Manage IAM policies

Use these procedures in the Dynatrace web UI to manage Dynatrace IAM policies.

API alternative

To instead use the API to manage IAM policies, go to:

Dynatrace SaaS: Dynatrace Account Management API 1.0
Dynatrace Managed: IAM API is available as part of Cluster API v2

List IAM policies

To list configured IAM policies, go to the Policy management page:

Dynatrace SaaS: in the user menu, go to Account settings and select Identity management > Policy management.
Dynatrace Managed: in the Cluster Management Console, select User authentication > Policy management.

The Policy management page lists all existing policies that you can bind to user groups:

Policy—the name of the policy
Policy Description—a brief description of the policy
Organization level—global, account (cluster in a Dynatrace Managed deployment), or environment
Actions—view, edit, or delete that row's policy

Built-in policies

To let you use policies right away, Dynatrace IAM is shipped with built-in global policies.

On the Policy management page, in the Organizational level column, they're all set to global
They're predefined and managed by Dynatrace
You can apply a global policy by assigning it to a group for the whole account or to any environment.
You can inspect them—select Preview in the Actions column—but you can't edit them

Create a policy

To create a policy, select Add policy and enter the following:

Element	Description
Policy	The name of the policy.
Description	A brief description of the policy.
Organization level	Each policy has a level that determines its scope: `global`: Global policies are predefined and managed by Dynatrace, and they apply to all accounts and environments. They cannot be edited. `account`: Account policies apply to all environments under that account (customer). Use them to set company-wide policies. In a Dynatrace Managed deployment, this is `cluster`. `environment`: Environment policies apply only to a single customer environment.
Policy statements	A statement specifying exactly what this policy allows. Example: 'Policy for Settings 2.0 Write' plaintext `ALLOW settings:objects:read; ALLOW settings:objects:write; ALLOW settings:schemas:read;` It is also possible to combine multiple permissions in a single statement: Example: 'Policy for Settings 2.0 Write' using a single statement plaintext `ALLOW settings:objects:read, settings:objects:write, settings:schemas:read;` This feature is particularly useful for managing policies with complicated conditions.

Note

Organization levels are restricted in the UI to the account \ cluster level (other levels are still available via API). Restriction in UI was provided to avoid confusion between creating and binding. Commonly creating multiple identical policies on the environment levels can be achieved in a more efficient way by defining one policy on account \ cluster level and binding it to environment levels.

SchemaId condition

A schemaId condition defines which part of the settings a user can have access to in the settings UI.

Example schemaId condition in policy statement

plaintext
ALLOW settings:schemas:read, settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";

Services

Currently, only Dynatrace Settings 2.0 service is supported. We plan to add more services.

Available services include:

Service name	Service description
`settings`	Dynatrace Settings 2.0 service.

Edit a policy

To edit an existing policy

Go to the Policy management page:
- Dynatrace SaaS: Identity management > Policy management.
- Dynatrace Managed: User authentication > Policy management.
Find the policy you want to edit.
You can filter the list by name and organization level.
Select the Edit button for the policy.

Delete a policy

To delete a policy

Go to the Policy management page:
- Dynatrace SaaS: Identity management > Policy management.
- Dynatrace Managed: User authentication > Policy management.
Find the policy you want to edit.
You can filter the list by name and organization level.
Select the Edit button for the policy.
Select Delete policy.

Note
In Dynatrace Managed, the change takes effect in a few minutes.
To change the delay, modify property policyRefreshIntervalSeconds in the iam section of the config file.

Copy a policy

To copy an existing policy

Go to the Policy management page:
- Dynatrace SaaS: Identity management > Policy management.
- Dynatrace Managed: User authentication > Policy management.
Open an existing policy for editing.
Copy the contents of Policy statements to the clipboard.
Go back to the Policy management page.
Select Add policy.
Paste the copied policy statements into Policy statements.
Complete the rest of the policy definition.

Apply a policy to a group

To apply a policy to a group, you need to bind the policy to the group. For details on managing group permissions with IAM, see Manage group permissions with IAM policies.