With policy boundaries, you can assign permissions with fine-granular restrictions on the data level.
Policy boundaries enable to restrict user permissions on the record and resource level and are intended to work very well with the Dynatrace default policies.
Policy boundaries allow you to bundle restrictions on the record and/or resource level together for usage in you permission assignments. This allows for easier management of partitions on the data level and enables re-usability. Boundaries alone don't restrict anything, they are always used together with policies in the process of assigning policies to your user groups.
Whenever a boundary is selected in combination with a security policy, it further restricts the existing policy, which can also result in no access for the user.
Policy boundaries support all conditions that are available in the IAM reference.
Use case:
As an account admin I would like to restrict the Read logs default policy for 20 user groups to logs from K8s development namespace.
Solution:
storage:k8s.namespace.name = "DEVELOPMENT";
If you ever want to adopt the boundary because your access requirements have changed, for example you introduce another stage in your development process, you just need to change the boundary like so:
storage:k8s.namespace.name IN ("DEVELOPMENT","HARDENING");
Boundaries allow you to decouple the "What" and "Where" of a policy.
In other words, enable you to externalize the conditions to a separate object for easier management and re-usability.
ALLOW <permissions> WHERE <conditions>
This mechanism is extremely useful in combination with the default policies.
The default policies define a set of permissions to access features and data. As they are generic, they don't restrict the access to a specific records and resources.
Example:
The storage:k8s.namespace.name IN ("DEV","PREPROD")
is a recurring pattern in your policies and can be externalized into a policy boundary.
ALLOW storage:logs:read WHERE storage:k8s.namespace.name IN ("DEV","PREPROD");ALLOW storage:metrics:read WHERE storage:k8s.namespace.name IN ("DEV","PREPROD");
Boundary K8s-dev-preprod:
storage:k8s.namespace.name IN ("DEV","PREPROD");
Of course, this is a basic example and your boundary could consist of more statements that exactly define to what records and resources your users have access.
The boundary management operations listed below are all performed using the Account Management pages.
This opens https://myaccount.dynatrace.com/
, which you can bookmark for easy access to Account Management.
A boundary that is used in policy bindings can not be deleted. Before you can delete the boundary you have to adjust or remove all bindings where the boundary is used.
Policy boundaries can only be assigned to policies, they are not compatible with role-based permissions.
Boundaries work for all services that are covered with the security policies and which are documented in the IAM Policy reference.
When a policy binding contains boundaries the effective policy is calculated according to the following rules:
DENY
statementsTo use your management zones inside of boundaries you just need to reference them as a condition in your policy boundary.
Boundary Kubernetes:
environment:management-zone startsWith "[Kubernetes]";storage:k8s.namespace.name IN ("DEV","PREPROD");
This boundary includes all management zones that start with [Kubernetes]
, as well as all the records stored in Grail for the DEV
and PREPROD
K8s namespaces.
Be aware that the management zones referenced in your boundaries only apply to policy statements that support management zones.
Grail does not support management zones but uses the storage:
fields for record level access control. For more details see What is the difference between management zones and new IAM policies?