Dynatrace default policies

As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.

You can assign policies to groups via the user group details either on the account level, which includes all environments in that account, or on the individual environment level.

You can find the default policies in the Policy overview of Account Management.

Access to Dynatrace

AppEngine - Admin

Full access to AppEngine and read access to AutomationEngine.

ALLOW
app-engine:functions:run,
app-engine:apps:run,
app-engine:apps:install,
app-engine:edge-connects:read,
app-engine:edge-connects:write,
app-engine:edge-connects:delete,
app-engine:apps:delete;
ALLOW
hub:catalog:read;
ALLOW
automation:workflows:read,
automation:rules:read,
automation:calendars:read;
ALLOW
document:documents:read,
document:documents:write,
document:documents:delete,
document:environment-shares:read,
document:environment-shares:write,
document:environment-shares:claim,
document:environment-shares:delete,
document:direct-shares:read,
document:direct-shares:write,
document:direct-shares:delete,
document:trash.documents:read,
document:trash.documents:restore,
document:trash.documents:delete;
ALLOW
davis:analyzers:read,
davis:analyzers:execute;
ALLOW
state:app-states:read,
state:app-states:write,
state:app-states:delete,
state:user-app-states:read,
state:user-app-states:write,
state:user-app-states:delete,
state-management:app-states:delete,
state-management:user-app-states:delete,
state-management:user-app-states:delete-all,
app-settings:objects:read,
app-settings:objects:write;
ALLOW
settings:objects:read,
settings:objects:write,
settings:schemas:read where settings:schemaId startsWith "app:";
ALLOW
oauth2:clients:manage where oauth2:scopes="app-engine:edge-connects:connect";
ALLOW
email:emails:send;
ALLOW
storage:bucket-definitions:read,
storage:bucket-definitions:write,
storage:bucket-definitions:truncate,
storage:bucket-definitions:delete;
ALLOW hyperscaler-authentication:aws:authenticate;

AppEngine - Developer access

Users are allowed to install and delete custom apps. The app-engine:apps:run permission is additionally required to access AppEngine.

ALLOW
app-engine:apps:install,
app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW
hub:catalog:read;
ALLOW
email:emails:send;

DynatraceAccessProUser

Grants advanced permissions to build, deploy, and run fully featured apps and automated workflows that make use of key platform services.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;
//OpenPipeline
ALLOW openpipeline:configurations:read;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write;
//Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
//IAM
ALLOW iam:service-users:use;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
//Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:view-security-problems, environment:roles:manage-security-problems;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
//SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;

DynatraceAccessAdminUser

Grants administrative access across all platform services.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, state-management:app-states:delete;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:documents:admin, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Grail
ALLOW storage:bucket-definitions:read, storage:filter-segments:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete, storage:filter-segments:admin;
//OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install, app-engine:apps:delete;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write, automation:workflows:admin;
//Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
//IAM
ALLOW iam:service-users:use, oauth2:clients:manage;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read, app-settings:objects:write, settings:objects:write;
//Extensions
ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;
//Deployment
ALLOW deployment:activegates.network-zones:write, deployment:activegates.groups:write, deployment:oneagents.network-zones:write, deployment:oneagents.host-groups:write, deployment:oneagents.host-tags:write, deployment:oneagents.host-properties:write;
//Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:agent-install, environment:roles:configure-request-capture-data, environment:roles:manage-security-problems, cloudautomation:resources:read, cloudautomation:resources:write, cloudautomation:resources:delete, cloudautomation:metadata:read, cloudautomation:events:read, cloudautomation:events:write, cloudautomation:logs:read, cloudautomation:logs:write, cloudautomation:projects:read, cloudautomation:projects:write, cloudautomation:projects:delete, cloudautomation:stages:read, cloudautomation:services:read, cloudautomation:services:write, cloudautomation:services:delete, cloudautomation:integrations:read, cloudautomation:integrations:write, cloudautomation:integrations:delete, cloudautomation:secrets:read, cloudautomation:secrets:write, cloudautomation:secrets:delete, cloudautomation:instance:manage, cloudautomation:statistics:read;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
//SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;

AppEngine - User

Basic access to AppEngine to run apps and Launcher; AutomationEngine read access.

ALLOW
app-engine:apps:run,
app-engine:functions:run,
app-engine:edge-connects:read;
ALLOW
automation:workflows:read,
automation:rules:read,
automation:calendars:read;
ALLOW
hub:catalog:read;
ALLOW
document:documents:read,
document:documents:write,
document:documents:delete,
document:environment-shares:read,
document:environment-shares:write,
document:environment-shares:claim,
document:environment-shares:delete,
document:direct-shares:read,
document:direct-shares:write,
document:direct-shares:delete,
document:trash.documents:read,
document:trash.documents:restore,
document:trash.documents:delete;
ALLOW
davis:analyzers:read,
davis:analyzers:execute;
ALLOW
state:app-states:read,
state:app-states:write,
state:app-states:delete,
state:user-app-states:read,
state:user-app-states:write,
state:user-app-states:delete,
state-management:user-app-states:delete,
app-settings:objects:read;
ALLOW
email:emails:send;
ALLOW
storage:bucket-definitions:read;

AutomationEngine - Admin access

Grants admin access to automation service and workflows.

ALLOW
automation:workflows:admin,
automation:workflows:read,
automation:workflows:write,
automation:workflows:run,
automation:rules:read,
automation:rules:write,
automation:calendars:read,
automation:calendars:write;

AutomationEngine - User access

Grants access to automation service and workflows.

ALLOW
automation:workflows:read,
automation:workflows:write,
automation:workflows:run,
automation:rules:read,
automation:rules:write,
automation:calendars:read,
automation:calendars:write;

Access to data

Storage All Grail Data Read

Unconditional access to all Grail tables and to all Grail buckets. Tables introduced in the future will be added to this policy.

ALLOW
storage:buckets:read;
ALLOW
storage:system:read,
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:entities:read,
storage:bizevents:read,
storage:spans:read;

Storage All System Data Read

Unconditional access to all Grail system tables (prefixed with dt.).

ALLOW
storage:buckets:read
WHERE storage:table-name STARTSWITH "dt.";
ALLOW
storage:system:read;

Storage Bizevents Read

Unconditional access to the bizevents table and to all bizevent buckets, including all custom bizevent buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "bizevents";
ALLOW
storage:bizevents:read;

Storage Entities Read

Unconditional access to the entities table.

ALLOW
storage:entities:read;

Storage Events Read

Unconditional access to the events table and to all event buckets (excluding security events).

ALLOW
storage:buckets:read
WHERE storage:table-name = "events"
AND storage:bucket-name NOT IN ("default_security_events","default_security_custom_events");
ALLOW storage:events:read;

Storage Default Monitoring Read

Unconditional access to all Grail tables and to the default buckets (excluding security events). Tables and default buckets introduced in the future will be added to this policy.

ALLOW
storage:buckets:read
WHERE storage:bucket-name IN (
"default_logs",
"default_bizevents",
"default_events",
"default_metrics",
"default_spans",
"default_selfmon_events",
"default_davis_events",
"default_k8s_ops_events",
"default_davis_custom_events",
"default_davis_k8s_ops_events"
);
ALLOW
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:entities:read,
storage:bizevents:read,
storage:spans:read;

Storage Logs Read

Unconditional access to the logs table and to all log buckets, including all custom log buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "logs";
ALLOW storage:logs:read;

Storage Metrics Read

Unconditional access to the metrics table and to all metrics buckets, including all custom metrics buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;

Storage Metrics Write

Enables writing metrics to Grail.

ALLOW storage:buckets:write WHERE storage:table-name = "metrics";
ALLOW storage:metrics:write;

Storage Security Events Read

Unconditional access to the events table and to the default security event buckets.

ALLOW
storage:buckets:read
WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;

Storage Spans Read

Unconditional access to the spans table and to all spans buckets, including all custom spans buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "spans";
ALLOW storage:spans:read;
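
The storage policies above scope storage:buckets:read with WHERE conditions on storage:table-name and storage:bucket-name (note how Storage Events Read and Storage Security Events Read partition the security buckets between them), and AppEngine - Developer access uses a startsWith condition on shared:app-id. The following Python evaluator is an added example, not Dynatrace's own code: it parses the statement shape used on this page (ALLOW permissions, an optional WHERE with =, startsWith, IN and NOT IN joined by AND, statements ended by ;) and answers whether a request is allowed, so an administrator can check what a group bound to several default policies can actually read before binding them. The grammar, the assumption that a WHERE clause applies to every permission in its statement, the treatment of a missing request attribute as "condition not met", and the bucket catalogue are assumptions of the example; the three policy texts are copied from this page.

```python
"""Evaluator for the ALLOW ... WHERE ...; policy statements shown on this page.

Added example, not Dynatrace code. Assumed grammar (read off the statements
on the page): ALLOW perm[, perm ...] [WHERE cond [AND cond ...]];
where cond is key = "v" | key startsWith "v" | key IN ("v", ...) | key NOT IN ("v", ...).
Assumed semantics: a WHERE clause applies to every permission in its statement,
and a request lacking an attribute named in a condition does not satisfy it.
"""
import re

STATEMENT_RE = re.compile(r"ALLOW\s+(.*?)(?:\s+WHERE\s+(.*?))?\s*;", re.I | re.S)
COND_RE = re.compile(
    r'([\w:.\-]+)\s*(NOT\s+IN|IN|=|STARTSWITH)\s*(\([^)]*\)|"[^"]*")', re.I | re.S
)
STR_RE = re.compile(r'"([^"]*)"')


def parse_policy(text):
    """Return a list of (permissions, conditions); a condition is (key, op, values)."""
    text = re.sub(r"//[^\n]*", "", text)  # drop the // comment lines used on the page
    statements = []
    for m in STATEMENT_RE.finditer(text):
        perms = [p.strip() for p in m.group(1).split(",") if p.strip()]
        conds = []
        for key, op, rhs in COND_RE.findall(m.group(2) or ""):
            conds.append((key, re.sub(r"\s+", " ", op.upper()), STR_RE.findall(rhs)))
        statements.append((perms, conds))
    return statements


def _holds(cond, attrs):
    """Evaluate one condition against the request attributes (missing attribute -> False)."""
    key, op, values = cond
    actual = attrs.get(key)
    if actual is None:
        return False
    if op == "=":
        return actual == values[0]
    if op == "STARTSWITH":
        return actual.startswith(values[0])
    if op == "IN":
        return actual in values
    if op == "NOT IN":
        return actual not in values
    raise ValueError("unsupported operator: " + op)


def is_allowed(statements, permission, attrs):
    """True if any statement grants the permission with all its conditions met.

    The policies on this page contain only ALLOW statements, so the effective
    permission set of a group is the union of every statement bound to it.
    """
    return any(
        permission in perms and all(_holds(c, attrs) for c in conds)
        for perms, conds in statements
    )


def can_read_bucket(policy_texts, table, bucket):
    """Can a group bound to these policies read the given table/bucket pair?"""
    statements = [s for text in policy_texts for s in parse_policy(text)]
    attrs = {"storage:table-name": table, "storage:bucket-name": bucket}
    return is_allowed(statements, "storage:buckets:read", attrs)


def effective_buckets(policy_texts, catalogue):
    """Subset of a (table, bucket) catalogue that the bound policies allow reading."""
    return {tb for tb in catalogue if can_read_bucket(policy_texts, *tb)}


# Policy texts copied from this page.
EVENTS_READ = """
ALLOW
storage:buckets:read
WHERE storage:table-name = "events"
AND storage:bucket-name NOT IN ("default_security_events","default_security_custom_events");
ALLOW storage:events:read;
"""
SECURITY_EVENTS_READ = """
ALLOW
storage:buckets:read
WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
"""
DEVELOPER_ACCESS = """
ALLOW
app-engine:apps:install,
app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW
hub:catalog:read;
"""

# Constructed bucket catalogue for the example (not a real environment's inventory).
CATALOGUE = [
    ("events", "default_events"),
    ("events", "default_security_events"),
    ("events", "default_security_custom_events"),
    ("logs", "default_logs"),
]

if __name__ == "__main__":
    print("Storage Events Read only:", effective_buckets([EVENTS_READ], CATALOGUE))
    print("Both event policies:", effective_buckets([EVENTS_READ, SECURITY_EVENTS_READ], CATALOGUE))
    dev = parse_policy(DEVELOPER_ACCESS)
    print("delete my.app:", is_allowed(dev, "app-engine:apps:delete", {"shared:app-id": "my.app"}))
    print("delete vendor.app:", is_allowed(dev, "app-engine:apps:delete", {"shared:app-id": "vendor.app"}))
```

Binding only Storage Events Read leaves the two security buckets unreadable; adding Storage Security Events Read extends the readable set to exactly those two buckets, which is the separation the two policies are designed to give. The developer policy shows why the WHERE clause matters for least privilege: app-engine:apps:delete is granted only for app ids starting with "my".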

Role-based policies

Environment role - Download/install OneAgent

Permission to access 'Agent Install' features (equivalent to RBAC permission). Management zones not supported.

ALLOW environment:roles:agent-install;

Environment role - Configure capture of sensitive data

Permission to access 'Configure Request Capture Data' features (equivalent to RBAC permission). Management zones not supported.

ALLOW environment:roles:configure-request-capture-data;

Environment role - View logs

Permission to access 'Log Viewer' features (equivalent to RBAC permission).

ALLOW environment:roles:logviewer;

Environment role - Change monitoring settings

Permission to access 'Environment Manage Settings' features (equivalent to RBAC permission).

ALLOW environment:roles:manage-settings;

Environment role - Replay session data

Permission to access 'Replay Sessions With Masking' features (equivalent to RBAC permission).

ALLOW environment:roles:replay-sessions-with-masking;

Environment role - Replay session data without masking

Permission to access 'Replay Sessions Without Masking' features (equivalent to RBAC permission).

ALLOW environment:roles:replay-sessions-without-masking;

Environment role - View security problems

Permission to access 'View Security Problems' features (equivalent to RBAC permission).

ALLOW environment:roles:view-security-problems;

Environment role - View sensitive request data

Permission to access 'View Sensitive Request Data' features (equivalent to RBAC permission).

ALLOW environment:roles:view-sensitive-request-data;

Environment role - Access environment

Permission to access 'Environment Roles Viewer' features (equivalent to RBAC permission).

ALLOW environment:roles:viewer;