Manage IAM policies

Latest Dynatrace
How-to guide
7-min read

Use these procedures in the Dynatrace web UI to manage Dynatrace IAM policies.

API alternative

To instead use the API to manage IAM policies, go to Dynatrace Account Management API 1.0.

List IAM policies

To list configured IAM policies

Go to Account Management > Identity & access management > Policy management.
Review the table of all existing policies that you can bind to user groups.
- Name—the name of the policy
- Description—a brief description of the policy
- Source—global, account, or environment
- Actions—view, edit, or delete that row's policy (actions available to you depend on your permission level)

Default policies

To let you use policies right away, Dynatrace IAM is shipped with built-in global policies.

On the Policies page, in the Source column, they're all set to Dynatrace
They're predefined and managed by Dynatrace
You can apply a built-in policy by assigning it to a group for the whole account or to any environment.
You can inspect them—select View policy in the Actions column—but you can't edit them

Create a policy

To create a policy

Go to Account Management > Identity & access management > Policy management.
Select Create policy.

Enter the following information.

Element	Description
Name	The name of the policy.
Description	A brief description of the policy.
Organization level	Each policy has a level that determines its scope: `global`: These policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited. `account`: These policies apply to all environments under that account (customer). Use them to set company-wide policies. `environment`: These policies apply only to a single customer environment. Organization levels are restricted in the UI to the `account` level (other levels are still available via API). Restriction in UI was provided to avoid confusion between creating and binding. Commonly creating multiple identical policies on the `environment` levels can be achieved in a more efficient way by defining one policy on the `account` level and binding it to `environment` levels.
Policy statement	A statement specifying exactly what this policy allows. Example: Policy for Settings 2.0 Write ALLOW settings:objects:read; ALLOW settings:objects:write; ALLOW settings:schemas:read; You can combine multiple permissions in a single statement. Here is the same example combined into a single statement: ALLOW settings:objects:read, settings:objects:write, settings:schemas:read; Combining statements is particularly useful for managing policies with complicated conditions.

Services

For a complete and up-to-date list of Dynatrace services that support permission management via IAM policies, see IAM policy reference.

Edit a policy

To edit an existing policy

Go to Account Management > Identity & access management > Policy management.
Find the policy you want to edit.
You can filter and sort the table.
Select Actions > Edit policy.
Make your changes and select Save.

Delete a policy

To delete a policy

Go to Account Management > Identity & access management > Policy management.
Find the policy you want to delete.
You can filter and sort the table.
Select Actions > Delete for the policy.

Copy a policy

To copy an existing policy

Go to Account Management > Identity & access management > Policy management.
Find the policy you want to copy.
You can filter and sort the table.
Select the Edit button for the policy.
Copy the contents of Policy statement to the clipboard.
Go back to the Policies page.
Select Create policy.
Paste the copied policy statements into Policy statement.
Fill in the Name and optional Description.
Select Create policy.

Apply a policy to a group

To apply a policy to a group, you need to bind the policy to the group. For details on managing group permissions with IAM, see Working with policies.