Management-zone security and metrics
Management zones allow you to restrict data access to specified user groups. In certain situations, however, data can be accessed by users outside a management zone.
Classic metrics
The affected classic metrics are those that have a polymorphic monitored entity. Currently, these are metrics with the MONITORED_ENTITY
dimension. Check the following metrics in the Metric browser—in the Dynatrace menu, go to Metrics.
builtin:billing.ddu.metrics.byEntity
builtin:billing.ddu.metrics.byEntityRaw
builtin:billing.ddu.log.byEntity
builtin:billing.ddu.events.byEntity
builtin:billing.ddu.serverless.byEntity
builtin:billing.ddu.traces.byEntity
Management-zone filtering does not take place for these metrics; if a user has permission to access any metric, they can access the data from these classic metrics, regardless of management zone.
Schemaless metrics
Schemaless metrics can have more than one dimension with a monitored-entity value. For example, a data point could have both dt.entity.process_group_instance
and dt.entity.host
. In such cases, management-zone filtering is based on the most specific entity. More specifically, filtering based on the first dimension from the list below that is present in the data.
dt.entity.service
dt.entity.process_group_instance
dt.entity.cf_application_instance
dt.entity.docker_container_group_instance
dt.entity.container_group_instance
dt.entity.cloud_application_instance
dt.entity.custom_device
dt.entity.host
Metric-selector operators
The metric-selector operators parents
and names
add information to metric data queries, which can expose the ID of the parent monitored entity (such as the ID of a host that is parent to a process) or the display name of the entity in the case of the names
operator.
Impact
While these caveats are noteworthy, the practical security impact is limited. The data from the affected classic metrics is typically not sensitive. For security-sensitive environments, we recommend taking the caveats regarding metric-selector operators (monitored entity IDs such as HOST-27A71FA663E7F352
and display names such as hostnames) into account when granting a user permission to read any metric data. For security-sensitive schemaless metrics, we recommend special care regarding which dimensions are sent as part of the data to ensure that the desired read-access restrictions are effective.