Manage user permissions with roles

Migrate roles to Dynatrace IAM

Starting with Dynatrace version 1.252 you can manage the roles-based access using Dynatrace IAM. For more information, see Migrate role-based permissions to Dynatrace IAM.

In Dynatrace SaaS, select Account settings from the user profile menu in the upper-right to manage users and user groups.

License details—View license quotas and consumption details.
Contact information—Update your company information.
Environment management
- Update environment settings like name and time zone.
- Enable or disable, at the account level, license-related notifications for non-admin users.
Identity management
- User management—Assign users to groups (to provide permissions to users), invite new users, and resend invitations to users who lose their invitations.
- Group management—Assign permissions and IAM policies to groups. Group members inherit the permissions and policies assigned to groups.
- Policy management—Add, edit, and delete IAM policies that can be assigned to groups.
- Single sign-on—Configure SSO user authentication.
- SCIM configuration—Manage user identities in cloud-based applications and services.
Account management API—Configure and manage account API OAuth clients.

Password policy

Dynatrace passwords must meet the following requirements:

Minimum length: 12 characters
A mix of uppercase and lowercase letters
At least one number or special character

There is no enforced password expiration.

Account permissions

Dynatrace provides the following account-level permissions.

Access account: Allows access to the account to view environment data (host hours, sessions, synthetic monitors) and Dynatrace Documentation (documentation) links. Also allows access Dynatrace ONE (to view and create support tickets) and the Dynatrace Community user forum. There is no access to billing or user/group management.
Edit billing & account info: Allows access to payment data (credit card details), billing data (invoices), and contact information (company contact data).
Manage users: Allows access to user management (add, edit, remove users to groups) and group management (create, edit, delete groups). Users with this permission can do the following operations:
User management
- View a list of users: Go to Identity management > User management.
- Export a list of users: Go to Identity management > User management and then select Export user list to create a CSV file of users.
- Invite users to an account: Go to Identity management > User management and then select Invite user. A user must be assigned to at least one group.
  - Permissions preview shows permissions that the user inherits from selected groups.
  - Resend invitation sends another invitation if an invited user loses their invitation.
- Edit group assignments: Go to Identity management > User management, find the user you want to edit, select in the Edit column for that user, and then select or clear group checkboxes to change the selected user's group assignments.
  - Set a filter to focus the list on just the groups you want to see
  - Click the Select column header to sort the list by whether the group is selected
- Delete a user: Go to Identity management > User management, find the user you want to delete, and then select in the Delete column for that user.
Group management
You can assign a predefined set of permissions to a group. Once a group is defined, you can add users to the group. Users can belong to more than one group and inherit the permissions of the groups that they belong to. You can modify or create groups to suit your needs.
- View a list of groups: Go to Identity management > Group management.
- Create group: Go to Identity management > Group management and select Add group. At least one permission per group must be selected.
- Edit group: Go to Identity management > Group management and then select in the Edit column the group you want to edit.
- Delete group: Go to Identity management > Group management and then select in the Delete column for the group you want to delete.
Policy management
For details on policy management, see Manage user permissions with IAM policies.
- View a list of policies: Go to Identity management > Policy management.
- Create policy: Go to Identity management > Policy management and select Add policy.
- View policy: Go to Identity management > Policy management and then select in the Actions column for the policy you want to view.
- Edit policy: Go to Identity management > Policy management and then select in the Actions column for the policy you want to edit.
- Delete policy: Go to Identity management > Policy management, select in the Actions column for the policy you want to delete, and then select Delete policy.
Single sign-on
On Identity management > Single sign-on, you can configure user authentication for multiple domains. If you want to use your corporate credentials for authentication in Dynatrace SaaS, you can set up SAML to delegate the authentication to your identity provider. As a prerequisite, you need to verify ownership of your domain by adding a resource record to your domain.
For details, see Manage users and groups with SAML in Dynatrace SaaS.

SCIM configuration
Early Adopter
On Identity management > SCIM configuration, you can configure SCIM to manage user identities in cloud-based applications and services. SCIM automates the exchange of user identities between different domains and systems. Before starting with the configuration, you need to verify ownership of the domain to which your users belong by adding a resource record to your domain. The list of verified domains is shared with the single sign-on configuration.
For details, see Manage users and groups with SCIM in Dynatrace SaaS.

Environment permissions

Dynatrace provides the following environment-level permissions. Select all that apply:

Access environment: Allows read-only access to the environment. You cannot change settings or install OneAgent with this permission alone.
Important
Access environment permission is required for any of the other environment permissions, so Access environment is automatically selected for the environment when you select any other environment permission.

Change monitoring settings: Allows changing of all environment settings. To install OneAgent, you must provide the Download/install OneAgent permission.

Manage support tickets: Allows access to all support tickets that have been created for this environment.

View logs: Allows access to sensitive log file data in the Logs tab.

View sensitive request data: Allows viewing of potentially personal data captured by Dynatrace, including downloading memory dumps. Users who do not have this permission see that the data point exists but the personal data is masked by asterisks (*****). Also allows manually triggering memory dumps.

Download/install OneAgent: Allows download of OneAgent and installation on hosts. To change/edit settings, you must provide the Change monitoring settings permission.
Configure capture of sensitive data: Allows configuration of request-attribute capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search. Also allows manually triggering memory dumps.

Replay session data: Allows replay of recorded user sessions with playback masking rules applied at the time of replay. Note that any data masked during recording is never captured and, therefore, always masked during replay.
Replay session data without masking: Allows replay of recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.

Manage security problems: Allows management of problems reported by Dynatrace Application Security.

Management zone permissions

Dynatrace provides the following management-zone-level permissions. Select all that apply:

Access environment: Allows read-only access to the entities within the management zone. To change/edit settings, you must provide the Change monitoring settings permission.
Important
Access environment permission is required for any of the other management zone permissions, so Access environment is automatically selected for the management zone when you select any other management zone permission.

Change monitoring settings: Allows the changing entity settings within a management zone, for example, the ability to record or edit synthetic monitors. It also grants access to some items in the global settings menu but only allows making modifications to assigned management zones. For example, alerting profiles can only be created and changed for a specific management zone.

View logs: Allows access to sensitive log file data in the Logs tab for hosts explicitly included within the management zone. Note that it is not sufficient to provide management-zone-level access to the host groups that the hosts belong to—see Management zone rules for details.

View sensitive request data: Allows viewing of potentially personal data captured by Dynatrace for the entities within the management zone. Users who do not have this permission see that the data point exists but the personal data is masked by asterisks (*****)—see also Environment permissions above.

Replay session data: Allows replay of recorded user sessions with playback masking rules applied at the time of replay. Note that any data masked during recording is never captured and, therefore, always masked during replay.
Replay session data without masking: Allows replay of recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.
Important
For Session Replay permissions to work within a management zone, the user also needs to have access to the requisite applications.
- If a user session spans multiple applications that are not all assigned to the management zone, users can see still see and replay the session. However, user actions associated with the application to which you do not have access are masked and the corresponding part of the replay is not shown.
- Playback buttons are grayed out for users who have access to applications but do not have permission to replay sessions.
Example Session Details page: settings
Example Session Details page: notifications
For details on management zones, see Management zones.

Manage security problems: Allows management of problems reported by Dynatrace Application Security.

Relationship between environment and management zone permissions

Important
When you provide any permission other than Access environment at the environment level, Access environment is automatically enabled as well for the environment. Likewise, when you provide any permission other than Access environment at the management-zone level, Access environment is automatically enabled for the management zone.

Management zones are designed to provide targeted and limited access to certain entities within an environment. If you wish to provide a permission to users accessing a management zone, we recommend that you use the management-zone-level permissions. Any permission you provide at the environment level supersedes and adds to those at the management-zone level. In other words, management-zone permissions cannot be used to limit permissions already provided at the environment level.

Take the example of a management zone containing three hosts out of five total hosts in an environment. If you grant the View logs permission to the management zone, viewers can see the Logs tab with information for the three hosts in the management zone. However, if you remove the same permission at the management-zone level and provide it at the environment level, users will be able to:

Access All management zones from the management zones filter on the menu bar.
See the Logs tab for all five hosts in the environment when viewing All management zones.
See the Logs tab for the three hosts in the assigned management zone when they switch to it.

Users

Dynatrace provides separate permissions for account and environment users. To get you started, Dynatrace provides a default set of editable groups. You can edit and adapt these default groups to fit your needs or you can create new groups.

Environment users

These are users who work with Dynatrace to monitor the health of the hosts, services, and infrastructure in their application environments.

Dynatrace offers the following user groups with environment permissions.

User group	Account permissions
Confidential data admin	Can view personal data (for example, method arguments) and configure request-data capture rules. Default permissions: Access environment Replay session data View sensitive request data Configure capture of sensitive data Change monitoring settings
Deployment admin	Can download and install OneAgent. Has read-only access to the environment. Can’t change settings. Default permissions: Access environment Replay session data Download/install OneAgent
Log viewer	Can access and view the contents of log files. Reserved for users who need access to sensitive log file data. No other access rights. Default permissions: Access environment Replay session data View logs
Monitoring admin	Has full environment access. Can change monitoring settings. Can download and install OneAgent. Default permissions: Access environment Replay session data Change monitoring settings Manage support tickets Download/install OneAgent
Monitoring viewer	Can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent. Default permissions: Access environment Replay session data
Security admin	Can view and manage vulnerabilities. Default permissions: Manage security problems

Account users

These are users who are involved in managing account details such as company addresses, billing, payment information, and user management.

Dynatrace offers the following user groups with account permissions.

User group	Account permissions
Account manager	Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support. Default permissions: Access account Edit billing & account info Manage users
Account viewer	Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups. Default permissions: Access account
Finance admin	Can enter credit card data and review invoices. Has access to environment consumption data, Documentation, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info. Default permissions: Access account Edit billing & account info

User group

Account permissions

Account manager

Has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Documentation, and Support.

Default permissions:

Access account
Edit billing & account info
Manage users

Account viewer

Has access to environment consumption data, Documentation, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Default permissions:

Access account

Finance admin

Can enter credit card data and review invoices. Has access to environment consumption data, Documentation, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info.

Default permissions:

Access account
Edit billing & account info