Service users

An administrator or a user belonging to a group with the View and manage users and groups permission can perform the service user management activities listed here.

What's a service user?

A service user is a non-interactive user: it can't sign in to Dynatrace and it isn't related to any real person. It has its own identity and access management permissions assigned directly.

You can select a service user as the actor of a workflow or Davis anomaly detector.

Use case

When workflows and anomaly detectors are executed in the context of a service user, they become independent of the status of the user who maintains them. This makes a service user a good fit for department or production use cases, or any collaborative effort where a dependency on an actual user could hinder your work. Using a service user also strengthens the security of the actions executed by the actor.

List and edit service users

  1. Go to Account Management. If you have more than one account, select the account you want to manage.

  2. Go to Identity & access management > Service users.

    A table lists the defined service users.

  3. In the Actions column for the user you want to edit, select > Edit user.

  4. On Service user details, you can:

  5. Select Save.

Create service users

  1. Select Add service user.

  2. Add

    • Name

    • Description (optional)

      Tip: Make sure they're both meaningful for environment admins so that they understand the purpose of the service user. The service user email address is created automatically and can't be modified. It's the identifier used in the policy statements.

  3. Select Save.

Assign permissions to service users

Unlike regular users, service users don't belong to groups. You assign permissions directly to the service user.

We highly recommend granting a service user only the permissions that are required for the intended usage scenarios.

To assign a service user the permissions required by your intended actor

  1. In the Actions column for the user you want to edit, select > View user.

  2. Select Permission.

  3. Select one of the available permissions.

    • Define the scope of your new permission assignment (account or environment) by selecting one or more environments.
    • (Optional) For permissions of type role, you can further restrict the scope to individual management zones.
    • (Optional) For permissions of type policy, you can set the scope at the account level or further restrict the service user to individual environments.

    Use boundaries for fine-grained access control

    For permissions of type policy, you can, in addition to the scope, select one or more policy boundaries during permission assignment to restrict access on the record and/or resource level. To learn more about policy boundaries, see Policy boundaries.

  4. Select Save.

User permissions to use service users as actors

A user who wants to use a service user as an actor of a workflow or anomaly detector must be granted the iam:service-users:use permission.

That permission is granted with the following default policies:

Create policies based on a service user

To control the use of service users even further, you can create a policy that allows users to use only specific service users as workflow or anomaly detector actors.

To do that, create a policy that allows iam:service-users:use with a condition on iam:service-user-email.

For example:

ALLOW iam:service-users:use
WHERE iam:service-user-email IN ("be820735-3114-4d40-9c44-dfa18fa62be9@service.sso.dynatrace.com");

Such policies are secure: you can't modify the service user identifier or assign a custom email address to a service user.
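The following added example (not Dynatrace code) audits policy text for iam:service-users:use grants that have no iam:service-user-email condition or that name service users outside an approved list. It parses only the statement form shown above; the function name, the finding labels, support for a comma-separated permission list and the second sample identifier are assumptions made for illustration.

```python
import re

PERMISSION = "iam:service-users:use"

# Handles only the statement form shown on this page:
#   ALLOW <permission>[, <permission>...] [WHERE <condition>];
# (the comma-separated permission list is an assumption of this example)
STATEMENT = re.compile(
    r"\bALLOW\s+(?P<perms>[^;]+?)(?:\s+WHERE\s+(?P<cond>[^;]+?))?\s*;",
    re.IGNORECASE | re.DOTALL,
)
EMAIL_LIST = re.compile(r"iam:service-user-email\s+IN\s*\((?P<list>[^)]*)\)", re.IGNORECASE)


def audit_service_user_use(policy_text, approved_emails):
    """Return (finding, email) tuples for risky iam:service-users:use grants."""
    findings = []
    for stmt in STATEMENT.finditer(policy_text):
        perms = [p.strip() for p in stmt.group("perms").split(",")]
        if PERMISSION not in perms:
            continue
        cond = EMAIL_LIST.search(stmt.group("cond") or "")
        if cond is None:
            # No iam:service-user-email condition: not limited to specific service users.
            findings.append(("unrestricted", None))
            continue
        for email in re.findall(r'"([^"]*)"', cond.group("list")):
            if email not in approved_emails:
                findings.append(("not-approved", email))
    return findings


# Constructed sample: the first identifier is the one from this page,
# the second is a made-up placeholder.
PAGE_EMAIL = "be820735-3114-4d40-9c44-dfa18fa62be9@service.sso.dynatrace.com"
OTHER_EMAIL = "00000000-0000-4000-8000-000000000001@service.sso.dynatrace.com"
SAMPLE_POLICY = f"""
ALLOW iam:service-users:use
WHERE iam:service-user-email IN ("{PAGE_EMAIL}");
ALLOW iam:service-users:use;
ALLOW iam:service-users:use
WHERE iam:service-user-email IN ("{PAGE_EMAIL}", "{OTHER_EMAIL}");
"""

if __name__ == "__main__":
    for finding, email in audit_service_user_use(SAMPLE_POLICY, {PAGE_EMAIL}):
        print(finding, email or "(any service user)")
```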