IAM Policy reference

Below is a complete reference of IAM permissions and corresponding conditions applicable to Dynatrace services. Refer to it when you need to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.

app-engine

AppEngine

app-engine:apps:install

Grants permission to install and update apps

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
  • app-engine:app-installer - The ID of the user that installed the app.
    operators: IN, =, !=, startsWith, NOT IN, NOT startsWith

app-engine:apps:run

Grants permission to list and run apps and gives basic access to the Launcher

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
  • app-engine:app-installer - The ID of the user that installed the app.
    operators: IN, =, !=, startsWith, NOT IN, NOT startsWith

app-engine:apps:delete

Grants permission to uninstall apps

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
  • app-engine:app-installer - The ID of the user that installed the app.
    operators: IN, =, !=, startsWith, NOT IN, NOT startsWith

app-engine:functions:run

Grants permission to use the function-executor

app-engine:edge-connects:read

Grants permission to read EdgeConnects

app-engine:edge-connects:write

Grants permission to write EdgeConnects

app-engine:edge-connects:delete

Grants permission to delete EdgeConnects

app-settings

App Settings service

app-settings:objects:read

Grants permission to read app settings objects belonging to the schema

conditions:

  • settings:schemaId - A string that uniquely identifies a single app settings schema. The identifier of a schema can be found in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    operators: IN, =, !=, startsWith, NOT startsWith
  • shared:app-id - A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

app-settings:objects:write

Grants permission to write settings objects belonging to the schema

conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can be found in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    operators: IN, =, !=, startsWith, NOT startsWith
  • shared:app-id - A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

automation

Automation Server

automation:workflows:read

Grants permission to read workflows

automation:workflows:write

Grants permission to write workflows

automation:workflows:run

Grants permission to execute workflows

automation:workflows:admin

Grants admin permissions for workflows.

automation:rules:read

Grants permission to read scheduling rules

automation:rules:write

Grants permission to write scheduling rules

automation:calendars:read

Grants permission to read business calendars

automation:calendars:write

Grants permission to write business calendars

cloudautomation

Cloud Automation service

cloudautomation:resources:read

Grants permission to read resources stored in the Git repository

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=

cloudautomation:resources:write

Grants permission to write/edit resources stored in the Git repository

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=

cloudautomation:resources:delete

Grants permission to delete resources stored in the Git repository

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=

cloudautomation:metadata:read

Grants permission to read metadata of Cloud Automation

cloudautomation:events:read

Grants permission to read events in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=
  • cloudautomation:event - A string that uniquely identifies your Cloud Automation event type.
    operators: IN, =, !=

cloudautomation:events:write

Grants permission to send events to Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=
  • cloudautomation:event - A string that uniquely identifies your Cloud Automation event type.
    operators: IN, =, !=

cloudautomation:logs:read

Grants permission to read logs of Cloud Automation

cloudautomation:logs:write

Grants permission to write logs for Cloud Automation

cloudautomation:projects:read

Grants permission to read projects in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=

cloudautomation:projects:write

Grants permission to write/edit projects in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=

cloudautomation:projects:delete

Grants permission to delete projects in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=

cloudautomation:stages:read

Grants permission to read stages in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=

cloudautomation:services:read

Grants permission to read services in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=

cloudautomation:services:write

Grants permission to write/edit services in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=

cloudautomation:services:delete

Grants permission to delete services in Cloud Automation

conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    operators: IN, =, !=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    operators: IN, =, !=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    operators: IN, =, !=

cloudautomation:integrations:read

Grants permission to read integrations used in Cloud Automation

cloudautomation:integrations:write

Grants permission to write/edit integrations used in Cloud Automation

cloudautomation:integrations:delete

Grants permission to delete integrations used in Cloud Automation

cloudautomation:secrets:read

Grants permission to read secrets used in Cloud Automation

cloudautomation:secrets:write

Grants permission to write secrets used in Cloud Automation

cloudautomation:secrets:delete

Grants permission to delete secrets used in Cloud Automation

cloudautomation:instance:manage

Grants permission to manage a Cloud Automation instance

cloudautomation:statistics:read

Grants permission to read the usage statistics of a Cloud Automation instance

davis

Davis service

davis:analyzers:read

Grants permission to view Davis analyzers

davis:analyzers:execute

Grants permission to execute Davis analyzers

davis-copilot

Davis CoPilot exposes generative AI capabilities in Dynatrace

davis-copilot:conversations:execute

Grants permission to interact with the Davis CoPilot conversational interface

davis-copilot:nl2dql:execute

Grants permission to execute the Natural Language to DQL generative AI capability

deployment

Deployment service

deployment:activegates.network-zones:write

Grants permission to write ActiveGate network zones

deployment:activegates.groups:write

Grants permission to write ActiveGate groups

deployment:oneagents.network-zones:write

Grants permission to write OneAgent network zones

deployment:oneagents.host-groups:write

Grants permission to write OneAgent host groups

deployment:oneagents.host-tags:write

Grants permission to write OneAgent host tags

deployment:oneagents.host-properties:write

Grants permission to write OneAgent host properties

deployment:oneagents.communication-settings:write

Grants permission to write OneAgent communication settings

dev-obs

Developer Observability

dev-obs:breakpoint:set

Grants permission to set breakpoints using the DevObs live debugger

conditions:

  • dev-obs:k8s.deployment.name - Kubernetes deployment names of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
  • dev-obs:k8s.namespace.name - Kubernetes namespaces of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
  • dev-obs:host.group.name - Host groups of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
  • dev-obs:process.group.name - Process groups of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith

dev-obs:breakpoints:set

Grants permission to set breakpoints using the DevObs live debugger

conditions:

  • dev-obs:k8s.deployment.name - Kubernetes deployment names of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
  • dev-obs:k8s.namespace.name - Kubernetes namespaces of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
  • dev-obs:host.group.name - Host groups of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith
  • dev-obs:process.group.name - Process groups of the agents where the user is allowed to set breakpoints
    operators: =, IN, startsWith, !=, NOT IN, NOT startsWith

dev-obs:breakpoint:manage

Grants permission to manage breakpoints set in DevObs live debugger

dev-obs:breakpoints:manage

Grants permission to manage breakpoints set in DevObs live debugger

document

Document service

document:documents:write

Grants permission to create and update documents of the document service

document:documents:read

Grants permission to read documents of the document service

document:documents:delete

Grants permission to delete documents of the document service

document:documents:admin

Grants admin permissions for documents of the document service

document:environment-shares:read

Grants permission to read environment shares of the document service

document:environment-shares:write

Grants permission to create and update environment shares of the document service

document:environment-shares:claim

Grants permission to claim environment shares of the document service

document:environment-shares:delete

Grants permission to delete environment shares of the document service

document:direct-shares:delete

Grants permission to delete direct shares of the document service

document:direct-shares:read

Grants permission to read direct shares of the document service

document:direct-shares:write

Grants permission to create and update direct shares of the document service

document:trash.documents:read

Grants permission to read deleted documents of the document service

document:trash.documents:delete

Grants permission to remove deleted documents from the trash of the document service

document:trash.documents:restore

Grants permission to restore deleted documents from the trash of the document service

email

API for sending emails

email:emails:send

Grants permission to send emails from @apps.dynatrace.com with send email API

environment

Environment and management zone user permissions. See Migrate role-based permissions to Dynatrace IAM for more information.

Role IAM permissions work the same way as classic roles do, which means that the environment:roles:viewer permission is a part of any other role permission. For example, a policy granting environment:roles:manage-settings permission also allows a user to access the web UI.

environment:roles:viewer

Grants user the Access environment permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:manage-settings

Grants user the Change monitoring settings permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:agent-install

Grants user the Download/install OneAgent permission. Users who have this permission assigned are also able to view monitoring data for all management zones.

environment:roles:view-sensitive-request-data

Grants user the View sensitive request data permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:configure-request-capture-data

Grants user the Configure capture of sensitive data permission. Users who have this permission assigned are also able to view monitoring data for all management zones.

environment:roles:replay-sessions-without-masking

Grants user the Replay session data without masking permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:replay-sessions-with-masking

Grants user the Replay session data permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:manage-security-problems

Grants user the Manage security problems permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:view-security-problems

Grants user the View security problems permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

environment:roles:logviewer

Grants user the View logs permission.

conditions:

  • environment:management-zone - A string that uniquely identifies a management zone. Applies the permission at the management zone level for the specified management zone.
    operators: IN, startsWith, NOT startsWith, =, !=

extensions

Extensions service

extensions:definitions:read

Grants permission to read extension and environment configurations

conditions:

  • extensions:extension-name - A string that uniquely identifies a single extension
    operators: IN, NOT IN, startsWith, NOT startsWith, !=, =

extensions:definitions:write

Grants permission to write (update/create/delete) extension and environment configurations

conditions:

  • extensions:extension-name - A string that uniquely identifies a single extension
    operators: IN, NOT IN, startsWith, NOT startsWith, !=, =

extensions:configurations:read

Grants permission to read extension monitoring configurations

conditions:

  • extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
    operators: IN, =
  • extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
    operators: IN, =
  • extensions:ag-group - A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
    operators: IN, =
  • extensions:management-zone - A string that uniquely identifies a single management zone for monitoring configuration assignment
    operators: IN, =
  • extensions:extension-name - A string that uniquely identifies a single extension
    operators: IN, NOT IN, startsWith, NOT startsWith, !=, =

extensions:configurations:write

Grants permission to write (update/create/delete) extension monitoring configurations

conditions:

  • extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
    operators: IN, =
  • extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
    operators: IN, =
  • extensions:ag-group - A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
    operators: IN, =
  • extensions:management-zone - A string that uniquely identifies a single management zone for monitoring configuration assignment
    operators: IN, =
  • extensions:extension-name - A string that uniquely identifies a single extension
    operators: IN, NOT IN, startsWith, NOT startsWith, !=, =

extensions:configuration.actions:write

Grants permission to execute actions for an extension

conditions:

  • extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
    operators: IN, =
  • extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
    operators: IN, =
  • extensions:ag-group - A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
    operators: IN, =
  • extensions:management-zone - A string that uniquely identifies a single management zone for monitoring configuration assignment
    operators: IN, =
  • extensions:extension-name - A string that uniquely identifies a single extension
    operators: IN, NOT IN, startsWith, NOT startsWith, !=, =

geolocation

Geolocation Service

geolocation:locations:lookup

Grants permission to look up geolocations for IP addresses.

hub

Hub provides catalog content, such as Dynatrace Apps, Extensions, and Technologies, in the context of the environment.

hub:catalog:read

Grants permission to read the hub catalog content.

hyperscaler-authentication

Hyperscaler authentication service

hyperscaler-authentication:aws:authenticate

Grants permission to authenticate against AWS.

iam

IAM

iam:service-users:use

Allows (or denies) using service users

conditions:

  • iam:service-user-email - Service user emails
    operators: IN, =

identity-federation

Identity federation service

identity-federation:account-federation:read

Enables reading federations details and downloading federation Service Provider metadata.

identity-federation:account-federation:write

Enables creating, updating and deleting federations.

identity-federation:account:read

Enables reading the account card to review configuration of the account.

identity-federation:account:write

Enables the setting and clearing of the default federation for the account.

identity-federation:federated-domain:write

Enables the creation, updating, and deletion of federated domains in the account. Federated domains participate in federation discovery.

identity-federation:environment:read

Enables reading the environment card to review the configuration applied to environment.

identity-federation:environment:write

Enables configuring federation discovery on the environment level in the account.

notification

API for sending notifications

notification:self-notifications:read

Grants permission to read self notifications.

notification:self-notifications:write

Grants permission to write self notifications.

oauth2

Authorization of OAuth token issuing actions (token exchange)

oauth2:clients:manage

Allows management of light OAuth clients

conditions:

  • oauth2:scopes - Requested scopes for the generated OAuth clients
    operators: =, NOT IN

openpipeline

OpenPipeline

openpipeline:configurations:read

Grants permission to read the OpenPipeline configuration

openpipeline:configurations:write

Grants permission to write the OpenPipeline configuration

settings

Settings service

settings:objects:read

Enables reading of settings objects belonging to the schema

conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    operators: IN, =, !=, startsWith, NOT startsWith
  • shared:app-id - A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
  • settings:schemaGroup - A schema group that allows addressing multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
    operators: IN, =
  • settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is useful, for example, to grant access to the settings scopes of all hosts that belong to the same host group.
    operators: IN, =, !=
  • settings:scope - The exact scope identifier a settings object has or will have. This condition allows granting access to the scope of, for example, an individual host; in that case the scope equals the entity identifier, for example HOST-48B8F52F33098830.
    operators: IN, =, !=, startsWith, NOT startsWith
  • environment:management-zone - The name of a management zone. This condition is applicable either to any settings object that is allowed on the scope of an entity that can be matched into a management zone, or to settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
    operators: IN, =, startsWith

settings:objects:write

Enables writing of settings objects belonging to the schema

conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    operators: IN, =, !=, startsWith, NOT startsWith
  • shared:app-id - A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
  • settings:schemaGroup - A schema group that allows addressing multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
    operators: IN, =
  • settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is useful, for example, to grant access to the settings scopes of all hosts that belong to the same host group.
    operators: IN, =, !=
  • settings:scope - The exact scope identifier a settings object has or will have. This condition allows granting access to the scope of, for example, an individual host; in that case the scope equals the entity identifier, for example HOST-48B8F52F33098830.
    operators: IN, =, !=, startsWith, NOT startsWith
  • environment:management-zone - The name of a management zone. This condition is applicable either to any settings object that is allowed on the scope of an entity that can be matched into a management zone, or to settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
    operators: IN, =, startsWith

settings:schemas:read

Enables reading settings schemas

conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property matches.
    operators: IN, =, !=, startsWith, NOT startsWith
  • shared:app-id - A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
  • settings:schemaGroup - A schema group that allows addressing multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property matches.
    operators: IN, =

slo

SLO service

slo:slos:read

Grants permission to read Service-Level Objectives

slo:slos:write

Grants permission to write Service-Level Objectives

slo:objective-templates:read

Grants permission to read Service-Level Objectives Templates

state

Platform State Service

state:app-states:read

Grants permission to read app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state:app-states:write

Grants permission to write app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state:app-states:delete

Grants permission to delete app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state:user-app-states:read

Grants permission to read user-app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state:user-app-states:write

Grants permission to write user-app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state:user-app-states:delete

Grants permission to delete user-app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state-management

State Management - Clear app-states and user-app-states of specific apps.

state-management:app-states:delete

Grants permission to delete all app-states

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state-management:user-app-states:delete

Grants permission to delete user-app-states of the current user

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

state-management:user-app-states:delete-all

Grants permission to delete user-app-states of all users

conditions:

  • shared:app-id - The ID of the app.
    operators: IN, NOT IN, startsWith, NOT startsWith, =, !=

storage

Grail

storage:events:read

Grants permission to read records from the events-table

conditions:

  • storage:bucket-name - This condition reduces the effect of the record-level permission to a defined list of buckets.
    operators: =, !=, IN, NOT IN, startsWith, NOT startsWith
  • storage:event.kind - Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
    operators: =, IN, startsWith
  • storage:event.type - The unique type identifier of a given event.
    operators: =, IN, startsWith
  • storage:event.provider - Source of the event, for example the name of the component or system that generated the event.
    operators: =, IN, startsWith
  • storage:k8s.namespace.name - The name of the namespace that the pod is running in.
    operators: =, IN, startsWith
  • storage:k8s.cluster.name - The name of the cluster that the pod is running in.
    operators: =, IN, startsWith
  • storage:host.name - Name of the host.
    operators: =, IN, startsWith
  • storage:dt.host_group.id - ID of the host group.
    operators: =, IN, startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: =, IN, startsWith
  • storage:gcp.project.id - Google Cloud Platform Project ID.
    operators: =, IN, startsWith
  • storage:aws.account.id - Amazon Web Services Account ID.
    operators: =, IN, startsWith
  • storage:azure.subscription - Azure subscription.
    operators: =, IN, startsWith
  • storage:azure.resource.group - Azure resource group.
    operators: =, IN, startsWith

storage:events:write

Grants permission to write events to Grail

storage:metrics:read

Grants permission to read timeseries from the metrics-table

conditions:

  • storage:bucket-name - This condition reduces the effect of the record-level permission to a defined list of buckets.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:k8s.namespace.name - The name of the namespace that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:k8s.cluster.name - The name of the cluster that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:host.name - Name of the host.
    operators: = ,IN ,startsWith
  • storage:dt.host_group.id - ID of the host group.
    operators: = ,IN ,startsWith
  • storage:metric.key - The identifier of a metric, grouping numeric measurements that share the same measurement semantics (i.e. were measured "the same way").
    operators: = ,IN ,startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: = ,IN ,startsWith
  • storage:gcp.project.id - Google Cloud Platform Project ID.
    operators: = ,IN ,startsWith
  • storage:aws.account.id - Amazon Web Services Account ID.
    operators: = ,IN ,startsWith
  • storage:azure.subscription - Azure subscription.
    operators: = ,IN ,startsWith
  • storage:azure.resource.group - Azure resource group.
    operators: = ,IN ,startsWith

storage:metrics:write

Grants permission to write metrics from 2nd gen to Grail and from 3rd gen to 2nd gen storage

storage:logs:read

Grants permission to read records from the logs-table

conditions:

  • storage:bucket-name - This condition reduces the effect of the record-level permission to a defined list of buckets.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:k8s.namespace.name - The name of the namespace that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:k8s.cluster.name - The name of the cluster that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:host.name - Name of the host.
    operators: = ,IN ,startsWith
  • storage:dt.host_group.id - ID of the host group.
    operators: = ,IN ,startsWith
  • storage:log.source - The location where the log comes from.
    operators: = ,IN ,startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: = ,IN ,startsWith
  • storage:gcp.project.id - Google Cloud Platform Project ID.
    operators: = ,IN ,startsWith
  • storage:aws.account.id - Amazon Web Services Account ID.
    operators: = ,IN ,startsWith
  • storage:azure.subscription - Azure subscription.
    operators: = ,IN ,startsWith
  • storage:azure.resource.group - Azure resource group.
    operators: = ,IN ,startsWith

storage:logs:write

Grants permission to write logs to Grail

storage:entities:read

Grants permission to read records from entities

conditions:

  • storage:entity.type - The type of the entity.
    operators: = ,IN ,startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: = ,IN ,startsWith

storage:spans:read

Grants permission to read records from the spans-table

conditions:

  • storage:bucket-name - This condition reduces the effect of the record-level permission to a defined list of buckets.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:k8s.namespace.name - The name of the namespace that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:k8s.cluster.name - The name of the cluster that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:host.name - Name of the host.
    operators: = ,IN ,startsWith
  • storage:dt.host_group.id - ID of the host group.
    operators: = ,IN ,startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: = ,IN ,startsWith
  • storage:gcp.project.id - Google Cloud Platform Project ID.
    operators: = ,IN ,startsWith
  • storage:aws.account.id - Amazon Web Services Account ID.
    operators: = ,IN ,startsWith
  • storage:azure.subscription - Azure subscription.
    operators: = ,IN ,startsWith
  • storage:azure.resource.group - Azure resource group.
    operators: = ,IN ,startsWith

storage:bizevents:read

Grants permission to read records from the bizevents-table

conditions:

  • storage:bucket-name - This condition reduces the effect of the record-level permission to a defined list of buckets.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:event.kind - Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
    operators: = ,IN ,startsWith
  • storage:event.type - The unique type identifier of a given event.
    operators: = ,IN ,startsWith
  • storage:event.provider - Source of the event, for example the name of the component or system that generated the event.
    operators: = ,IN ,startsWith
  • storage:k8s.namespace.name - The name of the namespace that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:k8s.cluster.name - The name of the cluster that the pod is running in.
    operators: = ,IN ,startsWith
  • storage:host.name - Name of the host.
    operators: = ,IN ,startsWith
  • storage:dt.host_group.id - ID of the host group.
    operators: = ,IN ,startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: = ,IN ,startsWith
  • storage:gcp.project.id - Google Cloud Platform Project ID.
    operators: = ,IN ,startsWith
  • storage:aws.account.id - Amazon Web Services Account ID.
    operators: = ,IN ,startsWith
  • storage:azure.subscription - Azure subscription.
    operators: = ,IN ,startsWith
  • storage:azure.resource.group - Azure resource group.
    operators: = ,IN ,startsWith

storage:system:read

Grants permission to read records from all system tables (for example, dt.system.events).

conditions:

  • storage:bucket-name - This condition reduces the effect of the record-level permission to a defined list of buckets.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:event.kind - Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
    operators: = ,IN ,startsWith
  • storage:event.type - The unique type identifier of a given event.
    operators: = ,IN ,startsWith
  • storage:event.provider - Source of the event, for example the name of the component or system that generated the event.
    operators: = ,IN ,startsWith
  • storage:dt.security_context - Custom field for security context.
    operators: = ,IN ,startsWith

storage:buckets:read

Grants permission to read records from Grail buckets. Required in addition to a table permission.

conditions:

  • storage:table-name - Table name of the bucket that can be accessed.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:bucket-name - Name of the bucket that can be accessed.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith

storage:fieldsets:read

Grants permission to read data from fieldsets

conditions:

  • storage:table-name - Name of the table from which fieldset(s) can be accessed.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:bucket-name - Name of the bucket from which fieldset(s) can be accessed.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith
  • storage:fieldset-name - Name of the fieldset(s) which can be accessed.
    operators: = ,!= ,IN ,NOT IN ,startsWith ,NOT startsWith

storage:bucket-definitions:read

Grants permission to read bucket definitions from Grail

storage:bucket-definitions:write

Grants permission to write bucket definitions to Grail

storage:bucket-definitions:delete

Grants permission to delete bucket definitions from Grail

storage:bucket-definitions:truncate

Grants permission to delete all records from a bucket (not delete the bucket itself) in Grail.

storage:filter-segments:read

Grants permission to read filter-segments from Grail

storage:filter-segments:write

Grants permission to write filter-segments in Grail

storage:filter-segments:delete

Grants permission to delete the user's own filter-segments in Grail

storage:filter-segments:admin

Grants permission to write and delete all filter-segments in Grail

unified-analysis

Unified analysis

unified-analysis:screen-definition:read

Grants permission to read the screen definition of a unified analysis screen

upgrade-assistant

SaaS Upgrade Assistant service

upgrade-assistant:environments:write

Grants permission to use the SaaS Upgrade Assistant app

vulnerability-service

Provides APIs to access vulnerabilities that are affecting customer environments

vulnerability-service:vulnerabilities:read

Allows viewing vulnerabilities

vulnerability-service:vulnerabilities:write

Allows modifying vulnerability-related information