• Home
  • How to use Dynatrace
  • User management and SSO
  • Manage user groups and permissions
  • Manage policies and groups with Dynatrace IAM
  • IAM policy statement syntax and examples

IAM policy statement syntax and examples

This page uses some simple examples to give you a quick overview of how to work with IAM policy statements.

  • For a generated list of all supported values for each IAM service, permission, and condition, see IAM services reference.

  • These examples use Dynatrace Settings service (settings), which enables you to manage the following permissions:

    • schemas:read
    • objects:read
    • objects:write

    It supports condition settings:schemaId, which supports operators =, !=, and IN.

Syntax

In its most basic form, a policy statement starts with the ALLOW keyword, which is followed by the service (in these examples, settings), and then a permission (such as schemas:read). A statement can include an optional condition.

ALLOW <service>:<permission> WHERE <condition>;

Syntax details
ComponentPossible values

policy

A policy consists of one or more policy statements, with one statement per line.

<statement>

ALLOW <service>:<permission> <condition>;

<service>

  • settings

(In the current Preview release, settings is the only available service. More will be added.)

<permission>

TBD

<condition>

  • null
  • WHERE <condition name> <condition operator> "<condition value>"

Example: WHERE settings:schemaId = "builtin:container.monitoring-rule"

  • Conditions are optional.
  • To add multiple conditions to a statement, use AND

<condition name>

TBD

<condition operator>

  • =
  • !=
  • IN
    (Applies only to lists.)

<condition value>

If <condition operator> is = or !=, the <condition value> must be a single value in quotations like this:
"<value1>"

In this example <condition>:
WHERE settings:schemaId = "builtin:container.monitoring-rule"

  • <condition name> is settings:schemaId
  • <condition value> is one possible value of settings:schemaId

If <condition operator> is IN, the <condition value> must be a comma-separated list of values in parentheses like this:
("<value1>", … , "<valueN>")

In this example <condition>:
WHERE settings:schemaId IN ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule")

  • <condition name> is settings:schemaId
  • <condition value> is a list containing two possible values of settings:schemaId

Example 1: simple statement

In this example, a user that belongs to a group to which this policy is assigned has read access to all schemas in the Dynatrace settings service.

plaintext
ALLOW settings:schemas:read;

Example 2: condition - single value

This example modifies example 1 by adding a condition to limit read access to just one specific schema in the Dynatrace settings service.

plaintext
ALLOW settings:schemas:read WHERE settings:schemaId = "builtin:container.monitoring-rule";

The condition is added to this example statement by adding keyword WHERE followed by the condition, which consists of three parts:

  • condition name (settings:schemaId)
  • condition operator (=)
  • condition value ("builtin:container.monitoring-rule")

So this statement says a user that belongs to a group to which this policy is assigned can read schemas in the settings service, but only if the schema is equal to builtin:container.monitoring-rule.

If you instead used the condition operator !=, it would mean that a user that belongs to a group to which this policy is assigned can read schemas in the settings service, but only if the schema is NOT equal to builtin:container.monitoring-rule.

Example 3: condition - list of values

This example modifies example 2 to show how to use the IN operator with a list of values.

plaintext
ALLOW settings:schemas:read WHERE settings:schemaId IN ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule");

The condition value in this case takes form of a list of schema IDs enclosed with parentheses and delimited with commas.

So this statement says a user that belongs to a group to which this policy is assigned can read schemas in the settings service, but only if the schema ID is in this list, and then it defines a comma-separated list of two schema IDs: ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule")

Example 4: statements on separate lines

Each policy can have multiple statements.

Example policy with two statements:

plaintext
ALLOW settings:objects:read; ALLOW settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";

In this example, a user that belongs to a group to which this policy is assigned can:

  • read all objects in the settings service (there is no condition in the first statement)
  • write objects in the settings service only where settings:schemaId is equal to builtin:container.monitoring-rule

Example 5: statements combined

Instead of listing permission statements on separate lines, you can combine statements into one line:

plaintext
ALLOW settings:objects:read, settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";

A policy with this statement grants read and write access to builtin:container.monitoring-rule, with the WHERE condition applying to both.

Date and time conditions

The following are simple examples of how to work with time-based conditions in IAM policy statements. For global:date, global:date-time, and global:time-of-day, the value needs to be specified with a time zone according to ISO/WD 8601-1. Following ISO/WD 8601-1, the character Z is used to designate that the date is in UTC.

Day of week

The policy is active on specific days of the week (GMT time zone).

Example:

ALLOW service:resource:permission WHERE global:week-day = "Monday";

Operators: =, IN

Date

The policy is active during a specified date range. Time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";

Operators: <, >, =

Date and time

The policy is active according to a specified date and time. Time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";

Operators: <, >

Time of day

The policy is active each day during a specified time range. Time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";

Operators: <, >