Privacy Rights


Permissions

The following table describes the required permissions.

Permission                  Description
storage:logs:read           Enables the app to query logs
storage:logs:write          Enables the app to write privacy audit logs
storage:buckets:read        Enables the app to list Grail buckets
state:app-states:read       Enables the app to read request data
state:app-states:write      Enables the app to store request data
state:app-states:delete     Enables the app to delete request policies

Installation

Make sure the app is installed in your environment.

Before you begin

Some one-time setup is necessary to make sure Privacy Rights functions correctly. We recommend creating a Privacy Rights request assignees group for all Privacy Rights users, and a Privacy Rights request reviewers group with additional permissions for reviewers.

You can grant these permissions by assigning the groups the following IAM policies. Each policy should be bound to its group as an environment policy. Replace the placeholder value for iam:service-user-email with the email of your privacy-rights service user.

Privacy rights request assignees

The following policy should be bound to the group as an environment policy. The group should also include the view logs permission for the environment. We recommend restricting app engine and app state permissions to the app ID, unless the user also needs access to other apps.

ALLOW app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW email:emails:send;
ALLOW storage:buckets:read;
ALLOW storage:logs:read;
ALLOW storage:fieldsets:read;
ALLOW state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW app-engine:functions:run;
ALLOW storage:logs:write;

Privacy Rights request reviewers

Bind both the assignee policy above and the following reviewer-specific policy to this group:

ALLOW storage:records:delete;
ALLOW iam:service-users:use WHERE iam:service-user-email = "YOUR-SERVICE-USER-EMAIL-HERE";
ALLOW automation:workflows:read;
ALLOW automation:workflows:write;

Create service user

To configure the service user for Privacy Rights, see Create service users. Name the user privacy-rights; the name must match exactly.

See Create policies based on a service user to learn how to create a policy that is assigned to the service user. Provide the following policy statement in the Policy statement field:

ALLOW app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW storage:records:delete;
ALLOW storage:fieldsets:read;
ALLOW storage:system:read;
ALLOW storage:logs:read;
ALLOW storage:events:read;
ALLOW storage:bizevents:read;
ALLOW storage:spans:read;
ALLOW storage:buckets:read;
ALLOW state:app-states:read;
ALLOW state:app-states:write;
ALLOW email:emails:send;
ALLOW storage:logs:write;

Service user email

To find the email of your service user:

  1. In Dynatrace, go to Account Management.

  2. Select Identity & access management > Service users.

    You will see an overview table with all of your service users.

  3. In the Actions column, open the actions menu and select View Service User.

  4. The email is listed as Service user email in the Details section.

Restrict access

To prevent users from accessing Privacy Rights, create a group with the following policy and add to it all users who should not be able to export, delete, or access the sensitive data handled by the app.

ALLOW app-engine:apps:run WHERE shared:app-id != 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id != 'dynatrace.privacy.rights';
DENY app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
DENY state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
DENY iam:service-users:use WHERE iam:service-user-email = "YOUR-SERVICE-USER-EMAIL-HERE";

IAM policies are additive, so make sure that no other policy bound to these users grants app-engine:apps:run or state:app-states:read, state:app-states:write, or state:app-states:delete without a shared:app-id condition that excludes the app; an unconditional ALLOW matches every app, including dynatrace.privacy.rights. These users should also not have read access to the audit logs in the default_logs or privacy_audit bucket (depending on your audit logging configuration), and must not be granted state:app-states:delete for the app, which would allow them to delete requests.
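The additive behaviour described above is easy to verify by hand for one policy and easy to miss across several. The following Python script is an added example, not part of the Dynatrace documentation or of the Privacy Rights app: it parses policy statements in the shape used on this page (ALLOW or DENY, a comma-separated permission list, an optional WHERE clause with = or != on a quoted value) and lists every ALLOW that would still grant app-engine:apps:run or state:app-states:* on the Privacy Rights app ID. The two policies named hypothetical-* and the app ID dynatrace.hypothetical.other are constructed for the demonstration. Whether a DENY in one policy overrides an ALLOW in another is deliberately not modelled; the script reports every matching ALLOW so you can review it.

```python
"""Check the 'IAM policies are additive' caveat for the Privacy Rights app.

Parses Dynatrace policy statements in the shape used on this page and lists
every ALLOW that grants app-engine:apps:run or state:app-states:* on the
Privacy Rights app ID, since any such ALLOW undoes the Restrict access policy.
"""
import re
from dataclasses import dataclass
from typing import Optional

PRIVACY_APP_ID = "dynatrace.privacy.rights"

# Permissions the Restrict access section says restricted users must not hold for this app.
WATCHED = frozenset({
    "app-engine:apps:run",
    "state:app-states:read",
    "state:app-states:write",
    "state:app-states:delete",
})

# ALLOW|DENY perm[, perm ...] [WHERE key = | != "value"];
STATEMENT_RE = re.compile(
    r"""^(?P<effect>ALLOW|DENY)\s+
        (?P<perms>[\w:\-]+(?:\s*,\s*[\w:\-]+)*)
        (?:\s+WHERE\s+(?P<key>[\w:\-]+)\s*(?P<op>!?=)\s*
           (?P<q>['"])(?P<val>[^'"]*)(?P=q))?
        \s*;$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class Statement:
    effect: str
    permissions: frozenset
    key: Optional[str] = None
    op: Optional[str] = None
    value: Optional[str] = None
    source: str = ""  # name of the policy the statement came from

    def applies_to(self, permission: str, app_id: str) -> bool:
        """True if this statement matches a request for `permission` on `app_id`."""
        if permission not in self.permissions:
            return False
        if self.key is None:
            return True  # unconditional: matches every app ID
        if self.key != "shared:app-id":
            return True  # a condition on another key does not scope the app ID; treat as matching
        if self.op == "=":
            return self.value == app_id
        return self.value != app_id  # op is "!="


def parse_policy(name: str, text: str) -> list:
    """Parse one policy body, one statement per line, into Statement objects."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATEMENT_RE.match(line)
        if m is None:
            raise ValueError(f"{name}: unparseable statement: {line!r}")
        perms = frozenset(p.strip() for p in m["perms"].split(","))
        statements.append(Statement(m["effect"], perms, m["key"], m["op"], m["val"], name))
    return statements


def offending_allows(statements, app_id: str = PRIVACY_APP_ID) -> list:
    """ALLOW statements granting a watched permission on app_id. Access is modelled as
    the union of matching ALLOWs; DENY precedence across policies is not modelled."""
    return [s for s in statements
            if s.effect == "ALLOW" and any(s.applies_to(p, app_id) for p in WATCHED)]


def audit(policies: dict, app_id: str = PRIVACY_APP_ID) -> list:
    """Return (policy name, sorted permissions) for every offending ALLOW across `policies`."""
    statements = [s for name, body in policies.items() for s in parse_policy(name, body)]
    return [(s.source, sorted(s.permissions)) for s in offending_allows(statements, app_id)]


# Constructed sample: the Restrict access policy from this page plus two hypothetical
# policies (invented names and app ID) that might also be bound to the same users.
SAMPLE_POLICIES = {
    "restrict-privacy-rights": """
ALLOW app-engine:apps:run WHERE shared:app-id != 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id != 'dynatrace.privacy.rights';
DENY app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
DENY state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
""",
    # Unconditional ALLOW: matches every app ID, including the Privacy Rights app.
    "hypothetical-all-apps": """
ALLOW app-engine:apps:run;
ALLOW storage:logs:read;
""",
    # Correctly scoped to another app: does not reach the Privacy Rights app.
    "hypothetical-other-app": """
ALLOW app-engine:apps:run WHERE shared:app-id = 'dynatrace.hypothetical.other';
ALLOW state:app-states:read, state:app-states:write WHERE shared:app-id = 'dynatrace.hypothetical.other';
""",
}

if __name__ == "__main__":
    for source, perms in audit(SAMPLE_POLICIES):
        print(f"{source}: ALLOW {', '.join(perms)} reaches {PRIVACY_APP_ID}")
```

Run against the sample, only hypothetical-all-apps is reported: its unconditional ALLOW app-engine:apps:run reaches the Privacy Rights app even though the restrict policy is also bound. To use it for real, paste the statements of every policy bound to the restricted group (directly or through other groups) into the dictionary; a statement outside the simple shape parsed here raises ValueError rather than being silently skipped.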

Privacy Rights empowers you to address and manage customer requests related to data subject rights under applicable data protection laws (for example, GDPR and CCPA/CPRA).

The built-in workflows provide a straightforward method to search for data associated with end users. You can then review the retrieved data and make informed decisions about exporting or deleting it. You can also track and follow up on these requests through the request dashboard. Each step is recorded in an audit trail so that you can demonstrate compliance with your obligations.

Privacy Rights only supports export, deletion, and cleanup of logs stored in Grail.

Privacy Rights uses a multi-party access control model to protect your data, which requires policies, groups, and a service user to be set up before the app is first used. See Prerequisites to learn more.
We recommend restricting access to the app, its app state, the service user, and the audit logs to a small group of trusted users. The service user holds extensive permissions and could be abused, mistakenly or deliberately, for example to delete a large volume of data. Users with access to the app state may be able to modify requests even if they don't have access to the app UI. To learn how to restrict access, see Restrict access and Audit Logs.

Create a request to review and export personal data about a specific end user. The overview includes details of all requests, including the relevant user identifier, assignees and reviewers, the current status of each request, and the defined due date. Audit logs and request policies can be accessed and managed from this page.

In the export request form, you specify the user details such as user type, a user identifier to search for matching data in Grail, and the scope of the search in Grail (the timeframe and log buckets).

The data matching the executed query is returned and can be viewed by number of log records, volume, data residency, and number of systems. The reviewer can then approve or reject export of this data.
