Group management

In Dynatrace, user permissions are managed via group membership: users inherit the Dynatrace access permissions that are assigned to the Dynatrace groups they belong to.

An administrator or a user belonging to a group with the View and manage users and groups permission can perform the group management activities listed here.

Group types

In your Dynatrace account, a group's source defines its type:

Local

Groups of this type are managed by Dynatrace. You manage groups of this type on the Account Management page.

SAML

Groups of this type originate from your SAML federation.

You can enable SAML authorization by mapping a local group to SAML group claims through the addition of security group claims to your local group.

This effectively changes the group source from Local to SAML.

As a user logs in using the SAML federation, the security group claim attribute of the SAML response is used to determine the user's group membership.

For more information, see SAML.

SCIM

Groups of this type originate from your SCIM integration.

Users and groups are created automatically and kept in sync with the SCIM source. User-to-group assignments defined in your IdP are also synchronized.

For more information, see SCIM.

ALL_USERS

By default, all users are automatically assigned to a special group, Default group with all users, which is seeded with minimum permissions. Additional permissions can be added to fit your business needs, with the understanding that such permissions are granted to all users.
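The following added example (not Dynatrace code) models the SAML claim mapping and the ALL_USERS group described above, to show which groups a login resolves to and which IdP claims map to nothing. The attribute name `groups`, the group inventory, the claim values, and exact-string matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute statement of an assertion whose signature
# is assumed to have been verified already (not done here).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>sec-observability</saml:AttributeValue>
      <saml:AttributeValue>sec-log-readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical group inventory: group name -> (source, security claims).
GROUPS = {
    "Log viewer": ("SAML", {"sec-log-readers"}),
    "Platform admins": ("SAML", {"sec-platform-admins"}),
    "Local testers": ("Local", set()),
    "Default group with all users": ("ALL_USERS", set()),
}

def claims_from_assertion(xml_text, claim_attribute="groups"):
    """Return the values of the security group claim attribute."""
    root = ET.fromstring(xml_text)
    xpath = f".//saml:Attribute[@Name='{claim_attribute}']/saml:AttributeValue"
    return {(el.text or "").strip() for el in root.iterfind(xpath, SAML_NS)} - {""}

def resolve_membership(claims, groups):
    """Groups a login resolves to: ALL_USERS always, SAML groups on claim match."""
    members = set()
    for name, (source, group_claims) in groups.items():
        if source == "ALL_USERS" or (source == "SAML" and claims & group_claims):
            members.add(name)
    return sorted(members)

def unmapped_claims(claims, groups):
    """Claims sent by the IdP that no group maps to (candidates for review)."""
    mapped = set().union(*(c for _, c in groups.values()))
    return sorted(claims - mapped)
```

Because membership is derived from the claim at each login, access review for SAML groups has to cover the IdP group behind every security claim, not only the group list in Account Management.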

Default groups of your Dynatrace account

When a new account is initially created, a set of default groups and associated permissions are also created using pre-defined templates. For example, the Log viewer group comes with the permissions to view logs ingested to Dynatrace.

These are meant to give you a jump start with common groups you might find useful. You can use these groups as is and assign users to them, or modify them as you see fit.

If you modify the default groups, they might provide a different configuration and permission set from the original templates used at the initial account creation.

Group management operations

The group management operations listed below are all performed using the Account Management pages.

  1. Go to Account Management. If you have more than one account, select the account you want to manage.

    This opens https://myaccount.dynatrace.com/, which you can bookmark for easy access to Account Management.

  2. Go to Identity & access management > Group Management.

Create a group

  1. Select Group and specify:
    • Group Name
    • optional Description
    • optional Security Claims. Note that this option is only available if you have an active SAML federation.
  2. Select Create.

Delete a group

  1. Find the group in the table or use the filters above the table to help you locate your group.
  2. In the Actions column for the group you want to delete, select > Delete group.
  3. Confirm your selection.

View group details

  1. In the Actions column for the group you want to view, select > View group.
  2. The group detail page lists basic group information and any existing account-level permissions or other environment-level permissions.
    • Group Name, Description, and any Security Claims are listed in the Details section.
    • Account-level permissions are listed in the Account management permissions section.
    • A list of assigned environment permissions is displayed in the Permissions section and includes permissions of type ROLE or POLICY.

Manage group permissions

  1. In the Actions column for the group you want to view, select > View group.
  2. To modify a group's details, select Edit.
    • Group Name, Description, and any Security Claims (if SAML federation is configured) can be modified.
  3. To modify a group's account management permissions, select Manage permissions and choose from the available permissions. For a detailed description of each permission, refer to Role-based permissions.
  4. To modify a group's environment permissions:
    • To delete an already assigned permission: in the Actions column for the permission you want to delete, select > Delete and confirm your selection.
    • To edit an already assigned permission: in the Actions column for the permission you want to edit, select > Edit.
      • On the Permission picker page, you have the option to modify the scope, and, depending on the policy type, adjust management zone assignments.
    • To add a new permission: select Permission and, on the Permission picker page, select a permission.
      • Define the scope of your new permission assignment (account or environment) by selecting one or many environments.
        • optional For permissions of type role, it is possible to further restrict the scope to individual management zones.
        • optional For permissions of type policy, it is possible to set the scope at the account level or to further restrict to individual environments.

Use boundaries for fine-grained access control

For permissions of type policy, in addition to the scope, you can select one or more policy boundaries during permission assignment to restrict access at the record and/or resource level. To learn more about policy boundaries, see Policy boundaries.

Export list of groups

To export a list of existing groups to a comma-separated values (CSV) file, complete the following steps on the group management page:

  1. optional Use the Group and Source filters above the table to focus on specific groups.

  2. Select Export groups.

    For all groups matching your filter settings, information such as name, UUID, description, and source is exported to a local CSV file.

Group management API

All group management tasks can also be carried out via the Dynatrace Account Management API. For details on available endpoints, see Account Management API.