As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.
You can assign policies to groups via the user group details either on the account level, which includes all environments in that account, or on the individual environment level.
You can find the default policies in the Policy overview of Account Management.
Full access to AppEngine and read access to AutomationEngine.
ALLOW app-engine:functions:run, app-engine:apps:run, app-engine:apps:install, app-engine:edge-connects:read, app-engine:edge-connects:write, app-engine:edge-connects:delete, app-engine:apps:delete;
ALLOW hub:catalog:read;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW davis:analyzers:read, davis:analyzers:execute;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write;
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read where settings:schemaId startsWith "app:";
ALLOW oauth2:clients:manage where oauth2:scopes = "app-engine:edge-connects:connect";
ALLOW email:emails:send;
ALLOW storage:bucket-definitions:read, storage:bucket-definitions:write, storage:bucket-definitions:truncate, storage:bucket-definitions:delete;
ALLOW hyperscaler-authentication:aws:authenticate;
Users are allowed to install and delete custom apps. The additional app-engine:apps:run permission is necessary to access AppEngine.
ALLOW app-engine:apps:install, app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW hub:catalog:read;
ALLOW email:emails:send;
Grants advanced permissions to build, deploy, and run fully featured apps and automated workflows that make use of key platform services.
// States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
// Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
// Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
// Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;
// OpenPipeline
ALLOW openpipeline:configurations:read;
// Hub
ALLOW hub:catalog:read;
// AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install;
// Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
// AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write;
// Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
// IAM
ALLOW iam:service-users:use;
// Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
// Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:view-security-problems, environment:roles:manage-security-problems;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
// Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
// SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
// BusinessInsights
ALLOW insights:opportunities:read;
Grants administrative access across all platform services.
// States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, state-management:app-states:delete;
// Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:documents:admin, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
// Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
// Grail
ALLOW storage:bucket-definitions:read, storage:filter-segments:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete, storage:filter-segments:admin;
// OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
// Hub
ALLOW hub:catalog:read;
// AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install, app-engine:apps:delete;
// Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
// AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write, automation:workflows:admin;
// Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
// IAM
ALLOW iam:service-users:use, oauth2:clients:manage;
// Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read, app-settings:objects:write, settings:objects:write;
// Extensions
ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;
// Deployment
ALLOW deployment:activegates.network-zones:write, deployment:activegates.groups:write, deployment:oneagents.network-zones:write, deployment:oneagents.host-groups:write, deployment:oneagents.host-tags:write, deployment:oneagents.host-properties:write;
// Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:agent-install, environment:roles:configure-request-capture-data, environment:roles:manage-security-problems, cloudautomation:resources:read, cloudautomation:resources:write, cloudautomation:resources:delete, cloudautomation:metadata:read, cloudautomation:events:read, cloudautomation:events:write, cloudautomation:logs:read, cloudautomation:logs:write, cloudautomation:projects:read, cloudautomation:projects:write, cloudautomation:projects:delete, cloudautomation:stages:read, cloudautomation:services:read, cloudautomation:services:write, cloudautomation:services:delete, cloudautomation:integrations:read, cloudautomation:integrations:write, cloudautomation:integrations:delete, cloudautomation:secrets:read, cloudautomation:secrets:write, cloudautomation:secrets:delete, cloudautomation:instance:manage, cloudautomation:statistics:read;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
// Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
// SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
// BusinessInsights
ALLOW insights:opportunities:read;
Basic access to AppEngine to run apps and Launcher; AutomationEngine read access.
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW hub:catalog:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW davis:analyzers:read, davis:analyzers:execute;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, app-settings:objects:read;
ALLOW email:emails:send;
ALLOW storage:bucket-definitions:read;
Grants admin access to automation service and workflows.
ALLOW automation:workflows:admin, automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:calendars:read, automation:calendars:write;
Grants access to automation service and workflows.
ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:calendars:read, automation:calendars:write;
Unconditional access to all Grail tables and to all Grail buckets. New tables will be added.
ALLOW storage:buckets:read;
ALLOW storage:system:read, storage:events:read, storage:logs:read, storage:metrics:read, storage:entities:read, storage:bizevents:read, storage:spans:read;
Unconditional access to all Grail system tables (prefixed with dt.).
ALLOW storage:buckets:read WHERE storage:table-name STARTSWITH "dt.";
ALLOW storage:system:read;
Unconditional access to the bizevents table and to all bizevent buckets, including all custom bizevent buckets.
ALLOW storage:buckets:read WHERE storage:table-name = "bizevents";
ALLOW storage:bizevents:read;
Unconditional access to the entities table.
ALLOW storage:entities:read;
Unconditional access to the events table and to all event buckets (excluding security events).
ALLOW storage:buckets:read WHERE storage:table-name = "events" AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
Unconditional access to all Grail tables and to the default buckets (excluding security events). New tables and default buckets will be added.
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_logs", "default_bizevents", "default_events", "default_metrics", "default_spans", "default_selfmon_events", "default_davis_events", "default_k8s_ops_events", "default_davis_custom_events", "default_davis_k8s_ops_events");
ALLOW storage:events:read, storage:logs:read, storage:metrics:read, storage:entities:read, storage:bizevents:read, storage:spans:read;
Unconditional access to the logs table and to all log buckets, including all custom log buckets.
ALLOW storage:buckets:read WHERE storage:table-name = "logs";
ALLOW storage:logs:read;
Unconditional access to the metrics table and to all metrics buckets, including all custom metrics buckets.
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;
Enables writing metrics to Grail.
ALLOW storage:buckets:write WHERE storage:table-name = "metrics";
ALLOW storage:metrics:write;
Unconditional access to the events table and to the default security event buckets.
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
Unconditional access to the spans table and to all spans buckets, including all custom spans buckets.
ALLOW storage:buckets:read WHERE storage:table-name = "spans";
ALLOW storage:spans:read;
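Before binding one of the Grail policies above to a group, it helps to check what a given request would actually be allowed to read, since the bucket conditions (not the table scope alone) are what keep security event buckets out of the plain events policy. The following is an added example written for this page, not Dynatrace's own policy engine: a minimal evaluator for the statement forms that appear here (comma-separated scopes after ALLOW, `//` comments, and WHERE clauses built from =, startsWith, IN and NOT IN joined by AND). It assumes the attributes of a request are supplied as a plain dict keyed by the attribute names used in the conditions.

```python
import re

# One comparison inside a WHERE clause, e.g.  storage:table-name = "events"
_COND = re.compile(r'(\S+)\s*(=|startsWith|NOT IN|IN)\s*(\([^)]*\)|"[^"]*")', re.I)

def parse_policy(text):
    """Return (scopes, condition) pairs, one per ALLOW statement; '//' comments are dropped."""
    text = re.sub(r"//[^\n]*", "", text)
    stmts = []
    for raw in filter(None, (s.strip() for s in text.split(";"))):
        m = re.match(r"ALLOW\s+(.*?)(?:\s+WHERE\s+(.*))?$", raw, re.I | re.S)
        if not m:
            raise ValueError(f"cannot parse statement: {raw!r}")
        stmts.append(({s.strip() for s in m.group(1).split(",")}, m.group(2)))  # condition None if absent
    return stmts

def condition_holds(cond, attrs):
    """Evaluate AND-joined comparisons (=, startsWith, IN, NOT IN) against request attributes."""
    for term in re.split(r"\s+AND\s+", cond.strip(), flags=re.I):
        m = _COND.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported condition: {term!r}")
        attr, op, values = m.group(1), m.group(2).upper(), re.findall(r'"([^"]*)"', m.group(3))
        actual = attrs.get(attr)
        if actual is None:
            return False  # an attribute the request does not carry never satisfies a condition
        if op == "=":
            ok = actual == values[0]
        elif op == "STARTSWITH":
            ok = actual.startswith(values[0])
        else:
            ok = (actual in values) == (op == "IN")  # IN / NOT IN
        if not ok:
            return False
    return True

def is_allowed(policy, scope, attrs=None):
    """True if some statement grants `scope` and its WHERE clause (if any) holds for `attrs`."""
    attrs = attrs or {}
    return any(scope in scopes and (cond is None or condition_holds(cond, attrs))
               for scopes, cond in parse_policy(policy))

# Policy statements copied from this page: Grail events (non-security buckets) and Grail system tables.
EVENTS_POLICY = '''ALLOW storage:buckets:read WHERE storage:table-name = "events"
  AND storage:bucket-name NOT IN ("default_security_events","default_security_custom_events");
ALLOW storage:events:read;'''
SYSTEM_POLICY = 'ALLOW storage:buckets:read WHERE storage:table-name STARTSWITH "dt.";ALLOW storage:system:read;'
# Constructed request: reading a security bucket through the events policy must be refused.
SECURITY_REQUEST = {"storage:table-name": "events", "storage:bucket-name": "default_security_events"}
```

Running `is_allowed(EVENTS_POLICY, "storage:buckets:read", SECURITY_REQUEST)` returns False, while the same request against `default_events` returns True; the unconditional `storage:events:read` scope is granted regardless of attributes.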
Permission to access 'Agent Install' features (equivalent to RBAC permission). Management zones not supported.
ALLOW environment:roles:agent-install;
Permission to access 'Configure Request Capture Data' features (equivalent to RBAC permission). Management zones not supported.
ALLOW environment:roles:configure-request-capture-data;
Permission to access 'Log Viewer' features (equivalent to RBAC permission).
ALLOW environment:roles:logviewer;
Permission to access 'Environment Manage Settings' features (equivalent to RBAC permission).
ALLOW environment:roles:manage-settings;
Permission to access 'Replay Sessions With Masking' features (equivalent to RBAC permission).
ALLOW environment:roles:replay-sessions-with-masking;
Permission to access 'Replay Sessions Without Masking' features (equivalent to RBAC permission).
ALLOW environment:roles:replay-sessions-without-masking;
Permission to access 'View Security Problems' features (equivalent to RBAC permission).
ALLOW environment:roles:view-security-problems;
Permission to access 'View Sensitive Request Data' features (equivalent to RBAC permission).
ALLOW environment:roles:view-sensitive-request-data;
Permission to access 'Environment Roles Viewer' features (equivalent to RBAC permission).
ALLOW environment:roles:viewer;