
Manage IAM policies

Use these procedures in the Dynatrace web UI to manage Dynatrace IAM policies.

API alternative

To instead use the API to manage IAM policies, go to:

  • Dynatrace SaaS: Dynatrace Account Management API 1.0
  • Dynatrace Managed: IAM API is available as part of Cluster API v2

List IAM policies

To list configured IAM policies

Dynatrace SaaS

  1. In Account Management, go to Identity & access management > Policies.

  2. Review the table of all existing policies that you can bind to user groups.

    • Name—the name of the policy
    • Description—a brief description of the policy
    • Source—global, account (cluster in a Dynatrace Managed deployment), or environment
    • Actions—view, edit, or delete that row's policy (actions available to you depend on your permission level)

Dynatrace Managed

  1. In the Cluster Management Console, go to User authentication > Policy management.

  2. Review the table of all existing policies that you can bind to user groups.

    • Policy—the name of the policy
    • Policy description—a brief description of the policy
    • Organizational level—global, account (cluster in a Dynatrace Managed deployment), or environment
    • Actions—view, edit, or delete that row's policy (actions available to you depend on your permission level)

Built-in policies

To let you use policies right away, Dynatrace IAM is shipped with built-in global policies.

  • On the Policies page, in the Source column, they're all set to Dynatrace
  • They're predefined and managed by Dynatrace
  • You can apply a built-in policy by assigning it to a group for the whole account or to any environment.
  • You can inspect them—select View policy in the Actions column—but you can't edit them

Create a policy

To create a policy

Dynatrace SaaS

  1. In Account Management, go to Identity & access management > Policies.

  2. Select Create policy.

  3. Enter the following information.

    Element | Description

    Name

    The name of the policy.

    Description

    A brief description of the policy.

    Organization level

    Each policy has a level that determines its scope:

    • global: Global policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited.
    • account: Account policies apply to all environments under that account (customer). Use them to set company-wide policies.
      • In a Dynatrace Managed deployment, this is cluster.
    • environment: Environment policies apply only to a single customer environment.

    In the UI, organization levels are restricted to the account/cluster level (other levels are still available via the API). This restriction avoids confusion between creating and binding a policy. Instead of creating multiple identical policies at the environment level, it is more efficient to define one policy at the account/cluster level and bind it to the environment levels.

    Policy statement

    A statement specifying exactly what this policy allows.

    Example: Policy for Settings 2.0 Write

    ALLOW settings:objects:read; ALLOW settings:objects:write; ALLOW settings:schemas:read;

    You can combine multiple permissions in a single statement. Here is the same example combined into a single statement:

    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;

    Combining statements is particularly useful for managing policies with complicated conditions.

Dynatrace Managed

  1. In the Cluster Management Console, go to User authentication > Policy management.

  2. Select Add policy.

  3. Enter the following information.

    Element | Description

    Policy name

    The name of the policy.

    Policy description

    A brief description of the policy.

    Available for organizational level

    Each policy has a level that determines its scope:

    • global: Global policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited.
    • account: Account policies apply to all environments under that account (customer). Use them to set company-wide policies.
      • In a Dynatrace Managed deployment, this is cluster.
    • environment: Environment policies apply only to a single customer environment.

    In the UI, organization levels are now restricted to the account/cluster level (other levels are still available via the API). This restriction avoids confusion between creating and binding a policy. Instead of creating multiple identical policies at the environment level, it is more efficient to define one policy at the account/cluster level and bind it to the environment levels.

    Policy statements

    A statement specifying exactly what this policy allows.

    Example: Policy for Settings 2.0 Write

    ALLOW settings:objects:read; ALLOW settings:objects:write; ALLOW settings:schemas:read;

    You can combine multiple permissions in a single statement. Here is the same example combined into a single statement:

    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;

    Combining statements is particularly useful for managing policies with complicated conditions.

SchemaId condition

A schemaId condition defines which part of the settings a user can access in the settings UI.

Example schemaId condition in policy statement:

ALLOW settings:schemas:read, settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";
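The combined-statement form and the schemaId condition described above can be checked before a policy is saved. The following is an added example, not Dynatrace code: it parses only the statement forms shown on this page (a simplified grammar, not the full policy language), assumes a WHERE condition applies to every permission in its statement, and reports write permissions granted without a condition. The function names are hypothetical.

```python
import re

# Simplified grammar covering only the statement forms shown on this page:
#   ALLOW perm[, perm...] [WHERE key = "value"];
# Assumption: quoted values contain no ';', so splitting on ';' is safe here.
STATEMENT = re.compile(
    r'^ALLOW\s+(?P<perms>[\w:.\-]+(?:\s*,\s*[\w:.\-]+)*)'
    r'(?:\s+WHERE\s+(?P<key>[\w:]+)\s*=\s*"(?P<value>[^"]*)")?$'
)

def parse_policy(text):
    """Return a set of (permission, condition) grants.

    condition is None for an unconditioned grant, else a (key, value) tuple.
    Assumption: a WHERE clause applies to every permission in its statement.
    """
    grants = set()
    for raw in text.split(";"):
        stmt = raw.strip()
        if not stmt:
            continue
        m = STATEMENT.match(stmt)
        if m is None:
            raise ValueError(f"unsupported statement: {stmt!r}")
        cond = (m["key"], m["value"]) if m["key"] else None
        for perm in re.split(r"\s*,\s*", m["perms"]):
            grants.add((perm, cond))
    return grants

def unscoped_writes(grants):
    """Write permissions granted with no WHERE condition (candidates for scoping)."""
    return sorted(p for p, cond in grants if p.endswith(":write") and cond is None)

# Statements copied from this page.
SEPARATE = "ALLOW settings:objects:read; ALLOW settings:objects:write; ALLOW settings:schemas:read;"
COMBINED = "ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;"
SCOPED = ('ALLOW settings:schemas:read, settings:objects:write '
          'WHERE settings:schemaId = "builtin:container.monitoring-rule";')

if __name__ == "__main__":
    print("separate == combined:", parse_policy(SEPARATE) == parse_policy(COMBINED))
    print("unscoped writes (combined):", unscoped_writes(parse_policy(COMBINED)))
    print("unscoped writes (scoped):", unscoped_writes(parse_policy(SCOPED)))
```
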

Services

Currently, only the Dynatrace Settings 2.0 service is supported. We plan to add more services.

Available services include:

Service name | Service description
settings | Dynatrace Settings 2.0 service.

Edit a policy

To edit an existing policy

Dynatrace SaaS

  1. In Account Management, go to Identity & access management > Policies.
  2. Find the policy you want to edit.
    You can filter and sort the table.
  3. Select Actions > Edit policy.
  4. Make your changes and select Save.

Dynatrace Managed

  1. In the Cluster Management Console, go to User authentication > Policy management.
  2. Find the policy you want to edit.
    You can filter and sort the table.
  3. Select Actions > Edit policy.
  4. Make your changes and select Save.

Delete a policy

To delete a policy

Dynatrace SaaS

  1. In Account Management, go to Identity & access management > Policies.
  2. Find the policy you want to delete.
    You can filter and sort the table.
  3. Select Actions > Delete for the policy.

Dynatrace Managed

  1. In the Cluster Management Console, go to User authentication > Policy management.

  2. Find the policy you want to delete.
    You can filter and sort the table.

  3. Select the Edit button for the policy.

  4. Select Delete policy.

    In Dynatrace Managed, the change takes effect in a few minutes.

    To change the delay, modify the policyRefreshIntervalSeconds property in the iam section of the config file.

Copy a policy

To copy an existing policy

Dynatrace SaaS

  1. In Account Management, go to Identity & access management > Policies.
  2. Find the policy you want to copy.
    You can filter and sort the table.
  3. Select the Edit button for the policy.
  4. Copy the contents of Policy statement to the clipboard.
  5. Go back to the Policies page.
  6. Select Create policy.
  7. Paste the copied policy statements into Policy statement.
  8. Fill in the Name and optional Description.
  9. Select Create policy.

Dynatrace Managed

  1. In the Cluster Management Console, go to User authentication > Policy management.
  2. Open an existing policy for editing.
  3. Copy the contents of Policy statements to the clipboard.
  4. Go back to the Policy management page.
  5. Select Add policy.
  6. Paste the copied policy statements into Policy statements.
  7. Fill in the Name and optional Description.
  8. Select Save.

Apply a policy to a group

To apply a policy to a group, you need to bind the policy to the group. For details on managing group permissions with IAM, see Manage group permissions with IAM policies.