Bucket and table permissions in Grail

The Grail data model consists of buckets, tables and views. Records are stored in buckets , and buckets are assigned to tables , including logs, events, metrics, and bizevents tables. Fetching from a table returns all records from all buckets that are assigned to that table. Views are reserved for entities, such as dt.entity. Entities are not stored in buckets and cannot be fetched directly.

Built-in Grail buckets

There is a set of predefined built-in buckets that cannot be modified, including:

Default buckets, whose name starts with default_
System buckets, whose name starts with dt.

Examples of built-in buckets with corresponding retention periods

Name	Table	Retention
default_events	events	35 days
default_bizevents	bizevents	35 days
default_logs	logs	35 days
default_metrics	metrics	15 months
default_spans	spans	10 days
dt_system_events	dt.system.events	1 year

Custom Grail buckets

You can create a bucket tailored to your needs. Grail buckets behave like folders in a file system and are designed for records that should be handled together . For example, you might need to store together:

Data with the same retention period
Data that needs to be queried/analyzed together
Data that needs to be deleted at the same time.

Defining buckets can improve query performance by reducing query execution time and the scope of data read. Finally, having your data stored in a bucket streamlines your permission management, because you can easily provide a user group or single users with access to needed data .

Managing custom Grail buckets

You can manage your custom Grail buckets via REST API.

Open the user menu in the lower-left corner and make sure the Latest Dynatrace toggle is turned on.
In the Search field, enter 'API' and select Dynatrace API.
In the Select a definition field, select Bucket Management.
Authenticate with your API token. See Authentication for details.
You can perform the following actions:
- To list your buckets , go to Bucket Definitions and select GET/bucket-definitions.
- To create buckets, go to Bucket Definitions and select POST/bucket-definitions.
- To truncate buckets, go to Bucket Definitions and select POST/bucket-definitions/{bucketName}: truncate.

Note: A maximum of 80 custom buckets can be created per environment .

Bucket and table permissions

Permissions can be assigned on the bucket, table and entity levels. Without permissions, your users cannot fetch any data from a bucket or a table.

Set up permissions

To set up the bucket and table-level permissions:

In the Dynatrace menu, go to Account settings and select Identity management > Policy management.
On The Policy management page, enter the policy name and description.
In the Policy statements field, enter a statement of the following format:

plaintext
ALLOW <bucket permission> where <condition>;
ALLOW <table permission>;

Supported bucket permissions

All bucket permissions need to start with storage:buckets:read. Their scope can be limited by a WHERE clause that includes one of the three operators:

equals, =, indicating an exact match.
STARTSWITH with a an expression put in quotation marks.
IN, indicating a range.

You can filter your stored buckets by a specific bucket name or a defined table name, after the WHERE clause:

WHERE storage:bucket-name
WHERE storage: table-name

Supported table permissions

All tables related to log monitoring have their corresponding permissions that need to be set.

Table name	Permission
logs	storage:logs:read
events	storage:events:read
metrics	storage:metrics:read
bizevents	storage:bizevents:read
spans	storage:spans:read
entities	storage:entities:read
dt.system.events	storage:system:read

Choose a predefined policy

There are six predefined global policies, each set per one table (logs, events, bizevents, metrics, entities, spans), and three additional, general policies:

Read all data
Read default monitoring data
Read all system data

Global policy for the logs table

This policy provides access to all logs from Grail, and narrows the bucket permission with a where condition that limits the results to the log table. Note: This statement provides access to all built-in and custom buckets .

plaintext
ALLOW storage:buckets:read WHERE storage:table-name= "logs";
ALLOW storage:logs:read;

Read all data

This permission statement gives you access to all tables and all buckets, therefore it needs to be used only in justified cases.

plaintext
ALLOW storage:buckets:read;
ALLOW storage:system:read;
      storage:events:read;
      storage:logs:read;
      storage:metrics:read;
      storage:entities:read;
      storage:bizevents:read;
      storage:spans:read;

Read default monitoring data

This policy retrieves all default monitoring data .

In the first line, this policy statement gives access to all default buckets. The where condition narrows the search to buckets whose name starts with default. Subsequently, the next lines list all the needed table permissions. Note: This statement does not give access to custom buckets.

plaintext
ALLOW storage:buckets:read WHERE storage:bucket-name STARTSWITH "default_";
ALLOW storage:events:read;
      storage:logs:read;
      storage:metrics:read;
      storage:entities:read;
      storage:bizevents:read;
      storage:spans:read;

Read all system data

This permission statement first narrows the results to system buckets, whose name starts with dt. Then, it gives you access to all tables that contain system data, for example audit events, billing events, and query execution events . It can be useful for system admins.

plaintext
ALLOW storage:buckets:read WHERE storage:bucket-name STARTSWITH "dt.";
ALLOW storage:system:read;