Access control
Dynatrace offers two basic forms of access control:
-
Attribute-based access control (ABAC) recommended determines a user's access based on their role, the type of resource being accessed (such as file type, owner, and sensitivity), and the environment (location, date, and time). This enables higher granularity in controlling access, but it also requires a little more knowledge.
The new IAM framework is ABAC: you control access by creating access policies based on a fine-grained set of permissions and conditions that can be enforced per service, not per role. You can even set policies for a single resource within a service.
-
Role-based access control (RBAC) determines a user's access based on their role (which is determined by characteristics such as department, location, seniority, and duties).
Before introducing IAM, Dynatrace offered (and still offers!) our classic role-based access control, where each role had a fixed set of permissions, and each user or user group could be assigned one or more roles. If you're a current user of our classic role-based access control, see Migrate role-based permissions to Dynatrace IAM for details on how you can migrate to the latest attribute-based access control (IAM).
Get the best of both worldsDynatrace version 1.252+
Dynatrace security policies now support the classic role-based permissions, which means that you can control all access to a Dynatrace environment using only the recommended IAM framework and use security policies to define user/group authorization in your environment via either the Dynatrace web UI and or the Dynatrace API.
Attribute-based access control with IAM
recommended
For the tightest access control, the Dynatrace identity and access management (IAM) framework offers attribute-based access control.
How is IAM different?
Compared to our classic role-based access control, the new IAM framework offers additional control over access by enabling you to create your own access policies based on a fine-grained set of permissions and conditions that can be enforced per service, not per role. You can even set policies for single resources within a service.
What is the value of IAM to me?
The Dynatrace IAM framework gives you more control over permissions within the system.
- Administration of permissions is easier and more scalable. You can manage IAM through the Dynatrace web UI or API.
- You can more flexibly control who has access to specific parts of the system and whether they can change settings or only view them. Some employees (such as admins) may need to have the ability to do almost everything in Dynatrace, while others may need to see only specific hosts, settings, or synthetic monitors.
- Instead of permissions that give all-or-nothing access, IAM granularity enables you to grant each user exactly the right amount of access.
How does IAM improve data security?
IAM is designed first and foremost to make Dynatrace safer.
- IAM enables admins to more selectively grant permissions based strictly on necessity following the principle of least privilege (PoLP).
- IAM enables you to realize access patterns that were not possible before. For instance, you can allow a user access to a single resource (a single setting or schema), regardless of user roles. Before IAM, you would have to assign the user a role for which such fine-grained control is not possible.
- IAM helps to make Dynatrace permissions easier to understand, which means admins can more reliably administer permissions.
For details on IAM, see Manage user permissions with IAM policies.
Role-based permissions
For details on configuring role-based permissions (role-based access control), see Manage user permissions with roles.
recommended
Dynatrace version 1.252+
Starting with Dynatrace version 1.252, you can manage role-based access using Dynatrace IAM. If you're using our classic role-based access control, see Migrate role-based permissions to Dynatrace IAM for details on how to migrate to the latest attribute-based access control (IAM).
SSO
Dynatrace makes it easy to manage user permissions based on user account membership in user groups. You can manage these accounts and groups locally, through LDAP, or through an IdP.
For details on managing user permissions via SSO, see User management and SSO.
Emergency contacts
Be sure to specify your Dynatrace emergency contacts. These email addresses will receive emergency notifications concerning your Dynatrace deployment.
For details on specifying your emergency contacts, see Specify emergency contacts.
Clickwrap
You can configure the display of the Subscription Agreement, or "clickwrap" agreement, to new users.
For details on configuring the clickwrap agreement, see Display clickwrap agreement to new users.
Access tokens
All external access to your Dynatrace monitoring environment relies on two pieces of information: the environment ID and an access token.
For details on access tokens, see Access tokens.
Management zones
Management zones are a powerful information-partitioning mechanism that promotes focus on specific parts of your observed topology and the sharing of relevant team-specific data while simultaneously ensuring access control.
For details on management zones, see Management zones,