The following is a complete reference of IAM permissions and corresponding conditions applicable to Dynatrace services. Refer to it when you need to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.
Environment and management zone user permissions. See Migrate role-based permissions to Dynatrace IAM for more information.
Role IAM permissions work the same way as classic roles do, which means that the environment:roles:viewer permission is a part of any other role permission. For example, a policy granting environment:roles:manage-settings permission also allows a user to access the web UI.
Grants user the Access environment permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on the management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the Change monitoring settings permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the Download/install OneAgent permission. Users who have this permission assigned are also able to view monitoring data for all management zones.
Grants user the View sensitive request data permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the Configure capture of sensitive data permission. Users who have this permission assigned are also able to view monitoring data for all management zones.
Grants user the Replay session data without masking permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the Replay session data permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the Manage security problems permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the View security problems permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHGrants user the View logs permission.
environment:management-zone - A string that uniquely identifies a management zone. Applies the permission on management zone level for the specified management zone.
operators: IN, startsWith, NOT startsWith, =, !=, MATCHExtensions service
Grants permission to read extension and environment configurations
extensions:extension-name - A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =Grants permission to write (update/create/delete) extension and environment configurations
extensions:extension-name - A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =Grants permission to read extension monitoring configurations
extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
operators: IN, =extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
operators: IN, =extensions:ag-group - A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
operators: IN, =extensions:management-zone - A string that uniquely identifies a single management zone for monitoring configuration assignment
operators: IN, =extensions:extension-name - A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =Grants permission to write (update/create/delete) extension monitoring configurations
extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
operators: IN, =extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
operators: IN, =extensions:ag-group - A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
operators: IN, =extensions:management-zone - A string that uniquely identifies a single management zone for monitoring configuration assignment
operators: IN, =extensions:extension-name - A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =Grants permission to execute actions for extension
extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
operators: IN, =extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
operators: IN, =extensions:ag-group - A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment
operators: IN, =extensions:management-zone - A string that uniquely identifies a single management zone for monitoring configuration assignment
operators: IN, =extensions:extension-name - A string that uniquely identifies a single extension
operators: IN, NOT IN, startsWith, NOT startsWith, !=, =Settings service
Enables reading of settings objects belonging to the schema
settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWithsettings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
operators: IN, =settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.
operators: IN, =, !=settings:scope - The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
operators: IN, =, !=, startsWith, NOT startsWithenvironment:management-zone - The name of a management zone. This condition is applicable to either: any settings object that is allowed on the scope of an entity that can be matched into a management zone or settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
operators: IN, =, startsWith, MATCHEnables writing of settings objects belonging to the schema
settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
operators: IN, =, !=, startsWith, NOT startsWithsettings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
operators: IN, =settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.
operators: IN, =, !=settings:scope - The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
operators: IN, =, !=, startsWith, NOT startsWithenvironment:management-zone - The name of a management zone. This condition is applicable to either: any settings object that is allowed on the scope of an entity that can be matched into a management zone or settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
operators: IN, =, startsWith, MATCHEnables reading settings schemas
settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.
operators: IN, =, !=, startsWith, NOT startsWithsettings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.
operators: IN, =