To get you started, Dynatrace provides a default set of editable groups for account and environment users. You can edit and adapt these default groups to fit your needs or you can create new groups.
Dynatrace offers the following user groups with environment and account permissions.
User group: Environment Users
Permissions: Basic access to Dynatrace in all environments of the account.
Default policies:

User group: Environment Professionals
Permissions: Access advanced features in all environments of the account.
Default policies:

User group: Environment Admins
Permissions: Full access to all functions in all environments of the account.
Default policies:

User group: Account Admins
Permissions: Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support.

User group: Account viewers
Permissions: Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can't edit groups or assign users to groups.
As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.
You can assign policies to groups via the user group details either on the account level, which includes all environments in that account, or on the individual environment level.
You can find the default policies in the Policy overview of Account Management.
Grants access to the environment and the ability to run apps.
// States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
// Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
// Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
// Grail read data
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read;
// OpenPipeline
ALLOW openpipeline:configurations:read;
// Hub
ALLOW hub:catalog:read;
// AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
// Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
// AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read;
// Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
// Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
// Classics
ALLOW environment:roles:viewer, environment:roles:view-security-problems;
// Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
// SLOs
ALLOW slo:slos:read, slo:objective-templates:read;
// BusinessInsights
ALLOW insights:opportunities:read;
Grants advanced permissions to build, deploy, and run fully featured apps and automated workflows that make use of key platform services.
// States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
// Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
// Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
// Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;
// OpenPipeline
ALLOW openpipeline:configurations:read;
// Hub
ALLOW hub:catalog:read;
// AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install;
// Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
// AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write;
// Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
// IAM
ALLOW iam:service-users:use;
// Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
// Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:view-security-problems, environment:roles:manage-security-problems;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
// Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
// SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
// BusinessInsights
ALLOW insights:opportunities:read;
Grants administrative access across all platform services.
// States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, state-management:app-states:delete;
// Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:documents:admin, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
// Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
// Grail
ALLOW storage:bucket-definitions:read, storage:filter-segments:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete, storage:filter-segments:admin;
// OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
// Hub
ALLOW hub:catalog:read;
// AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install, app-engine:apps:delete;
// Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;
// AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write, automation:workflows:admin;
// Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;
// IAM
ALLOW iam:service-users:use, oauth2:clients:manage;
// Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read, app-settings:objects:write, settings:objects:write;
// Extensions
ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;
// Deployment
ALLOW deployment:activegates.network-zones:write, deployment:activegates.groups:write, deployment:oneagents.network-zones:write, deployment:oneagents.host-groups:write, deployment:oneagents.host-tags:write, deployment:oneagents.host-properties:write;
// Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:agent-install, environment:roles:configure-request-capture-data, environment:roles:manage-security-problems, cloudautomation:resources:read, cloudautomation:resources:write, cloudautomation:resources:delete, cloudautomation:metadata:read, cloudautomation:events:read, cloudautomation:events:write, cloudautomation:logs:read, cloudautomation:logs:write, cloudautomation:projects:read, cloudautomation:projects:write, cloudautomation:projects:delete, cloudautomation:stages:read, cloudautomation:services:read, cloudautomation:services:write, cloudautomation:services:delete, cloudautomation:integrations:read, cloudautomation:integrations:write, cloudautomation:integrations:delete, cloudautomation:secrets:read, cloudautomation:secrets:write, cloudautomation:secrets:delete, cloudautomation:instance:manage, cloudautomation:statistics:read;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
// Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
// SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
// BusinessInsights
ALLOW insights:opportunities:read;
Access to bucket management and configuration of OpenPipeline processing capabilities.
// OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
// Grail read data
ALLOW storage:bucket-definitions:write, storage:bucket-definitions:delete, storage:bucket-definitions:truncate;
Unconditional access to all Grail tables and to all Grail buckets. New tables will be added to this policy.
// Grail read data
ALLOW storage:buckets:read, storage:logs:read, storage:metrics:read, storage:spans:read, storage:bizevents:read, storage:events:read, storage:system:read, storage:spans:read, storage:entities:read, storage:user.events:read;
Unconditional access to the spans table and to all spans buckets, including all custom spans buckets.
// Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "spans";
ALLOW storage:spans:read;
Unconditional access to the events table and to all event buckets (excluding security events).
// Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "events" AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
Grants read access to all System Events data.
// Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "system";
ALLOW storage:system:read;
Unconditional access to the metrics table and to all metrics buckets, including all custom metrics buckets.
// Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;
Unconditional access to the entities table.
// Grail read data
ALLOW storage:entities:read;
ALLOW storage:buckets:read WHERE storage:table-name IN ("entities");
Unconditional access to the logs table and to all log buckets, including all custom log buckets.
// Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "logs";
ALLOW storage:logs:read;
// Classics
ALLOW environment:roles:logviewer;
Unconditional access to the events table and to the default security event buckets.
// Grail read data
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
// Field level permissions
ALLOW storage:fieldsets:read WHERE storage:table-name = 'events' AND storage:bucket-name = 'default_security_events';
Unconditional access to the bizevents table and to all bizevent buckets, including all custom bizevent buckets.
// Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "bizevents";
ALLOW storage:bizevents:read;
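All the policies above use one statement grammar: ALLOW permission[, permission...] [WHERE condition]; with optional // comments. The following is an added example, not code from the Dynatrace documentation: a small parser for that grammar plus two review helpers that show which permissions a higher tier adds over a lower one, and which grants carry no WHERE scoping. The excerpt policies are constructed from statements on this page, and the parser assumes that a condition never contains a semicolon.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    permission: str
    condition: Optional[str]  # None means the permission is granted unconditionally


def parse_policy(text: str) -> list[Grant]:
    """Split ALLOW statements into one Grant per permission, keeping any WHERE clause.
    '//' comments are dropped, even when flattened onto the next ALLOW ('//StatesALLOW ...')."""
    cleaned = re.sub(r"//.*?(?=ALLOW|$)", "", text, flags=re.M)
    grants: list[Grant] = []
    for stmt in cleaned.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = re.fullmatch(r"ALLOW\s*(.*?)(?:\s+WHERE\s+(.*))?", stmt, re.I | re.S)
        if not m:
            raise ValueError(f"unrecognised statement: {stmt!r}")
        cond = m.group(2).strip() if m.group(2) else None
        for perm in m.group(1).split(","):
            if perm.strip():
                grants.append(Grant(perm.strip(), cond))
    return grants


def unconditional(grants: list[Grant]) -> set[str]:
    """Permissions granted with no WHERE scoping (no table, bucket or app-id restriction)."""
    return {g.permission for g in grants if g.condition is None}


def added_permissions(lower: list[Grant], higher: list[Grant]) -> set[str]:
    """Permissions the higher tier grants that the lower tier does not; review these first."""
    return {g.permission for g in higher} - {g.permission for g in lower}


# Constructed excerpts of the Environment Users and Environment Professionals policies above.
ENV_USERS = """//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run;
//Classics
ALLOW environment:roles:viewer, environment:roles:view-security-problems;"""
ENV_PROS = ENV_USERS + """
ALLOW app-engine:apps:install;
ALLOW environment:roles:manage-security-problems;"""
# Constructed copy of the events policy above that excludes the security buckets.
EVENTS_NO_SECURITY = ('ALLOW storage:buckets:read WHERE storage:table-name = "events" '
                      'AND storage:bucket-name NOT IN ("default_security_events", '
                      '"default_security_custom_events");ALLOW storage:events:read;')
```

Run added_permissions(parse_policy(ENV_USERS), parse_policy(ENV_PROS)) to list the two permissions the Professionals tier adds, and unconditional(parse_policy(EVENTS_NO_SECURITY)) to see that only the table grant is unscoped while the bucket grant carries the NOT IN condition.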
The legacy default policies were previously used to provide access to Dynatrace. They are not available for new policy assignments, but existing assignments of these policies stay in place until removed.
Full access to AppEngine and read access to AutomationEngine.
ALLOW app-engine:functions:run, app-engine:apps:run, app-engine:apps:install, app-engine:edge-connects:read, app-engine:edge-connects:write, app-engine:edge-connects:delete, app-engine:apps:delete;
ALLOW hub:catalog:read;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW davis:analyzers:read, davis:analyzers:execute;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write;
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read where settings:schemaId startsWith "app:";
ALLOW oauth2:clients:manage where oauth2:scopes="app-engine:edge-connects:connect";
ALLOW email:emails:send;
ALLOW storage:bucket-definitions:read, storage:bucket-definitions:write, storage:bucket-definitions:truncate, storage:bucket-definitions:delete;
ALLOW hyperscaler-authentication:aws:authenticate;
Users are allowed to install and delete custom apps. The additional app-engine:apps:run permission is necessary to access AppEngine.
ALLOW app-engine:apps:install, app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW hub:catalog:read;
ALLOW email:emails:send;
Full access to manage EdgeConnect.
ALLOW app-engine:edge-connects:read, app-engine:edge-connects:write, app-engine:edge-connects:delete;
ALLOW oauth2:clients:manage where oauth2:scopes="app-engine:edge-connects:connect";
Basic access to AppEngine to run apps and Launcher; AutomationEngine read access.
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW hub:catalog:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW davis:analyzers:read, davis:analyzers:execute;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, app-settings:objects:read;
ALLOW email:emails:send;
ALLOW storage:bucket-definitions:read;
Grants admin access to automation service and workflows.
ALLOW automation:workflows:admin, automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:calendars:read, automation:calendars:write;
Grants access to automation service and workflows.
ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:calendars:read, automation:calendars:write;
Access to bucket management and configuration of OpenPipeline processing capabilities.
// OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
// Grail read data
ALLOW storage:bucket-definitions:write, storage:bucket-definitions:delete, storage:bucket-definitions:truncate;
Users are allowed to send emails from @apps.dynatrace.com with the public send email API.
ALLOW email:emails:send;
Grants access to view, add, activate, update, and delete all extensions and their monitoring configurations.
ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;
Grants access to view all extensions and their monitoring configurations.
ALLOW extensions:definitions:read, extensions:configurations:read;
Grants read access to the Hub catalog content.
ALLOW hub:catalog:read;
Write events to the ingest endpoints.
ALLOW storage:events:write;
Settings Reader Policy
ALLOW settings:objects:read, settings:schemas:read;
Settings Writer Policy
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;
Permission to access 'Agent Install' features (equivalent to RBAC permission). Management zones not supported.
ALLOW environment:roles:agent-install;
Permission to access 'Configure Request Capture Data' features (equivalent to RBAC permission). Management zones not supported.
ALLOW environment:roles:configure-request-capture-data;
Permission to access 'Log Viewer' features (equivalent to RBAC permission).
ALLOW environment:roles:logviewer;
Permission to access 'Environment Manage Settings' features (equivalent to RBAC permission).
ALLOW environment:roles:manage-settings;
Permission to access 'Replay Sessions With Masking' features (equivalent to RBAC permission).
ALLOW environment:roles:replay-sessions-with-masking;
Permission to access 'Replay Sessions Without Masking' features (equivalent to RBAC permission).
ALLOW environment:roles:replay-sessions-without-masking;
Permission to access 'View Security Problems' features (equivalent to RBAC permission).
ALLOW environment:roles:view-security-problems;
Permission to access 'View Sensitive Request Data' features (equivalent to RBAC permission).
ALLOW environment:roles:view-sensitive-request-data;
Permission to access 'Environment Roles Viewer' features (equivalent to RBAC permission).
ALLOW environment:roles:viewer;