Grant access to Dynatrace through default groups and permissions

To get you started, Dynatrace provides a default set of editable groups for account and environment users. You can edit and adapt these default groups to fit your needs or you can create new groups.

Dynatrace default groups

Dynatrace offers the following user groups with environment and account permissions.

User group

Permissions

Environment Users

Basic access to Dynatrace in all environments of the account.

Default policies:

  • Standard User
  • Read Entities
  • Read Events
  • Read Metrics
  • Read Logs
  • Read Spans
  • Read User Sessions

Environment Professionals

Access advanced features in all environments of the account.

Default policies:

  • Pro User
  • Read Entities
  • Read Events
  • Read Metrics
  • Read Logs
  • Read Spans
  • Read User Sessions

Environment Admins

Full access to all functions in all environments of the account.

Default policies:

  • Admin User
  • Data Processing and Storage
  • All Grail data read access

Account Admins

Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support.

Account viewers

Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Dynatrace default policies

As a Dynatrace administrator, you can use the default Dynatrace policies and bind them to user groups just like any other policy.

You can assign policies to groups via the user group details either on the account level, which includes all environments in that account, or on the individual environment level.

You can find the default policies in the Policy overview of Account Management.

Legacy default policies

The legacy default policies were used previously to provide access to Dynatrace. They are not accessible for new policy assignments, but existing assignments of these policies remain until removed.

Environment role - Download/install OneAgent

Permission to access 'Agent Install' features (equivalent to RBAC permission). Management zones not supported.

ALLOW environment:roles:agent-install;

Environment role - Configure capture of sensitive data

Permission to access 'Configure Request Capture Data' features (equivalent to RBAC permission). Management zones not supported.

ALLOW environment:roles:configure-request-capture-data;

Environment role - View logs

Permission to access 'Log Viewer' features (equivalent to RBAC permission).

ALLOW environment:roles:logviewer;

Environment role - Change monitoring settings

Permission to access 'Environment Manage Settings' features (equivalent to RBAC permission).

ALLOW environment:roles:manage-settings;

Environment role - Replay session data

Permission to access 'Replay Sessions With Masking' features (equivalent to RBAC permission).

ALLOW environment:roles:replay-sessions-with-masking;

Environment role - Replay session data without masking

Permission to access 'Replay Sessions Without Masking' features (equivalent to RBAC permission).

ALLOW environment:roles:replay-sessions-without-masking;

Environment role - View security problems

Permission to access 'View Security Problems' features (equivalent to RBAC permission).

ALLOW environment:roles:view-security-problems;

Environment role - View sensitive request data

Permission to access 'View Sensitive Request Data' features (equivalent to RBAC permission).

ALLOW environment:roles:view-sensitive-request-data;

Environment role - Access environment

Permission to access 'Environment Roles Viewer' features (equivalent to RBAC permission).

ALLOW environment:roles:viewer;