An administrator or a user belonging to a group with the View and manage users and groups permission can perform the service user management activities listed here.
A service user is a non-interactive user: it can't sign in to Dynatrace and it isn't related to any real person. It has its own identity and access management permissions assigned directly.
You can select a service user as the actor of a workflow or Davis anomaly detector.
Executing workflows and anomaly detectors in the context of a service user makes them independent of the status of the user who maintains them. This makes a service user a good fit for department or production use cases, or any collaborative effort where a dependency on an actual user could hinder your work. Using a service user also strengthens the security of the actions executed by the actor.
Go to Account Management. If you have more than one account, select the account you want to manage.
Go to Identity & access management > Service users.
A table lists the defined service users.
In the Actions column for the user you want to edit, select > Edit.
In the Edit service user page, you can:
Note: You can't change the service user email address. It's the identifier used in policy statements. See Create policies based on a service user.
In the Select group section, you can add or remove the selected groups. Service users get permissions via the selected groups.
Select Save.
On the Service users page, select Add service user.
On the Create service user page, enter the following service user details.
Name
optional Description
Tip: Make sure they're both meaningful for environment admins so that they understand the purpose of the service user. The service user's email address is created automatically and can't be modified. It's the identifier used in the policy statements.
In the Assign permissions section, select whether to assign permissions Through existing groups or Directly.
Through existing groups: Select one or more existing groups whose permissions you want to assign to this service user.
Directly: Make your own custom selection of permissions. A new group will be automatically created.
Select Create.
A user who wants to use a service user as the actor of a workflow or anomaly detector must be granted the iam:service-users:use permission.
That permission is granted with the following default policies:
To control the use of service users even further, you can create a policy that allows users to use only specific service users as workflow or anomaly detector actors.
To do that, create a policy that grants iam:service-users:use with the iam:service-user-email condition.
For example:
ALLOW iam:service-users:use WHERE iam:service-user-email IN ("be820735-3114-4d40-9c44-dfa18fa62be9@service.sso.dynatrace.com");
Such policies are secure. You can't modify the service user identifier or assign a custom email address to a service user.
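To review existing policy text for grants of iam:service-users:use that are not restricted to specific service users, a small audit script can classify each statement. This is an added example, not Dynatrace code: the function name, the comma-separated permission handling, the second service user email, and the example:other:permission placeholder are assumptions, and the sample policy text is constructed around the statement shown above.

```python
import re

PERMISSION = "iam:service-users:use"
CONDITION = "iam:service-user-email"
EMAIL_IN_RE = re.compile(re.escape(CONDITION) + r"\s+IN\s*\(([^)]*)\)")

# Service user email from the policy example on this page.
PAGE_USER = "be820735-3114-4d40-9c44-dfa18fa62be9@service.sso.dynatrace.com"
# Constructed second identifier, for illustration only.
OTHER_USER = "00000000-0000-0000-0000-000000000000@service.sso.dynatrace.com"

# Constructed policy text; example:other:permission is a placeholder name.
SAMPLE = f"""
ALLOW iam:service-users:use WHERE iam:service-user-email IN ("{PAGE_USER}");
ALLOW iam:service-users:use;
ALLOW iam:service-users:use
  WHERE iam:service-user-email IN ("{PAGE_USER}", "{OTHER_USER}");
ALLOW example:other:permission;
"""


def audit_policy(text, approved):
    """Classify every statement that grants iam:service-users:use."""
    findings = []
    for raw in text.split(";"):
        stmt = " ".join(raw.split())  # collapse line breaks and repeated spaces
        if not stmt.startswith("ALLOW "):
            continue
        head, _, cond = stmt[len("ALLOW "):].partition(" WHERE ")
        # Assumption: one statement may list several comma-separated permissions.
        if PERMISSION not in {p.strip() for p in head.split(",")}:
            continue
        match = EMAIL_IN_RE.search(cond)
        emails = re.findall(r'"([^"]+)"', match.group(1)) if match else []
        if not emails:
            status = "unscoped"    # no email condition: not limited to specific service users
        elif set(emails) - set(approved):
            status = "unapproved"  # names a service user outside the reviewed list
        else:
            status = "scoped"
        findings.append((status, emails, stmt))
    return findings


if __name__ == "__main__":
    for status, emails, stmt in audit_policy(SAMPLE, {PAGE_USER}):
        print(f"{status:<10} {stmt}")
```

Pass the set of service user emails your team has reviewed as approved; statements reported as unscoped or unapproved are the ones to tighten with the iam:service-user-email condition.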