The Dynatrace permission management system makes it easy to manage permissions for groups. The permissions system isn’t based on hierarchical roles, but rather on groups, reflecting Unix- and Windows-based permissions. It enables you to create groups that have pre-defined (fully customizable) permissions sets; users added to a group inherit the permissions of that group.
Permissions are granted based on group assignment. Permissions are granted to groups and users are assigned to groups, as illustrated below:
You can assign a pre-defined set of permissions to a group. Once a group is defined, you can add users to the group. Users inherit the permissions of the groups that they belong to. Any group can be modified to fit your needs. You can even create new groups and assign permissions to them.
Dynatrace provides the following environment-based permissions:
- Access environment. Allows read-only access to the environment. Can't change settings or install OneAgent.
- Change monitoring settings. Allows changing of all environment settings. Can't install OneAgent.
- Download & install OneAgent. Allows download of OneAgent and installation on hosts. Can't change settings.
- View logs. Allows access to sensitive log file data.
- View sensitive request data. Allows viewing of potentially personal data. Users who don't have this permission see that the data point exists but the personal data is masked out with asterisks (
- Configure capture of sensitive data. Allows configuration of request-attribute capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search.
Dynatrace provides the following account-based permissions:
- Access account. Allows access to the account to view environment data (host hours, sessions, synthetic monitors) and view links to Dynatrace Help and Dynatrace ONE (create tickets, view documentation, and visit forums). No access to billing or user/group management.
- Edit billing & account info. Allows access to payment data (credit card details), billing data (invoices), and contact information (company contact data).
- Manage users. Allows access to user management (add/remove users to groups) and group management (create, edit, delete groups).
Users with the Manage users permission can perform the following operations:
- View lists of groups by selecting Group management from the menu.
- Create groups by clicking Group management > Create new group. At least one permission per group must be selected.
- Edit groups by selecting Group management and clicking the corresponding Edit(V) button.
- Delete groups by selecting Group management and clicking the corresponding Delete (X) button.
- View a list of users by selecting User management from the menu.
- Invite users to an account by selecting User management > Invite user. A user must be assigned to at least one group. Permission preview lists the permissions the user inherits from all the groups they belong to.
Note: If you don't have the Manage users permission, you can use the Invite a co-worker option available on your account's Environment page.
- Edit group assignments by selecting User management and clicking the corresponding Edit (V) button.
- Delete a user by selecting User management and clicking the corresponding Delete (X) button.
Dynatrace provides separate permissions for account and environment users. To get you started, Dynatrace provides a default set of editable groups. You can edit and adapt these default groups to fit your needs or you can create new groups.
These are users who work with Dynatrace to monitor the health of the hosts, services, and infrastructure in their application environments.
Default groups for environment users
Dynatrace offers four user groups with environment permissions:
- Monitoring admin has full environment access. Can change monitoring settings. Can download and install OneAgent.
- Deployment admin can download and install OneAgent. Has read-only access to the environment. Can’t change settings.
- Confidential data admin can view personal data (for example, method arguments) and configure request-data capture rules.
- Monitoring viewer can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent.
- Log viewer can access and view the contents of log files. Reserved for users who need access to sensitive log file data. No other access rights.
These are users who are involved in managing account details such as company addresses, billing, payment information, and user management.
Default groups for account users
Dynatrace offers three user groups with account permissions:
- Account manager has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Help, and Support.
- Finance admin can enter credit card data and review invoices. Has access to environment consumption data, Help, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info.
- Account viewer has access to environment consumption data, Help, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.