Cluster remote access
Dynatrace ONE can assist you remotely with Dynatrace Managed cluster upgrades and troubleshooting when you run into problems. To make this happen, a Dynatrace ONE product specialist must have permission to remotely access your Dynatrace Managed cluster. You can configure remote access permissions for your Dynatrace Managed cluster to authorize Dynatrace ONE to provide you with updates and pro-active support.
You must have cluster administrator privileges to access the Cluster Management Console.
To configure the level of permissions within your cluster, in the Cluster Management Console, go to Settings > Remote access permissions.
On this page, you can allow the Dynatrace ONE team remote access to your cluster. If this setting is enabled and events are detected, the Dynatrace ONE team can remotely adjust your cluster settings to ensure optimum performance and stability.
All communication with Mission Control is secure and performed via HTTPS with browser-like certificate checks. All Dynatrace Managed configuration changes are fully audit-logged, and each remote access is logged as a separate event (in the Dynatrace menu, go to Events to view the list of recorded events). The Mission Control team can't access certificates or user credentials. They also can't gain root access to any servers.
Once Dynatrace support remote access is enabled, you can set the scope of remote access permissions for Dynatrace ONE to one of the following scopes:
The entire Dynatrace ONE team of experts can access your cluster to provide you with the full power of pro-active support and optimize your cluster settings.
Read-only access to all
The entire Dynatrace ONE team of experts can access your cluster, but they can't edit any cluster settings. This option significantly limits the level of pro-active support. With this option, only the Viewer role is available for a remote-access user. Dynatrace ONE will contact you to make required changes if necessary.
Only approved Dynatrace ONE team members can access your cluster. Your cluster administrators will receive an email notification about pending remote access requests. The cluster administrator has to approve each request to grant permissions. You can adjust the duration and role you grant. You can also grant permissions to known Dynatrace ONE team members up front.
This scope gives you maximum control over who can access your cluster, but it significantly impacts the Dynatrace ONE team's ability to provide you with pro-active support.
You can assign the Admin, User, or Viewer role for a remote-access user. Refer to the following table for details on the permissions each role is assigned.
Permissions Admin User Viewer Description
Allows read-only access to an environment. Specifically, Dynatrace employees have access to:
- User-related settings – Signed-in user profile and signed-in user settings (for example, scheduled reports, favorite dashboards, and menu entries)
- Dynatrace Hub pages – Installation pages for OneAgent or ActiveGate
- Settings in read-only mode
- Cluster Management Console in read-only mode
- Request data capture rules configuration in read-only mode
- Internal-only diagnostic data
- Audit log reading
- Support archive access
- Synthetic credentials vault access, update/delete actions for credentials owned by the user
Dynatrace employees can't change settings or install OneAgent with this permission alone.
Allows the user to change monitoring settings of an environment.
Download OneAgent and ActiveGate
Allows the user to download OneAgent and ActiveGate from Hub and install on hosts.
Cluster Management Console configuration change
Allows the user to change Cluster-related settings in Cluster Management Console.
Allows the user to access the Logs page and log content of your applications. Logs may have sensitive information.
Configure capture of sensitive data
Allows the user to configure request-attribute capture rules. These can be used to capture elements such as HTTP headers or POST parameters for storage, filtering, and search. Also allows the user to manually trigger memory dumps.
View sensitive request data
Allows the user to view potentially personal data captured by Dynatrace, including permission to download memory dumps. Users who do not have this permission see that the data point exists, but the personal data is masked by asterisks (*****). Also allows the user to manually trigger memory dumps.
Enable OneAgent debug flags
Allows the user to execute read-only diagnostic operations and set OneAgent debug flags.
Execute diagnostic operations
Allows the user to execute diagnostic operations such as service restarts, run diagnostic scripts on cluster node hosts, and access the database.
Replay session data with masking
Allows the user to replay recorded user sessions with playback masking rules applied at the time of replay. Note that data masked during recording is never captured and therefore is always masked during replay.
Replay session data without masking
Allows the user to replay recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.
Manage security problems
Allows the user to manage problems reported by Dynatrace Application Security.
View security problems
Allows the user to view security problems.
You can also use the Remote Access REST API to adjust settings and remote-access permissions. For details, see Dynatrace Cluster API.