Manage user groups and permissions

The Dynatrace permission management system makes it easy to manage permissions for groups. The permissions system isn’t based on hierarchical roles, but rather on groups, reflecting Unix- and Windows-based permissions. It enables you to create groups that have pre-defined (fully customizable) permissions sets—users added to a group inherit the permissions of that group.

Permissions are granted based on group assignment. Permissions are granted to groups and users are assigned to groups, as illustrated below:


Dynatrace provides separate permissions for account and environment users. To get you started, Dynatrace provides a default set of editable groups. You can edit and adapt these default groups to fit your needs or you can create new groups.

Environment users

These are users who work with Dynatrace to monitor the health of the hosts, services, and infrastructure in their application environments.

Default groups for environment users

Dynatrace offers four user groups with environment permissions:

  • Monitoring admin has full environment access. Can change monitoring settings. Can download and install OneAgent.
  • Deployment admin can download and install OneAgent. Has read-only access to the environment. Can’t change settings.
  • Confidential data admin can view personal data (for example, method arguments) and configure request-data capture rules.
  • Monitoring viewer can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent.
  • Log viewer can access and view the contents of log files. Reserved for users who need access to sensitive log file data. No other access rights.

Account users

These are users who are involved in managing account details such as company addresses, billing, payment information, and user management.

Default groups for account users

Dynatrace offers three user groups with account permissions:

  • Account manager has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Help, and Support.
  • Finance admin can enter credit card data and review invoices. Has access to environment consumption data, Help, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info.
  • Account viewer has access to environment consumption data, Help, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.


You can assign a pre-defined set of permissions to a group. Once a group is defined, you can add users to the group. Added users inherit the permissions of the groups they are assigned to. Any group can be modified to fit your needs. You can even create new groups and assign permissions to them.

Environment permissions

Dynatrace provides following environment-based permissions:

  • Access environment. Allows read-only access to the environment. Can't change settings or install OneAgent.
  • Change monitoring settings. Allows changing of all environment settings. Can't install OneAgent.
  • Download & install OneAgent. Allows download of OneAgent and installation on hosts. Can't change settings.
  • View logs. Allows access to sensitive log file data.
  • View sensitive request data. Allows viewing of potentionally personal data. Users that don't have this permission see that the data point exists but the personal data is masked out with *****.
  • Configure capture of sensitive data. Allows configuration of request-attribute capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search.

Account permissions

Dynatrace provides the following account-based permissions:

  • Access account. Allows access to the account to view environment data (host hours, sessions, synthetic monitors) and view links to Help and Support (create tickets, view documentation, and visit forums). No access to billing or user/group management.
  • Edit billing & account info. Allows access to payment data (credit card details), billing data (invoices), and contact information (company contact data).
  • Manage users. Allows access to user management (add/remove users to groups) and group management (create, edit, delete groups).