• Home
  • How to use Dynatrace
  • User management and SSO
  • Manage user groups and permissions
  • Manage policies and groups with Dynatrace IAM
  • IAM service reference

IAM service reference

All supported values for each IAM service, permission, and condition are listed below. Use them to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.

  • For an overview of Dynatrace IAM, see Manage policies and groups with Dynatrace IAM
  • For some syntax help and examples, see IAM policy statement syntax and examples
  • To list all REST API calls, see Dynatrace Account Management API 1.0
  • To see examples of Dynatrace web UI and REST API configuration procedures, see IAM getting started

Global conditions

Policies with listed permissions can be further refined with global conditions.

settings

Settings service

settings:objects:read

Enables reading of settings objects belonging to the schema

Conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    • operators: IN ,= ,!=
  • settings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
    • operators: IN ,=
  • settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.
    • operators: IN ,= ,!=
  • settings:scope - The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
    • operators: IN ,= ,!=
  • environment:management-zone - The name of a management zone. This condition is applicable to either: settings objects of some schemas that are allowed in the environment scope or any settings object that is allowed on the scope of an entity that can be matched into a management zone.
    • operators: IN ,=

settings:objects:write

Enables writing of settings objects belonging to the schema

Conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    • operators: IN ,= ,!=
  • settings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
    • operators: IN ,=
  • settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.
    • operators: IN ,= ,!=
  • settings:scope - The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
    • operators: IN ,= ,!=
  • environment:management-zone - The name of a management zone. This condition is applicable to either: settings objects of some schemas that are allowed in the environment scope or any settings object that is allowed on the scope of an entity that can be matched into a management zone.
    • operators: IN ,=

settings:schemas:read

Enables reading settings schemas

Conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.
    • operators: IN ,= ,!=
  • settings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.
    • operators: IN ,=

cloudautomation

cloudautomation service

cloudautomation:resources:read

Allows to read resources stored in the Git repository

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:resources:write

Allows to write/edit resources stored in the Git repository

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:resources:delete

Allows to delete resources stored in the Git repository

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:metadata:read

Allows to read metadata of Cloud Automation

cloudautomation:events:read

Allows to read events in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=
  • cloudautomation:event - A string that uniquely identifies your Cloud Automation event type.
    • operators: IN ,= ,!=

cloudautomation:events:write

Allows to send events to Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=
  • cloudautomation:event - A string that uniquely identifies your Cloud Automation event type
    • operators: IN ,= ,!=

cloudautomation:logs:read

Allows to read logs of Cloud Automation

cloudautomation:logs:write

Allows to write logs for Cloud Automation

cloudautomation:projects:read

Allows to read projects in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=

cloudautomation:projects:write

Allows to write/edit projects in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=

cloudautomation:projects:delete

Allows to delete projects in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=

cloudautomation:stages:read

Allows to read stages in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=

cloudautomation:services:read

Allows to read services in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:services:write

Allows to write/edit services in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:services:delete

Allows to delete services in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:integrations:read

Allows to read integrations used in Cloud Automation

cloudautomation:integrations:write

Allows to write/edit integrations used in Cloud Automation

cloudautomation:integrations:delete

Allows to delete integrations used in Cloud Automation

cloudautomation:secrets:read

Allows to read secrets used in Cloud Automation

cloudautomation:secrets:write

Allows to write secrets used in Cloud Automation

cloudautomation:secrets:delete

Allows to delete secrets used in Cloud Automation

cloudautomation:instance:manage

Enables the management of a Cloud Automation instance.

cloudautomation:statistics:read

Allows to read the usage statistics of a Cloud Automation instance.