• Home
  • How to use Dynatrace
  • User management and SSO
  • Manage user groups and permissions
  • Manage policies and groups with Dynatrace IAM
  • IAM service reference

IAM service reference

All supported values for each IAM service, permission, and condition are listed below. Use them to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.

  • For an overview of Dynatrace IAM, see Manage policies and groups with Dynatrace IAM
  • For some syntax help and examples, see IAM policy statement syntax and examples
  • To list all REST API calls, see Dynatrace Account Management API 1.0
  • To see examples of Dynatrace web UI and REST API configuration procedures, see IAM getting started

Global conditions

Policies with listed permissions can be further refined with global conditions.

cloudautomation

cloudautomation service

cloudautomation:resources:read

Allows to read resources stored in the Git repository

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:resources:write

Allows to write/edit resources stored in the Git repository

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:resources:delete

Allows to delete resources stored in the Git repository

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:metadata:read

Allows to read metadata of Cloud Automation

cloudautomation:events:read

Allows to read events in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=
  • cloudautomation:event - A string that uniquely identifies your Cloud Automation event type.
    • operators: IN ,= ,!=

cloudautomation:events:write

Allows to send events to Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=
  • cloudautomation:event - A string that uniquely identifies your Cloud Automation event type
    • operators: IN ,= ,!=

cloudautomation:logs:read

Allows to read logs of Cloud Automation

cloudautomation:logs:write

Allows to write logs for Cloud Automation

cloudautomation:projects:read

Allows to read projects in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=

cloudautomation:projects:write

Allows to write/edit projects in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=

cloudautomation:projects:delete

Allows to delete projects in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=

cloudautomation:stages:read

Allows to read stages in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=

cloudautomation:services:read

Allows to read services in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:services:write

Allows to write/edit services in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:services:delete

Allows to delete services in Cloud Automation

Conditions:

  • cloudautomation:project - A string that uniquely identifies your Cloud Automation project.
    • operators: IN ,= ,!=
  • cloudautomation:stage - A string that uniquely identifies your Cloud Automation stage.
    • operators: IN ,= ,!=
  • cloudautomation:service - A string that uniquely identifies your Cloud Automation service.
    • operators: IN ,= ,!=

cloudautomation:integrations:read

Allows to read integrations used in Cloud Automation

cloudautomation:integrations:write

Allows to write/edit integrations used in Cloud Automation

cloudautomation:integrations:delete

Allows to delete integrations used in Cloud Automation

cloudautomation:secrets:read

Allows to read secrets used in Cloud Automation

cloudautomation:secrets:write

Allows to write secrets used in Cloud Automation

cloudautomation:secrets:delete

Allows to delete secrets used in Cloud Automation

cloudautomation:instance:manage

Enables the management of a Cloud Automation instance.

cloudautomation:statistics:read

Allows to read the usage statistics of a Cloud Automation instance.

environment

Environment and management-zone user permissions. See Migrate role-based permissions to Dynatrace IAM for more information.

environment:roles:viewer

Grants user the Access environment permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

environment:roles:manage-settings

Grants user the Change monitoring settings permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

environment:roles:agent-install

Grants user the Download/install OneAgent permission.

environment:roles:view-sensitive-request-data

Grants user the View sensitive request data permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

environment:roles:configure-request-capture-data

Grants user the Configure capture of sensitive data permission.

environment:roles:replay-sessions-without-masking

Grants user the Replay session data without masking permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

environment:roles:replay-sessions-with-masking

Grants user the Replay session data permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

environment:roles:manage-security-problems

Grants user the Manage security problems permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

environment:roles:logviewer

Grants user the View logs permission.

Conditions:

  • environment:management-zone - A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.
    • operators: IN ,startsWith ,NOT startsWith ,= ,!=

extensions

Extensions service

extensions:definitions:read

Enables READ operations for extensions and environment configurations

Conditions:

  • extensions:extension-name - A string that uniquely identifies a single extension
    • operators: IN ,NOT IN ,startsWith ,NOT startsWith ,!= ,=

extensions:definitions:write

Enables WRITE operations (UPDATE/CREATE/DELETE) for extensions and environment configurations

Conditions:

  • extensions:extension-name - A string that uniquely identifies a single extension
    • operators: IN ,NOT IN ,startsWith ,NOT startsWith ,!= ,=

extensions:configurations:read

Enables READ operations for extensions monitoring configurations

Conditions:

  • extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
    • operators: IN ,=
  • extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
    • operators: IN ,=
  • extensions:ag-group - A string that uniquely identifies a single Active Gate group for monitoring configuration assignment
    • operators: IN ,=
  • extensions:management-zone - A string that uniquely identifies a single Management Zone for monitoring configuration assignment
    • operators: IN ,=

extensions:configurations:write

Enables WRITE operations (UPDATE/CREATE/DELETE) for extensions monitoring configurations

Conditions:

  • extensions:host - A string that uniquely identifies a single host for monitoring configuration assignment
    • operators: IN ,=
  • extensions:host-group - A string that uniquely identifies a single host group for monitoring configuration assignment
    • operators: IN ,=
  • extensions:ag-group - A string that uniquely identifies a single Active Gate group for monitoring configuration assignment
    • operators: IN ,=
  • extensions:management-zone - A string that uniquely identifies a single Management Zone for monitoring configuration assignment
    • operators: IN ,=

settings

Settings service

settings:objects:read

Enables reading of settings objects belonging to the schema

Conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    • operators: IN ,= ,!=
  • settings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
    • operators: IN ,=
  • settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.
    • operators: IN ,= ,!=
  • settings:scope - The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
    • operators: IN ,= ,!=
  • environment:management-zone - The name of a management zone. This condition is applicable to either: settings objects of some schemas that are allowed in the environment scope or any settings object that is allowed on the scope of an entity that can be matched into a management zone.
    • operators: IN ,=

settings:objects:write

Enables writing of settings objects belonging to the schema

Conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.
    • operators: IN ,= ,!=
  • settings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.
    • operators: IN ,=
  • settings:entity.hostGroup - The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.
    • operators: IN ,= ,!=
  • settings:scope - The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
    • operators: IN ,= ,!=
  • environment:management-zone - The name of a management zone. This condition is applicable to either: settings objects of some schemas that are allowed in the environment scope or any settings object that is allowed on the scope of an entity that can be matched into a management zone.
    • operators: IN ,=

settings:schemas:read

Enables reading settings schemas

Conditions:

  • settings:schemaId - A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.
    • operators: IN ,= ,!=
  • settings:schemaGroup - A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.
    • operators: IN ,=