Management-zone security and metrics
Management zones allow you to restrict data access to specified user groups. In certain situations, however, data can be accessed by users outside a management zone.
The affected classic metrics are those that have a polymorphic monitored entity. Currently, these are metrics with the MONITORED_ENTITY dimension. Check the following metrics in the Metric browser (in the Dynatrace menu, go to Metrics).
Management-zone filtering does not take place for these metrics; if a user has permission to access any metric, they can access the data from these classic metrics, regardless of management zone.
Schemaless metrics can have more than one dimension with a monitored-entity value. For example, a data point could have both
dt.entity.host. In such cases, management-zone filtering is based on the most specific entity. More specifically, filtering is based on the first dimension from the list below that is present in the data.
The metric-selector operators
names add information to metric data queries, which can expose the ID of the parent monitored entity (such as the ID of a host that is parent to a process) or the display name of the entity in the case of the
While these caveats are noteworthy, the practical security impact is limited. The data from the affected classic metrics is typically not sensitive. For security-sensitive environments, we recommend taking the caveats regarding metric-selector operators (monitored entity IDs such as HOST-27A71FA663E7F352 and display names such as hostnames) into account when granting a user permission to read any metric data. For security-sensitive schemaless metrics, we recommend special care regarding which dimensions are sent as part of the data to ensure that the desired read-access restrictions are effective.
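As an added example (not part of the original page and not Dynatrace code), the following check can be run over schemaless metric lines before they are sent; it reports every line that carries more than one dt.entity.* dimension, the case in which management-zone filtering is decided by only one of them. It assumes a comma-separated key,dimension=value line layout; the function names, the sample lines, and the PROCESS_GROUP_INSTANCE ID are constructed for illustration.

```python
# Added example: flag metric lines carrying several dt.entity.* dimensions.
def split_unquoted(text, sep):
    """Split on sep, skipping separators that are quoted or backslash-escaped."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def entity_dimensions(line):
    """Parse 'key,dim=value,... payload' (assumed layout) into key and entity dims."""
    head = split_unquoted(line.strip(), " ")[0]
    fields = split_unquoted(head, ",")
    dims = {}
    for field in fields[1:]:
        name, _, value = field.partition("=")
        if name.lower().startswith("dt.entity."):
            dims[name.lower()] = value.strip('"')
    return fields[0], dims

def review(lines):
    """List (line number, metric key, entity dimension names) needing review."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, dims = entity_dimensions(line)
        if len(dims) > 1:
            findings.append((number, key, sorted(dims)))
    return findings

# Constructed sample lines; the PROCESS_GROUP_INSTANCE ID is a placeholder.
SAMPLE = [
    "app.queue.depth,dt.entity.host=HOST-27A71FA663E7F352,queue=orders 12",
    "app.request.count,dt.entity.process_group_instance=PROCESS_GROUP_INSTANCE-0000000000000001,dt.entity.host=HOST-27A71FA663E7F352 count,delta=5",
    'app.note,label="a, b dt.entity.host=x",dt.entity.host=HOST-27A71FA663E7F352 1',
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

Each reported line is one to inspect by hand: confirm that the entity dimension governing the filter belongs to the management zone whose users are meant to read the data.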