Grant access to Dynatrace

This tutorial shows how to use the Dynatrace default policies to grant access to features and services inside of Dynatrace. The default policies are managed and maintained by Dynatrace and provide pre-built access to Dynatrace.

The Dynatrace default policies don't cover access to the monitoring data of your environment stored in Grail. To grant access to monitoring data, see Grant access to Grail.

Who this is for

This tutorial is for Dynatrace account administrators who need to grant users access to platform features.

What you will learn

In this tutorial, you'll learn:

  1. Which default policies are available for Dynatrace access
  2. How to use policies and roles to grant access to Dynatrace features

Default policies and roles for controlling access to Dynatrace

The following default policies are relevant for granting users access to the new Dynatrace platform features of AppEngine and AutomationEngine:

  • AppEngine User
  • AppEngine Admin
  • AppEngine Developer
  • AutomationEngine Access

The AppEngine permissions are needed to use the new Dynatrace Launcher.

In addition, the following roles exist to control access to existing features of Dynatrace:

  • View environment
  • View sensitive request data
  • View logs
  • Replay session data with masking
  • Replay session data without masking
  • Install OneAgent
  • Manage monitoring settings
  • Manage capturing of sensitive request data
  • Manage security problems
  • View security problems
  • Manage support tickets

For a full description of the role-based permissions, see Role-based permissions.

Coming soon: In the near future, to make it easier to assign access rights, both the role-based permissions and permissions to AppEngine and AutomationEngine will be combined in a new default policy set.

For guidance on how to use default policies and roles with your user groups, please also see Grant access to Dynatrace through default groups and permissions.

Grant users basic access to AppEngine

AppEngine user policy

This policy provides basic access to AppEngine: permission to run apps and functions, and to access the main supporting services (such as the state service, document service, and document sharing).

ALLOW app-engine:apps:run, app-engine:functions:run;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, app-settings:objects:read;

AppEngine admin policy

This policy provides full access to AppEngine, with write access to all services.

ALLOW app-engine:functions:run, app-engine:apps:run, app-engine:apps:install, app-engine:apps:delete;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, app-settings:objects:read, app-settings:objects:write;
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId startsWith "app:";
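
Before assigning the admin policy to a group, it helps to see exactly what it grants beyond the user policy. The Python below is an added example, not Dynatrace code: it parses the two policies above and lists the extra permissions, separating those limited by a WHERE condition from those granted unconditionally. The function names are hypothetical, and it assumes a WHERE clause applies to every permission in its statement.

```python
import re

# Statements copied from the AppEngine user and admin policies on this page.
USER_POLICY = '''ALLOW app-engine:apps:run, app-engine:functions:run;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, app-settings:objects:read;'''
ADMIN_POLICY = '''ALLOW app-engine:functions:run, app-engine:apps:run, app-engine:apps:install, app-engine:apps:delete;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, app-settings:objects:read, app-settings:objects:write;
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId startsWith "app:";'''

# "ALLOW <perm>, <perm> [WHERE <condition>]" with the trailing ";" already removed.
STATEMENT = re.compile(r"ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<cond>.+))?$",
                       re.IGNORECASE | re.DOTALL)

def parse_policy(text):
    """Map each permission to its set of conditions (None = unconditional)."""
    grants = {}
    # Simplification: assumes no ";" appears inside a quoted condition value.
    for raw in filter(None, (s.strip() for s in text.split(";"))):
        match = STATEMENT.match(raw)
        if match is None:
            raise ValueError(f"unrecognised statement: {raw!r}")
        cond = match.group("cond")
        # Assumption: a WHERE clause scopes every permission in its statement.
        for perm in match.group("perms").split(","):
            grants.setdefault(perm.strip(), set()).add(cond.strip() if cond else None)
    return grants

def added_grants(base, elevated):
    """Permissions the elevated policy grants that the base policy does not."""
    return {p: conds for p, conds in elevated.items() if p not in base}

def unconditional_changes(grants, verbs=("write", "delete", "install")):
    """State-changing permissions granted with no WHERE restriction."""
    return sorted(p for p, conds in grants.items()
                  if None in conds and p.rsplit(":", 1)[-1] in verbs)

if __name__ == "__main__":
    extra = added_grants(parse_policy(USER_POLICY), parse_policy(ADMIN_POLICY))
    for perm in sorted(extra):
        print(perm, sorted(c or "(unconditional)" for c in extra[perm]))
    print("review first:", unconditional_changes(extra))
```
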

Give additional access to new platform capabilities

AppEngine developer

This policy grants additional permissions that enable a user to develop and install custom apps.

ALLOW app-engine:apps:install, app-engine:apps:delete WHERE shared:app-id startsWith "my";

AutomationEngine access

This policy grants permission to use the Workflows app and automation capabilities.

ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.automations";
ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:automations:run, automation:calendars:read, automation:calendars:write;