This article shows you how to control your user access to Dynatrace settings globally or at an individual settings schema level.
All examples here are based on the Settings 2.0 service. For a complete list of services supporting policy-based authorization, see IAM policy reference.
This is for Dynatrace account administrators who need to grant user access to Dynatrace settings. It also helps new Dynatrace users looking to understand group-based permissions.
In this article, you'll learn how to:
Unified framework for managing configurations through settings objects defined by Dynatrace-managed schemas.
A specific configuration structure in Settings 2.0; permissions can be granted per schema for reading or writing.
An API used to manage IAM policies, including creating and binding policies to groups.
For every account, administrators have two built-in policies available for Settings 2.0 services:
Settings Reader: grants permission to read Dynatrace settingsSettings Writer: grants permission to write Dynatrace settingsTo verify that you have these policies
Settings Reader and Settings Writer in the table.You can access all IAM features via the REST API. Here, we cover the aspects of API request authentication.
Dynatrace Managed deployments use token-based authentication for the PAP REST API.
To generate the token
Authorization header to your request with the value Api-Token [generated token goes here].Suppose you have the following teams in your organization:
IT team: is responsible for configuring the Dynatrace environment and making sure everything works.Sales team: only needs to read the settings and never modify them.The IT team needs read and write access, while the sales team needs only read access.
The policies in the examples presented on this page showcase the mechanics of the policy framework and only give access to the settings service. They enable API access to the settings service, but they don't provide access to the Dynatrace Web UI.
First, create a group named IT with the policies Settings Writer and Settings Reader.
To create a group
IT in this example) and Group description, then select Save.To bind policies to the group
IT group and select the pencil icon in the Edit column to edit that group.Settings Writer policySettings Reader policyNow repeat the above procedure to create a Sales group with read-only access.
Sales.Settings Reader policy to the sales team, as they don't need write access to Dynatrace settings.To bind policies to the group
IT group and select the pencil icon in the Edit column to edit that group.Settings Writer policySettings Reader policyYou can add a condition to a policy to achieve more control.
If the built-in policies are not granular enough for your needs, you can manage permissions at the setting level.
Assume that you have a particular Settings 2.0 schema, say settings.apm.my-super-secret-schema, the only one you want to keep open for the Sales and IT groups.
You want to allow access to the following:
settings.apm.my-super-secret-schemasettings.apm.my-super-secret-schemaThere are two methods to allow access to a schema.
This procedure uses the Dynatrace web UI. To use the REST API, see Create a policy via REST API.
To create a policy:
In the Cluster Management Console, go to User authentication > Policy management.
Select Add policy.
Describe the policy:
Policy name
Add a relevant name.
Policy description
Add a useful description.
Policy statements
Copy the following statement to the Policy statements box.
ALLOW settings:schemas:read WHERE settings:schemaId = "builtin:container.monitoring-rule";ALLOW settings:objects:read WHERE settings:schemaId = "builtin:container.monitoring-rule";ALLOW settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";
Note that since one can use multiple permissions in one statement, it is possible to merge the first two statements from the above into a single one:
ALLOW settings:schemas:read, settings:objects:read WHERE settings:schemaId = "builtin:container.monitoring-rule";ALLOW settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";
Select Save.
The policy is added to your table of policies that you can bind to groups.
This procedure uses the REST API to perform the same tasks we did in Create a policy via Dynatrace web UI.
To create a policy using the API, we will use the /repo/{level-type}/{level-id}/policies endpoint and use a POST method to add a policy.
Assume that the policy name we want to add is my_policy_name and the description is My policy description. As before, assume that we want this policy to apply only on the environment level for the environment my_tenant_id.
The request body should be the following:
{"name":"my_policy_name","description":"My policy description","tags":[],"statementQuery": "ALLOW settings:schemas:read WHERE settings:schemaId = \"builtin:container.monitoring-rule\"; ALLOW settings:objects:read WHERE settings:schemaId = \"builtin:container.monitoring-rule\"; ALLOW settings:objects:write WHERE settings:schemaId = \"builtin:container.monitoring-rule\";"}
Equivalently, using multiple permissions in a single statement, the request body should be the following:
{"name":"my_policy_name","description":"My policy description","tags":[],"statementQuery": "ALLOW settings:schemas:read, settings:objects:read WHERE settings:schemaId = \"builtin:container.monitoring-rule\"; ALLOW settings:objects:write WHERE settings:schemaId = \"builtin:container.monitoring-rule\";"}
Important: Remember that a policy does not take effect until you bind it to a group. You need to bind this example to the IT and Sales groups. See Bind policies via Dynatrace web UI or Bind policies via REST API for details.