• Home
  • Manage
  • Access control
  • Manage user permissions with roles

Manage user permissions with roles

Migrate roles to Dynatrace IAM

recommended

Dynatrace version 1.252+

Starting with Dynatrace version 1.252, you can manage role-based access using Dynatrace IAM. For more information, see Migrate role-based permissions to Dynatrace IAM.

Go to https://myaccount.dynatrace.com to open Account Management.

Password policy

Dynatrace passwords must meet the following requirements:

  • Minimum length: 12 characters
  • A mix of uppercase and lowercase letters
  • At least one number or special character

There is no enforced password expiration.

Account permissions

Dynatrace provides the following account-level permissions.

  • View account: Allows access to the account to view environment data (host hours, sessions, synthetic monitors) and Dynatrace Documentation (documentation) links. Also allows access to view and create support tickets and the Dynatrace Community user forum. There is no access to billing or user/group management.
  • View and manage account and billing information: Allows access to payment data (credit card details), billing data (invoices), and contact information (company contact data).
  • View and manage users and groups: Allows access to user management (add, edit, remove user group membership) and group management (create, edit, delete groups).

Environment permissions

Dynatrace provides the following environment-level permissions. Select all that apply:

  • View environment: Allows read-only access to the environment. You cannot change settings or install OneAgent with this permission alone.

    View environment permission is required for any of the other environment permissions, so View environment is automatically selected for the environment when you select any other environment permission.

  • View sensitive request data: Allows viewing of potentially personal data captured by Dynatrace, including downloading memory dumps. Users who do not have this permission see that the data point exists but the personal data is masked by asterisks (*****). Also allows manually triggering memory dumps.
  • View logs: Allows access to sensitive log file data in the Logs tab.
  • Replay session data with masking: Allows replay of recorded user sessions with playback masking rules applied at the time of replay. Note that any data masked during recording is never captured and, therefore, always masked during replay.
  • Replay session data without masking: Allows replay of recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.
  • Install OneAgent: Allows download of OneAgent and installation on hosts. To change/edit settings, you must provide the Manage monitoring settings permission.

  • Manage monitoring settings: Allows changing of all environment settings. To install OneAgent, you must provide the Install OneAgent permission.

  • Manage capturing of sensitive request data: Allows configuration of request-attribute capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search. Also allows manually triggering memory dumps.

  • Manage security problems: Allows viewing and management of vulnerabilities reported by Dynatrace Application Security.

  • View security problems: Allows viewing (but not management) of vulnerabilities reported by Dynatrace Application Security.

    For details on Application Security permissions, see Fine-tune permissions.

  • Manage support tickets: Allows access to all support tickets that have been created for this environment.

Management zone permissions

Dynatrace provides the following management-zone-level permissions. Select all that apply:

  • View environment: Allows read-only access to the entities within the management zone. To change/edit settings, you must provide the Change monitoring settings permission.

    View environment permission is required for any of the other management zone permissions, so View environment is automatically selected for the management zone when you select any other management zone permission.

  • View sensitive request data: Allows viewing of potentially personal data captured by Dynatrace for the entities within the management zone. Users who do not have this permission see that the data point exists but the personal data is masked by asterisks (*****)—see also Environment permissions above.
  • View logs: Allows access to sensitive log file data in the Logs tab for hosts explicitly included within the management zone. Note that it is not sufficient to provide management-zone-level access to the host groups that the hosts belong to—see Management zone rules for details.
  • Replay session data with masking: Allows replay of recorded user sessions with playback masking rules applied at the time of replay. Note that any data masked during recording is never captured and, therefore, always masked during replay.

  • Replay session data without masking: Allows replay of recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.

    For Session Replay permissions to work within a management zone, the user also needs to have access to the requisite applications.

    • If a user session spans multiple applications that are not all assigned to the management zone, users can see still see and replay the session. However, user actions associated with the application to which you do not have access are masked and the corresponding part of the replay is not shown.
    • Playback buttons are grayed out for users who have access to applications but do not have permission to replay sessions.
    Example Session Details page: settings

    Session replay in a management zone

    Example Session Details page: notifications

    Session replay in a management zone

    For details on management zones, see Management zones.

  • Manage monitoring settings: Allows the changing of entity settings within a management zone, for example, the ability to record or edit synthetic monitors. It also grants access to some items in the global settings menu but only allows making modifications to assigned management zones. For example, alerting profiles can only be created and changed for a specific management zone.
  • Manage security problems: Allows viewing and management of vulnerabilities reported by Dynatrace Application Security.

  • View security problems: Allows viewing (but not management) of vulnerabilities reported by Dynatrace Application Security.

    For details on Application Security permissions, see Fine-tune permissions.

Relationship between environment and management zone permissions

When you provide any permission other than View environment at the environment level, View environment is automatically enabled as well for the environment. Likewise, when you provide any permission other than View environment at the management-zone level, View environment is automatically enabled for the management zone.

Management zones are designed to provide targeted and limited access to certain entities within an environment. If you wish to provide a permission to users accessing a management zone, we recommend that you use the management-zone-level permissions. Any permission you provide at the environment level supersedes and adds to those at the management-zone level. In other words, management-zone permissions cannot be used to limit permissions already provided at the environment level.

Take the example of a management zone containing three hosts out of five total hosts in an environment. If you grant the View logs permission to the management zone, viewers can see the Logs tab with information for the three hosts in the management zone. However, if you remove the same permission at the management-zone level and provide it at the environment level, users will be able to:

  • Access All management zones from the management zones filter on the menu bar.
  • See the Logs tab for all five hosts in the environment when viewing All management zones.
  • See the Logs tab for the three hosts in the assigned management zone when they switch to it.

Users

Dynatrace provides separate permissions for account and environment users. To get you started, Dynatrace provides a default set of editable groups. You can edit and adapt these default groups to fit your needs or you can create new groups.

Environment users

These are users who work with Dynatrace to monitor the health of the hosts, services, and infrastructure in their application environments.

Dynatrace offers the following user groups with environment permissions.

User groupAccount permissions

Confidential data admin

Can view personal data (for example, method arguments) and configure request-data capture rules.

Default permissions:

  • View environment
  • Replay sessions with masking
  • View sensitive request data
  • Manage capturing of sensitive request data
  • Manage monitoring settings

Deployment admin

Can download and install OneAgent. Has read-only access to the environment. Can’t change settings.

Default permissions:

  • View environment
  • Replay sessions with masking
  • Install OneAgent

Log viewer

Can access and view the contents of log files. Reserved for users who need access to sensitive log file data. No other access rights.

Default permissions:

  • View environment
  • Replay sessions with masking
  • View logs

Monitoring admin

Has full environment access. Can change monitoring settings. Can download and install OneAgent.

Default permissions:

  • View environment
  • Replay sessions with masking
  • Manage monitoring settings
  • Manage support tickets
  • Install OneAgent

Monitoring viewer

Can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent.

Default permissions:

  • View environment
  • Replay sessions with masking

Security admin

Can view and manage vulnerabilities.

Default permissions:

  • Manage security problems

Account users

These are users who are involved in managing account details such as company addresses, billing, payment information, and user management.

Dynatrace offers the following user groups with account permissions.

User groupAccount permissions

Account manager

Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support.

Default permissions:

  • View account
  • View and manage account and billing information
  • View and manage users and groups

Account viewer

Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Default permissions:

  • View account

Finance admin

Can enter credit card data and review invoices. Has access to environment consumption data, Documentation, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info.

Default permissions:

  • View account
  • View and manage account and billing information
Related topics
  • Dynatrace compliance with GDPR for EU citizens

    See how GDPR improves data protection by letting Dynatrace users control personal data within social networks and in the cloud.

  • Data protection at Dynatrace

    Find out how Dynatrace ensures that your data is secured.

  • Personal data captured by Dynatrace

    Find out what types of end-user data may be captured during Dynatrace monitoring and the methods that are available for masking personal end-user data.

  • Levels of data protection

    Learn how Dynatrace protects end-user information by applying situation-dependent levels of protection.

  • Cookies

    Learn about first-party cookie usage in Dynatrace.

  • Data security controls

    Learn about data security and operational security controls.

  • Report a security-related concern

    Find out how to report vulnerabilities and whom to contact in case of security concerns.

  • Configure environment-wide data privacy settings

    Learn how to set up data privacy masking for end user IP addresses, geolocations, and user action names.

  • Data privacy and exchange in Managed deployments

    Learn what information is exchanged between your Dynatrace Managed cluster and Mission Control and how often this exchange takes place.