Manage IAM policies

Use these procedures in the Dynatrace web UI to manage Dynatrace IAM policies.

API alternative

To instead use the API to manage IAM policies, go to:

List IAM policies

To list configured IAM policies, go to the Policy management page:

  • Dynatrace SaaS: in the user menu, go to Account settings and select Identity management > Policy management.
  • Dynatrace Managed: in the Cluster Management Console, select User authentication > Policy management.

The Policy management page lists all existing policies that you can bind to user groups:

  • Policy—the name of the policy
  • Policy Description—a brief description of the policy
  • Organization level—global, account (cluster in a Dynatrace Managed deployment), or environment
  • Actions—view, edit, or delete that row's policy

Built-in policies

To let you use policies right away, Dynatrace IAM is shipped with preconfigured policies:

  • Settings Reader: grants permission to read Dynatrace settings
  • Settings Writer: grants permission to write Dynatrace settings

Create a policy

To create a policy, select Add policy and enter the following:

Element Description

Policy

The name of the policy.

Description

A brief description of the policy.

Organization level

Each policy has a level that determines its scope:

  • global: Global policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited.
  • account: Account policies apply to all environments under that account (customer). Use them to set company-wide policies.
    • In a Dynatrace Managed deployment, this is cluster.
  • environment: Environment policies apply only to a single customer environment.

Policy statements

A statement specifying exactly what this policy allows.

It is also possible to combine multiple permissions in a single statement:

This feature is particularly useful for managing policies with complicated conditions.

SchemaId condition

A schemaId condition defines which part of the settings a user can have access to in the settings UI.

Services

Currently, only the Dynatrace Settings 2.0 service is supported. We plan to add more services.

Available services include:

  • settings: Dynatrace Settings 2.0 service
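The following is an added example, not part of the original page or Dynatrace's own tooling: a small review script that parses text copied from the Policy statements field and reports write permissions that are not narrowed by a schemaId condition. The `ALLOW ... WHERE ...;` statement form, the `settings:*` permission names, and the sample schema ID are assumptions, since the page does not show them, and the sample policy is constructed.

```python
import re

# Constructed sample. The ALLOW ... WHERE ...; form and the settings:*
# permission names are assumptions; they are not shown on this page.
SAMPLE_POLICY = '''
ALLOW settings:schemas:read;
ALLOW settings:objects:read, settings:objects:write
  WHERE settings:schemaId = "builtin:alerting.profile";
ALLOW settings:objects:write;
'''

# One statement: ALLOW perm[, perm...] [WHERE condition]
STATEMENT = re.compile(
    r'^ALLOW\s+(?P<perms>[\w:.\-]+(?:\s*,\s*[\w:.\-]+)*)'
    r'(?:\s+WHERE\s+(?P<cond>.+))?$',
    re.IGNORECASE,
)
# Only an equality condition counts as scoped here; any other form of
# condition is treated as unscoped so that it gets a manual review.
SCHEMA_EQ = re.compile(r'settings:schemaId\s*=\s*"([^"]+)"')


def parse_policy(text):
    """Return a list of (permissions, schema_id or None), one per statement."""
    parsed = []
    for raw in text.split(';'):  # assumes no ';' inside quoted values
        stmt = ' '.join(raw.split())  # collapse line breaks and indentation
        if not stmt:
            continue
        m = STATEMENT.match(stmt)
        if m is None:
            raise ValueError(f'unrecognised statement: {stmt!r}')
        perms = [p.strip() for p in m.group('perms').split(',')]
        scope = SCHEMA_EQ.search(m.group('cond') or '')
        parsed.append((perms, scope.group(1) if scope else None))
    return parsed


def unscoped_writes(text):
    """Write permissions granted without a schemaId equality condition."""
    return [p for perms, schema in parse_policy(text)
            for p in perms if p.endswith(':write') and schema is None]


if __name__ == '__main__':
    for perms, schema in parse_policy(SAMPLE_POLICY):
        print(', '.join(perms), '->', schema or 'all schemas')
    print('needs review:', unscoped_writes(SAMPLE_POLICY))
```

Running it against a policy before binding it to a group shows which statements would let members write to every settings schema at that organization level.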

Edit a policy

To edit an existing policy

  1. Go to the Policy management page:
    • Dynatrace SaaS: Identity management > Policy management.
    • Dynatrace Managed: User authentication > Policy management.
  2. Find the policy you want to edit.
    You can filter the list by name and organization level.
  3. Select the Edit button for the policy.

Delete a policy

To delete a policy

  1. Go to the Policy management page:

    • Dynatrace SaaS: Identity management > Policy management.
    • Dynatrace Managed: User authentication > Policy management.
  2. Find the policy you want to edit.
    You can filter the list by name and organization level.

  3. Select the Edit button for the policy.

  4. Select Delete policy.

    Note

    In Dynatrace Managed, the change takes effect in a few minutes.

    To change the delay, modify the policyRefreshIntervalSeconds property in the iam section of the config file.

Copy a policy

To copy an existing policy

  1. Go to the Policy management page:
    • Dynatrace SaaS: Identity management > Policy management.
    • Dynatrace Managed: User authentication > Policy management.
  2. Open an existing policy for editing.
  3. Copy the contents of Policy statements to the clipboard.
  4. Go back to the Policy management page.
  5. Select Add policy.
  6. Paste the copied policy statements into Policy statements.
  7. Complete the rest of the policy definition.

Apply a policy to a group

To apply a policy to a group, you need to bind the policy to the group. For details on managing group permissions with IAM, see Manage group permissions with IAM policies.