IAM service reference
All supported values for each IAM service, permission, and condition are listed below. Use them to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.
- For an overview of Dynatrace IAM, see Manage policies and groups with Dynatrace IAM
- For some syntax help and examples, see IAM policy statement syntax and examples
- To list all REST API calls, see Dynatrace Account Management API 1.0
- To see examples of Dynatrace web UI and REST API configuration procedures, see IAM getting started
Global conditions
Policies with listed permissions can be further refined with global conditions.
cloudautomation
cloudautomation service
cloudautomation:resources:read
Allows to read resources stored in the Git repository
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:resources:write
Allows to write/edit resources stored in the Git repository
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:resources:delete
Allows to delete resources stored in the Git repository
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:metadata:read
Allows to read metadata of Cloud Automation
cloudautomation:events:read
Allows to read events in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:event
- A string that uniquely identifies your Cloud Automation event type.- operators:
IN
,=
,!=
- operators:
cloudautomation:events:write
Allows to send events to Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:event
- A string that uniquely identifies your Cloud Automation event type- operators:
IN
,=
,!=
- operators:
cloudautomation:logs:read
Allows to read logs of Cloud Automation
cloudautomation:logs:write
Allows to write logs for Cloud Automation
cloudautomation:projects:read
Allows to read projects in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:projects:write
Allows to write/edit projects in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:projects:delete
Allows to delete projects in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stages:read
Allows to read stages in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:services:read
Allows to read services in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:services:write
Allows to write/edit services in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:services:delete
Allows to delete services in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.- operators:
IN
,=
,!=
- operators:
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.- operators:
IN
,=
,!=
- operators:
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.- operators:
IN
,=
,!=
- operators:
cloudautomation:integrations:read
Allows to read integrations used in Cloud Automation
cloudautomation:integrations:write
Allows to write/edit integrations used in Cloud Automation
cloudautomation:integrations:delete
Allows to delete integrations used in Cloud Automation
cloudautomation:secrets:read
Allows to read secrets used in Cloud Automation
cloudautomation:secrets:write
Allows to write secrets used in Cloud Automation
cloudautomation:secrets:delete
Allows to delete secrets used in Cloud Automation
cloudautomation:instance:manage
Enables the management of a Cloud Automation instance.
cloudautomation:statistics:read
Allows to read the usage statistics of a Cloud Automation instance.
deployment
Deployment service
deployment:activegates.network-zones:write
Enables writing of ActiveGates network zones
deployment:activegates.groups:write
Enables writing of ActiveGates groups
deployment:oneagents.network-zones:write
Enables writing of OneAgents network zones
deployment:oneagents.host-groups:write
Enables writing of OneAgents host groups
environment
Environment and management-zone user permissions. See Migrate role-based permissions to Dynatrace IAM for more information.
environment:roles:viewer
Grants user the Access environment permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
environment:roles:manage-settings
Grants user the Change monitoring settings permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
environment:roles:agent-install
Grants user the Download/install OneAgent permission.
environment:roles:view-sensitive-request-data
Grants user the View sensitive request data permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
environment:roles:configure-request-capture-data
Grants user the Configure capture of sensitive data permission.
environment:roles:replay-sessions-without-masking
Grants user the Replay session data without masking permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
environment:roles:replay-sessions-with-masking
Grants user the Replay session data permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
environment:roles:manage-security-problems
Grants user the Manage security problems permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
environment:roles:logviewer
Grants user the View logs permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management-zone. Applies the permission on management-zone-level for the specified management-zone.- operators:
IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
extensions
Extensions service
extensions:definitions:read
Enables READ operations for extensions and environment configurations
Conditions:
extensions:extension-name
- A string that uniquely identifies a single extension- operators:
IN
,NOT IN
,startsWith
,NOT startsWith
,!=
,=
- operators:
extensions:definitions:write
Enables WRITE operations (UPDATE/CREATE/DELETE) for extensions and environment configurations
Conditions:
extensions:extension-name
- A string that uniquely identifies a single extension- operators:
IN
,NOT IN
,startsWith
,NOT startsWith
,!=
,=
- operators:
extensions:configurations:read
Enables READ operations for extensions monitoring configurations
Conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:ag-group
- A string that uniquely identifies a single Active Gate group for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:management-zone
- A string that uniquely identifies a single Management Zone for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:configurations:write
Enables WRITE operations (UPDATE/CREATE/DELETE) for extensions monitoring configurations
Conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:ag-group
- A string that uniquely identifies a single Active Gate group for monitoring configuration assignment- operators:
IN
,=
- operators:
extensions:management-zone
- A string that uniquely identifies a single Management Zone for monitoring configuration assignment- operators:
IN
,=
- operators:
settings
Settings service
settings:objects:read
Enables reading of settings objects belonging to the schema
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.- operators:
IN
,=
,!=
,startsWith
,NOT startsWith
- operators:
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.- operators:
IN
,NOT IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
settings:schemaGroup
- A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.- operators:
IN
,=
- operators:
settings:entity.hostGroup
- The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.- operators:
IN
,=
,!=
- operators:
settings:scope
- The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.- operators:
IN
,=
,!=
- operators:
environment:management-zone
- The name of a management zone. This condition is applicable to either: settings objects of some schemas that are allowed in the environment scope or any settings object that is allowed on the scope of an entity that can be matched into a management zone.- operators:
IN
,=
,startsWith
- operators:
settings:objects:write
Enables writing of settings objects belonging to the schema
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the object's schemaId property matches.- operators:
IN
,=
,!=
,startsWith
,NOT startsWith
- operators:
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.- operators:
IN
,NOT IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
settings:schemaGroup
- A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema of the object has a schemaGroup property that matches.- operators:
IN
,=
- operators:
settings:entity.hostGroup
- The host group attribute of an entity for which a setting is stored. This is e.g. useful to grant access to settings scopes of all hosts which belong to the same host group.- operators:
IN
,=
,!=
- operators:
settings:scope
- The exact scope identifier a setting object has or will have. This condition allows to grant access to the scope of e.g., an individual host. In this case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.- operators:
IN
,=
,!=
- operators:
environment:management-zone
- The name of a management zone. This condition is applicable to either: settings objects of some schemas that are allowed in the environment scope or any settings object that is allowed on the scope of an entity that can be matched into a management zone.- operators:
IN
,=
,startsWith
- operators:
settings:schemas:read
Enables reading settings schemas
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.- operators:
IN
,=
,!=
,startsWith
,NOT startsWith
- operators:
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition will match if the object's app-id property matches.- operators:
IN
,NOT IN
,startsWith
,NOT startsWith
,=
,!=
- operators:
settings:schemaGroup
- A schema group that allows to address multiple individual schemas at once. The group of a schema can either be found via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition will match if the schema's schemaId property of the schema matches.- operators:
IN
,=
- operators: