
Dynatrace for Government group creation and user permissions

Follow these steps to create a group and configure user permissions.

  1. Get OAuth2 token
  2. Create a new group
  3. Add permissions to your group

Get OAuth2 token

Prerequisite: an OAuth2 client (client ID and client secret) provided to you by Dynatrace.

Request

plaintext
curl "https://<DYNATRACE_SSO_DOMAIN>/sso/oauth2/token" \
  -X POST \
  -d "client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials&scope=sso20-idm-read-write&resource=urn:dtaccount:<ACCOUNT_UUID>" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cache-Control: no-cache"

where:

  • <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
  • <CLIENT_ID> is your client ID provided to you by Dynatrace.
  • <CLIENT_SECRET> is your client secret provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.

Create a new group

plaintext
curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/groups" \
  -X POST \
  -d "{ \"name\": \"<GROUP_NAME>\", \"federatedAttributeValues\": [\"<ROLE_FROM_IDP>\"]}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
  • <GROUP_NAME> is the name you want to use for the new permissions group.
  • <ROLE_FROM_IDP> is a role defined in your IdP. This role is passed in the SAML assertion at user sign-in, and its value must match the value carried in the federatedAttribute configured for the federation. For details on configuring federation, see Dynatrace for Government SAML federation.
  • <ACCESS_TOKEN> is your access token.

Sample response:

plaintext
{
  "createdAt": null,
  "description": null,
  "federatedAttributeValues": [
    "<ROLE_FROM_IDP>"
  ],
  "name": "<GROUP_NAME>",
  "owner": "SAML",
  "updatedAt": null,
  "uuid": "<GROUP_UUID>"
}

Add permissions to your group

This section includes:

3.1 Grant tenant permission
3.2 Grant management zones permission

3.1 Grant tenant permission

plaintext
curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/groups/<GROUP_UUID>/permissions" \
  -X POST \
  -d "{ \"permissionName\": \"<PERMISSION_NAME>\", \"scope\": \"<TENANT_UUID>\", \"scopeType\":\"tenant\"}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
  • <GROUP_UUID> is a UUID of a group created in the previous step.
  • <PERMISSION_NAME> is one of the following:
    • tenant-viewer: User cannot make changes to the monitoring setup or other settings.
    • tenant-user: User has access to all product functionality, but cannot make changes to monitoring setup.
    • tenant-admin: User has full rights to all product functionality, including monitoring setup.
  • <TENANT_UUID> is provided to you by Dynatrace.
  • <ACCESS_TOKEN> is your access token.

3.2 Grant management zones permission

plaintext
curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/groups/<GROUP_UUID>/permissions" \
  -X POST \
  -d "{ \"permissionName\": \"<PERMISSION_NAME>\", \"scope\": \"<TENANT_UUID>:<MANAGEMENT_ZONE_ID>\", \"scopeType\":\"management-zone\"}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
  • <GROUP_UUID> is the UUID of the group created in the previous step.
  • <PERMISSION_NAME> is one of the following:
    • tenant-viewer: User cannot make changes to the monitoring setup or other settings.
    • tenant-user: User has access to all product functionality, but cannot make changes to monitoring setup.
    • tenant-admin: User has full rights to all product functionality, including monitoring setup.
  • <TENANT_UUID> is provided to you by Dynatrace.
  • <MANAGEMENT_ZONE_ID> is the ID of a management zone that you created. You can take the ID from the URL after you open the management zone in the Dynatrace web UI. Example URL:
    plaintext
    https://<DYNATRACE_DOMAIN>/e/<TENANT_UUID>/#settings/preferences/mzoverview/mzdetails;itemName=<MANAGEMENT_ZONE_NAME>;itemId=<MANAGEMENT_ZONE_ID>
    To learn about management zones, see Management zones.
  • <ACCESS_TOKEN> is your access token.

Sample response:

plaintext
{
  "createdAt": "2021-06-29T12:00:56Z",
  "description": null,
  "federatedAttributeValues": [
    "<ROLE_FROM_IDP>"
  ],
  "name": "<GROUP_NAME>",
  "owner": "SAML",
  "permissions": [
    {
      "createdAt": "2021-06-29T12:00:58Z",
      "permissionName": "tenant-viewer",
      "scope": "01234567-0123-0123-0123-0123456789AB:1234567890123456789",
      "scopeType": "management-zone",
      "updatedAt": "2021-06-29T12:00:58Z"
    }
  ],
  "updatedAt": "2021-06-29T12:00:56Z",
  "uuid": "<GROUP_UUID>"
}
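The three steps above (token, group, permission grant) driven from a script instead of hand-typed curl calls. This is an added example, not code from Dynatrace or from this page. Host names, account and tenant UUIDs, the group name, role values and the sample response are constructed placeholders; the access_token response field is the standard OAuth2 field name assumed here, and the management zone ID is assumed to be an integer string, as in the sample response. The request builders are pure functions, so the exact URL, headers and body can be reviewed before anything is sent; permission_request defaults to tenant-viewer and rejects names outside the three the page lists; audit_group flattens the response so the granted scope can be compared with what was intended.

```python
"""Added example (not Dynatrace's own code): the three IDM calls on this page
from Python. Everything except post_json() and onboard_group() is pure, so
each request can be inspected before a single byte is sent."""
import json
import re
import urllib.parse
import urllib.request

# Permission levels the page lists, least-privileged first; the grant
# function defaults to the first one.
PERMISSION_NAMES = ("tenant-viewer", "tenant-user", "tenant-admin")
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption: a management zone ID is an integer string, as in the sample response.
MZ_ID_RE = re.compile(r"^-?\d+$")

# Constructed sample mirroring the page's second sample response (not real data).
SAMPLE_GROUP_RESPONSE = {
    "name": "gov-viewers", "owner": "SAML", "uuid": "grp-0000",
    "federatedAttributeValues": ["dt-viewer"],
    "permissions": [{
        "permissionName": "tenant-viewer",
        "scope": "01234567-0123-0123-0123-0123456789AB:1234567890123456789",
        "scopeType": "management-zone",
    }],
}


def token_request(sso_domain, account_uuid, client_id, client_secret):
    """Step 1: client_credentials token request. Returns (url, headers, body)."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "sso20-idm-read-write",
        "resource": f"urn:dtaccount:{account_uuid}",
    }
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cache-Control": "no-cache",
    }
    return (f"https://{sso_domain}/sso/oauth2/token", headers,
            urllib.parse.urlencode(form).encode())


def bearer_headers(access_token):
    return {"Content-Type": "application/json",
            "Authorization": f"Bearer {access_token}"}


def group_request(sso_domain, account_uuid, access_token, group_name, idp_roles):
    """Step 2: create a group mapped to the SAML role values the IdP sends."""
    body = {"name": group_name, "federatedAttributeValues": list(idp_roles)}
    return (f"https://{sso_domain}/idm/v1/accounts/{account_uuid}/groups",
            bearer_headers(access_token), json.dumps(body).encode())


def permission_scope(tenant_uuid, management_zone_id=None):
    """Step 3: (scope, scopeType) for a whole tenant or for one management zone."""
    if not UUID_RE.match(tenant_uuid):
        raise ValueError(f"not a tenant UUID: {tenant_uuid!r}")
    if management_zone_id is None:
        return tenant_uuid, "tenant"
    if not MZ_ID_RE.match(management_zone_id):
        raise ValueError(f"not a management zone ID: {management_zone_id!r}")
    return f"{tenant_uuid}:{management_zone_id}", "management-zone"


def permission_request(sso_domain, account_uuid, group_uuid, access_token,
                       tenant_uuid, management_zone_id=None,
                       permission_name="tenant-viewer"):
    """Step 3: grant one permission; only the page's three names are accepted."""
    if permission_name not in PERMISSION_NAMES:
        raise ValueError(f"unknown permission {permission_name!r}")
    scope, scope_type = permission_scope(tenant_uuid, management_zone_id)
    body = {"permissionName": permission_name, "scope": scope, "scopeType": scope_type}
    url = (f"https://{sso_domain}/idm/v1/accounts/{account_uuid}"
           f"/groups/{group_uuid}/permissions")
    return url, bearer_headers(access_token), json.dumps(body).encode()


def management_zone_id_from_url(ui_url):
    """Read itemId from the management zone UI URL shown on the page."""
    match = re.search(r"itemId=(-?\d+)", urllib.parse.urlparse(ui_url).fragment)
    if not match:
        raise ValueError("URL fragment carries no itemId")
    return match.group(1)


def audit_group(group_json):
    """Flatten a group response into (permissionName, scopeType, scope) tuples
    so the reviewer can confirm exactly what was granted and to which scope."""
    return [(p["permissionName"], p["scopeType"], p["scope"])
            for p in group_json.get("permissions", [])]


def post_json(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def onboard_group(sso_domain, account_uuid, client_id, client_secret, group_name,
                  idp_roles, tenant_uuid, management_zone_id=None,
                  permission_name="tenant-viewer"):
    """Run steps 1 to 3 end to end; needs network access and real credentials."""
    token = post_json(*token_request(sso_domain, account_uuid,
                                     client_id, client_secret))["access_token"]
    group = post_json(*group_request(sso_domain, account_uuid, token,
                                     group_name, idp_roles))
    granted = post_json(*permission_request(sso_domain, account_uuid, group["uuid"],
                                            token, tenant_uuid, management_zone_id,
                                            permission_name))
    return audit_group(granted)
```

Pass the client secret in from the environment or a secret store rather than a script literal, and prefer a management-zone scope over a tenant-wide one wherever the group only needs a slice of the environment.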