Grant access to Dynatrace

  • Latest Dynatrace
  • Tutorial
  • 8-min read

This tutorial shows you how to use Dynatrace default groups and policies to grant users access to platform features and data, and how to refine that access with policy boundaries and dt.security_context to restrict data to specific apps or teams.

Who is this for?

This tutorial is for Dynatrace account administrators who need to grant users access to platform features and data stored inside Dynatrace. It also helps new Dynatrace users who want to understand group-based permissions.

What will you learn?

In this tutorial, you'll learn how to:

  • Use the default groups and policies to grant your users access to Dynatrace.
  • Assign different sets of privileges to your user groups.
  • Refine the access of your users with policy boundaries.
  • Choose between default and custom policies based on your access requirements.
  • Use dt.security_context to restrict data access to specific apps or teams.

Before you begin

Prior knowledge
Prerequisites
  • A Dynatrace account with administrative privileges.
Key terms
Default groups

Predefined user groups in Dynatrace

Permissions

Access rights for different groups

RBAC

Role-based access control; a security model for managing user access

dt.security_context

An attribute you attach to data points—such as logs, metrics, and spans—to identify which app or team they belong to. Use it in policy boundary queries to restrict data access to specific apps or teams.

Policy boundary

A condition you apply to a policy permission that narrows the scope of access to only the resources or data that match the boundary query.

Steps

1. Invite users to your account

This step adds users to Dynatrace so that you can assign roles and access rights to them.

  1. Go to Account Management. If you have more than one account, select the account you want to manage.

    This opens https://myaccount.dynatrace.com/, which you can bookmark for easy access to Account Management.

  2. Go to Identity & access management > User management.
  3. Select Invite users.
  4. In Enter Details, add required details.
  5. In Assign permissions, assign permissions Through existing groups or Directly.
  6. Select Invite.

2. Assign users to default groups

Assigning a user to a default group is the fastest way to give them access to Dynatrace features and data. This step also lays the baseline for applying advanced controls, such as creating custom groups and policy boundaries.

To assign users to default groups:

  1. Go to Dynatrace Account Management > Identity & access management > User management.
  2. Select the user you want to assign and select > Edit.
  3. In the Edit user page, select a user to assign groups.
  4. Select one or more appropriate groups from the list.
  5. Select Save.

3. Create a custom group

Use this step when default groups don't align with your internal structure or access needs. Custom groups let you tailor access to specific organizational needs by combining default and custom policies.

Use default policies as your first choice. They are maintained by Dynatrace and automatically updated as new features are released. Only switch to a custom policy when a default policy doesn't meet your specific requirements.

To create a custom group:

  1. Go to Dynatrace Account Management > Identity & access management > Group management.
  2. Select Create Group.
  3. In the New group page, enter the details for Group name and Description.
  4. To add permissions, select the Permissions tab, then select Add permissions.
    • Select one or more permissions from Dynatrace access or Data access.
  5. To add members, select the Members tab, then select Add members.
  6. Select Create.

Example: Read-only group using default policies

To grant a team read-only access to Dynatrace and their app's data, add the following two permissions to the group:

PermissionCategoryWhat it grants

Standard User

Dynatrace access

Access to the Dynatrace environment and the ability to run apps

All Grail data read access

Data access

Read access to all data across Grail Buckets and Tables

Example: Add settings write access using a custom policy

To allow a team to update monitoring configuration—such as alerting thresholds or OneAgent settings:

  1. Create the custom policy and assign it to the required group.
  2. Then, add a custom Settings Writers policy in addition to the read permissions from the previous example.

4. Create a policy boundary

You can use policy boundaries to refine access further and restrict policies. Policy boundaries limit access to specific apps, workflows, or data partitions, narrowing the policy's scope to only the defined conditions.

To create a policy boundary:

  1. Go to Dynatrace Account Management > Identity & access management > Policy boundaries.
  2. Select the Boundaries tab.
  3. Select Create boundary and enter a Boundary name and a Boundary query.
  4. Select Save.

Example: Restrict data access by app or team using dt.security_context

Use dt.security_context in your boundary query to limit data access to a specific app or team. Before applying this boundary, ensure your data ingestion pipeline sets the dt.security_context attribute on the relevant logs, metrics, and spans.

The following example restricts access to data for a single application. It covers both the Grail storage attribute and the management zone name used for monitored entities:

storage:dt.security_context IN ("my-app", "MyApp");
// "MyApp" matches the management zone name used as the Grail security context for monitored entities
environment:management-zone IN ("MyApp");

To match values that share a common prefix, use the MATCH operator instead of IN. For example: storage:dt.security_context MATCH ("my-app-*");

To apply the boundary to a group policy:

  1. Go to Dynatrace Account Management > Identity & access management > Group management.
  2. Select a group and select View group.
  3. In the Permissions tab, to apply a boundary, you can edit an existing permission or add a new permission.
  4. In the Boundaries section, select the required boundary from the dropdown.
  5. Select to Preview the policy.
  6. Select Save to apply the boundary to the policy.

To learn more about policy boundaries, see Policy boundaries.

5. Create a custom policy

Create a custom policy when a default policy doesn't meet your requirements—for example, when you need write access to specific settings without granting full administrative permissions. Unlike default policies, which Dynatrace maintains and updates automatically, custom policies require you to keep them current as new features are released.

To create a custom policy:

  1. Go to Dynatrace Account Management > Identity & access management > Policy management.
  2. In the Policies tab, select Create policy.
  3. Enter Policy name, Policy description, and Policy statements.
  4. Select Save.

Example: Settings writer policy

Use the following policy statements to grant write access to monitoring configuration without full administrative privileges. This is useful when teams manage alerting thresholds or OneAgent settings for their own apps but should not have access to pipeline routing or other administrative settings:

ALLOW settings:schemas:read;
ALLOW settings:objects:read, settings:objects:write;
ALLOW environment:roles:manage-settings;

Apply a policy boundary to this permission to limit write access to the team's own data scope.

6. Verify effective permissions

After you assign groups and apply boundaries, confirm that users have the expected access by reviewing their effective policies.

To verify effective permissions:

  1. Go to Dynatrace Account Management > Identity & access management > Policy management.
  2. Select the Effective policies tab.
  3. Enter the user's email address and select their environment.
  4. Select Find permissions to see all policies and boundaries applied to the user.

Use Effective policies to troubleshoot unexpected access denials. You can see which policy granted or restricted a specific permission and which boundary condition was applied.

Congratulations!

You've successfully set up user access in Dynatrace. You now know how to:

  • Invite users and assign them to default or custom groups.
  • Use policy boundaries to refine and restrict access.
  • Create custom policies for advanced access control.

Related topics

Related tags
Dynatrace Platform