• Home
  • How to use Dynatrace
  • User management and SSO
  • Manage user groups and permissions
  • Manage policies and groups with Dynatrace IAM
  • Manage IAM policies

Manage IAM policies

Use these procedures in the Dynatrace web UI to manage Dynatrace IAM policies.

API alternative

To instead use the API to manage IAM policies, go to:

  • Dynatrace SaaS: Dynatrace Account Management API 1.0
  • Dynatrace Managed: IAM API is available as part of Cluster API v2

List IAM policies

To list configured IAM policies, go to the Policy management page:

  • Dynatrace SaaS: in the user menu, go to Account settings and select Identity management > Policy management.
  • Dynatrace Managed: in the Cluster Management Console, select User authentication > Policy management.

The Policy management page lists all existing policies that you can bind to user groups:

  • Policy—the name of the policy
  • Policy Description—a brief description of the policy
  • Organization level—global, account (cluster in a Dynatrace Managed deployment), or environment
  • Actions—view, edit, or delete that row's policy

Built-in policies

To let you use policies right away, Dynatrace IAM is shipped with preconfigured policies:

  • Settings Reader: grants permission to read Dynatrace settings
  • Settings Writer: grants permission to write Dynatrace settings

Create a policy

To create a policy, select Add policy and enter the following:

ElementDescription

Policy

The name of the policy.

Description

A brief description of the policy.

Organization level

Each policy has a level that determines its scope:

  • global: Global policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited.
  • account: Account policies apply to all environments under that account (customer). Use them to set company-wide policies.
    • In a Dynatrace Managed deployment, this is cluster.
  • environment: Environment policies apply only to a single customer environment.

Policy statements

A statement specifying exactly what this policy allows.

Example: 'Policy for Settings 2.0 Write' 
plaintext
ALLOW settings:objects:read;
ALLOW settings:objects:write;
ALLOW settings:schemas:read;

It is also possible to combine multiple permissions in a single statement:

Example: 'Policy for Settings 2.0 Write' using a single statement
plaintext
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;

This feature is particularly useful for managing policies with complicated conditions.

Note

Organization levels are restricted in the UI to the account \ cluster level (other levels are still available via API). Restriction in UI was provided to avoid confusion between creating and binding. Commonly creating multiple identical policies on the environment levels can be achieved in a more efficient way by defining one policy on account \ cluster level and binding it to environment levels.

SchemaId condition

A schemaId condition defines which part of the settings a user can have access to in the settings UI.

Example schemaId condition in policy statement
plaintext
ALLOW settings:schemas:read, settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";

Services

Currently, only Dynatrace Settings 2.0 service is supported. We plan to add more services.

Available services include:

Service nameService description

settings

Dynatrace Settings 2.0 service.

Edit a policy

To edit an existing policy

  1. Go to the Policy management page:
    • Dynatrace SaaS: Identity management > Policy management.
    • Dynatrace Managed: User authentication > Policy management.
  2. Find the policy you want to edit.
    You can filter the list by name and organization level.
  3. Select the Edit button for the policy.

Delete a policy

To delete a policy

  1. Go to the Policy management page:

    • Dynatrace SaaS: Identity management > Policy management.
    • Dynatrace Managed: User authentication > Policy management.

  2. Find the policy you want to edit.
    You can filter the list by name and organization level.

  3. Select the Edit button for the policy.

  4. Select Delete policy.

    Note

    In Dynatrace Managed, the change takes effect in a few minutes.

    To change the delay, modify property policyRefreshIntervalSeconds in the iam section of the config file.

Copy a policy

To copy an existing policy

  1. Go to the Policy management page:
    • Dynatrace SaaS: Identity management > Policy management.
    • Dynatrace Managed: User authentication > Policy management.
  2. Open an existing policy for editing.
  3. Copy the contents of Policy statements to the clipboard.
  4. Go back to the Policy management page.
  5. Select Add policy.
  6. Paste the copied policy statements into Policy statements.
  7. Complete the rest of the policy definition.

Apply a policy to a group

To apply a policy to a group, you need to bind the policy to the group. For details on managing group permissions with IAM, see Manage group permissions with IAM policies.