Dynatrace default policies

As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.

You can assign policies to groups via the user group details either on the account level, which includes all environments in that account, or on the individual environment level.

You can find the default policies in the Policy overview of the Account Management.

Access to Dynatrace

AppEngine - Admin

Full access to AppEngine and read access to AutomationEngine

ALLOW
app-engine:functions:run,
app-engine:apps:run,
app-engine:apps:install,
app-engine:edge-connects:read,
app-engine:edge-connects:write,
app-engine:edge-connects:delete,
app-engine:apps:delete;
ALLOW
hub:catalog:read;
ALLOW
automation:workflows:read,
automation:rules:read,
automation:calendars:read;
ALLOW
document:documents:read,
document:documents:write,
document:documents:delete,
document:environment-shares:read,
document:environment-shares:write,
document:environment-shares:claim,
document:environment-shares:delete,
document:direct-shares:read,
document:direct-shares:write,
document:direct-shares:delete,
document:trash.documents:read,
document:trash.documents:restore,
document:trash.documents:delete;
ALLOW
davis:analyzers:read,
davis:analyzers:execute;
ALLOW
state:app-states:read,
state:app-states:write,
state:app-states:delete,
state:user-app-states:read,
state:user-app-states:write,
state:user-app-states:delete,
state-management:app-states:delete,
state-management:user-app-states:delete,
state-management:user-app-states:delete-all,
app-settings:objects:read,
app-settings:objects:write;
ALLOW
settings:objects:read,
settings:objects:write,
settings:schemas:read where settings:schemaId startsWith "app:";
ALLOW
oauth2:clients:manage where oauth2:scopes="app-engine:edge-connects:connect";
ALLOW
email:emails:send;
ALLOW
storage:bucket-definitions:read,
storage:bucket-definitions:write,
storage:bucket-definitions:truncate,
storage:bucket-definitions:delete;
ALLOW hyperscaler-authentication:aws:authenticate;

AppEngine - Developer access

Users are allowed to install and delete custom apps; the additional app-engine:apps:run permission is necessary to access AppEngine.

ALLOW
app-engine:apps:install,
app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW
hub:catalog:read;
ALLOW
email:emails:send;

AppEngine - User

Basic access to AppEngine to run apps and the Launcher, plus read access to AutomationEngine.

ALLOW
app-engine:apps:run,
app-engine:functions:run,
app-engine:edge-connects:read;
ALLOW
automation:workflows:read,
automation:rules:read,
automation:calendars:read;
ALLOW
hub:catalog:read;
ALLOW
document:documents:read,
document:documents:write,
document:documents:delete,
document:environment-shares:read,
document:environment-shares:write,
document:environment-shares:claim,
document:environment-shares:delete,
document:direct-shares:read,
document:direct-shares:write,
document:direct-shares:delete,
document:trash.documents:read,
document:trash.documents:restore,
document:trash.documents:delete;
ALLOW
davis:analyzers:read,
davis:analyzers:execute;
ALLOW
state:app-states:read,
state:app-states:write,
state:app-states:delete,
state:user-app-states:read,
state:user-app-states:write,
state:user-app-states:delete,
state-management:user-app-states:delete,
app-settings:objects:read;
ALLOW
email:emails:send;
ALLOW
storage:bucket-definitions:read;

AutomationEngine - Admin access

Grants admin access to the automation service and workflows.

ALLOW
automation:workflows:admin,
automation:workflows:read,
automation:workflows:write,
automation:workflows:run,
automation:rules:read,
automation:rules:write,
automation:calendars:read,
automation:calendars:write;

AutomationEngine - User access

Grants access to the automation service and workflows.

ALLOW
automation:workflows:read,
automation:workflows:write,
automation:workflows:run,
automation:rules:read,
automation:rules:write,
automation:calendars:read,
automation:calendars:write;

Access to data

Storage All Grail Data Read

Unconditional access to all Grail tables and to all Grail buckets. New tables will be added to this policy as they are introduced.

ALLOW
storage:buckets:read;
ALLOW
storage:system:read,
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:entities:read,
storage:bizevents:read,
storage:spans:read;

Storage All System Data Read

Unconditional access to all Grail system tables (prefixed with dt.).

ALLOW
storage:buckets:read
WHERE storage:table-name STARTSWITH "dt.";
ALLOW
storage:system:read;

Storage Bizevents Read

Unconditional access to the bizevents table and to all bizevent buckets, including all custom bizevent buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "bizevents";
ALLOW
storage:bizevents:read;

Storage Entities Read

Unconditional access to the entities table.

ALLOW
storage:entities:read;

Storage Events Read

Unconditional access to the events table and to all event buckets (excluding security events).

ALLOW
storage:buckets:read
WHERE storage:table-name = "events"
AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;

Storage Default Monitoring Read

Unconditional access to all Grail tables and to the default buckets (excluding security events). New tables and default buckets will be added to this policy as they are introduced.

ALLOW
storage:buckets:read
WHERE storage:bucket-name IN (
"default_logs",
"default_bizevents",
"default_events",
"default_metrics",
"default_spans",
"default_selfmon_events",
"default_davis_events",
"default_k8s_ops_events",
"default_davis_custom_events",
"default_davis_k8s_ops_events"
);
ALLOW
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:entities:read,
storage:bizevents:read,
storage:spans:read;

Storage Logs Read

Unconditional access to the logs table and to all log buckets, including all custom log buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "logs";
ALLOW storage:logs:read;

Storage Metrics Read

Unconditional access to the metrics table and to all metrics buckets, including all custom metrics buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;

Storage Metrics Write

Enables writing metrics to Grail.

ALLOW storage:buckets:write WHERE storage:table-name = "metrics";
ALLOW storage:metrics:write;

Storage Security Events Read

Unconditional access to the events table and to the default security event buckets.

ALLOW
storage:buckets:read
WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;

Storage Spans Read

Unconditional access to the spans table and to all spans buckets, including all custom spans buckets.

ALLOW
storage:buckets:read
WHERE storage:table-name = "spans";
ALLOW storage:spans:read;
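The WHERE clauses in the policies above (table-name equality, bucket-name IN / NOT IN, startsWith) are what decide whether a read of a given bucket is actually granted, for example that "Storage Events Read" excludes the security-event buckets. The following Python example is added here and is not Dynatrace code; it parses statements in the syntax shown on this page into a simplified model and evaluates a permission against a context, assuming that a WHERE clause is a conjunction that applies to every permission in its statement and that only the operators seen on this page occur.

```python
import re

# Added example (not Dynatrace code): a simplified model of the statement syntax
# shown on this page, "ALLOW perm[, perm ...] [WHERE cond [AND cond ...]];".
# Assumptions: conditions are a conjunction that applies to every permission in
# the statement, and operators are limited to =, IN, NOT IN and startsWith.
STMT_RE = re.compile(r"ALLOW\s+(.*?)(?:\s+WHERE\s+(.*))?$", re.S | re.I)
COND_RE = re.compile(r"^([\w:.-]+)\s*(=|startsWith|NOT IN|IN)\s*(.*)$", re.S | re.I)
OPS = {"=": lambda a, v: a == v[0], "STARTSWITH": lambda a, v: a.startswith(v[0]),
       "IN": lambda a, v: a in v, "NOT_IN": lambda a, v: a not in v}


def parse_condition(text):
    """'storage:table-name = "events"' -> ('storage:table-name', '=', ['events'])."""
    m = COND_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    op = m.group(2).upper().replace(" ", "_")  # "NOT IN" -> "NOT_IN"
    return m.group(1), op, re.findall(r'"([^"]*)"', m.group(3))


def parse_policy(text):
    """Return [(permissions, conditions), ...], one entry per ALLOW statement."""
    statements = []
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        m = STMT_RE.match(stmt)
        if not m:
            raise ValueError(f"unparseable statement: {stmt!r}")
        perms = [p.strip() for p in m.group(1).split(",") if p.strip()]
        where = (m.group(2) or "").strip()
        conds = [parse_condition(c) for c in re.split(r"\s+AND\s+", where, flags=re.I)] if where else []
        statements.append((perms, conds))
    return statements


def is_allowed(policy, permission, ctx=None):
    """True if some statement lists the permission and all of its conditions hold.
    A condition on an attribute absent from ctx never holds (no implicit grant)."""
    ctx = ctx or {}
    return any(permission in perms
               and all(a in ctx and OPS[op](ctx[a], v) for a, op, v in conds)
               for perms, conds in policy)


# Sample input constructed from the 'Storage Events Read' policy listed above.
EVENTS_READ = """ALLOW
storage:buckets:read
WHERE storage:table-name = "events"
AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;"""


def can_read_bucket(policy_text, table, bucket):
    """Would a query against `bucket` of `table` pass this policy's bucket check?"""
    ctx = {"storage:table-name": table, "storage:bucket-name": bucket}
    return is_allowed(parse_policy(policy_text), "storage:buckets:read", ctx)
```

Feeding each default policy through `parse_policy` and filtering permissions ending in `:write` or `:delete` is a quick way to see which of them grant mutating access before binding them to a group.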

Role-based policies

Environment role - Download/install OneAgent

Permission to access 'Agent Install' features (equivalent to the RBAC permission). Management zones not supported.

ALLOW environment:roles:agent-install;

Environment role - Configure capture of sensitive data

Permission to access 'Configure Request Capture Data' features (equivalent to the RBAC permission). Management zones not supported.

ALLOW environment:roles:configure-request-capture-data;

Environment role - View logs

Permission to access 'Log Viewer' features (equivalent to the RBAC permission).

ALLOW environment:roles:logviewer;

Environment role - Change monitoring settings

Permission to access 'Environment Manage Settings' features (equivalent to the RBAC permission).

ALLOW environment:roles:manage-settings;

Environment role - Replay session data

Permission to access 'Replay Sessions With Masking' features (equivalent to the RBAC permission).

ALLOW environment:roles:replay-sessions-with-masking;

Environment role - Replay session data without masking

Permission to access 'Replay Sessions Without Masking' features (equivalent to the RBAC permission).

ALLOW environment:roles:replay-sessions-without-masking;

Environment role - View security problems

Permission to access 'View Security Problems' features (equivalent to the RBAC permission).

ALLOW environment:roles:view-security-problems;

Environment role - View sensitive request data

Permission to access 'View Sensitive Request Data' features (equivalent to the RBAC permission).

ALLOW environment:roles:view-sensitive-request-data;

Environment role - Access environment

Permission to access 'Environment Roles Viewer' features (equivalent to the RBAC permission).

ALLOW environment:roles:viewer;