The following table describes the required permissions.
Make sure the app is installed in your environment.
Some one-time setup is necessary to make sure Privacy Rights functions correctly. We recommend you create a Privacy Rights request assignees group to assign all Privacy Rights users to, and a Privacy Rights request reviewers group with additional permissions for reviewers.
You can grant these permissions by assigning the groups the following IAM policies. Each policy should be bound to its group as an environment policy. Replace the placeholder value for iam:service-user-email with the email of your privacy-rights service user.
The following policy should be bound to the group as an environment policy. The group should also include the view logs permission for the environment. We recommend restricting app engine and app state permissions to the app ID, unless the user also needs access to other apps.
ALLOW app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW email:emails:send;
ALLOW storage:buckets:read;
ALLOW storage:logs:read;
ALLOW storage:fieldsets:read;
ALLOW state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW app-engine:functions:run;
ALLOW storage:logs:write;
The reviewers group should be bound to both the assignee policy above and the following reviewer-specific policy:
ALLOW storage:records:delete;
ALLOW iam:service-users:use WHERE iam:service-user-email = "YOUR-SERVICE-USER-EMAIL-HERE";
ALLOW automation:workflows:read;
ALLOW automation:workflows:write;
To configure the service user for Privacy Rights, see Create service users.
Make sure to name the user privacy-rights. The name must match exactly.
See Create policies based on a service user to learn how to create a policy that will be assigned to the service user.
Make sure you provide the following policy statement in the Policy statement field:
ALLOW app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW storage:records:delete;
ALLOW storage:fieldsets:read;
ALLOW storage:system:read;
ALLOW storage:logs:read;
ALLOW storage:events:read;
ALLOW storage:bizevents:read;
ALLOW storage:spans:read;
ALLOW storage:buckets:read;
ALLOW state:app-states:read;
ALLOW state:app-states:write;
ALLOW email:emails:send;
ALLOW storage:logs:write;
To find the email of your service user:
In Dynatrace, go to Account Management.
Select Identity & access management > Service users.
You will see an overview table with all of your service users.
In the Actions column, select > View Service User.
The email is listed as Service user email in the Details section.
To prevent users from accessing Privacy Rights, you can create a group with the following policy and add all users who shouldn't be able to export, delete, or access the sensitive data in the app to the group.
ALLOW app-engine:apps:run WHERE shared:app-id != 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id != 'dynatrace.privacy.rights';
DENY app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
DENY state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
DENY iam:service-users:use WHERE iam:service-user-email = "YOUR-SERVICE-USER-EMAIL-HERE";
IAM policies are additive, so make sure that no other policies including the ALLOW app-engine:apps:run or ALLOW state:app-states:{read, write, delete} permissions are active for these users.
They should also not have read access to audit logs in the default_logs or privacy_audit buckets (depending on your chosen audit logging configuration) or be granted state-management:app-states:delete, which would allow them to delete requests.
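The check described above can be scripted over the text of the other policies bound to a restricted user's groups. The following is an added example, not Dynatrace code: the function names and the sample policies are hypothetical, it only interprets the single shared:app-id comparisons used on this page, and it does not model Dynatrace's full policy evaluation.

```python
import re

APP_ID = "dynatrace.privacy.rights"
# Permissions the page says no other policy may grant to restricted users.
SENSITIVE = {"app-engine:apps:run", "state:app-states:read",
             "state:app-states:write", "state:app-states:delete"}
STMT = re.compile(r"^(ALLOW|DENY)\s+(.+?)(?:\s+WHERE\s+(.+))?$")
COND = re.compile(r"^shared:app-id\s*(!=|=)\s*['\"]([^'\"]+)['\"]$")

def parse(policy):
    """Split policy text into (effect, [permissions], condition or None)."""
    out = []
    for raw in policy.split(";"):
        raw = " ".join(raw.split())  # normalise whitespace and newlines
        if not raw:
            continue
        m = STMT.match(raw)
        if not m:
            raise ValueError(f"unparsed statement: {raw!r}")
        out.append((m.group(1), [p.strip() for p in m.group(2).split(",")], m.group(3)))
    return out

def covers_app(cond):
    """True if the condition can match APP_ID; unreadable conditions count as True."""
    m = COND.match(cond) if cond else None
    if not m:
        return True  # unconditioned, or a form this sketch does not interpret
    op, value = m.groups()
    return (value == APP_ID) if op == "=" else (value != APP_ID)

def findings(policies):
    """List (policy name, permission) for every ALLOW that reaches the app."""
    return [(name, p)
            for name, text in policies.items()
            for effect, perms, cond in parse(text)
            if effect == "ALLOW" and covers_app(cond)
            for p in perms if p in SENSITIVE]

# Constructed sample: policies bound to a restricted user's groups (names are made up).
SAMPLE = {
    "restrict-privacy-rights": "ALLOW app-engine:apps:run WHERE shared:app-id != 'dynatrace.privacy.rights';"
                               "DENY app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';",
    "legacy-app-user": "ALLOW app-engine:apps:run; ALLOW storage:logs:read;",
    "state-admin": "ALLOW state:app-states:read, state:app-states:delete;",
}

if __name__ == "__main__":
    for name, perm in findings(SAMPLE):
        print(f"{name}: ALLOW {perm} applies to {APP_ID}")
```

Any finding names a policy to remove from the user's groups or to scope with a shared:app-id condition that excludes the app.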
Privacy Rights empowers you to address and manage customer requests related to data subject rights under applicable data protection laws (for example, GDPR and CCPA/CPRA).
Privacy Rights helps you to:
The built-in workflows provide a straightforward method to search for data associated with end users. You can then review the retrieved data and make informed decisions about exporting or deleting it. The system also allows you to track and follow up on these requests through the request dashboard. Each step is documented with an audit trail to ensure compliance with your obligations.
Privacy Rights only supports export, deletion, and cleanup of logs from Grail.
Privacy Rights uses a multi-party access control model to protect your data. This requires setup of policies, groups, and a service user before first use of the app. See Prerequisites to learn more.
We recommend that you restrict access to the app, app state, service user, and audit logs to a small group of trusted users. The service user has extensive permissions and could be mistakenly or deliberately abused, for example, to delete a large volume of data. Users with access to the app state may be able to modify requests even if they don't have access to the app UI. To learn how to restrict access, see Restrict access and Audit Logs.