Manage user groups and permissions

In Dynatrace SaaS, select Account settings from the user profile menu in the upper-right to manage users and user groups.

  • License details—View license quotas and consumption details.
  • Contact information—Update your company information.
  • Environment management—Update environment settings like name and time zone.
  • Identity management
    • User management—Assign users to groups (to provide permissions to users), invite new users, and resend invitations to users who lose their invitations.
    • Group management—Assign permissions to groups. Group members inherit the permissions assigned to groups.
    • Single sign-on—Configure SSO user authentication.
    • SCIM configuration—Manage user identities in cloud-based applications and services.
  • Account management API—Configure and manage account API OAuth clients.

Password policy

Dynatrace passwords must meet the following requirements:

  • Minimum length: 12 characters
  • A mix of uppercase and lowercase letters
  • At least one number or special character

There is no enforced password expiration.

Account permissions

Dynatrace provides the following account-level permissions.

  • Access account: Allows access to the account to view environment data (host hours, sessions, synthetic monitors) and Dynatrace Help (documentation) links. Also allows access Dynatrace ONE (to view and create support tickets) and the Dynatrace Answers user forum. There is no access to billing or user/group management.

  • Edit billing & account info: Allows access to payment data (credit card details), billing data (invoices), and contact information (company contact data).

  • Manage users: Allows access to user management (add, edit, remove users to groups) and group management (create, edit, delete groups). Users with this permission can do the following operations:

Environment permissions

Dynatrace provides the following environment-level permissions. Select all that apply:

  • Access environment: Allows read-only access to the environment. You cannot change settings or install OneAgent with this permission alone.
    Important
    Access environment permission is required for any of the other environment permissions, so Access environment is automatically selected for the environment when you select any other environment permission.
  • Change monitoring settings: Allows changing of all environment settings. To install OneAgent, you must provide the Download/install OneAgent permission.
  • Manage support tickets: Allows access to all support tickets that have been created for this environment.
  • View logs: Allows access to sensitive log file data in the Logs tab.
  • View sensitive request data: Allows viewing of potentially personal data captured by Dynatrace, including downloading memory dumps. Users who do not have this permission see that the data point exists but the personal data is masked by asterisks (*****).
  • Download/install OneAgent: Allows download of OneAgent and installation on hosts. To change/edit settings, you must provide the Change monitoring settings permission.

  • Configure capture of sensitive data: Allows configuration of request-attribute capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search. Also allows manually triggering memory dumps.

  • Replay session data: Allows replay of recorded user sessions with playback masking rules applied at the time of replay. Note that any data masked during recording is never captured and, therefore, always masked during replay.
  • Replay session data without masking: Allows replay of recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.
  • Manage security problems: Allows management of problems reported by Dynatrace Application Security.

Management zone permissions

Dynatrace provides the following management-zone-level permissions. Select all that apply:

  • Access environment: Allows read-only access to the entities within the management zone. To change/edit settings, you must provide the Change monitoring settings permission.
    Important
    Access environment permission is required for any of the other management zone permissions, so Access environment is automatically selected for the management zone when you select any other management zone permission.
  • Change monitoring settings: Allows the changing of management-zone settings, for example, the ability to record or edit synthetic monitors.
  • View logs: Allows access to sensitive log file data in the Logs tab for hosts explicitly included within the management zone. Note that it is not sufficient to provide management-zone-level access to the host groups that the hosts belong to—see Management zone rules for details.
  • View sensitive request data: Allows viewing of potentially personal data captured by Dynatrace for the entities within the management zone. Users who do not have this permission see that the data point exists but the personal data is masked by asterisks (*****)—see also Environment permissions above.
  • Replay session data: Allows replay of recorded user sessions with playback masking rules applied at the time of replay. Note that any data masked during recording is never captured and, therefore, always masked during replay.
  • Replay session data without masking: Allows replay of recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.
    Important
    For Session Replay permissions to work within a management zone, the user also needs to have access to the requisite applications.
    • If a user session spans multiple applications that are not all assigned to the management zone, users can see still see and replay the session. However, user actions associated with the application to which you do not have access are masked and the corresponding part of the replay is not shown.
    • Playback buttons are grayed out for users who have access to applications but do not have permission to replay sessions.
    For details on management zones, see Management zones.
  • Manage security problems: Allows management of problems reported by Dynatrace Application Security.

Relationship between environment and management zone permissions

Important
When you provide any permission other than Access environment at the environment level, Access environment is automatically enabled as well for the environment. Likewise, when you provide any permission other than Access environment at the management-zone level, Access environment is automatically enabled for the management zone.

Management zones are designed to provide targeted and limited access to certain entities within an environment. If you wish to provide a permission to users accessing a management zone, we recommend that you use the management-zone-level permissions. Any permission you provide at the environment level supersedes and adds to those at the management-zone level. In other words, management-zone permissions cannot be used to limit permissions already provided at the environment level.

Take the example of a management zone containing three hosts out of five total hosts in an environment. If you grant the View logs permission to the management zone, viewers can see the Logs tab with information for the three hosts in the management zone. However, if you remove the same permission at the management-zone level and provide it at the environment level, users will be able to:

  • Access All management zones from the management zones filter on the menu bar.
  • See the Logs tab for all five hosts in the environment when viewing All management zones.
  • See the Logs tab for the three hosts in the assigned management zone when they switch to it.

Users

Dynatrace provides separate permissions for account and environment users. To get you started, Dynatrace provides a default set of editable groups. You can edit and adapt these default groups to fit your needs or you can create new groups.