Dynatrace default policies reference

As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.

  • Dynatrace default user groups have default policies assigned at the account level, applying to all tenants.
  • Default policies offer ready-made permission sets for refined access control.
  • These policies stay up-to-date with platform changes, since they are maintained by Dynatrace.
  • There are two types of policies, Dynatrace access policies and data access policies (see the sections below).
  • Dynatrace default policies can be assigned to any user group. To learn more about policy assignment, follow this guide: Working with policies.

You can assign policies to groups via the user group details either on the account level, which includes all environments in that account, or on the individual environment level. You can find the default policies in the Policy overview of Account Management.

Dynatrace access

Admin User

Grants administrative access across all Platform Services.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, state-management:app-states:delete;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:documents:admin, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Live Debugger
ALLOW dev-obs:breakpoints:set;
ALLOW dev-obs:breakpoints:manage;
//Grail
ALLOW storage:bucket-definitions:read, storage:filter-segments:read, storage:fieldset-definitions:read, storage:fieldset-definitions:write;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:share, storage:filter-segments:delete, storage:filter-segments:admin;
//OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:edge-connects:write, app-engine:edge-connects:delete, app-engine:apps:install, app-engine:apps:delete;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write, notification:notifications:read, notification:notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write, automation:workflows:admin;
//Davis
ALLOW davis:analyzers:read, davis:analyzers:execute;
//Davis Copilot
ALLOW davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute;
//IAM
ALLOW iam:service-users:use, oauth2:clients:manage;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read, app-settings:objects:write, settings:objects:write, settings:objects:admin, app-settings:objects:admin;
//Extensions
ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;
//Deployment
ALLOW deployment:activegates.network-zones:write, deployment:activegates.groups:write, deployment:oneagents.network-zones:write, deployment:oneagents.host-groups:write, deployment:oneagents.host-tags:write, deployment:oneagents.host-properties:write;
//Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:agent-install, environment:roles:configure-request-capture-data, environment:roles:manage-security-problems, environment:roles:manage-settings, cloudautomation:resources:read, cloudautomation:resources:write, cloudautomation:resources:delete, cloudautomation:metadata:read, cloudautomation:events:read, cloudautomation:events:write, cloudautomation:logs:read, cloudautomation:logs:write, cloudautomation:projects:read, cloudautomation:projects:write, cloudautomation:projects:delete, cloudautomation:stages:read, cloudautomation:services:read, cloudautomation:services:write, cloudautomation:services:delete, cloudautomation:integrations:read, cloudautomation:integrations:write, cloudautomation:integrations:delete, cloudautomation:secrets:read, cloudautomation:secrets:write, cloudautomation:secrets:delete, cloudautomation:instance:manage, cloudautomation:statistics:read;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
// Security Intelligence Service
ALLOW security-intelligence:enrichments:run;
//SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;
ALLOW insights:moments:read;

Pro User

Grants advanced permissions to build, deploy, and run fully featured Dynatrace Apps and automated workflows that make use of key Platform Services.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Live Debugger
ALLOW dev-obs:breakpoints:set;
//Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:share, storage:filter-segments:delete;
//OpenPipeline
ALLOW openpipeline:configurations:read;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read, app-engine:apps:install;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write, notification:notifications:read, notification:notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read, automation:workflows:write, automation:workflows:run, automation:calendars:write, automation:rules:write;
//Davis
ALLOW davis:analyzers:read, davis:analyzers:execute;
//Davis Copilot
ALLOW davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute;
//IAM
ALLOW iam:service-users:use;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
//Classics
ALLOW environment:roles:viewer, environment:roles:replay-sessions-with-masking, environment:roles:view-security-problems, environment:roles:manage-security-problems;
// Hyperscaler Authentication
ALLOW hyperscaler-authentication:aws:authenticate;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
ALLOW vulnerability-service:vulnerabilities:write;
// Security Intelligence Service
ALLOW security-intelligence:enrichments:run;
//SLOs
ALLOW slo:slos:read, slo:slos:write, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;
ALLOW insights:moments:read;
//Extensions
ALLOW extensions:definitions:read;

Standard User

Grants access to the Dynatrace environment and permission to run Dynatrace Apps.

//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;
//Live Debugger
ALLOW dev-obs:breakpoints:set;
//Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:fieldset-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;
//OpenPipeline
ALLOW openpipeline:configurations:read;
//Hub
ALLOW hub:catalog:read;
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write, notification:notifications:read, notification:notifications:write;
//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read;
ALLOW automation:workflows:write WHERE automation:workflow-type = "SIMPLE";
ALLOW automation:workflows:run;
//Davis
ALLOW davis:analyzers:read, davis:analyzers:execute;
//Davis Copilot
ALLOW davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute;
//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;
//Classics
ALLOW environment:roles:viewer, environment:roles:view-security-problems;
//Geolocations
ALLOW geolocation:locations:lookup;
// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;
//SLOs
ALLOW slo:slos:read, slo:objective-templates:read;
//BusinessInsights
ALLOW insights:opportunities:read;
ALLOW insights:moments:read;
//Extensions
ALLOW extensions:definitions:read;

Data access

All Grail data read access

Grants unconditional access to ALL Grail tables and to ALL Grail buckets.

//Grail read data
ALLOW
storage:application.snapshots:read,
storage:bizevents:read,
storage:buckets:read,
storage:entities:read,
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:security.events:read,
storage:smartscape:read,
storage:spans:read,
storage:system:read,
storage:user.events:read,
storage:user.sessions:read;
//Lookup tables
ALLOW
storage:files:read WHERE storage:file-path startsWith "/lookups/";

Data Processing and Storage

Grants access to Grail bucket management and to the configuration of OpenPipeline processing capabilities.

// OpenPipeline
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
// Grail bucket management
ALLOW storage:bucket-definitions:write, storage:bucket-definitions:delete, storage:bucket-definitions:truncate;

OpenPipeline Ingest

Grants permission to ingest data into OpenPipeline.

ALLOW openpipeline:events:ingest, openpipeline:events.custom:ingest, openpipeline:security.events:ingest, openpipeline:security.events.custom:ingest, openpipeline:events.sdlc:ingest, openpipeline:events.sdlc.custom:ingest;

Read Application Snapshots

Grants read access to the Grail application snapshots table.

//Grail read data
ALLOW storage:application.snapshots:read;
ALLOW storage:buckets:read WHERE storage:table-name = "application.snapshots";

Read BizEvents

Grants unconditional access to the bizevents table and to all bizevent buckets, including all custom bizevent buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "bizevents";
ALLOW storage:bizevents:read;

Read Entities

Grants read access to all entities.

//Grail read data
ALLOW
storage:entities:read,
storage:smartscape:read;

Read Events

Grants unconditional access to the Grail events table and to all event buckets (excluding security events).

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "events" AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;

Read Logs

Grants unconditional access to the logs table and all log buckets, including all custom log buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "logs";
ALLOW storage:logs:read;
//Classics
ALLOW environment:roles:logviewer;

Read Metrics

Grants unconditional access to the metrics table and all metrics buckets, including all custom metrics buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;

Read Security Events

Grants unconditional access to security events from both the events and security.events tables, and to the default security event buckets.

// Grail read permission for security events residing in the `events` table
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
// Grail read permission for security events residing in the `security.events` table
ALLOW storage:buckets:read WHERE storage:table-name = 'security.events';
ALLOW storage:security.events:read;
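
The Read Events and Read Security Events policies above are complementary: the first grants bucket reads on the events table except for the two default security buckets, the second grants exactly those buckets plus the security.events table. The following Python evaluator is an added example, not Dynatrace code and not part of this page; it parses the subset of the policy statement language used on this page (ALLOW lists, WHERE with =, IN, NOT IN, startsWith and AND) and evaluates constructed request attributes against constructed copies of the Read Events, Read Security Events and lookup-table (storage:files:read) statements. The attribute names (storage:table-name, storage:bucket-name, storage:file-path) come from the page; the evaluation rules (keywords matched case-insensitively, a request lacking an attribute named in a clause fails that clause, single and double quotes treated alike) are assumptions of this example, not documented Dynatrace behaviour.

```python
"""Evaluate Dynatrace-style IAM policy statements against a request.

Added example, not Dynatrace's own code. Models only the statement forms
seen on this page: ALLOW p1, p2, ... [WHERE c1 AND c2 ...];
with clauses `attr = "v"`, `attr IN (...)`, `attr NOT IN (...)` and
`attr startsWith "v"`. Assumptions: keywords are case-insensitive, a
request missing an attribute named in a clause is denied by that clause,
and single- and double-quoted values are equivalent.
"""
import re

# Constructed copies of three policy bodies from this page.
READ_EVENTS = """
//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "events" AND storage:bucket-name NOT IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
"""

READ_SECURITY_EVENTS = """
// Grail read permission for security events residing in the `events` table
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_security_events", "default_security_custom_events");
ALLOW storage:events:read;
// Grail read permission for security events residing in the `security.events` table
ALLOW storage:buckets:read WHERE storage:table-name = 'security.events';
ALLOW storage:security.events:read;
"""

LOOKUP_TABLES = """
//Lookup tables
ALLOW
storage:files:read WHERE storage:file-path startsWith "/lookups/";
"""

STATEMENT = re.compile(
    r"^ALLOW\s+(?P<perms>.*?)(?:\s+WHERE\s+(?P<cond>.*))?$",
    re.IGNORECASE | re.DOTALL,
)
CLAUSE = re.compile(
    r"^(?P<attr>[\w.:-]+)\s+(?P<op>=|NOT\s+IN|IN|startsWith)\s+(?P<rhs>.+)$",
    re.IGNORECASE | re.DOTALL,
)


def _quoted_values(rhs):
    """Extract every "..." or '...' literal from a clause's right-hand side."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|\'([^\']*)\'', rhs)]


def parse_policy(text):
    """Return [(permissions, clauses), ...]; // comment lines are dropped."""
    body = "\n".join(ln for ln in text.splitlines() if not ln.strip().startswith("//"))
    statements = []
    for raw in body.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = STATEMENT.match(raw)
        if not m:
            raise ValueError(f"unparseable statement: {raw!r}")
        perms = [p.strip() for p in m["perms"].split(",") if p.strip()]
        cond = m["cond"]
        clauses = re.split(r"\s+AND\s+", cond.strip(), flags=re.IGNORECASE) if cond else []
        statements.append((perms, clauses))
    return statements


def _clause_holds(clause, attrs):
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unparseable condition: {clause!r}")
    op = re.sub(r"\s+", "", m["op"]).upper()  # '=', 'IN', 'NOTIN' or 'STARTSWITH'
    values = _quoted_values(m["rhs"])
    actual = attrs.get(m["attr"])
    if actual is None:  # assumption: a request without the attribute fails the clause
        return False
    if op == "=":
        return actual == values[0]
    if op == "IN":
        return actual in values
    if op == "NOTIN":
        return actual not in values
    return actual.startswith(values[0])  # STARTSWITH


def is_allowed(policy_text, permission, attrs):
    """True if any statement grants `permission` and all of its clauses hold for `attrs`."""
    return any(
        permission in perms and all(_clause_holds(c, attrs) for c in clauses)
        for perms, clauses in parse_policy(policy_text)
    )


def bucket_read_decisions():
    """For constructed queries on the events table: which policy permits reading each bucket?"""
    out = {}
    for name in ["default_events", "default_security_events", "custom_app_events"]:
        attrs = {"storage:table-name": "events", "storage:bucket-name": name}
        out[name] = (
            is_allowed(READ_EVENTS, "storage:buckets:read", attrs),
            is_allowed(READ_SECURITY_EVENTS, "storage:buckets:read", attrs),
        )
    return out


if __name__ == "__main__":
    for bucket, (via_events, via_security) in bucket_read_decisions().items():
        print(f"{bucket:26s} Read Events={via_events!s:5s} Read Security Events={via_security}")
    print(is_allowed(LOOKUP_TABLES, "storage:files:read", {"storage:file-path": "/lookups/geo.csv"}))
```

Running it shows that a query on default_events or a custom events bucket is permitted by Read Events only, while default_security_events is permitted by Read Security Events only, so binding both policies to a group restores access to the whole events table. The deny-on-missing-attribute rule is deliberate: a conditional grant should never widen to requests that do not carry the attribute the condition is written against.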

Read Sensitive Data

Grants unconditional permissions to read sensitive data in Dynatrace.

//Read sensitive request data
ALLOW environment:roles:view-sensitive-request-data;

Read Spans

Grants unconditional access to the spans table and all spans buckets, including all custom spans buckets.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "spans";
ALLOW storage:spans:read;

Read System Events

Grants read access to all Dynatrace system events data.

//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "dt.system.events";
ALLOW storage:system:read;

Legacy default policies

The legacy default policies were used previously to provide access to Dynatrace. They are not accessible for new policy assignments, but existing assignments of these policies remain until removed.

AppEngine - Admin

Grants admin permissions to view, run, and install Dynatrace Apps, and view workflows.

ALLOW app-engine:functions:run, app-engine:apps:run, app-engine:apps:install, app-engine:edge-connects:read, app-engine:edge-connects:write, app-engine:edge-connects:delete, app-engine:apps:delete;
ALLOW hub:catalog:read;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW davis:analyzers:read, davis:analyzers:execute;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write;
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId startsWith "app:";
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "service:davis.copilot.datamining-blocklist";
ALLOW oauth2:clients:manage WHERE oauth2:scopes = "app-engine:edge-connects:connect";
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write, notification:notifications:read, notification:notifications:write;
ALLOW storage:bucket-definitions:read, storage:bucket-definitions:write, storage:bucket-definitions:truncate, storage:bucket-definitions:delete;
ALLOW storage:fieldset-definitions:read, storage:fieldset-definitions:write;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:share, storage:filter-segments:delete, storage:filter-segments:admin;
ALLOW openpipeline:configurations:read, openpipeline:configurations:write;
ALLOW hyperscaler-authentication:aws:authenticate;

AppEngine - Developer access

Grants permission to install and delete custom apps. To run Dynatrace Apps and the Launcher, you additionally need the app-engine:apps:run permission, which is required to access AppEngine.

ALLOW app-engine:apps:install, app-engine:apps:delete WHERE shared:app-id startsWith "my";
ALLOW hub:catalog:read;
ALLOW email:emails:send;

AppEngine - Manage EdgeConnect

Grants full access to manage EdgeConnect.

ALLOW app-engine:edge-connects:read, app-engine:edge-connects:write, app-engine:edge-connects:delete;
ALLOW oauth2:clients:manage WHERE oauth2:scopes = "app-engine:edge-connects:connect";

AppEngine - User

Grants basic access to AppEngine, that is, to run Dynatrace Apps and the Launcher, and gives read access to workflows.

ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW hub:catalog:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW davis:analyzers:read, davis:analyzers:execute;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, app-settings:objects:read;
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write, notification:notifications:read, notification:notifications:write;
ALLOW storage:bucket-definitions:read;
ALLOW storage:fieldset-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;

AutomationEngine - Admin access

Grants admin access to workflows.

ALLOW automation:workflows:admin, automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:calendars:read, automation:calendars:write;

AutomationEngine - User access

Grants basic read access to workflows.

ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:run, automation:rules:read, automation:rules:write, automation:calendars:read, automation:calendars:write;

Email Service - allow to send email

Grants permission to send emails from @apps.dynatrace.com using a public send email API endpoint.

ALLOW email:emails:send;

Environment role - Access environment

Permission to access 'Environment Roles Viewer' features (equivalent RBAC permission).

ALLOW environment:roles:viewer;

Environment role - Change monitoring settings

Permission to access 'Environment Manage Settings' features (equivalent RBAC permission).

ALLOW environment:roles:manage-settings;

Environment role - Configure capture of sensitive data

Permission to access 'Configure Request Capture Data' features (equivalent RBAC permission). Management zones not supported.

ALLOW environment:roles:configure-request-capture-data;

Environment role - Download/install OneAgent

Permission to access 'Agent Install' features (equivalent RBAC permission). Management zones not supported.

ALLOW environment:roles:agent-install;

Environment role - Manage security problems

Permission to access 'Manage Security Problems' features (equivalent RBAC permission).

ALLOW environment:roles:manage-security-problems;

Environment role - Replay session data

Permission to access 'Replay Sessions With Masking' features (equivalent RBAC permission).

ALLOW environment:roles:replay-sessions-with-masking;

Environment role - Replay session data without masking

Permission to access 'Replay Sessions Without Masking' features (equivalent RBAC permission).

ALLOW environment:roles:replay-sessions-without-masking;

Environment role - View logs

Permission to access 'Log Viewer' features (equivalent RBAC permission).

ALLOW environment:roles:logviewer;

Environment role - View security problems

Permission to access 'View Security Problems' features (equivalent RBAC permission).

ALLOW environment:roles:view-security-problems;

Environment role - View sensitive request data

Permission to access 'View Sensitive Request Data' features (equivalent RBAC permission).

ALLOW environment:roles:view-sensitive-request-data;

Extensions - Admin access

Grants access to view, add, activate, update, and delete all the extensions and their monitoring configurations.

ALLOW extensions:definitions:read, extensions:definitions:write, extensions:configurations:read, extensions:configurations:write, extensions:configuration.actions:write;

Extensions - User access

Grants access to view all the extensions and their monitoring configurations.

ALLOW extensions:definitions:read, extensions:configurations:read;

Hub Catalog Read

Grants read access to the Hub catalog content.

ALLOW hub:catalog:read;

Hyperscaler authentication service

Grants permissions to authenticate against hyperscalers.

ALLOW hyperscaler-authentication:aws:authenticate;

Ingest Events write

Grants permission to write events to the ingest endpoints.

ALLOW storage:events:write;

Settings Reader

Grants read access to Dynatrace settings.

ALLOW settings:objects:read, settings:schemas:read;

Settings Writer

Grants permission to read and write Dynatrace settings.

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;

Storage All System Data Read

Grants unconditional access to all Grail system tables prefixed with "dt.".

ALLOW storage:buckets:read WHERE storage:table-name startsWith "dt.";
ALLOW storage:system:read;

Storage Default Monitoring Read

Grants unconditional access to all the Grail tables and default buckets (excluding security events).

ALLOW storage:buckets:read WHERE storage:bucket-name IN ( "default_logs", "default_bizevents", "default_events", "default_metrics", "default_spans", "default_selfmon_events", "default_davis_events", "default_k8s_ops_events", "default_davis_custom_events", "default_davis_k8s_ops_events", "default_application_snapshots" );
ALLOW storage:events:read, storage:logs:read, storage:metrics:read, storage:entities:read, storage:smartscape:read, storage:bizevents:read, storage:spans:read, storage:application.snapshots:read;

Storage Metrics Write

Grants permission to write metrics to Grail.

ALLOW storage:metrics:write;