This tutorial shows how to use the Dynatrace default policies to grant access to features and services inside of Dynatrace. The default policies are managed and maintained by Dynatrace and provide pre-built access to Dynatrace.
The Dynatrace default policies don't cover access to the monitoring data of your environment stored in Grail. To grant access to monitoring data, see Grant access to Grail.
This tutorial is for Dynatrace account administrators who need to grant users access to platform features.
In this tutorial, you'll learn
The following default policies are relevant to grant users access to the new Dynatrace platform features of AppEngine and AutomationEngine:
The AppEngine permissions are needed to use the new Dynatrace Launcher.
In addition, the following roles exist to control access to existing features of Dynatrace:
For a full description of the role-based permissions, see Role-based permissions .
Coming soon: In the near future, to make it easier to assign access rights, both the role-based permissions and permissions to AppEngine and AutomationEngine will be combined in a new default policy set.
For guidance on how to use default policies and roles with your user groups, please also see Grant access to Dynatrace through default groups and permissions.
This policy provides basic access to AppEngine: permission to run apps and functions, and to access the main supporting services (such as the state service, document service, and document sharing).
ALLOW app-engine:apps:run, app-engine:functions:run;ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write,state:user-app-states:delete, app-settings:objects:read;
This policy provides full access to AppEngine, with write access to all services.
ALLOW app-engine:functions:run, app-engine:apps:run, app-engine:apps:install, app-engine:apps:delete;ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, app-settings:objects:read, app-settings:objects:write;ALLOW settings:objects:read, settings:objects:write, settings:schemas:read where settings:schemaId startsWith "app:";
This policy grants additional permissions that enable a user to develop and install custom apps.
ALLOW app-engine:apps:install, app-engine:apps:delete WHERE shared:app-id startsWith “my”;
This policy grants permission to use the Workflows app and automation capabilities.
ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.automations";ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:automations:run, automation:calendars:read, automation:calendars:write;