The Workflows app, which is the frontend for the AutomationEngine, enables you to edit, manage, and run workflows in Dynatrace.
We recommend that administrators differentiate between regular users and administrators as follows.
If the required permission for a workflow task is missing, an attempt to execute this task results in a 403 Forbidden error.
Always make sure:
To enable or edit the AutomationEngine authorization settings
A Workflows user creates, edits, runs, and monitors workflows.
To access the Workflows app and view workflows, you need at least the following permissions.
app-engine:apps:run
automation:workflows:read
To write and execute workflows, the following additional permissions are required.
app-engine:functions:run
automation:workflows:run
automation:workflows:write
These permissions grant access to workflows themselves. To successfully run workflow tasks, the actor might need additional permissions.
A Workflows administrator can:
To administer workflows, you need the following permission on top of all user permissions.
automation:workflows:admin
To turn on admin mode in Workflows
Admin mode requires the automation:workflows:admin permission in addition to all regular user permissions. To step down from the administrator role and use Workflows as a regular user, disable Admin mode.
The initial owner of a workflow is the user who creates it. Right after a workflow is created, only the owner can view, manage, and execute the workflow.
To let others access a workflow, the owner has the following options:
automation:workflows:* permissions. Access to an execution depends on the workflow's ownership and its private/public configuration at the time the execution was started.
An administrator has access to all workflows and executions in an environment.
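The permission sets listed above and the ownership, visibility and administrator rules in the last few paragraphs can be combined into one access decision. The following Python block is an added example written for this page, not Dynatrace code: it is a simplified model of those rules (a request that lacks a listed permission gets a 403, administrators see everything, a private workflow is visible to its owner only, and an execution keeps the ownership and visibility it had when it was started). The permission names are the ones on this page; the `User`, `Workflow`, `authorize` and `start_execution` names, the user names and the treatment of "public" as "any user holding the permissions for the action" are assumptions of the example.

```python
from dataclasses import dataclass

# Permission sets as listed on this page.
VIEW_PERMS = frozenset({"app-engine:apps:run", "automation:workflows:read"})
WRITE_RUN_PERMS = VIEW_PERMS | {
    "app-engine:functions:run",
    "automation:workflows:run",
    "automation:workflows:write",
}
ADMIN_PERM = "automation:workflows:admin"

# Which permission set each action on a workflow (or execution) needs.
REQUIRED = {"view": VIEW_PERMS, "edit": WRITE_RUN_PERMS, "run": WRITE_RUN_PERMS}


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass
class Workflow:
    owner: str            # the creator is the initial owner
    public: bool = False  # a freshly created workflow is visible to its owner only


def start_execution(workflow):
    """Snapshot ownership and visibility as they are when the execution starts;
    later changes to the workflow do not affect access to this execution
    (modelling assumption based on the rule described above)."""
    return Workflow(owner=workflow.owner, public=workflow.public)


def missing_permissions(user, action):
    """Permissions the user lacks for the action (empty set means none missing)."""
    return set(REQUIRED[action] - user.permissions)


def authorize(user, resource, action):
    """Return (HTTP status, reason) for a user acting on a workflow or execution."""
    missing = missing_permissions(user, action)
    if missing:
        # A missing permission is what the page reports as 403 Forbidden.
        return 403, "missing permission(s): " + ", ".join(sorted(missing))
    if ADMIN_PERM in user.permissions:
        return 200, "administrator: access to all workflows and executions"
    if resource.owner == user.name:
        return 200, "owner"
    if resource.public:
        return 200, "public workflow"
    return 403, "private workflow owned by " + resource.owner


if __name__ == "__main__":
    # Constructed sample users; names are placeholders.
    alice = User("alice", WRITE_RUN_PERMS)
    bob = User("bob", VIEW_PERMS)
    wf = Workflow(owner="alice")
    print(authorize(bob, wf, "view"))   # private workflow: 403
    run = start_execution(wf)
    wf.public = True
    print(authorize(bob, wf, "view"))   # now public: 200
    print(authorize(bob, run, "view"))  # execution snapshot was private: 403
```

The last three calls show the rule about executions: making the workflow public afterwards does not expose an execution that was started while it was private, so an audit of who can read an execution's output has to look at the state at start time, not the current workflow settings.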
Every execution of a workflow task is performed in the context of a user.
To figure out the actor of a workflow
When you run a workflow in an environment for the first time, Dynatrace asks you to allow the AutomationEngine to run workflows on your behalf.
A user who updates a workflow is set as the actor automatically. This prevents a user from modifying a workflow so that it runs in another user's context and with that user's permissions.
By default, the workflow actor is the user who created the workflow. However, you can select a non-interactive service user as the actor of a workflow. This makes the workflow independent of the status of the user who maintains it. We highly recommend using service users as actors for all workflows that are worked on collaboratively and serve a production-grade use case.
Service users and their permissions are managed in Account Management. We highly recommend granting a service user only the permissions required for its intended usage scenarios.
To set the workflow actor to a service user
The user editing a workflow needs the iam:service-users:use permission to use a service user as an actor. In Account Management, you can create a policy as follows to allow only specific service users.
ALLOW iam:service-users:use WHERE iam:service-user-email IN ("<SERVICE_USER_1_EMAIL>", "<SERVICE_USER_2_EMAIL>");
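To see what the WHERE clause in that policy buys you, the following Python block, an added example written for this page rather than Dynatrace's own policy engine, parses statements of the shape shown above and evaluates which service users an editor could select as workflow actor. It compares the scoped policy with an unconditioned `ALLOW iam:service-users:use;`. The parser, the `parse_policy`, `is_allowed` and `usable_service_users` names, the acceptance of a statement without a WHERE clause and the e-mail addresses are assumptions of the example; only the permission name and condition key come from the page.

```python
import re

# One statement per line, in the shape shown on this page:
#   ALLOW <permission> WHERE <condition-key> IN ("v1", "v2");
# The WHERE clause is optional in this model (an unconditioned ALLOW).
STATEMENT_RE = re.compile(
    r"^\s*ALLOW\s+(?P<perm>\S+)"
    r"(?:\s+WHERE\s+(?P<key>[\w:.-]+)\s+IN\s*\((?P<values>[^)]*)\))?"
    r"\s*;\s*$"
)


def parse_policy(text):
    """Parse statements into a list of (permission, {condition_key: allowed_values})."""
    policy = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        m = STATEMENT_RE.match(line)
        if not m:
            # A malformed statement (e.g. a missing space before WHERE) is rejected
            # rather than silently granting something unintended.
            raise ValueError("unparseable statement: " + line.strip())
        conditions = {}
        if m.group("key"):
            values = {v.strip().strip('"') for v in m.group("values").split(",") if v.strip()}
            conditions[m.group("key")] = values
        policy.append((m.group("perm"), conditions))
    return policy


def is_allowed(policy, permission, context):
    """True if some statement grants the permission and every condition on it
    is satisfied by the request context."""
    return any(
        perm == permission
        and all(context.get(key) in values for key, values in conditions.items())
        for perm, conditions in policy
    )


def usable_service_users(policy, candidate_emails):
    """Service users an editor holding this policy may select as workflow actor."""
    return [
        email for email in candidate_emails
        if is_allowed(policy, "iam:service-users:use", {"iam:service-user-email": email})
    ]


# Constructed sample data (not real accounts).
CANDIDATES = ["wf-deploy@example.com", "wf-report@example.com", "admin-bot@example.com"]

# Scoped: editors may only pick the two named service users.
SCOPED_POLICY = (
    'ALLOW iam:service-users:use '
    'WHERE iam:service-user-email IN ("wf-deploy@example.com", "wf-report@example.com");'
)

# Broad: no WHERE clause, so any service user in the account can be made the actor
# of a workflow, including ones with far wider permissions than the editor holds.
BROAD_POLICY = "ALLOW iam:service-users:use;"

if __name__ == "__main__":
    print(usable_service_users(parse_policy(SCOPED_POLICY), CANDIDATES))
    print(usable_service_users(parse_policy(BROAD_POLICY), CANDIDATES))
```

Because a workflow's tasks run with the actor's permissions, the set of service users an editor may select is effectively the ceiling of what that editor can make a workflow do. Keeping the IN list to the service users a team actually needs, and keeping those service users' own permissions minimal as recommended above, is what bounds that ceiling.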