Header background

Flexible group-based permissions management in Dynatrace SaaS!

The upcoming release of Dynatrace (2nd half April 2017) includes an upgrade of our permissions management system to make it more flexible and to give you more control over managing permissions for groups. The new system isn’t based on hierarchical roles, but rather on groups, reflecting Unix- and Windows-based permissions. It enables you to create groups that have pre-defined (fully customizable) permissions sets—users added to a group inherit the permissions of that group.

Group, users and permissions

Groups

To get you started, Dynatrace provides a new default set of editable user groups that cover all the roles and permissions that were available in the previous permission system. The same separation of account and environment permissions has been retained.

Default account groups

  • Account manager. Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Help, and Support.
  • Finance admin. Can enter credit card data and review invoices. Has access to company/billing address info, environment consumption data, Help, and Support. Can’t edit groups or assign users to groups.
  • Account viewer. Has access to Help and Support. No access to environment consumption data, credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Default environment groups

  • Monitoring admin. Has full environment access. Can change monitoring settings. Can download and install OneAgent.
  • Deployment admin. Can download and install OneAgent. Has read-only access to the environment. Can’t change settings.
  • Confidential data admin. Can view sensitive data (e.g., method arguments) and configure request-data capture rules.
  • Monitoring viewer. Can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent.
  • Log viewer. Can access and view the contents of log files. Only available to personnel who have been granted permission to view sensitive log data. No other access rights.

Permissions

Groups are fully customizable and can be modified to contain any permission you require for a specific group. Even the default groups can be modified to meet your needs. Just select/deselect the predefined permissions you want when setting up groups. Once permissions are assigned to a group, users added to that group inherit the permissions of the group.

Account permissions

  • Access account. Can access account to view environment data (host hours, sessions, and web checks). Can access Help and Support (create Support tickets, view documentation, and visit the Dynatrace Community user forum). No access to billing or user/group management.
  • Edit billing & account info. Allows access to payment data (credit card details), billing data (invoices), and contact information (company/billing address).
  • Manage users. Allows access to user management (can add users to groups) and group management (can create, edit, and delete groups).

Environment permissions

  • Access environment. Allows read-only access to the environment. Can’t change settings. Can’t install OneAgent.
  • Change monitoring settings. Can change all Dynatrace monitoring settings. Can’t install OneAgent.
  • Download & install OneAgent. Allows download and installation of OneAgent on hosts. Can’t change Dynatrace monitoring settings.
  • View logs. Allows access to log file content, which may contain sensitive information.
  • View sensitive request data. Allows viewing of potentially sensitive data (for example, previously captured HTTP Headers, method arguments, and literals within database statement parameters).
  • Configure request capture data (upcoming feature). Allows configuration of request-data capture rules, which can be used to capture data such as HTTP Header or Post parameters within requests. Captured request data can be stored, filtered, and searched.

Manage groups and users

The new user and group permissions controls are available when you sign into your account. Just select User management or Group management from the menu on the left-hand side.

View list of groups

To view the list of groups associated with your account, Select Group management from the menu.

Note: This feature is only available to users who have the Manage users permission.

permissions management

Create a new group

  1. Select Group management from the menu.
    Note: This feature is only available to users who have the Manage users permission.
  2. Click Create new group.
  3. Enter a Group name.
  4. Select relevant permissions (account and/or environment permissions).
    At least one permission must be selected.
  5. Click Add group.

permissions management

Edit a group

  1. Select Group management from the menu.
    Note: This feature is only available to users who have the Manage users permission.
  2. Click the Edit (V) button on the right-hand side.
  3. Select/Deselect permissions as required.
  4. (Optional) Type a new Group name.
  5. Click Save.

permissions management

Delete a group

  1. Select Group management from the menu.
    Note: This feature is only available to users who have the Manage users permission.
  2. Click the corresponding Delete (x) button on the right-hand side of the group list.
  3. Click Yes to confirm the deletion.
    You can delete groups that have one or more users assigned to them.

permissions management

View list of users

To view the list of users and their permissions associated with your account, Select User management from the menu.

Note: This feature is only available to users who have the Manage users permission.

permissions management

Invite a user to your account

  1. Select User management from the menu.
    Note: This feature is only available to users who have the Manage users permission. Other users must use the Invite a co-worker option (available on your account’s Environment page).
  2. Click Invite user.
  3. Type the new user’s Email address.
  4. Click a group name to add or remove the user from that group.
    You need to select at least one group.
  5. To see which permissions the user inherits from all the groups they are members of, click Permission preview.
  6. Click Invite.
    If the user isn’t already a Dynatrace user, they will receive a link they can use to complete the signup process. If they are already a Dynatrace user, they will receive a link to the specified environment.

permissions management

permissions management

Edit a user’s group assignments

  1. Select User management from the menu.
    Note: This feature is only available to users who have the Manage users permission.
  2. Locate the relevant user in the list and click the corresponding Edit (V) button on the right-hand side.
  3. Click a group name to add or remove the user from that group.
  4. Review the permissions by clicking Permission preview.
    This is an aggregated view of all permissions of all groups the user is assigned to.
  5. Click Save.

permissions management

permissions management

Delete a user

  1. Select User management from the menu.
    Note: This feature is only available to users who have the Manage users permission.
  2. Locate the relevant user in the list and click Delete (X) on the right-hand side.
  3. Click Yes to confirm the deletion.

permissions management