• Home
  • Dynatrace Managed
  • Configuration
  • Cluster remote access

Cluster remote access

Dynatrace ONE can assist you remotely with Dynatrace Managed cluster upgrades and troubleshooting when you run into problems. To make this happen, a Dynatrace ONE product specialist must have permission to remotely access your Dynatrace Managed cluster. You can configure remote access permissions for your Dynatrace Managed cluster to authorize Dynatrace ONE to provide you with updates and pro-active support.

Admin required

You must have cluster administrator privileges to access Cluster Management Console.

To configure the level of permissions within your cluster, in the Cluster Management Console, go to Settings > Remote access permissions.

On this page, you can allow the Dynatrace ONE team remote access to your cluster. If this setting is enabled and events are detected, the Dynatrace ONE team can remotely adjust your cluster settings to ensure optimum performance and stability.

Security

All communication with Mission Control is secure and performed via HTTPS with browser-like certificate checks. All Dynatrace Managed configuration changes are fully audit-logged and each remote access is logged as a separate event (In the Dynatrace menu, go to Events to view the list of recorded events). The Mission Control team can't access certificates or user credentials. They also can't gain root access to any servers.

Once Dynatrace support remote access is enabled, you can set the scope of remote access permissions for Dynatrace ONE to one of the following scopes:

  • All

    The entire Dynatrace ONE team of experts can access your cluster to provide you with the full power of pro-active support and optimize your cluster settings.

  • Read-only access to all

    The entire Dynatrace ONE team of experts can access your cluster but they can't edit any cluster settings. This option significantly limits the level of pro-active support. With this option, only the Viewer role is available for a remote-access user. Dynatrace ONE will contact you to make required changes if necessary.

  • Approved

    Only approved Dynatrace ONE team members can access your cluster. Your cluster administrators will receive an email notification about pending remote access requests. The cluster administrator has to approve each request to grant permissions. You can adjust the duration and role you grant. You can also grant permissions to known Dynatrace ONE team members up front.

    This scope gives you maximum control over who can access your cluster but it significantly impacts the Dynatrace ONE team's ability to provide you with pro-active support.

    You can assign the Admin, User, or Viewer role for a remote-access user. Refer to the following table for details on the permissions each role is assigned.

    PermissionsAdminUserViewerDescription

    Environment

    Allows read-only access to an environment. Specifically, Dynatrace employees have access to:

    • User-related settings – Signed-in user profile and signed-in user settings (for example, scheduled reports, favorite dashboards, and menu entries)
    • Dynatrace Hub pages - Installation pages for OneAgent or ActiveGate.
    • Settings in read-only mode
    • Reports
    • Cluster Management Console in read-only mode
    • Request data capture rules configuration in read-only mode
    • Internal-only diagnostic data
    • Audit log reading
    • Support archive access
    • Synthetic credentials vault access, update/delete actions for credentials owned by the user

    Dynatrace employees can't change settings or install OneAgent with this permission alone.

    Settings write

    Allows the user to change monitoring settings of an environment.

    Download OneAgent and ActiveGate

    Allows the user to download OneAgent and ActiveGate from Hub and install on hosts.

    Cluster Management Console configuration change

    Allows the user to change Cluster-related settings in Cluster Management Console.

    Logs

    Allows the user to access the Logs page and log content of your applications. Logs may have sensitive information.

    Configure capture of sensitive data

    Allows the user to configure request-attribute capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search. Also allows the user to manually trigger memory dumps.

    View sensitive request data

    Allows the user to view potentially personal data captured by Dynatrace, including permission to download memory dumps. Users who do not have this permission see that the data point exists, but the personal data is masked by asterisks (*****). Also allows the user to manually trigger memory dumps.

    Enable OneAgent debug flags

    Allows the user to execute read-only diagnostic operations and set OneAgent debug flags.

    Execute diagnostic operations

    Allows the user to execute diagnostic operations such as service restarts, run diagnostic scripts on cluster node hosts, and access the database.

    Replay session data with masking

    Allows the user to replay recorded user sessions with playback masking rules applied at the time of replay. Note that data masked during recording is never captured and therefore is always masked during replay.

    Replay session data without masking

    Allows the user to replay recorded user sessions without playback masking rules applied. Note that any data masked during recording is always masked during replay.

    Manage security problem

    Allows the user to manage problems reported by Dynatrace Application Security.

    View security problems

    Allows the user to view security problems.

API

You can also use the Remote Access REST API to adjust settings and remote-access permissions. For details, see Dynatrace Cluster API.