Grant access to Dynatrace through default groups and permissions

To get you started, Dynatrace provides a default set of editable groups for account and environment users. You can edit and adapt these default groups to fit your needs or you can create new groups.

Default environment permissions

These groups are created for users who work with Dynatrace to monitor the health of the hosts, services, and infrastructure in their application environments.

Dynatrace offers the following user groups with environment permissions.

User group
Account permissions

Confidential data admin

Can view personal data (for example, method arguments) and configure request-data capture rules.

Default roles:

  • View environment
  • Replay sessions with masking
  • View sensitive request data
  • Manage capturing of sensitive request data
  • Manage monitoring settings

Default polices:

  • AppEngine - Admin
  • AutomationEngine - Admin access
  • Storage All Grail Data Read

Deployment admin

Can download and install OneAgent. Has read-only access to the environment. Can’t change settings.

Default roles:

  • View environment
  • Replay sessions with masking
  • Install OneAgent

Default policies:

  • AppEngine - User
  • AutomationEngine - User access
  • Storage Default Monitoring Read

Log viewer

Can access and view the contents of log files. Reserved for users who need access to sensitive log file data. No other access rights.

Default roles:

  • View environment
  • Replay sessions with masking
  • View logs

Default policies:

  • AppEngine - User
  • Storage Logs Read
  • AutomationEngine - User access

Monitoring admin

Has full environment access. Can change monitoring settings. Can download and install OneAgent.

Default roles:

  • View environment
  • Replay sessions with masking
  • Manage monitoring settings
  • Manage support tickets
  • Install OneAgent

Default policies:

  • AppEngine - Admin
  • Ingest Events write
  • Storage All Grail Data Read
  • AutomationEngine - Admin access

Monitoring viewer

Can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent.

Default roles:

  • View environment
  • Replay sessions with masking

Default policies:

  • AutomationEngine - User access
  • AppEngine - User
  • Storage Default Monitoring Read

Security admin

Can view and manage vulnerabilities.

Default roles:

  • Manage security problems

Default account permissions

These groups are created for users who are involved in managing account details such as company addresses, billing, payment information, and user management.

Dynatrace offers the following user groups with account permissions.

User group
Account permissions

Account manager

Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support.

Default permissions:

  • View account
  • View and manage account and billing information
  • View and manage users and groups

Account viewer

Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Default permissions:

  • View account

Finance admin

Can enter credit card data and review invoices. Has access to environment consumption data, Documentation, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info.

Default permissions:

  • View account
  • View and manage account and billing information