User permissions for workflows
Latest Dynatrace
Workflows and AutomationEngine API permissions
The Workflows app, which is the frontend for the AutomationEngine, enables you to edit, manage, and run workflows in Dynatrace.
To use Workflows, you need some general AppEngine permissions and some AutomationEngine-specific permissions.
Permissions are configured in account administration and require account admin access.
If you are missing any required permissions, reach out to your account administrator.
We recommend that administrators keep the regular user role and the administrator role separate, as described below.
AutomationEngine authorization settings
If the required permission for a workflow task is missing, an attempt to execute this task results in a 403 Forbidden error.
Always make sure:
- You have the required permissions granted in Account Management.
- You granted all required permissions for the workflows to run in the authorization settings.
To enable or edit the AutomationEngine authorization settings
- In the Workflows app, go to Settings > Authorization settings.
- Enable the required permissions from Primary permissions and Secondary permissions lists.
Workflows user
A Workflows user creates, edits, runs, and monitors workflows.
To access the Workflows app and view workflows, you need at least the following permissions.

| Permission | Grants access to |
|---|---|
| app-engine:apps:run | List all apps and read the app bundles. |
| automation:workflows:read | View workflows. |
To write and execute workflows, the following additional permissions are required.
| Permission | Grants access to |
|---|---|
| app-engine:functions:run | Use the function executor. |
| automation:workflows:run | Run workflows. |
| automation:workflows:write | Write workflows. |
These permissions grant access to workflows themselves. To successfully run workflow tasks, the actor might need additional permissions.
Workflows administrator
A Workflows administrator can:
To administer workflows, you need the following permission on top of all user permissions.
| Permission | Grants access to |
|---|---|
| automation:workflows:admin | Administer workflows. |
To turn on admin mode in Workflows
- Verify that you have the automation:workflows:admin permission in addition to all regular user permissions.
- Select Settings in the upper-right corner of the Workflows app and turn on Admin mode.
To step down from the administrator role and use Workflows as a regular user, disable Admin mode.
Workflow and execution access
The user who creates a workflow is the workflow owner.
By default, only the owner can access the workflow.
The owner is responsible for maintenance of the workflow.
- The owner can make a workflow public. A public workflow is visible to every user with automation:workflows:* permissions. The owner can transfer ownership to any other user (as long as it's not a service user).
- Access to an execution depends on the workflow ownership and private/public configuration at the time of the execution start.
Execution access is always evaluated at the execution start. A change to the workflow ownership or visibility doesn't impact past executions and affects only future executions.
Administrator
An administrator has access to all workflows and executions in an environment.
An administrator can manage all workflows and executions.
No restriction of visibility or ownership applies to an administrator.
Workflow actor
Every execution of a workflow task is performed in the context of a user. This user is called the actor.
To figure out the actor of a workflow
- Open a workflow in the workflow editor.
- Select > Settings.
- Check the details pane, where you'll find the actor information.
The actor is configured per workflow.
By default, the actor is the creator of the workflow.
When you run a workflow in an environment for the first time, Dynatrace asks you to allow the AutomationEngine to run workflows on your behalf.
You need to consent to the range of permissions the AutomationEngine might exercise when running workflows with you as the actor.
These permissions are tied to the permissions you already have and can never exceed them.
Actor updates
A user who updates a workflow is set as the actor automatically. This prevents exploits where a user changes a workflow to achieve something in another user's context.
The actor remains unchanged if the update is made by a user in admin mode, or if the actor is a service user.
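The rules in the two sections above (workflow and execution access, and actor updates) interact in ways that are easy to get wrong, in particular the snapshot taken at execution start. The following model is an added illustration, not Dynatrace code: `User`, `Workflow` and `Execution` are assumed names, the permission strings are the ones listed on this page, and the decision logic follows the page's statements only.

```python
from dataclasses import dataclass

# Constructed model of the rules on this page (added example, not Dynatrace code).
WORKFLOW_PERMISSIONS = {
    "automation:workflows:read", "automation:workflows:write",
    "automation:workflows:run", "automation:workflows:admin",
}


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()
    is_service_user: bool = False
    admin_mode: bool = False  # Admin mode switched on in the Workflows app

    @property
    def is_admin(self) -> bool:
        # Admin mode only takes effect for users who hold the admin permission.
        return self.admin_mode and "automation:workflows:admin" in self.permissions


@dataclass
class Workflow:
    owner: User
    actor: User
    public: bool = False


@dataclass(frozen=True)
class Execution:
    owner: str    # ownership snapshot taken at execution start
    public: bool  # visibility snapshot taken at execution start


def _visible(user: User, owner: str, public: bool) -> bool:
    if user.is_admin or user.name == owner:
        return True
    # A public workflow is visible to every user with an automation:workflows:* permission.
    return public and bool(user.permissions & WORKFLOW_PERMISSIONS)


def can_access_workflow(user: User, wf: Workflow) -> bool:
    return _visible(user, wf.owner.name, wf.public)


def start_execution(wf: Workflow) -> Execution:
    return Execution(owner=wf.owner.name, public=wf.public)


def can_access_execution(user: User, ex: Execution) -> bool:
    # Evaluated against the snapshot: later ownership or visibility changes do not apply.
    return _visible(user, ex.owner, ex.public)


def _require_owner(wf: Workflow, by: User) -> None:
    if not (by.is_admin or by.name == wf.owner.name):
        raise PermissionError(f"{by.name} is not the owner of this workflow")


def set_visibility(wf: Workflow, by: User, public: bool) -> None:
    _require_owner(wf, by)
    wf.public = public


def transfer_ownership(wf: Workflow, by: User, new_owner: User) -> None:
    _require_owner(wf, by)
    if new_owner.is_service_user:
        raise ValueError("ownership cannot be transferred to a service user")
    wf.owner = new_owner


def update_workflow(wf: Workflow, editor: User) -> None:
    """Any edit re-points the actor at the editor, unless the edit happens in
    admin mode or the actor is a service user."""
    if not can_access_workflow(editor, wf):
        raise PermissionError(f"{editor.name} cannot edit this workflow")
    if editor.is_admin or wf.actor.is_service_user:
        return
    wf.actor = editor


def demo() -> dict:
    """Walk through the scenarios and return the observed decisions."""
    perms = frozenset({"automation:workflows:read", "automation:workflows:write",
                       "automation:workflows:run"})
    alice, bob, carol = User("alice", perms), User("bob", perms), User("carol")
    admin = User("admin", perms | {"automation:workflows:admin"}, admin_mode=True)
    svc = User("svc-reporting", frozenset({"automation:workflows:run"}), is_service_user=True)

    wf, out = Workflow(owner=alice, actor=alice), {}
    out["bob_sees_private"] = can_access_workflow(bob, wf)
    set_visibility(wf, alice, public=True)
    out["bob_sees_public"] = can_access_workflow(bob, wf)
    out["carol_sees_public"] = can_access_workflow(carol, wf)   # no automation:workflows:* permission
    ex_public = start_execution(wf)
    set_visibility(wf, alice, public=False)
    ex_private = start_execution(wf)
    out["bob_sees_old_execution"] = can_access_execution(bob, ex_public)    # snapshot was public
    out["bob_sees_new_execution"] = can_access_execution(bob, ex_private)
    out["admin_sees_new_execution"] = can_access_execution(admin, ex_private)

    set_visibility(wf, alice, public=True)
    update_workflow(wf, bob)
    out["actor_after_bob_edit"] = wf.actor.name
    update_workflow(wf, admin)
    out["actor_after_admin_edit"] = wf.actor.name
    wf.actor = svc  # owner picks a service user as actor (see Service users below)
    update_workflow(wf, alice)
    out["actor_after_edit_with_service_actor"] = wf.actor.name
    try:
        transfer_ownership(wf, alice, svc)
        out["transfer_to_service_user"] = "allowed"
    except ValueError:
        out["transfer_to_service_user"] = "rejected"
    return out
```

Running `demo()` shows that Bob keeps access to the execution started while the workflow was public even after the owner makes it private again, that Carol sees nothing despite the workflow being public because she holds no automation:workflows:* permission, and that an edit by Bob silently moves the actor to Bob while an edit in admin mode, or an edit to a workflow whose actor is a service user, leaves the actor alone.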
Service users
You can use your own account when trying out a workflow configuration or for personal workflows.
We recommend using service users as actors for all workflows that serve a department or organization use case. This makes the workflow independent of the status of the user who maintains it.
To set the workflow actor to a service user
- Open the workflow in the workflow editor.
- Select > Settings.
- Select the service user from the Actor list.
- Save your changes.
There are no AutomationEngine-specific authorization settings for a service user. The permissions granted to a service user should follow the least-privilege principle. Configure permissions in Account Management.
Managing service users
Currently, no user interface is available to create or delete a service user. To do that, use the User management endpoint of the Dynatrace Account Management API. You'll need an OAuth client for a user who holds the permissions required to issue these requests. For more information, see Authentication in account management API.
Create a service user.
```
POST https://api.dynatrace.com/iam/v1/accounts/<ACCOUNT-UUID>/service-users
{
  "name": "<SERVICE-USER-NAME>"
}
```
List all service users.
```
GET https://api.dynatrace.com/iam/v1/accounts/<ACCOUNT-UUID>/service-users
```
Add a service user to one or more groups. The service user is addressed through the regular user endpoint by its email address.
```
POST https://api.dynatrace.com/iam/v1/accounts/<ACCOUNT-UUID>/users/<EMAIL>
[
  "<GROUP-UUID>",
  ...
]
```
Permissions for service users are managed via groups and policies like for any other user in the account management UI.
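The three calls above, driven from a script. This is an added example with only the standard library, not a Dynatrace client: the endpoint paths are the ones shown on this page, while the SSO token URL, the `account-idm-write` scope, the `urn:dtaccount:<uuid>` resource parameter, the environment variable names and the `email` field read from the create response are assumptions to verify against the Authentication in account management API page linked above.

```python
import json
import os
import urllib.parse
import urllib.request

# Added example, not Dynatrace's own tooling. Token parameters below are assumptions.
SSO_TOKEN_URL = "https://sso.dynatrace.com/sso/oauth2/token"
ACCOUNT_API = "https://api.dynatrace.com/iam/v1/accounts"


def fetch_token(client_id: str, client_secret: str, account_uuid: str,
                scope: str = "account-idm-write") -> str:
    """Client-credentials grant for the OAuth client of a user holding the
    permissions these requests need (scope and resource values are assumed)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "resource": f"urn:dtaccount:{account_uuid}",
    }).encode()
    req = urllib.request.Request(
        SSO_TOKEN_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def build_request(token: str, account_uuid: str, path: str,
                  method: str = "GET", body=None) -> urllib.request.Request:
    """Assemble one Account Management API request. Kept separate from sending
    so the exact URL, method and body can be inspected without network access."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(f"{ACCOUNT_API}/{account_uuid}{path}",
                                  data=data, method=method, headers=headers)


def request_summary(req: urllib.request.Request) -> dict:
    """What would go on the wire: useful for review before running against a real account."""
    return {
        "url": req.full_url,
        "method": req.get_method(),
        "body": json.loads(req.data) if req.data else None,
        "authorization": req.get_header("Authorization"),
    }


def send(req: urllib.request.Request):
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def create_service_user(token: str, account_uuid: str, name: str):
    return send(build_request(token, account_uuid, "/service-users", "POST", {"name": name}))


def list_service_users(token: str, account_uuid: str):
    return send(build_request(token, account_uuid, "/service-users"))


def add_user_to_groups(token: str, account_uuid: str, email: str, group_uuids):
    # Group membership is set through the ordinary user endpoint; the email
    # goes into the path, so it is percent-encoded (the "@" becomes %40).
    path = "/users/" + urllib.parse.quote(email, safe="")
    return send(build_request(token, account_uuid, path, "POST", list(group_uuids)))


if __name__ == "__main__":
    # Assumed environment variable names; the group should grant only what the
    # workflow's tasks need (least privilege).
    account = os.environ["DT_ACCOUNT_UUID"]
    token = fetch_token(os.environ["DT_CLIENT_ID"], os.environ["DT_CLIENT_SECRET"], account)
    created = create_service_user(token, account, os.environ["DT_SERVICE_USER_NAME"])
    print("created:", created)
    # Assumption: the create response carries the generated address under "email".
    add_user_to_groups(token, account, created["email"], [os.environ["DT_GROUP_UUID"]])
    print("service users:", list_service_users(token, account))
```

Run `request_summary(build_request(...))` first to confirm the URL, method and body match the three requests above; only `send` and `fetch_token` touch the network.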