Management-zone security and metrics

Management zones allow you to restrict data access to specified user groups. In certain situations, however, data can be accessed by users outside a management zone.

Classic metrics

The affected classic metrics are those that have a polymorphic monitored entity. Currently, these are metrics with the MONITORED_ENTITY dimension. To check the following metrics, open the Metric browser (in the Dynatrace menu, go to Metrics).

  • builtin:billing.ddu.metrics.byEntity
  • builtin:billing.ddu.metrics.byEntityRaw
  • builtin:billing.ddu.log.byEntity
  • builtin:billing.ddu.events.byEntity
  • builtin:billing.ddu.serverless.byEntity
  • builtin:billing.ddu.traces.byEntity

Management-zone filtering does not take place for these metrics; if a user has permission to access any metric, they can access the data from these classic metrics, regardless of management zone.

Schemaless metrics

Schemaless metrics can have more than one dimension with a monitored-entity value. For example, a data point could have both dt.entity.process_group_instance and dt.entity.host. In such cases, management-zone filtering is based on the most specific entity. More specifically, filtering is based on the first dimension from the list below that is present in the data.

  1. dt.entity.service
  2. dt.entity.process_group_instance
  3. dt.entity.cf_application_instance
  4. dt.entity.docker_container_group_instance
  5. dt.entity.container_group_instance
  6. dt.entity.cloud_application_instance
  7. dt.entity.custom_device
  8. dt.entity.host
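
The precedence rule above, as an added example (not Dynatrace code): for each data point it reports which dimension decides management-zone filtering and which entity dimensions play no part in that decision. The line format is an assumed, simplified `key,dim=value payload` form without quoted values, and the sample lines and entity IDs are constructed.

```python
# Precedence order copied from the list above: the first dimension present wins.
MZ_PRECEDENCE = [
    "dt.entity.service",
    "dt.entity.process_group_instance",
    "dt.entity.cf_application_instance",
    "dt.entity.docker_container_group_instance",
    "dt.entity.container_group_instance",
    "dt.entity.cloud_application_instance",
    "dt.entity.custom_device",
    "dt.entity.host",
]


def parse_dimensions(line):
    """Split 'metric.key,dim=value,... payload' into (key, {dim: value})."""
    # Simplified parser (assumption): no quoted values with commas or spaces.
    head = line.split(" ", 1)[0]
    key, *pairs = head.split(",")
    return key, dict(pair.split("=", 1) for pair in pairs)


def filtering_dimension(dims):
    """Return the dimension management-zone filtering is based on, or None."""
    for name in MZ_PRECEDENCE:
        if name in dims:
            return name
    return None  # none of the listed dimensions present; the page does not cover this case


def audit(lines):
    """Report the deciding dimension and the entity dimensions that do not decide."""
    report = []
    for line in lines:
        key, dims = parse_dimensions(line)
        deciding = filtering_dimension(dims)
        ignored = [d for d in MZ_PRECEDENCE if d in dims and d != deciding]
        report.append({"metric": key, "deciding": deciding, "ignored": ignored})
    return report


# Constructed sample data points; metric keys and entity IDs are made up.
SAMPLE = [
    "app.queue.depth,dt.entity.process_group_instance=PROCESS_GROUP_INSTANCE-0000000000000001,dt.entity.host=HOST-0000000000000001 12",
    "app.disk.free,dt.entity.host=HOST-0000000000000001 83",
    "app.build.count,team=payments 4",
]
```

Running `audit(SAMPLE)` before sending custom metrics shows, for the first line, that the process group instance decides access and the host dimension is not considered.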

Metric-selector operators

The metric-selector operators parents and names add information to metric data queries, which can expose the ID of the parent monitored entity (such as the ID of a host that is parent to a process) or the display name of the entity in the case of the names operator.

Impact

While these caveats are noteworthy, the practical security impact is limited. The data from the affected classic metrics is typically not sensitive. For security-sensitive environments, we recommend taking the caveats regarding metric-selector operators (monitored entity IDs such as HOST-27A71FA663E7F352 and display names such as hostnames) into account when granting a user permission to read any metric data. For security-sensitive schemaless metrics, we recommend special care regarding which dimensions are sent as part of the data to ensure that the desired read-access restrictions are effective.