Grant access to entities with security context

This tutorial will guide you through the process of setting the security context and granting access to the monitored entities using policies.

Who this is for

This tutorial is for Dynatrace account administrators who need to create policies to grant users access to data stored in Grail in the context of monitored entities, for example hosts.

What you'll learn

In this tutorial, you'll learn:

  1. How to set the security context on monitored entities.
  2. How to create policies to grant access to monitoring data stored in Grail in the context of monitored entities.

Steps

We start by learning how to set the context, and then we learn how to create those policies to grant access to data on entities.

1. Set the security context for monitored entities

The security context field for entities is multi-value. To set the security context for entities, you can choose one of the following options:

Dynatrace API

Set the security context via Monitored entities API. If the security context name is identical to the name of an existing management zone, all the matching entities will be assigned to the management zone, which will help you migrate your current management zones to the security context.

Map to an already existing property

Map it to an already existing property (based on its type). Supported values are entity.detected_name and managementZones.

  1. Go to Settings > Topology model > Grail Security Context.

  2. Choose the preferred entity and expand for details, where you'll find the Destination property section.


Define an extraction rule for generic types

For generic entity types, you can add an extraction rule for dt.security_context and derive the security context from any detail that is present on the data source. Let’s take a look at the following example:

  1. Use the metric ingest API to ingest a metric with the following data points:

     my.dummy_metric,name="Dummy Name 1",id=1,context="Security Context 1" 42
     my.dummy_metric,name="Dummy Name 2",id=2,context="Security Context 2" 42
     my.dummy_metric,name="Dummy Name 3",id=3,context="Security Context 3" 42
     my.dummy_metric,name="Dummy Name 4",id=4,context="Security Context 4" 42

  2. Then, extract an entity using metrics as the ingest datasource type and the metric ID.

  3. Based on this, create an attribute with an extraction rule that sets dt.security_context to the value of the context dimension appearing in the payload.

Host tags and properties

You can set the security context through the dt.security_context host property, either assigned by automated rules or set as a host property in the OneAgent configuration via the command-line interface (oneagentctl).

Tags assigned through environment variables or Topology and Smartscape API can't be used for setting the security context.

After you set the security context on a host, it will be used to automatically determine the security context for all logs, spans, metrics and events that are sent from this host.

Additionally, it sets the security context for all entities reported from this host, for example process group instances.

To set a security context using oneagentctl:

./oneagentctl --set-host-property=dt.security_context=my-security-context

2. Create the policy

Entity permissions allow you to define policies that control data access on entities.

In contrast to monitoring data, entity permissions only allow filtering for the dt.security_context field.

Access to all entities is configured via the storage:entities:read permission, which supports the following conditions:

  • storage:entity.type

    The entity type in upper snake case (for example PROCESS_GROUP_INSTANCE).

  • storage:dt.security_context

    The security context of this entity. This can be a multi-value field; a startsWith condition evaluates to true if any of the values matches.

For example, the following policy grants access to data with the security context set to mySecurityContext.

ALLOW
storage:entities:read
WHERE
storage:dt.security_context = "mySecurityContext";
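As an added illustration (not Dynatrace code, and not part of this tutorial) of the two mechanisms described above: the metric ingest lines from step 1 are parsed to derive dt.security_context from the context dimension, and a storage:dt.security_context condition is then evaluated against a multi-value field, where = and startsWith hold if any one of the values matches. The parser, the function names and the sample lines are assumptions made for this example.

```python
import re

# Constructed sample input: two lines from the tutorial plus one that carries no
# context dimension, so the derived security context is empty for that entity.
SAMPLE_LINES = [
    'my.dummy_metric,name="Dummy Name 1",id=1,context="Security Context 1" 42',
    'my.dummy_metric,name="Dummy Name 2",id=2,context="Security Context 2" 42',
    'my.dummy_metric,name="Dummy Name 3",id=3 42',
]

# One dimension: key=value where the value is either double-quoted (may contain
# spaces and escaped quotes) or a bare token without commas or whitespace.
DIM_RE = re.compile(r'([A-Za-z0-9_.\-]+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_metric_line(line):
    """Split one ingest line into (metric_key, {dimension: value}, payload)."""
    head, payload = line.rsplit(" ", 1)          # payload is the last token
    metric_key, _, dims_part = head.partition(",")
    dims = {}
    for key, raw in DIM_RE.findall(dims_part):
        dims[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return metric_key, dims, payload


def derive_security_context(dims, source_dim="context"):
    """Extraction rule: dt.security_context := value of the 'context' dimension.
    Returned as a list because the field is multi-value; empty when absent."""
    return [dims[source_dim]] if source_dim in dims else []


def policy_allows(security_context, operator, operand):
    """Evaluate one storage:dt.security_context condition.
    Any matching value of the multi-value field satisfies the condition."""
    if operator == "=":
        return any(v == operand for v in security_context)
    if operator == "startsWith":
        return any(v.startswith(operand) for v in security_context)
    raise ValueError(f"unsupported operator {operator!r}")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        key, dims, _ = parse_metric_line(line)
        ctx = derive_security_context(dims)
        print(key, dims.get("id"), ctx,
              policy_allows(ctx, "startsWith", "Security Context"))
```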

For more information, see IAM Policy reference and Working with policies.