Try it free

DPS permissions

  • Latest Dynatrace
  • Reference
  • Published Jun 26, 2026

Dynatrace offers several features to help you understand your Dynatrace Platform Subscription costs (such as Account Management, DQL queries, and cost dashboards). To be able to use some of these features, you'll need to have a user account with specific permissions to retrieve data at the account, environment, or subscription level.

This page describes the permissions that you need to understand your DPS consumption and costs.

DPS permissions overview

The following table gives an overview of the different use cases and required permissions. The sections on this page describe each use case in more detail, such as setup instructions.

Use caseMethodRequired permissions

View DPS usage and cost in the UI

Account Management

Account Management permissions:

  • View account (read only)
  • View and manage account and billing information (read/write)

Query billing usage events with DQL

Billing usage events via Grail

IAM policy statement with:

  • storage:buckets:read (scoped to system events)
  • storage:system:read (scoped to billing events)

Retrieve usage data programmatically

Query Grail data via API

OAuth bearer token with:

  • storage:buckets:read (scoped to system events)
  • storage:system:read (scoped to billing events)

Export usage data via API

Account Management API

OAuth client with account-uac-read scope and subject user with account-viewer or account-company-info permission.

Allocate costs to cost centers or products

Cost Allocation

Account Management permissions:

  • View account (read only), or
  • View and manage account and billing information (read/write)

IAM policy statement with:

  • storage:buckets:read (scoped to system events)
  • storage:system:read (scoped to billing events)
  • Additional policies if you will access lookup tables

How to configure permissions

Account Management

License managers can view DPS consumption and cost directly in the Dynatrace UI under Account Management > Subscription > Overview > Cost and usage details > Usage summary.

To access this data, your user account must have one of the following Account Management permissions:

PermissionWhat you can do

View account

View DPS consumption, usage, and subscription history.

View and manage account and billing information

All of the above, plus Cost Management features.

These permissions are granted in Account Management by a license administrator with the View and manage users and groups permission. For more information, see Account Management permissions.

Billing usage events via DQL

Billing usage events (billing_usage_event) are system events emitted into the dt.system.events data space. You can query them with DQL to analyze DPS consumption without reapplying billing rules.

To query billing usage events, your user account must have the following IAM policy grants:

PermissionPurpose

storage:buckets:read

Read access to the dt_system_events bucket in Grail.

storage:system:read

Read system events, including billing usage events, from Grail.

To do this, include the following policy statements in the relevant IAM policy.

ALLOW storage:buckets:read WHERE storage:bucket-name="dt_system_events";
ALLOW storage:system:read WHERE storage:event.kind="BILLING_EVENT";

To configure an IAM policy, go to Account Management > Identity & Access Management > Policies, then create or edit a policy and assign it to the relevant user group. For more information, see Identity and access management (IAM).

Environment API - Grail Query

You can retrieve the same billing usage event data programmatically via the Environment API – Grail Query endpoint, using the same DQL queries as above.

To do this, create an OAuth bearer token that's scoped with the same IAM policies as for Billing usage events via DQL.

ALLOW storage:buckets:read WHERE storage:bucket-name="dt_system_events";
ALLOW storage:system:read WHERE storage:event.kind="BILLING_EVENT";

To set up an OAuth token, go to Account Management > > Platform tokens. For more information about OAuth token setup, see Platform tokens.

Account Management API

You can query DPS consumption programmatically via the Account Management API to integrate into external reportingor automate cost allocation.

To do this, create an OAuth client with the Allow read access for usage and consumption resources (account-uac-read) scope.

To create an OAuth client, go to Account Management > Identity & access management > OAuth clients. For more information, see Dynatrace Platform Subscription API - GET usage.

Cost Allocation

To view and manage Cost Allocation, you need an Account Management permission and an IAM policy. If you will access lookup data, additional IAM policies are also required.

  • Account Management: You can grant either read or write access.

    What you want to doView accountView and manage account and billing information

    View Cost Allocation Allow List

    Edit Cost Allocation Allow List

    View usage/cost extract in Account Management

    These permissions are granted in Account Management by a license administrator with the View and manage users and groups permission. For more information, see Account Management permissions.

  • IAM policy: The IAM default policy Read System Events needs to be assigned to the relevant user group. To do this, add the following policy statements.

    ALLOW storage:buckets:read WHERE storage:table-name = "dt.system.events";
    ALLOW storage:system:read;

    To configure an IAM policy, go to Account Management > Identity & Access Management > Policies, then create or edit a policy and assign it to the relevant user group. For more information, see Identity and access management (IAM).

  • Lookup data: To access lookup data, you also need to add the following policy statements.

    ALLOW storage:files:read WHERE storage:file-path startsWith "/lookups/";
    ALLOW storage:files:write WHERE storage:file-path startsWith "/lookups/";
    ALLOW storage:files:delete WHERE storage:file-path startsWith "/lookups/";

    For more information about lookup tables, see Lookup data in Grail.

Related topics

  • Account Management permissions
  • About Dynatrace licenses, accounts, environments, and users
  • Identity and access management (IAM)
  • Account Management
Related tags
Dynatrace PlatformDynatrace SignetDynatrace Platform Subscription