Grant access to Dynatrace through default groups and permissions

To get you started, Dynatrace provides a default set of editable groups for account and environment users. You can edit and adapt these default groups to fit your needs or you can create new groups.

Dynatrace default groups

Dynatrace offers the following user groups with environment and account permissions.

User group and permissions

Environment Users

Basic access to Dynatrace in all environments of the account.

Default policies:

  • Standard User
  • Read Entities
  • Read Events
  • Read Metrics
  • Read Logs
  • Read Spans
  • Read User Sessions

Environment Professionals

Access advanced features in all environments of the account.

Default policies:

  • Pro User
  • Read Entities
  • Read Events
  • Read Metrics
  • Read Logs
  • Read Spans
  • Read User Sessions

Environment Admins

Full access to all functions in all environments of the account.

Default policies:

  • Admin User
  • Data Processing and Storage
  • All Grail data read access

Account Admins

Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support.

Account viewers

Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Dynatrace default policies

As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.

You can assign policies to groups via the user group details, either at the account level (which covers all environments in that account) or at the level of an individual environment.

You can find the default policies in the Policy overview of Account Management.

Dynatrace access

Standard User

Grants access to the environment and the ability to run apps.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Grail read data
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read;
//OpenPipeline
ALLOW openpipeline:configurations:read;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read;
//Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
//Classics
ALLOW environment:roles:viewer, environment:roles:view-security-problems;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
//SLOs
ALLOW slo:slos:read, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;

Pro user

Grants advanced permissions to build, deploy, and run fully featured apps and automated workflows that make use of key platform services.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;
//OpenPipeline
ALLOW openpipeline:configurations:read;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write;
//Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
//IAM
ALLOW iam:service-users:use;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
//Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:view-security-problems, environment:roles:manage-security-problems;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
//SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;

Admin user

Grants administrative access across all platform services.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, state-management:app-states:delete;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:documents:admin, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Grail
ALLOW storage:bucket-definitions:read, storage:filter-segments:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete, storage:filter-segments:admin;
//OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install, app-engine:apps:delete;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write, automation:workflows:admin;
//Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
//IAM
ALLOW iam:service-users:use, oauth2:clients:manage;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read, app-settings:objects:write, settings:objects:write;
//Extensions
ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;
//Deployment
ALLOW deployment:activegates.network-zones:write, deployment:activegates.groups:write, deployment:oneagents.network-zones:write, deployment:oneagents.host-groups:write, deployment:oneagents.host-tags:write, deployment:oneagents.host-properties:write;
//Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:agent-install, environment:roles:configure-request-capture-data, environment:roles:manage-security-problems, cloudautomation:resources:read, cloudautomation:resources:write, cloudautomation:resources:delete, cloudautomation:metadata:read, cloudautomation:events:read, cloudautomation:events:write, cloudautomation:logs:read, cloudautomation:logs:write, cloudautomation:projects:read, cloudautomation:projects:write, cloudautomation:projects:delete, cloudautomation:stages:read, cloudautomation:services:read, cloudautomation:services:write, cloudautomation:services:delete, cloudautomation:integrations:read, cloudautomation:integrations:write, cloudautomation:integrations:delete, cloudautomation:secrets:read, cloudautomation:secrets:write, cloudautomation:secrets:delete, cloudautomation:instance:manage, cloudautomation:statistics:read;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
//SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;

Data access

Data Processing and Storage

Access to bucket management and configuration of OpenPipeline processing capabilities.

// OpenPipeline
ALLOW
openpipeline:configurations:read,
openpipeline:configurations:write;
// Grail read data
ALLOW
storage:bucket-definitions:write,
storage:bucket-definitions:delete,
storage:bucket-definitions:truncate;

Storage All Grail Data Read

Unconditional access to all Grail tables and to all Grail buckets. Tables introduced in the future will be added to this policy as well.

//Grail read data
ALLOW
storage:buckets:read,
storage:logs:read,
storage:metrics:read,
storage:spans:read,
storage:bizevents:read,
storage:events:read,
storage:system:read,
storage:spans:read,
storage:entities:read,
storage:user.events:read;

Storage Spans Read

Unconditional access to the spans table and to all spans buckets, including all custom spans buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "spans";
ALLOW storage:spans:read;

Storage Events Read

Unconditional access to the events table and to all event buckets (excluding security events).

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "events" AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;

Read System Events

Grants read access to all System Events data.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "system";
ALLOW storage:system:read;

Storage Metrics Read

Unconditional access to the metrics table and to all metrics buckets, including all custom metrics buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;

Storage Entities Read

Unconditional access to the entities table.

//Grail read data
ALLOW storage:entities:read;
ALLOW storage:buckets:read WHERE storage:table-name IN ("entities");

Storage Logs Read

Unconditional access to the logs table and to all log buckets, including all custom log buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "logs";
ALLOW storage:logs:read;
//Classics
ALLOW environment:roles:logviewer;

Storage Security Events Read

Unconditional access to the events table and to the default security event buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
// Field level permissions
ALLOW storage:fieldsets:read WHERE storage:table-name = 'events' AND storage:bucket-name = 'default_security_events';

Storage Bizevents Read

Unconditional access to the bizevents table and to all bizevent buckets, including all custom bizevent buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "bizevents";
ALLOW storage:bizevents:read;
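As an added example (not part of the Dynatrace documentation or product), the following Python parser and evaluator handles the statement notation used in the policies above and is run against the Storage Events Read and Storage Security Events Read policies to confirm that their bucket conditions (NOT IN versus IN on the two default security buckets) are exact complements. It assumes that keywords are case-insensitive and that a condition whose attribute is absent from the request is not satisfied; those assumptions, and the request attributes used, are mine rather than documented behaviour.

```python
import re

# Assumptions (not stated on the page): keywords are case-insensitive, statements end at ";",
# comment lines start with "//", and a condition on a missing request attribute is unsatisfied.
COND_RE = re.compile(r"""(?P<key>[\w:.-]+)\s*(?P<op>=|NOT\s+IN|IN|startsWith)\s*"""
                     r"""(?P<val>\([^)]*\)|"[^"]*"|'[^']*')""", re.IGNORECASE)

def parse_policy(text):
    """Return [(permissions, conditions)] where conditions is [(attribute, OP, [values])]."""
    body = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    statements = []
    for chunk in body.split(";"):
        chunk = " ".join(chunk.split())                 # join wrapped lines, drop indentation
        if not chunk:
            continue
        m = re.fullmatch(r"ALLOW\s+(.*?)(?:\s+WHERE\s+(.*))?", chunk, re.IGNORECASE)
        if not m:
            raise ValueError(f"unrecognised statement: {chunk!r}")
        perms = [p.strip() for p in m.group(1).split(",") if p.strip()]
        conds = []
        for raw in re.split(r"\s+AND\s+", m.group(2) or "", flags=re.IGNORECASE):
            if raw:
                c = COND_RE.fullmatch(raw.strip())
                if not c:
                    raise ValueError(f"unrecognised condition: {raw!r}")
                op = " ".join(c.group("op").upper().split())    # "not  in" -> "NOT IN"
                values = re.findall(r"""["']([^"']*)["']""", c.group("val"))
                conds.append((c.group("key"), op, values))
        statements.append((perms, conds))
    return statements

def _holds(cond, attrs):
    key, op, values = cond
    actual = attrs.get(key)
    if actual is None:                                  # deny by default (assumption)
        return False
    if op == "=":
        return actual == values[0]
    if op in ("IN", "NOT IN"):
        return (actual in values) == (op == "IN")
    return actual.startswith(values[0])                 # STARTSWITH

def is_allowed(statements, permission, attrs=None):
    """True if some statement lists `permission` and every condition on it holds for `attrs`."""
    attrs = attrs or {}
    return any(permission in perms and all(_holds(c, attrs) for c in conds)
               for perms, conds in statements)

# Two policies quoted from the page: their bucket conditions are exact complements.
EVENTS_READ = """//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "events" AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;"""
SECURITY_EVENTS_READ = """//Grail read data
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
// Field level permissions
ALLOW storage:fieldsets:read WHERE storage:table-name = 'events' AND storage:bucket-name = 'default_security_events';"""
```

Calling `is_allowed(parse_policy(EVENTS_READ), "storage:buckets:read", {"storage:table-name": "events", "storage:bucket-name": "default_security_events"})` returns False while the same request against SECURITY_EVENTS_READ returns True, which is the split the two policy descriptions promise.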

Legacy default policies

The legacy default policies were previously used to provide access to Dynatrace. They are no longer available for new policy assignments, but existing assignments of these policies stay in place until removed.

AppEngine - Admin

Full access to AppEngine and read access to AutomationEngine.

ALLOW
app-engine:functions:run,
app-engine:apps:run,
app-engine:apps:install,
app-engine:edge-connects:read,
app-engine:edge-connects:write,
app-engine:edge-connects:delete,
app-engine:apps:delete;
ALLOW
hub:catalog:read;
ALLOW
automation:workflows:read,
automation:rules:read,
automation:calendars:read;
ALLOW
document:documents:read,
document:documents:write,
document:documents:delete,
document:environment-shares:read,
document:environment-shares:write,
document:environment-shares:claim,
document:environment-shares:delete,
document:direct-shares:read,
document:direct-shares:write,
document:direct-shares:delete,
document:trash.documents:read,
document:trash.documents:restore,
document:trash.documents:delete;
ALLOW
davis:analyzers:read,
davis:analyzers:execute;
ALLOW
state:app-states:read,
state:app-states:write,
state:app-states:delete,
state:user-app-states:read,
state:user-app-states:write,
state:user-app-states:delete,
state-management:app-states:delete,
state-management:user-app-states:delete,
state-management:user-app-states:delete-all,
app-settings:objects:read,
app-settings:objects:write;
ALLOW
settings:objects:read,
settings:objects:write,
settings:schemas:read where settings:schemaId startsWith "app:";
ALLOW
oauth2:clients:manage where oauth2:scopes="app-engine:edge-connects:connect";
ALLOW
email:emails:send;
ALLOW
storage:bucket-definitions:read,
storage:bucket-definitions:write,
storage:bucket-definitions:truncate,
storage:bucket-definitions:delete;
ALLOW hyperscaler-authentication:aws:authenticate;

AppEngine - Developer access

Users are allowed to install and delete custom apps. The app-engine:apps:run permission is additionally required to access AppEngine.

ALLOW
app-engine:apps:install,
app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW
hub:catalog:read;
ALLOW
email:emails:send;

AppEngine - Manage EdgeConnect

Full access to manage EdgeConnect.

ALLOW
app-engine:edge-connects:read,
app-engine:edge-connects:write,
app-engine:edge-connects:delete;
ALLOW
oauth2:clients:manage where oauth2:scopes="app-engine:edge-connects:connect";

AppEngine - User

Basic access to AppEngine to run apps and Launcher; AutomationEngine read access.

ALLOW
app-engine:apps:run,
app-engine:functions:run,
app-engine:edge-connects:read;
ALLOW
automation:workflows:read,
automation:rules:read,
automation:calendars:read;
ALLOW
hub:catalog:read;
ALLOW
document:documents:read,
document:documents:write,
document:documents:delete,
document:environment-shares:read,
document:environment-shares:write,
document:environment-shares:claim,
document:environment-shares:delete,
document:direct-shares:read,
document:direct-shares:write,
document:direct-shares:delete,
document:trash.documents:read,
document:trash.documents:restore,
document:trash.documents:delete;
ALLOW
davis:analyzers:read,
davis:analyzers:execute;
ALLOW
state:app-states:read,
state:app-states:write,
state:app-states:delete,
state:user-app-states:read,
state:user-app-states:write,
state:user-app-states:delete,
state-management:user-app-states:delete,
app-settings:objects:read;
ALLOW
email:emails:send;
ALLOW
storage:bucket-definitions:read;

AutomationEngine - Admin access

Grants admin access to automation service and workflows.

ALLOW
automation:workflows:admin,
automation:workflows:read,
automation:workflows:write,
automation:workflows:run,
automation:rules:read,
automation:rules:write,
automation:calendars:read,
automation:calendars:write;

AutomationEngine - User access

Grants access to automation service and workflows.

ALLOW
automation:workflows:read,
automation:workflows:write,
automation:workflows:run,
automation:rules:read,
automation:rules:write,
automation:calendars:read,
automation:calendars:write;

Data Processing and Storage

Access to bucket management and configuration of OpenPipeline processing capabilities.

// OpenPipeline
ALLOW
openpipeline:configurations:read,
openpipeline:configurations:write;
// Grail read data
ALLOW
storage:bucket-definitions:write,
storage:bucket-definitions:delete,
storage:bucket-definitions:truncate;

Email Service - allow to send email

Users are allowed to send emails from @apps.dynatrace.com through the public send-email API.

ALLOW email:emails:send;

Extensions - Admin access

Grants access to view, add, activate, update, and delete all extensions and their monitoring configurations.

ALLOW
extensions:definitions:read,
extensions:definitions:write,
extensions:configurations:read,
extensions:configurations:write,
extensions:configuration.actions:write;

Extensions - User access

Grants access to view all extensions and their monitoring configurations.

ALLOW
extensions:definitions:read,
extensions:configurations:read;

Hub Catalog Read

Grants read access to the Hub catalog content.

ALLOW hub:catalog:read;

Ingest Events write

Write events to the ingest endpoints.

ALLOW storage:events:write;

Settings Reader

Settings Reader Policy

ALLOW settings:objects:read, settings:schemas:read;

Settings Writer

Settings Writer Policy

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;

Environment role - Download/install OneAgent

Permission to access 'Agent Install' features (equivalent to RBAC permission). Management zones not supported.

ALLOW environment:roles:agent-install;

Environment role - Configure capture of sensitive data

Permission to access 'Configure Request Capture Data' features (equivalent to RBAC permission). Management zones not supported.

ALLOW environment:roles:configure-request-capture-data;

Environment role - View logs

Permission to access 'Log Viewer' features (equivalent to RBAC permission).

ALLOW environment:roles:logviewer;

Environment role - Change monitoring settings

Permission to access 'Environment Manage Settings' features (equivalent to RBAC permission).

ALLOW environment:roles:manage-settings;

Environment role - Replay session data

Permission to access 'Replay Sessions With Masking' features (equivalent to RBAC permission).

ALLOW environment:roles:replay-sessions-with-masking;

Environment role - Replay session data without masking

Permission to access 'Replay Sessions Without Masking' features (equivalent to RBAC permission).

ALLOW environment:roles:replay-sessions-without-masking;

Environment role - View security problems

Permission to access 'View Security Problems' features (equivalent to RBAC permission).

ALLOW environment:roles:view-security-problems;

Environment role - View sensitive request data

Permission to access 'View Sensitive Request Data' features (equivalent to RBAC permission).

ALLOW environment:roles:view-sensitive-request-data;

Environment role - Access environment

Permission to access 'Environment Roles Viewer' features (equivalent to RBAC permission).

ALLOW environment:roles:viewer;