Group management

In Dynatrace, user permissions are managed via group membership: users inherit the Dynatrace access permissions that are assigned to the Dynatrace groups to which they belong.

User and group membership can be federated via SAML, or groups can be created locally in your Dynatrace account and users can be directly assigned. SAML is used to sign in your users and steer group membership.

To read more on SAML integration and to learn how to set up the protocol, see SAML.

Local groups and federated groups

In your Dynatrace account, you can have different types of groups.

  • If SAML is set up, the group type automatically changes to the respective type.
  • Groups that are not federated have the type LOCAL.

If you have SAML federation activated, you can add security claims to local groups, which makes them SAML federated groups with the source SAML.

Group management operations

The group management operations listed below are all performed using the Account Management pages.

  1. Go to Account Management. If you have more than one account, select the account you want to manage.

    This opens https://myaccount.dynatrace.com/, which you can bookmark for easy access to Account Management.

  2. Go to Identity & access management > Group Management.

Create a group

  1. Select Group and specify:
    • Group Name
    • optional Description
    • optional Security Claims. Note that this option is only available if you have an active SAML federation.
  2. Select Create.

Delete a group

  1. Find the group in the table or use the filters above the table to help you locate your group.
  2. In the Actions column for the group you want to delete, select > Delete group.
  3. Confirm your selection.

View group details

  1. In the Actions column for the group you want to view, select > View group.
  2. The group detail page lists basic group information and any existing account-level permissions or other environment-level permissions.
    • Group Name, Description, and any Security Claims are listed in the Details section.
    • Account-level permissions are listed in the Account management permissions section.
    • A list of assigned environment permissions is displayed in the Permissions section and includes permissions of type ROLE or POLICY.

Manage group permissions

  1. In the Actions column for the group you want to view, select > View group.
  2. To modify a group's details, select Edit.
    • Group Name, Description, and any Security Claims (if SAML federation is configured) can be modified.
  3. To modify a group's account management permissions, select Manage permissions and choose from the available permissions. For a detailed description of each permission, refer to Role-based permissions.
  4. To modify a group's environment permissions:
    • To delete an already assigned permission: in the Actions column for the permission you want to delete, select > Delete and confirm your selection.
    • To edit an already assigned permission: in the Actions column for the permission you want to edit, select > Edit.
      • On the Permission picker page, you have the option to modify the scope, and, depending on the policy type, adjust management zone assignments.
    • To add a new permission: select Permission and, on the Permission picker page, select a permission.
  • Define the scope of your new permission assignment (account or environment) by selecting one or many environments.
    • optional for permissions of type role, it is possible to further restrict the scope to individual management zones.
    • optional for permissions of type policy, it is possible to set the scope at the account level or to further restrict to individual environments.

Use boundaries for fine-grained access control

For permissions of type policy, you can, in addition to the scope, select one or multiple policy boundaries during permission assignment to restrict access at the record and/or resource level. To learn more about policy boundaries, see Policy boundaries.

Export list of groups

To export a list of existing groups to a comma-separated values (CSV) file, complete the following steps on the group management page:

  1. optional Use the Group and Source filters above the table to focus on specific groups.

  2. Select Export groups.

    For all groups matching your filter settings, information such as name, UUID, description, and source is exported to a local CSV file.
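
    One way to use the export for access reviews is to compare two exports taken at different times. The following is an added example, not Dynatrace code: it diffs two exports keyed by UUID and lists groups whose source is LOCAL. The column names `name`, `uuid`, `description` and `source` are assumptions about the CSV header, and the sample rows are constructed.

```python
import csv
import io

# Column names are assumptions; adjust to the header row of your export.
COLS = ("name", "uuid", "description", "source")

def load_groups(csv_text):
    """Parse an exported group list into {uuid: row}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(COLS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    return {row["uuid"]: row for row in reader}

def diff_exports(baseline_text, current_text):
    """Compare two exports by UUID, so a rename is not reported as add + delete."""
    old, new = load_groups(baseline_text), load_groups(current_text)
    report = {"added": [], "removed": [], "renamed": [], "source_changed": [], "local": []}
    for uuid, row in new.items():
        if uuid not in old:
            report["added"].append(row["name"])
        else:
            if old[uuid]["name"] != row["name"]:
                report["renamed"].append((old[uuid]["name"], row["name"]))
            if old[uuid]["source"] != row["source"]:
                report["source_changed"].append((row["name"], old[uuid]["source"], row["source"]))
        # Groups with source LOCAL are not steered by SAML security claims.
        if row["source"].upper() == "LOCAL":
            report["local"].append(row["name"])
    report["removed"] = [old[u]["name"] for u in old if u not in new]
    return report

# Constructed sample exports (not real account data).
BASELINE = """name,uuid,description,source
Admins,00000000-0000-0000-0000-000000000001,Account admins,LOCAL
Viewers,00000000-0000-0000-0000-000000000002,Read only,LOCAL
Ops,00000000-0000-0000-0000-000000000003,Operations,SAML
"""
CURRENT = """name,uuid,description,source
Admins,00000000-0000-0000-0000-000000000001,Account admins,SAML
Read-only,00000000-0000-0000-0000-000000000002,Read only,LOCAL
Break-glass,00000000-0000-0000-0000-000000000004,,LOCAL
"""

if __name__ == "__main__":
    for key, items in diff_exports(BASELINE, CURRENT).items():
        print(f"{key}: {items}")
```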

Group management API

All group management tasks can also be carried out via the Dynatrace Account Management API. For details on available endpoints, see Account Management API.