Configure user access for Distributed Tracing

Latest Dynatrace

Distributed traces are stored in the default_span built-in Grail bucket with a 10-day retention period. Traces might contain personal and sensitive data.

This article contains information on how to modify user access to trace data and sensitive information and how to configure trace data storage.

Who is this for

This article is intended for administrators controlling identity and access management.

Prerequisites

Configure user permissions for trace data

To configure user permissions to fetch span data from buckets and tables in Grail and for Distributed Tracing data

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. Go to Identity & access management > Policies.
  3. Select Create policy.
  4. Add the policy details:
    • Name
    • Description
    • Policy statement—use the following:
      ALLOW storage:buckets:read WHERE storage:bucket-name = "spans";
      ALLOW storage:spans:read;
  5. Select Create policy.

Conclusion

Users can now access all stored trace data and leverage it in Grail according to sensitive information permissions. To change which data users can access, you can modify environment-level data storage and user access to sensitive information.

Configure access to sensitive data

To configure access to sensitive information in compliance with your company's privacy policies

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. Go to Identity & access management > Policies.
  3. Select Create policy.
  4. Add the policy details:
    • Name
    • Description
    • Policy statement—use the following:
      • To give access to all sensitive fields
        ALLOW storage:fieldsets:read WHERE storage:fieldset-name="builtin-sensitive-spans";

        The fields' attributes are client.ip, db.connection_string, http.request.header.referer, url.full, url.query, and db.query.parameters. To learn more about the attributes, see Global field reference.

      • To give access to fields containing confidential request attributes
        ALLOW storage:fieldsets:read WHERE storage:fieldset-name="builtin-request-attributes-spans";
  5. Select Create policy.

Conclusion

Users can now access sensitive data according to the configured permissions.
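
To review which policies unlock the sensitive span fields described above, the following added example (not Dynatrace code and not part of the original article) scans policy statement text for storage:fieldsets:read grants. It assumes statements have only the two shapes shown in this article and that the policy text is available as a string; audit_policy and SAMPLE_POLICY are hypothetical names.

```python
import re

# Fieldset names taken from the policy statements in this article.
SENSITIVE_FIELDSETS = {
    "builtin-sensitive-spans",
    "builtin-request-attributes-spans",
}

# Assumption: only the statement shapes shown in this article are parsed:
#   ALLOW <permission>;
#   ALLOW <permission> WHERE <condition-key> = "<value>";
STATEMENT = re.compile(
    r'^ALLOW\s+(?P<perm>[\w:-]+)'
    r'(?:\s+WHERE\s+(?P<key>[\w:-]+)\s*=\s*"(?P<value>[^"]*)")?$'
)

def audit_policy(text):
    """Return (statement, finding) pairs for one policy's statement text."""
    findings = []
    for raw in text.split(";"):
        stmt = " ".join(raw.split())  # collapse whitespace and newlines
        if not stmt:
            continue
        m = STATEMENT.match(stmt)
        if m is None:
            # Anything outside the known shapes is surfaced, not skipped.
            findings.append((stmt, "unparsed: review manually"))
            continue
        if m["perm"] != "storage:fieldsets:read":
            continue
        if m["key"] is None:
            findings.append((stmt, "fieldset read with no WHERE condition"))
        elif m["key"] == "storage:fieldset-name" and m["value"] in SENSITIVE_FIELDSETS:
            findings.append((stmt, "grants sensitive fieldset " + m["value"]))
    return findings

# Constructed sample: the trace-read statements plus one sensitive grant.
SAMPLE_POLICY = '''
ALLOW storage:buckets:read WHERE storage:bucket-name = "spans";
ALLOW storage:spans:read;
ALLOW storage:fieldsets:read WHERE storage:fieldset-name="builtin-sensitive-spans";
'''

if __name__ == "__main__":
    for stmt, finding in audit_policy(SAMPLE_POLICY):
        print(finding, "<-", stmt)
```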

Configure forwarding data to Grail

To configure which span data is stored and available in your latest Dynatrace environment

  1. Go to Settings > Server-side service monitoring > Attribute capturing.
  2. Select Blocked attributes > Add item.
  3. Enter the attribute key.
  4. Select Save changes.

Conclusion

Only attributes that are not blocked will be forwarded to Grail.