In Dynatrace, user permissions are managed via group membership: users inherit the Dynatrace access permissions that are assigned to the Dynatrace groups they belong to.
An administrator or a user belonging to a group with View and manage users and groups permission can perform the group management activities listed here.
In your Dynatrace account, the group source defines its type:
Groups of this type are managed by Dynatrace. Your interface to this type of groups is the Account Management page.
Groups of this type originate from your SAML federation.
You can enable SAML authorization by mapping a local group to SAML group claims through the addition of security group claims to your local group.
This effectively changes the group source from Local to SAML.
As a user logs in using the SAML federation, the security group claim attribute of the SAML response is used to determine the user's group membership.
For more information, see SAML.
Groups of this type originate from your SCIM integration.
Users and groups are created automatically and kept in sync with the SCIM source. User-to-group assignments defined in your IdP are also synchronized.
For more information, see SCIM.
By default, all users are automatically assigned to a special Default group with all users group that is seeded with minimum permissions. Additional permissions can be added to fit your business needs, with the understanding that such permissions are granted to all users.
When a new account is initially created, a set of default groups and associated permissions are also created using pre-defined templates. For example, the Log viewer group comes with the permissions to view logs ingested to Dynatrace.
These are meant to give you a jump start with common groups you might find useful. You can use these groups as is and assign users to them, or modify them as you see fit.
If you modify the default groups, they might provide a different configuration and permission set from the original templates used at the initial account creation.
The group management operations listed below are all performed using the Account Management pages.
This opens https://myaccount.dynatrace.com/
, which you can bookmark for easy access to Account Management.
For permissions of type policy you can, additionally to the scope, select one or multiple policy boundaries during permission assignment to restrict access on record and/or resource level. To learn more about policy boundaries, see Policy boundaries.
To export a list of existing groups to a comma-separated values (CSV) file, complete the following steps on the group management page:
optional Use the Group and Source filters above the table to focus on specific groups.
Select Export groups.
For all groups matching your filter settings, information such as name, UUID, name, description, and source is exported to a local CSV file.
All group management tasks can be also carried out via the Dynatrace Account Management API. For details on available endpoints, see Account Management API.