• Home
  • Manage
  • Access control
  • User management and SSO
  • Manage user groups and permissions
  • Manage policies and groups with Dynatrace IAM
  • IAM policy statement syntax and examples

IAM policy statement syntax and examples

This page uses some simple examples to give you a quick overview of how to work with IAM policy statements.

  • For a generated list of all supported values for each IAM service, permission, and condition, see IAM services reference.

  • Additionally, global conditions can be used in any policy.

  • These examples use the Dynatrace Settings service (settings), which enables you to manage the following permissions:

    • schemas:read
    • objects:read
    • objects:write

    It supports condition settings:schemaId, which supports operators =, !=, and IN.

Syntax

In its most basic form, a policy statement starts with the ALLOW keyword, which is followed by the service (in these examples, settings), and then a permission (such as schemas:read). A statement can include an optional condition.

ALLOW <service>:<permission> WHERE <condition>;

Syntax details
ComponentPossible values

policy

A policy consists of one or more policy statements, with one statement per line.

<statement>

ALLOW <service>:<permission> <condition>;

<service>

  • settings
  • cloudautomation
  • environment:roles

<permission>

<condition>

  • null
  • WHERE <condition name> <condition operator> "<condition value>"

Example: WHERE settings:schemaId = "builtin:container.monitoring-rule"

  • Conditions are optional.
  • To add multiple conditions to a statement, use AND

<condition name>

TBD

<condition operator>

  • =
  • !=
  • IN
    (Applies only to lists.)

<condition value>

If <condition operator> is = or !=, the <condition value> must be a single value in quotations like this:
"<value1>"

In this example <condition>:
WHERE settings:schemaId = "builtin:container.monitoring-rule"

  • <condition name> is settings:schemaId
  • <condition value> is one possible value of settings:schemaId

If <condition operator> is IN, the <condition value> must be a comma-separated list of values in parentheses like this:
("<value1>", … , "<valueN>")

In this example <condition>:
WHERE settings:schemaId IN ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule")

  • <condition name> is settings:schemaId
  • <condition value> is a list containing two possible values of settings:schemaId

Example 1: simple statement

In this example, a user that belongs to a group to which this policy is assigned has read access to all schemas in the Dynatrace settings service.

plaintext
ALLOW settings:schemas:read;

Example 2: condition - single value

This example modifies example 1 by adding a condition to limit read access to just one specific schema in the Dynatrace settings service.

plaintext
ALLOW settings:schemas:read WHERE settings:schemaId = "builtin:container.monitoring-rule";

The condition is added to this example statement by adding keyword WHERE followed by the condition, which consists of three parts:

  • condition name (settings:schemaId)
  • condition operator (=)
  • condition value ("builtin:container.monitoring-rule")

So this statement says a user that belongs to a group to which this policy is assigned can read schemas in the settings service, but only if the schema is equal to builtin:container.monitoring-rule.

If you instead used the condition operator !=, it would mean that a user that belongs to a group to which this policy is assigned can read schemas in the settings service, but only if the schema is NOT equal to builtin:container.monitoring-rule.

Example 3: condition - list of values

This example modifies example 2 to show how to use the IN operator with a list of values.

plaintext
ALLOW settings:schemas:read WHERE settings:schemaId IN ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule");

The condition value in this case takes form of a list of schema IDs enclosed with parentheses and delimited with commas.

So this statement says a user that belongs to a group to which this policy is assigned can read schemas in the settings service, but only if the schema ID is in this list, and then it defines a comma-separated list of two schema IDs: ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule")

Example 4: statements on separate lines

Each policy can have multiple statements.

Example policy with two statements:

plaintext
ALLOW settings:objects:read;

ALLOW settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";

In this example, a user that belongs to a group to which this policy is assigned can:

  • read all objects in the settings service (there is no condition in the first statement)
  • write objects in the settings service only where settings:schemaId is equal to builtin:container.monitoring-rule

Example 5: statements combined

Instead of listing permission statements on separate lines, you can combine statements into one line:

plaintext
ALLOW settings:objects:read, settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";

A policy with this statement grants read and write access to builtin:container.monitoring-rule, with the WHERE condition applying to both.