Get started with IAM

All examples here are based on the Settings 2.0 service. For a complete list of services supporting policy-based authorization, see IAM service reference.

Built-in policies

For every account, administrators have two built-in policies available for Settings 2.0 services:

Settings Reader: grants permission to read Dynatrace settings
Settings Writer: grants permission to write Dynatrace settings

To verify that you have these policies

REST API authentication

All IAM features can be accessed via REST API. The complete documentation of all the objects used within the API and all exposed endpoints can be found in the REST API Swagger doc. Here we will only cover the aspects regarding authentication of requests, which differs in Dynatrace SaaS and Dynatrace Managed deployments.

Example 1: read and write permission

Suppose you have the following teams in your organization:

The IT team is responsible for configuring the Dynatrace environment and making sure everything works.
The Sales team just needs to read the Dynatrace settings, and never modify them.

The IT team needs read and write access, while the sales team needs only read access.

Create two Dynatrace user groups

First, create a group named IT that has policies Settings Writer and Settings Reader.

Now repeat the above procedure to create a Sales group with read-only access:

Set the group name to Sales
Bind only the Settings Reader policy to it, because the sales team in this example does not need write access to Dynatrace settings.

Bind policies via web UI

Bind policies via REST API

Optionally, you can instead use the REST API to bind policies to a group.

To do so, you need the following values:

ID of each policy you want to bind
ID of each group to which you want to bind policies
ID of the environment for which you want to make changes (for details, see this guide)

In our example, suppose we have the following values:

The Settings Reader policy has ID settings_reader_id
The Settings writer policy has ID settings_writer_id
The Sales group ID is sales_group_id
The IT group ID is it_group_id
The environment has the ID my_environment_id

Now we need to create a body for the request for binding the policies. You can use either a PUT (for replacing policy bindings) or a POST (for appending policy bindings). Let's assume that we want to append the policies and use a POST.

In this example we use the /repo/{level-type}/{level-id}/bindings/{policy-uuid} endpoint from the PAP REST API. We need to proceed in two steps:

Bind the Settings Reader policy to both of our groups (IT and Sales).
Bind the Settings Writer policy only to the IT group.

The first request should then be sent on the /repo/environment/my_environment_id/bindings/settings_reader_id endpoint with the following body:

1{
2  "groups": [
3    "it_group_id",
4    "sales_group_id"
5  ]
6}

This grants read permission to both groups.

To add write permission to the IT group, we need to execute another POST request on the /repo/environment/my_environment_id/bindings/settings_writer_id endpoint with the following body:

1{
2  "groups": [
3    "it_group_id"
4  ]
5}

Congratulations, you've completed the binding of built-in policies via API!

Example 2: allow access to a particular schema

If the built-in policies are not granular enough for your needs, you can manage permissions at the setting level.

Assume that you have a particular Settings 2.0 schema, say settings.apm.my-super-secret-schema, the only one that you want to keep open for the Sales and IT groups.

You want to allow access to the following:

Allow reading of schema settings.apm.my-super-secret-schema
Allow reading and writing of objects belonging to the schema settings.apm.my-super-secret-schema

As before, we present two ways of obtaining this effect.

Create a policy via Dynatrace web UI

This procedure uses the Dynatrace web UI. To use the REST API instead, skip to Create a policy via REST API.

To create a policy

The policy is now added to your table of policies that you can bind to groups.

Create a policy via REST API

This procedure uses the REST API to do the same things we did in Create a policy via Dynatrace web UI.

To create a policy using the API, we will use the /repo/{level-type}/{level-id}/policies endpoint and use a POST method to add a policy.

Assume that the policy name we want to add is my_policy_name and the description is My policy description. As before, assume that we want this policy to apply only on the environment level for environment my_tenant_id.

The request body should be the following:

1{
2   "name":"my_policy_name",
3   "description":"My policy description",
4   "tags":[
5
6   ],
7   "statementQuery": "ALLOW settings:schemas:read WHERE settings:schemaId = \"builtin:container.monitoring-rule\"; ALLOW settings:objects:read WHERE settings:schemaId = \"builtin:container.monitoring-rule\"; ALLOW settings:objects:write WHERE settings:schemaId = \"builtin:container.monitoring-rule\";"
8}

Equivalently, using multiple permissions in a single statement, the request body should be the following:

1{
2   "name":"my_policy_name",
3   "description":"My policy description",
4   "tags":[
5
6   ],
7   "statementQuery": "ALLOW settings:schemas:read, settings:objects:read WHERE settings:schemaId = \"builtin:container.monitoring-rule\"; ALLOW settings:objects:write WHERE settings:schemaId = \"builtin:container.monitoring-rule\";"
8}

Enforce the policy

Important: Remember that a policy does not take effect until you bind it to a group. For this example, you need to bind it to the IT and Sales groups. See Bind policies via Dynatrace web UI or Bind policies via REST API for details.