest Dynatrace environment

  1. Go to Settings > Server-side service monitoring > Attribute capturing.
  2. Select Blocked attributes > Add item.
  3. Enter the attribute key.
  4. Select Save changes.

Only attributes that are not blocked will be forwarded to Grail.

Create a custom bucket

The Dynatrace default retention period for spans is 10 days (default_span). You can create new buckets with custom retention periods to store trace data for specific purposes or for a longer time, up to 10 years.

  1. Go to Settings > Storage management > Bucket storage management > Bucket.
  2. Define the new bucket
    1. Enter a bucket name and the custom retention period (days).
    2. Choose the span bucket table type.
  3. Select Create.
  4. Select to refresh the bucket list.

You created a new bucket with a custom retention period for records of the data type span. Assign trace data to it to start retaining it according to your selection.

Assign trace data to a bucket

To store trace data in Grail, you need to assign it to a bucket via OpenPipeline.

  1. Go to OpenPipeline > Spans.
  2. Set the bucket as storage.
    1. Go to Pipelines.
    2. Choose an existing pipeline or create a new one.
    3. In the Storage stage, select Processor > Bucket assignment.
    4. Define the new processor
      1. Enter the processor name and the matching condition.
      2. Choose a bucket from the Storage drop-down list.
    5. Select Save.
  3. Route data to the bucket.
    1. Go to Dynamic routing.
    2. Choose an existing dynamic route or create a new one.
    3. Define the route
      1. Set the matching condition.
      2. Choose the pipeline containing the bucket.
    4. Select Save.

Trace data that matches the route and the pipeline conditions is assigned to the bucket and stored according to the specified retention period.