Manage IAM policies

Use these procedures in the Dynatrace web UI to manage Dynatrace IAM policies.

New

This feature is currently in Preview release.

API alternative

To instead use the API to manage IAM policies, go to https://iam.dynatrace.com/swagger/

List IAM policies

  1. From the User menu in the upper-right corner of the page, select Account settings.
  2. Go to Identity management > Policy management.
    The Policy management page lists all existing policies that you can bind to user groups:
    • Policy—the name of the policy
    • Policy Description—a brief description of the policy
    • Organization level—global, account (cluster in a Dynatrace Managed deployment), or environment
    • Actions—view, edit, or delete that row's policy

Built-in policies

In Preview release, every IAM-enabled Dynatrace cluster has the following built-in policies:

  • Settings Reader: grants permission to read Dynatrace settings
  • Settings Writer: grants permission to write Dynatrace settings

Create a policy

To create a policy, select Add policy and enter the following:

  • Policy: The name of the policy.
  • Description: A brief description of the policy.
  • Organization level: Each policy has a level that determines its scope:
    • global: Global policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited.
    • account: Account policies apply to all environments under that account (customer). Use them to set company-wide policies.
      • In a Dynatrace Managed deployment, this is cluster.
    • environment: Environment policies apply only to a single customer environment.
  • Policy statements: A statement specifying exactly what this policy allows.

SchemaId condition

A schemaId condition defines which part of the settings a user can have access to in the settings UI.

Services

This feature is still in early development (Preview). We plan to add more services.

Available services include:

Service name Service description

dynatrace.settings

Edit a policy

To edit an existing policy

  1. Go to Identity management > Policy management.
  2. Find the policy you want to edit.
    You can filter the list by name and organization level.
  3. Select the pen icon for the policy.

Delete a policy

To delete a policy

  1. Go to Identity management > Policy management.

  2. Find the policy you want to delete.
    You can filter the list by name and organization level.

  3. Select the delete icon for the policy.

    Note

    The change takes effect in a few minutes.

    To change the delay, modify the policyRefreshIntervalSeconds property in the iam section of the config file.

Copy a policy

To copy an existing policy

  1. Go to Identity management > Policy management.
  2. Open an existing policy for editing.
  3. Copy the contents of Policy statements to the clipboard.
  4. Go to Identity management > Policy management.
  5. Select Add policy.
  6. Paste the copied policy statements into Policy statements.
  7. Complete the rest of the policy definition.

Apply a policy to a group

To apply a policy to a group, you need to bind the policy to the group. For details on managing group permissions with IAM, see Manage group permissions with IAM policies.