Dynatrace offers several features to help you understand your Dynatrace Platform Subscription costs (such as Account Management, DQL queries, and cost dashboards). To be able to use some of these features, you'll need to have a user account with specific permissions to retrieve data at the account, environment, or subscription level.
This page describes the permissions that you need to understand your DPS consumption and costs.
The following table gives an overview of the different use cases and required permissions. The sections on this page describe each use case in more detail, such as setup instructions.
| Use case | Method | Required permissions |
|---|---|---|
View DPS usage and cost in the UI | Account Management | Account Management permissions:
|
Query billing usage events with DQL | Billing usage events via Grail | IAM policy statement with:
|
Retrieve usage data programmatically | Query Grail data via API | OAuth bearer token with:
|
Export usage data via API | Account Management API | OAuth client with |
Allocate costs to cost centers or products | Cost Allocation | Account Management permissions:
IAM policy statement with:
|
License managers can view DPS consumption and cost directly in the Dynatrace UI under Account Management > Subscription > Overview > Cost and usage details > Usage summary.
To access this data, your user account must have one of the following Account Management permissions:
| Permission | What you can do |
|---|---|
View account | View DPS consumption, usage, and subscription history. |
View and manage account and billing information | All of the above, plus Cost Management features. |
These permissions are granted in Account Management by a license administrator with the View and manage users and groups permission. For more information, see Account Management permissions.
Billing usage events (billing_usage_event) are system events emitted into the dt.system.events data space. You can query them with DQL to analyze DPS consumption without reapplying billing rules.
To query billing usage events, your user account must have the following IAM policy grants:
| Permission | Purpose |
|---|---|
| Read access to the |
| Read system events, including billing usage events, from Grail. |
To do this, include the following policy statements in the relevant IAM policy.
ALLOW storage:buckets:read WHERE storage:bucket-name="dt_system_events";ALLOW storage:system:read WHERE storage:event.kind="BILLING_EVENT";
To configure an IAM policy, go to Account Management > Identity & Access Management > Policies, then create or edit a policy and assign it to the relevant user group. For more information, see Identity and access management (IAM).
You can retrieve the same billing usage event data programmatically via the Environment API – Grail Query endpoint, using the same DQL queries as above.
To do this, create an OAuth bearer token that's scoped with the same IAM policies as for Billing usage events via DQL.
ALLOW storage:buckets:read WHERE storage:bucket-name="dt_system_events";ALLOW storage:system:read WHERE storage:event.kind="BILLING_EVENT";
To set up an OAuth token, go to Account Management > > Platform tokens. For more information about OAuth token setup, see Platform tokens.
You can query DPS consumption programmatically via the Account Management API to integrate into external reportingor automate cost allocation.
To do this, create an OAuth client with the Allow read access for usage and consumption resources (account-uac-read) scope.
To create an OAuth client, go to Account Management > Identity & access management > OAuth clients. For more information, see Dynatrace Platform Subscription API - GET usage.
To view and manage Cost Allocation, you need an Account Management permission and an IAM policy. If you will access lookup data, additional IAM policies are also required.
Account Management: You can grant either read or write access.
| What you want to do | View account | View and manage account and billing information |
|---|---|---|
View Cost Allocation Allow List | ||
Edit Cost Allocation Allow List | ||
View usage/cost extract in Account Management |
These permissions are granted in Account Management by a license administrator with the View and manage users and groups permission. For more information, see Account Management permissions.
IAM policy: The IAM default policy Read System Events needs to be assigned to the relevant user group. To do this, add the following policy statements.
ALLOW storage:buckets:read WHERE storage:table-name = "dt.system.events";ALLOW storage:system:read;
To configure an IAM policy, go to Account Management > Identity & Access Management > Policies, then create or edit a policy and assign it to the relevant user group. For more information, see Identity and access management (IAM).
Lookup data: To access lookup data, you also need to add the following policy statements.
ALLOW storage:files:read WHERE storage:file-path startsWith "/lookups/";ALLOW storage:files:write WHERE storage:file-path startsWith "/lookups/";ALLOW storage:files:delete WHERE storage:file-path startsWith "/lookups/";
For more information about lookup tables, see Lookup data in Grail.