IAM by example


This feature is currently in Preview release.

All examples here are based on the Settings 2.0 service, which so far is the only Dynatrace service supporting IAM-based authorization. Support for other Dynatrace services is planned.

Built-in policies

Every IAM-enabled Dynatrace cluster has (so far) two built-in policies:

  • Settings Reader: grants permission to read Dynatrace settings
  • Settings Writer: grants permission to write Dynatrace settings

To verify that you have these policies

  1. In Dynatrace SaaS, select Account settings from the user profile menu in the upper-right corner of the page.
  2. Open Identity management > Policy management.
  3. Find Settings Reader and Settings Writer in the table.

REST API authentication

All IAM features can be accessed via REST API. The complete documentation of all the objects used within the API and all exposed endpoints can be found in the REST API Swagger doc. Here we will only cover the aspects regarding authentication of requests, which differs in Dynatrace SaaS and Dynatrace Managed deployments.

Dynatrace SaaS

For Dynatrace SaaS deployments, the APIs must be accessed using an OAuth2 client.

To generate an OAuth2 client

  1. Sign in to Dynatrace using an account with the account-user-management permission set.

  2. Go to Account management API and select Create new client.

  3. Describe the client.
    Be sure to select Allow IAM policy configuration for environments.

  4. Select Generate client.

  5. Copy and paste the generated fields (Client ID, Client secret, and Your account URN) to a secure location.


    Client secret is revealed only once and cannot be regenerated!

  6. Once you have a client ID and secret, you can use Dynatrace SSO to request an access token for your client through a client credentials flow. You must include your account UID prefixed with urn:dtaccount in the resource parameter of the request body. Format:
    Request a token at https://sso.dynatrace.com/sso/oauth2/token. Any OAuth or HTTP client can be used to request the token. Sample HTTP request:

    POST /sso/oauth2/token HTTP/1.1  
    Host: sso.dynatrace.com  
    Content-Type: application/x-www-form-urlencoded  
    grant_type=client_credentials&client_id={your client id}&client_secret={your client secret}&scope=iam-policies-management&resource=urn%3Adtaccount%{your account UID}
  7. Complete the fields for the /oauth2/token endpoint using data obtained in the previous step as shown below:

    grant_type: client_credentials  
    client_id: ${client_id}  
    client_secret: ${client_secret}  
    scope: iam-policies-management  
    resource: urn:dtaccount:${account_id}  
  8. Execute the request.

  9. The required token is returned in the response. This can now be used as a Bearer token to authenticate requests to the Policy Administration Point (PAP) REST API.

Dynatrace Managed

Dynatrace Managed deployments use token-based authentication for the PAP REST API. To generate it

  1. Open Cluster Management Console (CMC).
  2. Go to Settings > API tokens.
  3. In the Cluster tokens section, select Generate token.
    • Give the token any name you want
    • Turn on Service provider API
  4. Select Save.
  5. Select Copy to copy the token.
  6. Add an Authorization header to your request with the value Api-Token [generated token goes here].

Example 1: read and write permission

Suppose you have the following teams in your organization:

  • The IT team, which is responsible for configuring the Dynatrace environment and making sure everything works.
  • The sales team, which should only be able to read the Dynatrace settings, and never modify them.

The IT team needs read and write access, while the sales team needs only read access.

Create two Dynatrace user groups

To add a group named IT

  1. Open Identity management > Group management.
  2. Select Add group.
  3. Enter the Group name (IT) and Group description, and then select Save.

Repeat the procedure for the Sales user group.

Now that you have the two user groups, you need to grant each group the correct permissions. You can use either the Dynatrace web UI or the REST API.

Bind policies via Dynatrace web UI

Let's start by assigning the correct permissions to the IT group.


If you're going to use the REST API, skip to Bind policies via REST API below.

  1. Go to Identity management > Group management.
  2. Find the IT group and select the pencil icon in the Edit column to edit that group.
    The edit view includes an Environment permissions section listing all environments you are managing.
  3. Expand the environment for which you want to make changes and select the Policies tab.
  4. In the Select policies to bind filter box:
    • Find and select the Settings Writer policy
    • Find and select the Settings Reader policy
  5. Select the Bind policies button on the right to bind the policies.
  6. Select the Save button that is displayed on a ribbon at the bottom of the page.

Congratulations, you've bound your first policies! The IT group in the selected environment has read and write access to Dynatrace settings.

Now repeat the above procedure for the Sales team, but bind only the Settings Reader policy to it. The sales team in this example does not need write access to Dynatrace settings.

Bind policies via REST API

This procedure uses the REST API to do the same things we did above in Bind policies via Dynatrace web UI.

To bind a policy to a group, you need the following values:

  • ID of each policy you want to bind
  • ID of each group to which you want to bind policies
  • ID of the environment for which you want to make changes

In our example, suppose we have the following values:

  • The Settings Reader policy has ID settings_reader_id
  • The Settings writer policy has ID settings_writer_id
  • The Sales group ID is sales_group_id
  • The IT group ID is it_group_id
  • The environment has the ID my_environment_id

Now we need to create a body for the request for binding the policies. You can use either a PUT (for replacing policy bindings) or a POST (for appending policy bindings). Let's assume that we want to append the policies and use a POST.

In this example we use the /repo/{level-type}/{level-id}/bindings/{policy-uuid} endpoint from the PAP REST API. We need to proceed in two steps:

  1. Bind the Settings Reader policy to both of our groups (IT and Sales).
  2. Bind the Settings Writer policy only to the IT group.

The first request should then be sent on the /repo/environment/my_environment_id/bindings/settings_reader_id endpoint with the following body:

  "groups": [

This grants read permission to both groups.

To add write permission to the IT group, we need to execute another POST request on the /repo/environment/my_environment_id/bindings/settings_writer_id endpoint with the following body:

  "groups": [

Congratulations, you've completed the binding of built-in policies via API!

Example 2: allow access to a particular schema

If the built-in policies are not granular enough for your needs, you can manage permissions at the setting level.

Assume that you have a particular Settings 2.0 schema, say dynatrace.settings.apm.my-super-secret-schema, the only one that you want to keep open for the Sales and IT groups.

You therefore want to allow access to the following:

  • Allow reading of schema dynatrace.settings.apm.my-super-secret-schema
  • Allow reading and writing of objects belonging to the schema dynatrace.settings.apm.my-super-secret-schema

As before, we present two ways of obtaining this effect.

Create a policy via Dynatrace web UI

This procedure uses the Dynatrace web UI. To use the REST API instead, skip to Create a policy via REST API.

To create a policy

  1. Open Identity management > Policy management.
  2. Select Add policy.
  3. Describe the policy:
    • Policy name
      Any useful name.
    • Policy description
      Any useful description.
    • Organization level
      Select the appropriate level for this policy. Let's assume that it will apply to the same environment as in the previous example (with my_environment_id).
    • Policy statements
      Copy the following statement to the Policy statements box.
      ALLOW dynatrace.settings:schemas:read WHERE schemaId = "dynatrace.settings.apm.container.monitoring-rule";  
      ALLOW dynatrace.settings:objects:read WHERE schemaId = "dynatrace.settings.apm.container.monitoring-rule";  
      ALLOW dynatrace.settings:objects:write WHERE schemaId = "dynatrace.settings.apm.container.monitoring-rule";  

Create a policy via REST API

This procedure uses the REST API to do the same things we did in Create a policy via Dynatrace web UI.

To create a policy using the API, we will use the /repo/{level-type}/{level-id}/policies endpoint and use a POST method to add a policy.

Assume that the policy name we want to add is my_policy_name and the description is My policy description. As before, assume that we want this policy to apply only on the environment level for environment my_tenant_id.

The request body should be the following:

   "description":"My policy description",

   "statementQuery": "ALLOW dynatrace.settings:schemas:read WHERE schemaId = \"dynatrace.settings.apm.container.monitoring-rule\"; ALLOW dynatrace.settings:objects:read WHERE schemaId = \"dynatrace.settings.apm.container.monitoring-rule\"; ALLOW dynatrace.settings:objects:write WHERE schemaId = \"dynatrace.settings.apm.container.monitoring-rule\";" 

Enforce the policy

Important: Remember that a policy does not take effect until you bind it to a group. For this example, you need to bind it to the IT and Sales groups.