
Cloud Automation user permissions

To work with the Cloud Automation UI (bridge) and API, you need permissions as described below.

Define policies

Cloud Automation provides three default policies with view, approve, or admin permissions. They can be bound to groups, but we don't recommend that you customize them. Instead, create a new policy as described below.

  • A viewer has read-only permissions.
json
ALLOW cloudautomation:events:read, cloudautomation:integrations:read, cloudautomation:logs:read, cloudautomation:metadata:read, cloudautomation:projects:read, cloudautomation:resources:read, cloudautomation:secrets:read, cloudautomation:services:read, cloudautomation:stages:read;
  • An approver has viewer permissions and is additionally allowed to send the approval event (sh.keptn.event.approval.finished); no other event type is permitted.
json
ALLOW cloudautomation:events:write WHERE cloudautomation:event = "sh.keptn.event.approval.finished";
  • An admin has all permissions to manage a Cloud Automation instance.
json
ALLOW cloudautomation:events:read, cloudautomation:events:write, cloudautomation:integrations:read, cloudautomation:integrations:write, cloudautomation:integrations:delete, cloudautomation:logs:read, cloudautomation:metadata:read, cloudautomation:projects:read, cloudautomation:projects:write, cloudautomation:projects:delete, cloudautomation:resources:read, cloudautomation:resources:write, cloudautomation:secrets:read, cloudautomation:secrets:write, cloudautomation:secrets:delete, cloudautomation:services:read, cloudautomation:services:write, cloudautomation:services:delete, cloudautomation:stages:read;

To define a custom policy for a certain user group:

  1. In the Dynatrace user menu, go to Account settings.

  2. Select Accounts, then select your account tile.

  3. Select Identity management > Policy management.

  4. Select Add policy.

  5. Enter a policy name and, optionally, a description of your policy, then add the policy statement. For example, to create an approver policy restricted to a single project, create two policies containing the following policy statements:

    Policy for meta-data
    json
    ALLOW cloudautomation:integrations:read, cloudautomation:logs:read, cloudautomation:metadata:read, cloudautomation:secrets:read, cloudautomation:projects:read, cloudautomation:events:read;
    Policy for the approver role
    json
    ALLOW cloudautomation:resources:read, cloudautomation:services:read, cloudautomation:stages:read, cloudautomation:events:write WHERE cloudautomation:project = "project-name";
  6. (optional) Depending on the policy statement you have defined, you can add conditions, as in the example of an approver with a project restriction above. A WHERE clause applies to every permission listed in that statement. The tables below list the conditions allowed for each policy statement.

    Policy statements with conditions

    Policy statement | Conditions | Description
    cloudautomation:events:read | cloudautomation:project (1), cloudautomation:stage, cloudautomation:service, cloudautomation:event | Permission to read events in Cloud Automation.
    cloudautomation:events:write | cloudautomation:project, cloudautomation:stage, cloudautomation:service, cloudautomation:event | Permission to send events to Cloud Automation.
    cloudautomation:projects:read | cloudautomation:project (1) | Permission to read projects in Cloud Automation.
    cloudautomation:projects:write | cloudautomation:project | Permission to write or edit projects in Cloud Automation.
    cloudautomation:projects:delete | cloudautomation:project | Permission to delete projects in Cloud Automation.
    cloudautomation:stages:read | cloudautomation:project, cloudautomation:stage | Permission to read stages in Cloud Automation.
    cloudautomation:services:read | cloudautomation:project, cloudautomation:stage, cloudautomation:service | Permission to read services in Cloud Automation.
    cloudautomation:services:write | cloudautomation:project, cloudautomation:stage, cloudautomation:service | Permission to write or edit services in Cloud Automation.
    cloudautomation:services:delete | cloudautomation:project, cloudautomation:stage, cloudautomation:service | Permission to delete services in Cloud Automation.
    cloudautomation:resources:read | cloudautomation:project, cloudautomation:stage, cloudautomation:service | Permission to read resources stored in the Git repository.
    cloudautomation:resources:write | cloudautomation:project, cloudautomation:stage, cloudautomation:service | Permission to write or edit resources stored in the Git repository.
    cloudautomation:resources:delete | cloudautomation:project, cloudautomation:stage, cloudautomation:service | Permission to delete resources stored in the Git repository.

    (1) Because of a known limitation, this condition doesn't work in the Cloud Automation frontend. Do not set this condition if the policy should control user interactions.

    Policy statements with no conditions

    Policy statement | Description
    cloudautomation:metadata:read | Permission to read the API token and metadata of Cloud Automation.
    cloudautomation:logs:read | Permission to read logs of Cloud Automation.
    cloudautomation:logs:write | Permission to write logs for Cloud Automation.
    cloudautomation:integrations:read | Permission to read integrations used in Cloud Automation.
    cloudautomation:integrations:write | Permission to write or edit integrations used in Cloud Automation.
    cloudautomation:integrations:delete | Permission to delete integrations used in Cloud Automation.
    cloudautomation:secrets:read | Permission to read secrets used in Cloud Automation.
    cloudautomation:secrets:write | Permission to write secrets used in Cloud Automation.
    cloudautomation:secrets:delete | Permission to delete secrets used in Cloud Automation.
  7. Select Save.
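Before binding a set of policies to a group, it helps to check what they actually grant. The following added example is the editor's, not Dynatrace code: it is a small evaluator for the ALLOW ... WHERE ...; statement syntax shown on this page, applied to the two approver policies above and to constructed requests. Its semantics are assumptions (deny by default, a WHERE clause scopes every permission in its statement, conditions are equality tests joined by AND); Dynatrace's real IAM engine may differ.

```python
"""Hypothetical evaluator for Cloud Automation policy statements (added example).

Assumptions, not Dynatrace behaviour: deny by default; a WHERE clause applies to
every permission listed in its statement; conditions are "key = value" equality
tests joined by AND.
"""
import re
from dataclasses import dataclass

STATEMENT_RE = re.compile(
    r"ALLOW\s+(?P<perms>[^;]+?)(?:\s+WHERE\s+(?P<cond>[^;]+?))?\s*;",
    re.IGNORECASE,
)
CONDITION_RE = re.compile(r'(?P<key>cloudautomation:\w+)\s*=\s*"(?P<value>[^"]*)"')


@dataclass(frozen=True)
class Statement:
    permissions: frozenset
    conditions: tuple  # ((key, value), ...); empty for unconditional statements


def parse_policy(text):
    """Parse policy text into one Statement per 'ALLOW ...;' statement."""
    statements = []
    for match in STATEMENT_RE.finditer(text):
        perms = frozenset(p.strip() for p in match.group("perms").split(",") if p.strip())
        conditions = []
        if match.group("cond"):
            for part in re.split(r"\s+AND\s+", match.group("cond").strip(), flags=re.IGNORECASE):
                cond = CONDITION_RE.fullmatch(part.strip())
                if cond is None:
                    raise ValueError(f"unsupported condition: {part!r}")
                conditions.append((cond.group("key"), cond.group("value")))
        statements.append(Statement(perms, tuple(conditions)))
    return statements


def is_allowed(statements, permission, context):
    """True if some statement grants `permission` and all of its conditions
    match the request context (a dict keyed by cloudautomation:* names)."""
    for statement in statements:
        if permission not in statement.permissions:
            continue
        if all(context.get(key) == value for key, value in statement.conditions):
            return True
    return False


# The two policies from the page's approver-with-project-restriction example.
METADATA_POLICY = (
    "ALLOW cloudautomation:integrations:read, cloudautomation:logs:read, "
    "cloudautomation:metadata:read, cloudautomation:secrets:read, "
    "cloudautomation:projects:read, cloudautomation:events:read;"
)
APPROVER_POLICY = (
    "ALLOW cloudautomation:resources:read, cloudautomation:services:read, "
    "cloudautomation:stages:read, cloudautomation:events:write "
    'WHERE cloudautomation:project = "project-name";'
)


def effective_statements(*policies):
    """Statements a user holds when all given policies are bound to their group."""
    statements = []
    for policy in policies:
        statements.extend(parse_policy(policy))
    return statements


def approver_checks():
    """Constructed requests (not real traffic) against the bound approver policies."""
    granted = effective_statements(METADATA_POLICY, APPROVER_POLICY)
    own = {"cloudautomation:project": "project-name",
           "cloudautomation:event": "sh.keptn.event.approval.finished"}
    other = {"cloudautomation:project": "other-project"}
    return {
        # the restricted approver may send events only in its own project
        "write_event_own_project": is_allowed(granted, "cloudautomation:events:write", own),
        "write_event_other_project": is_allowed(granted, "cloudautomation:events:write", other),
        # the WHERE clause scopes every permission in its statement, not only events:write
        "read_stages_other_project": is_allowed(granted, "cloudautomation:stages:read", other),
        # events:read in the meta-data policy is unconditional, so it spans all projects
        "read_events_other_project": is_allowed(granted, "cloudautomation:events:read", other),
        # nothing grants delete, so it is denied by default
        "delete_own_project": is_allowed(granted, "cloudautomation:projects:delete", own),
    }


if __name__ == "__main__":
    for name, allowed in approver_checks().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Note what the unconditional meta-data policy implies: events:read and projects:read there carry no project condition, so the restricted approver can still read events and projects outside "project-name". If that is not intended, keep in mind the footnote above: the cloudautomation:project condition on those two statements is not honoured by the frontend.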

Define a group

To define a group:

  1. In the Dynatrace user menu, go to Account settings.
  2. Select Accounts, and then select your account tile.
  3. Select Identity management > Group management.
  4. Select Add group.
  5. Enter a group name and, optionally, a group description.
  6. Under Account permissions, select Policies.
  7. Filter by policy name for the default policy or for the policy you created in Define policies, and then select Bind.
  8. Select Save.

Assign a user to a group

To assign a user to a group:

  1. In the Dynatrace user menu, go to Account settings.
  2. Select Accounts, then select your account tile.
  3. Select Identity management > User management.

To add an existing user to the group:

  1. Filter for the user and then select Edit.
  2. Scroll down to Assign groups to user and filter for the group name you created in Define a group.
  3. Select your group and then select Save.

To add a new user to the group:

  1. Select Invite user.
  2. Enter the required details.
  3. Go to Assign groups to user and filter for the group name you created in Define a group.
  4. Select your group and then select Invite.

Authenticate the Cloud Automation user

After assigning a user to a group whose policies grant at least the viewer permissions, the user can authenticate:

  • On the Cloud Automation bridge

    Authenticate on the CA bridge

    Open https://<YOUR-CLOUD-AUTOMATION-INSTANCE>/bridge, making sure to replace the placeholder (<YOUR-CLOUD-AUTOMATION-INSTANCE>) with your own value.

  • With the Cloud Automation CLI

    Authenticate with the CA CLI

    Run the command below, making sure to replace the placeholder (<YOUR-CLOUD-AUTOMATION-INSTANCE>) with your own value.

    plaintext
    keptn auth --oauth --oauth-discovery=https://sso.dynatrace.com/.well-known/openid-configuration --oauth-client-id=dt0s03.dynatrace-cloudautomation-cli-prod --endpoint=https://<YOUR-CLOUD-AUTOMATION-INSTANCE>/api --oauth-scopes=cloudautomation:resources:read,cloudautomation:resources:delete,cloudautomation:metadata:read,cloudautomation:events:read,cloudautomation:events:write,cloudautomation:projects:read,cloudautomation:projects:delete,cloudautomation:stages:read,cloudautomation:services:read,cloudautomation:services:delete,cloudautomation:secrets:read