IAM service reference
All supported values for each IAM service, permission, and condition are listed below. Use them to define access policies based on a fine-grained set of permissions and conditions that can be enforced per service.
- For an overview of Dynatrace IAM, see Manage policies and groups with Dynatrace IAM
- For some syntax help and examples, see IAM policy statement syntax and examples
- To list all REST API calls, see Dynatrace Account Management API 1.0
- To see examples of Dynatrace web UI and REST API configuration procedures, see IAM getting started
Global conditions
Policies with listed permissions can be further refined with global conditions.
app-engine
App Engine
app-engine:apps:install
Enables installing and updating apps
Conditions:
shared:app-id
- The id of the app.
- operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:app-installer
- The id of the user that installed the app.
- operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:apps:run
Enables listing and running apps and gives basic access to the Launcher
Conditions:
shared:app-id
- The id of the app.
- operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:app-installer
- The id of the user that installed the app.
- operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:apps:delete
Enables uninstalling apps
Conditions:
shared:app-id
- The id of the app.
- operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:app-installer
- The id of the user that installed the app.
- operators: IN, =, !=, startsWith, NOT IN, NOT startsWith
app-engine:functions:run
Enables usage of the function-executor
app-settings
App settings service
app-settings:objects:read
Enables reading of app settings objects belonging to the schema
Conditions:
settings:schemaId
- A string that uniquely identifies a single app settings schema. The identifier of a schema can be found in the info box of a settings screen. The condition matches if the object's schemaId property matches.
- operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition matches if the object's app-id property matches.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
app-settings:objects:write
Enables writing of settings objects belonging to the schema
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can be found in the info box of a settings screen. The condition matches if the object's schemaId property matches.
- operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition matches if the object's app-id property matches.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
automation
Automation Server
automation:workflows:read
Read access to workflows.
automation:workflows:write
Write access to workflows.
automation:workflows:run
Execute permissions for workflows.
automation:workflows:admin
Grant admin permissions for workflows.
automation:rules:read
Read access to scheduling rules.
automation:rules:write
Write access to scheduling rules.
automation:calendars:read
Read access to business calendars.
automation:calendars:write
Write access to business calendars.
cloudautomation
cloudautomation service
cloudautomation:resources:read
Allows reading resources stored in the Git repository
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:resources:write
Allows writing and editing resources stored in the Git repository
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:resources:delete
Allows deleting resources stored in the Git repository
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:metadata:read
Allows reading Cloud Automation metadata
cloudautomation:events:read
Allows reading events in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:event
- A string that uniquely identifies your Cloud Automation event type.
- operators: IN, =, !=
cloudautomation:events:write
Allows sending events to Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:event
- A string that uniquely identifies your Cloud Automation event type.
- operators: IN, =, !=
cloudautomation:logs:read
Allows reading Cloud Automation logs
cloudautomation:logs:write
Allows writing Cloud Automation logs
cloudautomation:projects:read
Allows reading projects in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:projects:write
Allows writing and editing projects in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:projects:delete
Allows deleting projects in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stages:read
Allows reading stages in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:services:read
Allows reading services in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:services:write
Allows writing and editing services in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:services:delete
Allows deleting services in Cloud Automation
Conditions:
cloudautomation:project
- A string that uniquely identifies your Cloud Automation project.
- operators: IN, =, !=
cloudautomation:stage
- A string that uniquely identifies your Cloud Automation stage.
- operators: IN, =, !=
cloudautomation:service
- A string that uniquely identifies your Cloud Automation service.
- operators: IN, =, !=
cloudautomation:integrations:read
Allows reading integrations used in Cloud Automation
cloudautomation:integrations:write
Allows writing and editing integrations used in Cloud Automation
cloudautomation:integrations:delete
Allows deleting integrations used in Cloud Automation
cloudautomation:secrets:read
Allows reading secrets used in Cloud Automation
cloudautomation:secrets:write
Allows writing secrets used in Cloud Automation
cloudautomation:secrets:delete
Allows deleting secrets used in Cloud Automation
cloudautomation:instance:manage
Enables the management of a Cloud Automation instance.
cloudautomation:statistics:read
Allows reading the usage statistics of a Cloud Automation instance.
davis
Davis Service
davis:analyzers:read
Allows viewing Davis analyzers
davis:analyzers:execute
Allows execution of Davis analyzers
deployment
Deployment service
deployment:activegates.network-zones:write
Enables writing of ActiveGate network zones
deployment:activegates.groups:write
Enables writing of ActiveGate groups
deployment:oneagents.network-zones:write
Enables writing of OneAgent network zones
deployment:oneagents.host-groups:write
Enables writing of OneAgent host groups
deployment:oneagents.host-tags:write
Enables writing of OneAgent host tags
deployment:oneagents.host-properties:write
Enables writing of OneAgent host properties
document
Document-service
document:documents:write
Allows creating and updating documents in the document-service.
document:documents:read
Allows reading documents in the document-service.
document:documents:delete
Allows deleting documents in the document-service.
document:environment-shares:read
Allows reading environment-shares in the document-service.
document:environment-shares:write
Allows creating and updating environment-shares in the document-service.
document:environment-shares:claim
Allows claiming environment-shares in the document-service.
document:environment-shares:delete
Allows deleting environment-shares in the document-service.
document:direct-shares:delete
Allows deleting direct-shares in the document-service.
document:direct-shares:read
Allows reading direct-shares in the document-service.
document:direct-shares:write
Allows creating and updating direct-shares in the document-service.
environment
Environment and management-zone user permissions. See Migrate role-based permissions to Dynatrace IAM for more information.
environment:roles:viewer
Grants user the Access environment permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:manage-settings
Grants user the Change monitoring settings permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:agent-install
Grants user the Download/install OneAgent permission.
environment:roles:view-sensitive-request-data
Grants user the View sensitive request data permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:configure-request-capture-data
Grants user the Configure capture of sensitive data permission.
environment:roles:replay-sessions-without-masking
Grants user the Replay session data without masking permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:replay-sessions-with-masking
Grants user the Replay session data permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:manage-security-problems
Grants user the Manage security problems permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:view-security-problems
Grants user the View security problems permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
environment:roles:logviewer
Grants user the View logs permission.
Conditions:
environment:management-zone
- A string that uniquely identifies a management zone. Applies the permission at management-zone level for the specified management zone.
- operators: IN, startsWith, NOT startsWith, =, !=
extensions
Extensions service
extensions:definitions:read
Enables READ operations for extensions and environment configurations
Conditions:
extensions:extension-name
- A string that uniquely identifies a single extension.
- operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
extensions:definitions:write
Enables WRITE operations (UPDATE/CREATE/DELETE) for extensions and environment configurations
Conditions:
extensions:extension-name
- A string that uniquely identifies a single extension.
- operators: IN, NOT IN, startsWith, NOT startsWith, !=, =
extensions:configurations:read
Enables READ operations for extensions monitoring configurations
Conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment.
- operators: IN, =
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment.
- operators: IN, =
extensions:ag-group
- A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment.
- operators: IN, =
extensions:management-zone
- A string that uniquely identifies a single management zone for monitoring configuration assignment.
- operators: IN, =
extensions:configurations:write
Enables WRITE operations (UPDATE/CREATE/DELETE) for extensions monitoring configurations
Conditions:
extensions:host
- A string that uniquely identifies a single host for monitoring configuration assignment.
- operators: IN, =
extensions:host-group
- A string that uniquely identifies a single host group for monitoring configuration assignment.
- operators: IN, =
extensions:ag-group
- A string that uniquely identifies a single ActiveGate group for monitoring configuration assignment.
- operators: IN, =
extensions:management-zone
- A string that uniquely identifies a single management zone for monitoring configuration assignment.
- operators: IN, =
platform-management
PlatformManagement
platform-management:tenants:write
Enables creation of a new tenant or updating an existing one
platform-management:tenants:read
Enables retrieving a tenant or list of tenants
settings
Settings service
settings:objects:read
Enables reading of settings objects belonging to the schema
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can be found either via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition matches if the object's schemaId property matches.
- operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition matches if the object's app-id property matches.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
settings:schemaGroup
- A schema group that addresses multiple individual schemas at once. The group of a schema can be found either via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition matches if the schema of the object has a schemaGroup property that matches.
- operators: IN, =
settings:entity.hostGroup
- The host group attribute of the entity for which a setting is stored. This is useful, for example, to grant access to the settings scopes of all hosts that belong to the same host group.
- operators: IN, =, !=
settings:scope
- The exact scope identifier a settings object has or will have. This condition grants access to the scope of, for example, an individual host; in that case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
- operators: IN, =, !=
environment:management-zone
- The name of a management zone. This condition applies either to settings objects of some schemas that are allowed in the environment scope, or to any settings object that is allowed on the scope of an entity that can be matched into a management zone.
- operators: IN, =, startsWith
settings:objects:write
Enables writing of settings objects belonging to the schema
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can be found either via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition matches if the object's schemaId property matches.
- operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition matches if the object's app-id property matches.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
settings:schemaGroup
- A schema group that addresses multiple individual schemas at once. The group of a schema can be found either via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition matches if the schema of the object has a schemaGroup property that matches.
- operators: IN, =
settings:entity.hostGroup
- The host group attribute of the entity for which a setting is stored. This is useful, for example, to grant access to the settings scopes of all hosts that belong to the same host group.
- operators: IN, =, !=
settings:scope
- The exact scope identifier a settings object has or will have. This condition grants access to the scope of, for example, an individual host; in that case the scope equals the entity identifier, e.g. HOST-48B8F52F33098830.
- operators: IN, =, !=
environment:management-zone
- The name of a management zone. This condition applies either to settings objects of some schemas that are allowed in the environment scope, or to any settings object that is allowed on the scope of an entity that can be matched into a management zone.
- operators: IN, =, startsWith
settings:schemas:read
Enables reading settings schemas
Conditions:
settings:schemaId
- A string that uniquely identifies a single settings schema. The identifier of a schema can be found either via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition matches if the schema's schemaId property matches.
- operators: IN, =, !=, startsWith, NOT startsWith
shared:app-id
- A string that matches an app identifier. Only applicable to objects of schemas that have been added via apps. The condition matches if the object's app-id property matches.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
settings:schemaGroup
- A schema group that addresses multiple individual schemas at once. The group of a schema can be found either via the dedicated schema endpoint in the Dynatrace Environment API or in the info box of a settings screen. The condition matches if the schema has a schemaGroup property that matches.
- operators: IN, =
state
Platform State Service
state:app-states:read
Read app-states
Conditions:
shared:app-id
- The id of the app.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:app-states:write
Write app-states
Conditions:
shared:app-id
- The id of the app.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:app-states:delete
Delete app-states
Conditions:
shared:app-id
- The id of the app.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:user-app-states:read
Read user-app-states
Conditions:
shared:app-id
- The id of the app.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:user-app-states:write
Write user-app-states
Conditions:
shared:app-id
- The id of the app.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
state:user-app-states:delete
Delete user-app-states
Conditions:
shared:app-id
- The id of the app.
- operators: IN, NOT IN, startsWith, NOT startsWith, =, !=
storage
Grail
storage:events:read
Read records from the events-table
storage:metrics:read
Read timeseries from the metrics-table
storage:logs:read
Read records from the logs-table
storage:entities:read
Read records from the entities-table
storage:bizevents:read
Read records from the bizevents-table
storage:system:read
Read records from all system tables (e.g. dt.system.events).
storage:buckets:read
Bucket permission. Allows a user to read records from Grail buckets. It is required in addition to the table permission (for example storage:logs:read for the logs-table), so both must be granted for a read to succeed.
Conditions:
storage:table-name
- Table name of the bucket that can be accessed.
- operators: =, IN, startsWith
storage:bucket-name
- Name of the bucket that can be accessed.
- operators: =, IN, startsWith
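The condition operators listed throughout this reference (IN, NOT IN, =, !=, startsWith, NOT startsWith), the settings conditions such as settings:schemaId and settings:entity.hostGroup, and the rule above that storage:buckets:read only works together with a table permission are easiest to reason about with a small evaluator. The following Python is an added example, not Dynatrace code and not the IAM policy engine: it assumes the `ALLOW <permissions> WHERE <conditions>;` statement shape from the linked syntax page, models only ALLOW statements with AND-joined conditions (no OR, no parentheses), and the app ids, host group name and bucket names in the sample policy are constructed for the demonstration.

```python
"""Toy evaluator for IAM policy statements of the shape this reference describes.

Added example; not Dynatrace code. Assumed statement shape:
    ALLOW <permission>[, <permission>...] [WHERE <cond> [AND <cond>...]];
where a condition is `<key> <operator> <value>`, a value is a quoted string,
and IN / NOT IN take a list written ("a", "b"). Only ALLOW statements and
AND-joined conditions are modelled; OR and parentheses are left out.
"""
import re

# Operator semantics exactly as the condition lists on this page name them.
OPERATORS = {
    "=": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "IN": lambda actual, expected: actual in expected,
    "NOT IN": lambda actual, expected: actual not in expected,
    "startsWith": lambda actual, expected: actual.startswith(expected),
    "NOT startsWith": lambda actual, expected: not actual.startswith(expected),
}

# key, operator, value ("..." or ("...", "...")); the two-word operators are
# listed first so that `NOT IN` is not read as key "NOT" plus operator "IN".
COND_RE = re.compile(
    r'\s*([\w:.\-]+)\s+(NOT IN|NOT startsWith|IN|startsWith|!=|=)\s+'
    r'(\(\s*"[^"]*"(?:\s*,\s*"[^"]*")*\s*\)|"[^"]*")\s*'
)


def _parse_value(text):
    """'"x"' -> 'x';  '("a", "b")' -> ('a', 'b')."""
    text = text.strip()
    if text.startswith("("):
        return tuple(re.findall(r'"([^"]*)"', text))
    return text.strip('"')


def parse_policy(policy_text):
    """Return a list of (permissions, conditions) tuples, one per statement."""
    statements = []
    for raw in policy_text.split(";"):
        raw = " ".join(raw.split())  # collapse newlines and repeated spaces
        if not raw:
            continue
        if not raw.startswith("ALLOW "):
            raise ValueError(f"unsupported statement: {raw!r}")
        perms_part, _, where_part = raw[len("ALLOW "):].partition(" WHERE ")
        permissions = [p.strip() for p in perms_part.split(",")]
        conditions = []
        for clause in (where_part.split(" AND ") if where_part else []):
            m = COND_RE.fullmatch(clause)
            if not m:
                raise ValueError(f"cannot parse condition: {clause!r}")
            conditions.append((m.group(1), m.group(2), _parse_value(m.group(3))))
        statements.append((permissions, conditions))
    return statements


def is_allowed(statements, permission, context):
    """True if some statement grants `permission` and every one of its
    conditions matches `context` (condition key -> attribute of the request).
    A condition whose key is absent from the request does not match, so a
    policy scoped by shared:app-id grants nothing to a request without one."""
    for permissions, conditions in statements:
        if permission not in permissions:
            continue
        if all(key in context and OPERATORS[op](context[key], value)
               for key, op, value in conditions):
            return True
    return False


def can_read_bucket(statements, table, bucket):
    """Grail read access per this page: the table permission AND
    storage:buckets:read (with its bucket conditions) must both be granted.
    Assumption of this helper: the table permission is named storage:<table>:read,
    as it is for the logs, events, metrics, entities and bizevents tables."""
    context = {"storage:table-name": table, "storage:bucket-name": bucket}
    return (is_allowed(statements, f"storage:{table}:read", context)
            and is_allowed(statements, "storage:buckets:read", context))


# Constructed sample policy: app ids, host group and bucket names are made up.
SAMPLE_POLICY = """
ALLOW app-engine:apps:run WHERE shared:app-id IN ("dynatrace.notebooks", "dynatrace.dashboards");
ALLOW settings:objects:read WHERE settings:schemaId startsWith "builtin:" AND settings:entity.hostGroup = "prod-web";
ALLOW storage:logs:read;
ALLOW storage:buckets:read WHERE storage:table-name = "logs" AND storage:bucket-name startsWith "default";
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(is_allowed(policy, "app-engine:apps:run", {"shared:app-id": "dynatrace.notebooks"}))  # True
    print(is_allowed(policy, "app-engine:apps:run", {"shared:app-id": "acme.custom"}))          # False
    print(can_read_bucket(policy, "logs", "default_logs"))      # True: table and bucket permission
    print(can_read_bucket(policy, "logs", "custom_logs"))       # False: bucket condition fails
    print(can_read_bucket(policy, "events", "default_events"))  # False: no storage:events:read
```

Two details of the evaluator are deliberate and worth carrying over to reviews of real policies: a condition on a key the request does not carry is treated as not matching rather than as absent, and the Grail check in can_read_bucket fails when either the table permission or the bucket permission is missing, which is the least-privilege reading of the storage:buckets:read description above.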
storage:bucket-definitions:read
Read bucket definitions from Grail
storage:bucket-definitions:write
Write bucket definitions to Grail
storage:bucket-definitions:truncate
Delete all records from a bucket in Grail (the bucket itself is kept).