IAM Policy reference
Below is a complete reference of IAM permissions and corresponding conditions applicable to Dynatrace services. Refer to it when you need to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.
app-engine
AppEngine
app-engine:apps:install
Grants permission to install and update apps
conditions:
shared:app-id
- The ID of the app.
operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:app-installer
- The ID of the user that installed the app.
operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:apps:run
Grants permission to list and run apps and gives basic access to the Launcher
conditions:
shared:app-id
- The ID of the app.
operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:app-installer
- The ID of the user that installed the app.
operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:apps:delete
Grants permission to uninstall apps
conditions:
shared:app-id
- The ID of the app.
operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:app-installer
- The ID of the user that installed the app.
operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:functions:run
Grants permission to use the function-executor
app-engine:edge-connects:read
Grants permission to read EdgeConnects
app-engine:edge-connects:write
Grants permission to write EdgeConnects
app-engine:edge-connects:delete
Grants permission to delete EdgeConnects
app-settings
App Settings service
app-settings:objects:read
Grants permission to read app settings objects belonging to the schema
conditions:
settings:schemaId
- A string that uniquely identifies a single app settings schema. The identifier of a schema can be found in the info box of a settings screen. The condition will match if the object's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
app-settings:objects:write
Grants permission to write settings objects belonging to the schema
conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can be found in the info box of a settings screen. The condition will match if the object's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
automation
Automation Server
automation:workflows:read
Grants permission to read workflows
automation:workflows:write
Grants permission to write workflows
automation:workflows:run
Grants permission to execute workflows
automation:workflows:admin
Grants admin permissions for workflows.
automation:rules:read
Grants permission to read scheduling rules
automation:rules:write
Grants permission to write scheduling rules
automation:calendars:read
Grants permission to read business calendars
automation:calendars:write
Grants permission to write business calendars
cloudautomation
Cloud Automation service
cloudautomation:resources:read
Grants permission to read resources stored in the Git repository
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:resources:write
Grants permission to write/edit resources stored in the Git repository
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:resources:delete
Grants permission to delete resources stored in the Git repository
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:metadata:read
Grants permission to read metadata of Cloud Automation
cloudautomation:events:read
Grants permission to read events in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:event
- A string that uniquely identifies your Cloud Automation event type.
operators: IN, =, !=
cloudautomation:events:write
Grants permission to send events to Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:event
- A string that uniquely identifies your Cloud Automation event type.
operators: IN, =, !=
cloudautomation:logs:read
Grants permission to read logs of Cloud Automation
cloudautomation:logs:write
Grants permission to write logs for Cloud Automation
cloudautomation:projects:read
Grants permission to read projects in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:projects:write
Grants permission to write/edit projects in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:projects:delete
Grants permission to delete projects in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stages:read
Grants permission to read stages in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:services:read
Grants permission to read services in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:services:write
Grants permission to write/edit services in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:services:delete
Grants permission to delete services in Cloud Automation
conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
operators: IN, =, !=
cloudautomation:integrations:read
Grants permission to read integrations used in Cloud Automation
cloudautomation:integrations:write
Grants permission to write/edit integrations used in Cloud Automation
cloudautomation:integrations:delete
Grants permission to delete integrations used in Cloud Automation
cloudautomation:secrets:read
Grants permission to read secrets used in Cloud Automation
cloudautomation:secrets:write
Grants permission to write secrets used in Cloud Automation
cloudautomation:secrets:delete
Grants permission to delete secrets used in Cloud Automation
cloudautomation:instance:manage
Grants permission to manage a Cloud Automation instance
cloudautomation:statistics:read
Grants permission to read the usage statistics of a Cloud Automation instance
davis
Davis service
davis:analyzers:read
Grants permission to view Davis analyzers
davis:analyzers:execute
Grants permission to execute Davis analyzers
davis-copilot
Davis CoPilot exposes generative AI capabilities in Dynatrace
davis-copilot:conversations:execute
Grants permission to interact with the Davis CoPilot conversational interface
davis-copilot:nl2dql:execute
Grants permission to execute the Natural Language to DQL generative AI capability
deployment
Deployment service
deployment:activegates.network-zones:write
Grants permission to write ActiveGate network zones
deployment:activegates.groups:write
Grants permission to write ActiveGate groups
deployment:oneagents.network-zones:write
Grants permission to write OneAgent network zones
deployment:oneagents.host-groups:write
Grants permission to write OneAgent host groups
deployment:oneagents.host-tags:write
Grants permission to write OneAgent host tags
deployment:oneagents.host-properties:write
Grants permission to write OneAgent host properties
deployment:oneagents.communication-settings:write
Grants permission to write OneAgent communication settings
dev-obs
Developer Observability
dev-obs:breakpoint:set
Grants permission to set breakpoints using the DevObs live debugger
conditions:
dev-obs:k8s.deployment.name
- Kubernetes deployment names of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:k8s.namespace.name
- Kubernetes namespaces of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:host.group.name
- Host groups of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:process.group.name
- Process groups of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:breakpoints:set
Grants permission to set breakpoints using the DevObs live debugger
conditions:
dev-obs:k8s.deployment.name
- Kubernetes deployment names of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:k8s.namespace.name
- Kubernetes namespaces of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:host.group.name
- Host groups of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:process.group.name
- Process groups of the agents where the user is allowed to set breakpoints
operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
dev-obs:breakpoint:manage
Grants permission to manage breakpoints set in the DevObs live debugger
dev-obs:breakpoints:manage
Grants permission to manage breakpoints set in the DevObs live debugger
document
Document service
document:documents:write
Grants permission to create and update documents of the document service
document:documents:read
Grants permission to read documents of the document service
document:documents:delete
Grants permission to delete documents of the document service
document:documents:admin
Grants admin permissions for documents of the document service
document:environment-shares:read
Grants permission to read environment shares of the document service
document:environment-shares:write
Grants permission to create and update environment shares of the document service
document:environment-shares:claim
Grants permission to claim environment shares of the document service
document:environment-shares:delete
Grants permission to delete environment shares of the document service
document:direct-shares:delete
Grants permission to delete direct shares of the document service
document:direct-shares:read
Grants permission to read direct shares of the document service
document:direct-shares:write
Grants permission to create and update direct shares of the document service
document:trash.documents:read
Grants permission to read deleted documents of the document service
document:trash.documents:delete
Grants permission to remove deleted documents from the trash of the document service
document:trash.documents:restore
Grants permission to restore deleted documents from the trash of the document service
email
API for sending emails
email:emails:send
Grants permission to send emails from @apps.dynatrace.com with the send email API
environment
Environment and management zone user permissions. See Migrate role-based permissions to Dynatrace IAM for more information.
Role IAM permissions work the same way as classic roles do, which means that the environment:roles:viewer permission is part of every other role permission. For example, a policy granting the environment:roles:manage-settings permission also allows a user to access the web UI.
environment:roles:viewer
Grants user the Access environment permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on the management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:manage-settings
Grants user the Change monitoring settings permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:agent-install
Grants user the Download/install OneAgent permission. Users who have this permission assigned are also able to view monitoring data for all management zones.
environment:roles:view-sensitive-request-data
Grants user the View sensitive request data permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:configure-request-capture-data
Grants user the Configure capture of sensitive data permission. Users who have this permission assigned are also able to view monitoring data for all management zones.
environment:roles:replay-sessions-without-masking
Grants user the Replay session data without masking permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:replay-sessions-with-masking
Grants user the Replay session data permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:manage-security-problems
Grants user the Manage security problems permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:view-security-problems
Grants user the View security problems permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:logviewer
Grants user the View logs permission.
conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=
extensions
Extensions service
extensions:definitions:read
Grants permission to read extension and environment configurations
conditions:
extensions:extension-name
- A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
extensions:definitions:write
Grants permission to write (update/create/delete) extension and environment configurations
conditions:
extensions:extension-name
- A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
extensions:configurations:read
Grants permission to read extension monitoring configurations
conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment
operators: IN, =
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment
operators: IN, =
extensions:ag-group
- A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
operators: IN, =
extensions:management-zone
- A string that uniquely identifies a single management zone for monitoring configuration assignment
operators: IN, =
extensions:extension-name
- A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
extensions:configurations:write
Grants permission to write (update/create/delete) extension monitoring configurations
conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment
operators: IN, =
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment
operators: IN, =
extensions:ag-group
- A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
operators: IN, =
extensions:management-zone
- A string that uniquely identifies a single management zone for monitoring configuration assignment
operators: IN, =
extensions:extension-name
- A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
extensions:configuration.actions:write
Grants permission to execute actions for an extension
conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment
operators: IN, =
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment
operators: IN, =
extensions:ag-group
- A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
operators: IN, =
extensions:management-zone
- A string that uniquely identifies a single management zone for monitoring configuration assignment
operators: IN, =
extensions:extension-name
- A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
geolocation
Geolocation Service
geolocation:locations:lookup
Grants permission to look up geolocations for IP addresses.
hub
Hub provides catalog content, such as Dynatrace Apps, Extensions, and Technologies, in the context of the environment.
hub:catalog:read
Grants permission to read the hub catalog content.
hyperscaler-authentication
Hyperscaler authentication service
hyperscaler-authentication:aws:authenticate
Grants permission to authenticate against AWS.
iam
IAM
iam:service-users:use
Allows (or denies) using service users
conditions:
iam:service-user-email
- Email addresses of service users
operators: IN, =
identity-federation
Identity federation service
identity-federation:account-federation:read
Enables reading federation details and downloading federation Service Provider metadata.
identity-federation:account-federation:write
Enables creating, updating and deleting federations.
identity-federation:account:read
Enables reading the account card to review configuration of the account.
identity-federation:account:write
Enables the setting and clearing of the default federation for the account.
identity-federation:federated-domain:write
Enables the creation, updating, and deletion of federated domains in the account. Federated domains participate in federation discovery.
identity-federation:environment:read
Enables reading the environment card to review the configuration applied to the environment.
identity-federation:environment:write
Enables configuring federation discovery on the environment level in the account.
notification
API for sending notifications
notification:self-notifications:read
Grants permission to read self notifications.
notification:self-notifications:write
Grants permission to write self notifications.
oauth2
Authorization of OAuth token issuing actions (token exchange)
oauth2:clients:manage
Allows management of light OAuth clients
conditions:
oauth2:scopes
- Requested scopes for the generated OAuth clients
operators: =, NOT IN
openpipeline
OpenPipeline
openpipeline:configurations:read
Grants permission to read the OpenPipeline configuration
openpipeline:configurations:write
Grants permission to write the OpenPipeline configuration
settings
Settings service
settings:objects:read
Enables reading of settings objects belonging to the schema
conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
settings:schemaGroup
- A schema group that allows addressing multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
operators: IN, =
settings:entity.hostGroup
- The host group attribute of an entity for which a setting is stored. This is useful, for example, to grant access to the settings scopes of all hosts that belong to the same host group.
operators: IN, =, !=
settings:scope
- The exact scope identifier a settings object has or will have. This condition allows granting access to the scope of, for example, an individual host. In this case the scope equals the entity identifier, for example HOST-48B8F52F33098830.
operators: IN, =, !=, startsWith, NOT startsWith
environment:management-zone
- The name of a management zone. This condition is applicable either to any settings object that is allowed on the scope of an entity that can be matched into a management zone, or to settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
operators: IN, =, startsWith
settings:objects:write
Enables writing of settings objects belonging to the schema
conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
settings:schemaGroup
- A schema group that allows addressing multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
operators: IN, =
settings:entity.hostGroup
- The host group attribute of an entity for which a setting is stored. This is useful, for example, to grant access to the settings scopes of all hosts that belong to the same host group.
operators: IN, =, !=
settings:scope
- The exact scope identifier a settings object has or will have. This condition allows granting access to the scope of, for example, an individual host. In this case the scope equals the entity identifier, for example HOST-48B8F52F33098830.
operators: IN, =, !=, startsWith, NOT startsWith
environment:management-zone
- The name of a management zone. This condition is applicable either to any settings object that is allowed on the scope of an entity that can be matched into a management zone, or to settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
operators: IN, =, startsWith
settings:schemas:read
Enables reading settings schemas
conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
settings:schemaGroup
- A schema group that allows addressing multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property matches.
operators: IN, =
slo
SLO service
slo:slos:read
Grants permission to read Service-Level Objectives
slo:slos:write
Grants permission to write Service-Level Objectives
slo:objective-templates:read
Grants permission to read Service-Level Objectives Templates
state
Platform State Service
state:app-states:read
Grants permission to read app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:app-states:write
Grants permission to write app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:app-states:delete
Grants permission to delete app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:user-app-states:read
Grants permission to read user-app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:user-app-states:write
Grants permission to write user-app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:user-app-states:delete
Grants permission to delete user-app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state-management
State Management - Clear app-states and user-app-states of specific apps.
state-management:app-states:delete
Grants permission to delete all app-states
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state-management:user-app-states:delete
Grants permission to delete user-app-states of the current user
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state-management:user-app-states:delete-all
Grants permission to delete user-app-states of all users
conditions:
shared:app-id
- The ID of the app.
operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
storage
Grail
storage:events:read
Grants permission to read records from the events-table
conditions:
storage:bucket-name
- This condition reduces the effect of the record-level permission to a defined list of buckets.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:event.kind
- Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
operators: =, IN, startsWith
storage:event.type
- The unique type identifier of a given event.
operators: =, IN, startsWith
storage:event.provider
- Source of the event, for example the name of the component or system that generated the event.
operators: =, IN, startsWith
storage:k8s.namespace.name
- The name of the namespace that the pod is running in.
operators: =, IN, startsWith
storage:k8s.cluster.name
- The name of the cluster that the pod is running in.
operators: =, IN, startsWith
storage:host.name
- Name of the host.
operators: =, IN, startsWith
storage:dt.host_group.id
- ID of the host group.
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:gcp.project.id
- Google Cloud Platform Project ID.
operators: =, IN, startsWith
storage:aws.account.id
- Amazon Web Services Account ID.
operators: =, IN, startsWith
storage:azure.subscription
- Azure subscription.
operators: =, IN, startsWith
storage:azure.resource.group
- Azure resource group.
operators: =, IN, startsWith
storage:events:write
Grants permission to write events to Grail
storage:metrics:read
Grants permission to read time series from the metrics-table
conditions:
storage:bucket-name
- This condition reduces the effect of the record-level permission to a defined list of buckets.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:k8s.namespace.name
- The name of the namespace that the pod is running in.
operators: =, IN, startsWith
storage:k8s.cluster.name
- The name of the cluster that the pod is running in.
operators: =, IN, startsWith
storage:host.name
- Name of the host.
operators: =, IN, startsWith
storage:dt.host_group.id
- ID of the host group.
operators: =, IN, startsWith
storage:metric.key
- The identifier of a metric, grouping numeric measurements that share the same measurement semantics (that is, were measured "the same way").
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:gcp.project.id
- Google Cloud Platform Project ID.
operators: =, IN, startsWith
storage:aws.account.id
- Amazon Web Services Account ID.
operators: =, IN, startsWith
storage:azure.subscription
- Azure subscription.
operators: =, IN, startsWith
storage:azure.resource.group
- Azure resource group.
operators: =, IN, startsWith
storage:metrics:write
Grants permission to write metrics from 2nd gen to Grail and from 3rd gen to 2nd gen storage
storage:logs:read
Grants permission to read records from the logs-table
conditions:
storage:bucket-name
- This condition reduces the effect of the record-level permission to a defined list of buckets.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:k8s.namespace.name
- The name of the namespace that the pod is running in.
operators: =, IN, startsWith
storage:k8s.cluster.name
- The name of the cluster that the pod is running in.
operators: =, IN, startsWith
storage:host.name
- Name of the host.
operators: =, IN, startsWith
storage:dt.host_group.id
- ID of the host group.
operators: =, IN, startsWith
storage:log.source
- The location where the log comes from.
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:gcp.project.id
- Google Cloud Platform Project ID.
operators: =, IN, startsWith
storage:aws.account.id
- Amazon Web Services Account ID.
operators: =, IN, startsWith
storage:azure.subscription
- Azure subscription.
operators: =, IN, startsWith
storage:azure.resource.group
- Azure resource group.
operators: =, IN, startsWith
storage:logs:write
Grants permission to write logs to Grail
storage:entities:read
Grants permission to read records from entities
conditions:
storage:entity.type
- The type of the entity.
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:spans:read
Grants permission to read records from the spans-table
conditions:
storage:bucket-name
- This condition reduces the effect of the record-level permission to a defined list of buckets.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:k8s.namespace.name
- The name of the namespace that the pod is running in.
operators: =, IN, startsWith
storage:k8s.cluster.name
- The name of the cluster that the pod is running in.
operators: =, IN, startsWith
storage:host.name
- Name of the host.
operators: =, IN, startsWith
storage:dt.host_group.id
- ID of the host group.
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:gcp.project.id
- Google Cloud Platform Project ID.
operators: =, IN, startsWith
storage:aws.account.id
- Amazon Web Services Account ID.
operators: =, IN, startsWith
storage:azure.subscription
- Azure subscription.
operators: =, IN, startsWith
storage:azure.resource.group
- Azure resource group.
operators: =, IN, startsWith
storage:bizevents:read
Grants permission to read records from the bizevents-table
conditions:
storage:bucket-name
- This condition reduces the effect of the record-level permission to a defined list of buckets.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:event.kind
- Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
operators: =, IN, startsWith
storage:event.type
- The unique type identifier of a given event.
operators: =, IN, startsWith
storage:event.provider
- Source of the event, for example the name of the component or system that generated the event.
operators: =, IN, startsWith
storage:k8s.namespace.name
- The name of the namespace that the pod is running in.
operators: =, IN, startsWith
storage:k8s.cluster.name
- The name of the cluster that the pod is running in.
operators: =, IN, startsWith
storage:host.name
- Name of the host.
operators: =, IN, startsWith
storage:dt.host_group.id
- ID of the host group.
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:gcp.project.id
- Google Cloud Platform Project ID.
operators: =, IN, startsWith
storage:aws.account.id
- Amazon Web Services Account ID.
operators: =, IN, startsWith
storage:azure.subscription
- Azure subscription.
operators: =, IN, startsWith
storage:azure.resource.group
- Azure resource group.
operators: =, IN, startsWith
storage:system:read
Grants permission to read records from all system tables (for example, dt.system.events).
conditions:
storage:bucket-name
- This condition reduces the effect of the record-level permission to a defined list of buckets.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:event.kind
- Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
operators: =, IN, startsWith
storage:event.type
- The unique type identifier of a given event.
operators: =, IN, startsWith
storage:event.provider
- Source of the event, for example the name of the component or system that generated the event.
operators: =, IN, startsWith
storage:dt.security_context
- Custom field for security context.
operators: =, IN, startsWith
storage:buckets:read
Grants permission to read records from Grail buckets. Required in addition to a table permission (such as storage:logs:read); the table permission alone does not grant access to any bucket.
conditions:
storage:table-name
- Table name of the bucket that can be accessed.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:bucket-name
- Name of the bucket that can be accessed.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
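The table permissions above (storage:logs:read, storage:metrics:read, storage:spans:read, storage:bizevents:read) are record-level grants, and reading anything from Grail additionally requires storage:buckets:read with its own storage:table-name and storage:bucket-name conditions. The following Python model is added here as an illustration of how those two requirements and the listed operators combine; it is not Dynatrace's own code or policy syntax. It assumes that several conditions on one statement are ANDed, that separate statements are unioned, and that a record lacking the attribute a condition refers to never satisfies that condition. The policy, records, bucket names and namespaces are constructed for the example.

```python
# Added example (not Dynatrace code): a model of how storage:* table permissions,
# storage:buckets:read and their record-level conditions combine.
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, Tuple

# The operators the page lists for storage:bucket-name and storage:table-name;
# the k8s/host/cloud conditions only offer =, IN and startsWith.
OPERATORS: Dict[str, Callable[[str, Any], bool]] = {
    "=": lambda value, arg: value == arg,
    "!=": lambda value, arg: value != arg,
    "IN": lambda value, arg: value in arg,
    "NOT IN": lambda value, arg: value not in arg,
    "startsWith": lambda value, arg: value.startswith(arg),
    "NOT startsWith": lambda value, arg: not value.startswith(arg),
}

Condition = Tuple[str, str, Any]  # (condition key, operator, argument)


@dataclass(frozen=True)
class Statement:
    """One ALLOW statement: a set of permissions scoped by zero or more conditions.
    Assumption: several conditions on one statement are ANDed."""
    permissions: frozenset
    conditions: Tuple[Condition, ...] = ()


# Table permission a record needs, by table (taken from the page).
TABLE_PERMISSION = {
    "logs": "storage:logs:read",
    "metrics": "storage:metrics:read",
    "spans": "storage:spans:read",
    "bizevents": "storage:bizevents:read",
}


def condition_holds(record: Dict[str, Any], cond: Condition) -> bool:
    key, op, arg = cond
    if key not in record:
        # Assumption: a record without the attribute never satisfies a condition on it,
        # so a host log with no k8s.namespace.name stays outside a namespace-scoped grant.
        return False
    return OPERATORS[op](record[key], arg)


def allows(policy: Iterable[Statement], permission: str, record: Dict[str, Any]) -> bool:
    """Any statement that grants the permission with all its conditions met allows it."""
    return any(
        permission in stmt.permissions and all(condition_holds(record, c) for c in stmt.conditions)
        for stmt in policy
    )


def can_read(policy: Iterable[Statement], record: Dict[str, Any]) -> bool:
    """A read needs the table permission AND storage:buckets:read, each within its own conditions."""
    policy = list(policy)
    table_perm = TABLE_PERMISSION[record["storage:table-name"]]
    return allows(policy, table_perm, record) and allows(policy, "storage:buckets:read", record)


# Constructed policy: logs of two namespaces, but only from buckets named prod_*.
SCOPED_POLICY = (
    Statement(frozenset({"storage:logs:read"}),
              (("storage:k8s.namespace.name", "IN", ("payments", "checkout")),)),
    Statement(frozenset({"storage:buckets:read"}),
              (("storage:table-name", "=", "logs"),
               ("storage:bucket-name", "startsWith", "prod_"))),
)

# The same policy without storage:buckets:read: the table grant alone reads nothing.
TABLE_ONLY_POLICY = SCOPED_POLICY[:1]

# Constructed records, keyed by the page's condition names.
RECORDS = {
    "prod-payments": {"storage:table-name": "logs", "storage:bucket-name": "prod_logs",
                      "storage:k8s.namespace.name": "payments"},
    "default-payments": {"storage:table-name": "logs", "storage:bucket-name": "default_logs",
                         "storage:k8s.namespace.name": "payments"},
    "prod-billing": {"storage:table-name": "logs", "storage:bucket-name": "prod_logs",
                     "storage:k8s.namespace.name": "billing"},
    "prod-host-log": {"storage:table-name": "logs", "storage:bucket-name": "prod_logs",
                      "storage:host.name": "db-01"},  # no namespace attribute at all
    "prod-metrics": {"storage:table-name": "metrics", "storage:bucket-name": "prod_metrics",
                     "storage:k8s.namespace.name": "payments"},
}


def evaluate(policy: Iterable[Statement]) -> Dict[str, bool]:
    """Decide every constructed record under the given policy."""
    policy = list(policy)
    return {name: can_read(policy, rec) for name, rec in RECORDS.items()}


if __name__ == "__main__":
    for name, ok in evaluate(SCOPED_POLICY).items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY'}")
```

Under SCOPED_POLICY only the payments log in prod_logs is allowed. The same log in default_logs fails the bucket condition on storage:buckets:read, the billing-namespace log fails the IN condition on storage:logs:read, the host log has no namespace attribute, and the metrics record has no storage:metrics:read grant at all. Under TABLE_ONLY_POLICY every record is denied. That is the shape of a least-privilege grant: scope the table permission by workload (namespace, host, host group, security context) and scope storage:buckets:read by table and bucket, since each half alone reads nothing.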
storage:fieldsets:read
Grants permission to read data from fieldsets
conditions:
storage:table-name
- Name of the table from which fieldset(s) can be accessed.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:bucket-name
- Name of the bucket from which fieldset(s) can be accessed.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:fieldset-name
- Name of the fieldset(s) which can be accessed.
operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
storage:bucket-definitions:read
Grants permission to read bucket definitions from Grail
storage:bucket-definitions:write
Grants permission to write bucket definitions to Grail
storage:bucket-definitions:delete
Grants permission to delete bucket definitions from Grail
storage:bucket-definitions:truncate
Grants permission to delete all records from a bucket (not delete the bucket itself) in Grail.
storage:filter-segments:read
Grants permission to read filter-segments from Grail
storage:filter-segments:write
Grants permission to write filter-segments in Grail
storage:filter-segments:delete
Grants permission to delete the caller's own filter-segments in Grail
storage:filter-segments:admin
Grants permission to write and delete all filter-segments in Grail, regardless of owner
unified-analysis
Unified analysis
unified-analysis:screen-definition:read
Grants permission to read the screen definition of a unified analysis screen
upgrade-assistant
SaaS Upgrade Assistant service
upgrade-assistant:environments:write
Grants permission to use the SaaS Upgrade Assistant app
vulnerability-service
Provides APIs to access vulnerabilities that are affecting customer environments
vulnerability-service:vulnerabilities:read
Allows viewing vulnerabilities
vulnerability-service:vulnerabilities:write
Allows modifying vulnerability related information