Use the Dynatrace identity and access management (IAM) framework to manage user access to Dynatrace features.
With the new Dynatrace identity and access management (IAM) framework, you can define policies that clearly specify whether an action in Dynatrace is allowed. When policies are bound to user groups, they describe an access pattern for the group that is enforced at runtime. This gives you much more fine-grained control over how your users interact with Dynatrace.
Before IAM, Dynatrace offered (and still offers!) access control based on roles, where each role had a fixed set of permissions, and each user or user group could be assigned one or more roles.
The new IAM framework offers additional control over access by enabling you to create your own access policies based on a fine-grained set of permissions and conditions that can be enforced per service, not per role. You can even set policies for single resources within a service.
The Dynatrace IAM framework gives you more control over permissions within the system.
- Administration of permissions is easier and more scalable. You can manage IAM through the Dynatrace web UI or API.
- You can control more flexibly who has access to specific parts of the system and whether they can change settings or only view them. Some employees (such as admins) may need to be able to do almost everything in Dynatrace, while others may need to see only specific hosts, settings, or synthetic monitors.
- Instead of permissions that give all-or-nothing access, IAM granularity enables you to grant users exactly the right amount of access.
IAM is designed first and foremost to make Dynatrace safer.
- IAM enables admins to grant permissions more selectively, based strictly on necessity, following the principle of least privilege (PoLP).
- IAM enables you to realize access patterns that were not possible before. For instance, you can allow a user access to a single resource (a single setting or schema), regardless of user roles. Before IAM, you would have had to assign the user a role, and roles do not allow such fine-grained control.
- IAM helps to make Dynatrace permissions easier to understand, which means admins can more reliably administer permissions.
How to configure IAM
You can configure IAM through the Dynatrace web UI or REST API.
- To manage Dynatrace IAM policies, see Manage IAM policies
- To manage group permissions with IAM policies, see Manage group permissions with IAM policies
- To list all REST API calls, see the IAM Swagger spec
- To see examples of Dynatrace web UI and REST API configuration procedures, see IAM by example
- To list all supported values for each Dynatrace IAM service, permission, and condition, see IAM services reference