Bucket and table permissions in Grail
The Grail data model consists of buckets, tables and views. Records are stored in buckets, and buckets are assigned to tables, including the logs, events, metrics, and bizevents tables. Fetching from a table returns all records from all buckets that are assigned to that table. Views are reserved for entities, such as dt.entity. Entities are not stored in buckets and cannot be fetched directly.
Built-in Grail buckets
There is a set of predefined built-in buckets that cannot be modified, including:
- Default buckets, whose name starts with default_
- System buckets, whose name starts with dt.
Custom Grail buckets
You can create a bucket tailored to your needs. Grail buckets behave like folders in a file system and are designed for records that should be handled together. For example, you might want to store together:
- Data with the same retention period
- Data that needs to be queried/analyzed together
- Data that needs to be deleted at the same time.
Defining buckets can improve query performance, because a query scoped to a bucket reads less data and therefore runs faster. Finally, keeping your data in a dedicated bucket streamlines permission management, because you can grant a user group or single users access to exactly the data they need.
Managing custom Grail buckets
You can manage your custom Grail buckets via the REST API.
- Open the user menu in the lower-left corner and make sure the Latest Dynatrace toggle is turned on.
- In the Search field, enter 'API' and select Dynatrace API.
- In the Select a definition field, select Bucket Management.
- Authenticate with your API token. See Authentication for details.
- You can perform the following actions:
  - To list your buckets, go to Bucket Definitions and select GET /bucket-definitions.
  - To create buckets, go to Bucket Definitions and select POST /bucket-definitions.
  - To truncate buckets, go to Bucket Definitions and select POST /bucket-definitions/{bucketName}:truncate.
Note: A maximum of 80 custom buckets can be created per environment.
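The steps above drive the Bucket Management API through the interactive API page. The following is an added example, not Dynatrace code, that goes one step further and scripts the same three calls (list, create, truncate) so they can be run from a pipeline. It assumes the caller supplies the API root URL, that the token is sent with the Api-Token authorization scheme, the request body field names shown in create_bucket, and that the default_ and dt. prefixes (which the page reserves for built-in buckets) must not be used for custom buckets. The transport is injectable so the request shapes can be inspected without a network.

```python
"""Scripted Bucket Management API calls (added example, not Dynatrace code).

Assumptions: base_url is the root of the Bucket Management API, the Api-Token
authorization scheme, the JSON body field names used in create_bucket, and that
custom bucket names must not use the prefixes reserved for built-in buckets.
"""
import json
from typing import Callable, Dict, Optional, Tuple
from urllib import request

RESERVED_PREFIXES = ("default_", "dt.")   # built-in bucket prefixes, per the page
MAX_CUSTOM_BUCKETS = 80                   # per-environment limit, per the page

Response = Tuple[int, bytes]
Sender = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


def http_send(method: str, url: str, headers: Dict[str, str], data: Optional[bytes]) -> Response:
    """Real transport: performs the HTTP request with urllib."""
    req = request.Request(url, data=data, headers=headers, method=method)
    with request.urlopen(req) as resp:
        return resp.status, resp.read()


def dry_run_send(method: str, url: str, headers: Dict[str, str], data: Optional[bytes]) -> Response:
    """Offline transport: prints what would be sent instead of sending it."""
    print(method, url)
    if data:
        print("  body:", data.decode())
    return 0, b""


class BucketClient:
    def __init__(self, base_url: str, api_token: str, send: Sender = http_send):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "Authorization": f"Api-Token {api_token}",   # token scheme assumed
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        self._send = send

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Response:
        data = json.dumps(body).encode() if body is not None else None
        return self._send(method, f"{self.base_url}{path}", self.headers, data)

    def list_buckets(self) -> Response:
        # GET /bucket-definitions, as listed on the page
        return self._call("GET", "/bucket-definitions")

    def create_bucket(self, name: str, table: str, retention_days: int,
                      display_name: Optional[str] = None) -> Response:
        # POST /bucket-definitions; refuse names that collide with built-in prefixes
        if name.startswith(RESERVED_PREFIXES):
            raise ValueError(f"{name!r} uses a prefix reserved for built-in buckets")
        body = {"bucketName": name, "table": table,            # field names assumed
                "retentionDays": retention_days, "displayName": display_name or name}
        return self._call("POST", "/bucket-definitions", body)

    def truncate_bucket(self, name: str) -> Response:
        # POST /bucket-definitions/{bucketName}:truncate deletes every record in the
        # bucket, so built-in buckets (which cannot be modified anyway) are refused.
        if name.startswith(RESERVED_PREFIXES):
            raise ValueError(f"refusing to truncate built-in bucket {name!r}")
        return self._call("POST", f"/bucket-definitions/{name}:truncate")


if __name__ == "__main__":
    # Constructed values: URL, token and bucket name are placeholders.
    client = BucketClient("https://example.invalid/bucket-management", "TOKEN", send=dry_run_send)
    client.list_buckets()
    client.create_bucket("custom_app_logs", "logs", retention_days=35)
    client.truncate_bucket("custom_app_logs")
```

Swap dry_run_send for http_send (the default) once the root URL and token are in place; truncation is irreversible, so keep the reserved-prefix guard and add any further checks your environment needs before calling it from automation.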
Bucket and table permissions
Permissions can be assigned on the bucket, table and entity levels. Without permissions, your users cannot fetch any data from a bucket or a table.
Set up permissions
To set up the bucket and table-level permissions:
- In the Dynatrace menu, go to Account settings and select Identity management > Policy management.
- On the Policy management page, enter the policy name and description.
- In the Policy statements field, enter a statement of the following format:
ALLOW <bucket permission> where <condition>;
ALLOW <table permission>;
Supported bucket permissions
All bucket permissions need to start with storage:buckets:read. Their scope can be limited by a WHERE clause that uses one of three operators:
- =, indicating an exact match
- STARTSWITH, with a prefix put in quotation marks
- IN, indicating a list of allowed values
After the WHERE clause, you can filter the buckets by a specific bucket name or by the table they are assigned to:
- WHERE storage:bucket-name
- WHERE storage:table-name
Supported table permissions
Each table has a corresponding table permission that needs to be granted in addition to the bucket permission:
Table name | Permission |
---|---|
logs | storage:logs:read |
events | storage:events:read |
metrics | storage:metrics:read |
bizevents | storage:bizevents:read |
spans | storage:spans:read |
entities | storage:entities:read |
dt.system.events | storage:system:read |
Choose a predefined policy
There are six predefined global policies, one per table (logs, events, bizevents, metrics, entities, spans), and three additional, general policies:
- Read all data
- Read default monitoring data
- Read all system data
Global policy for the logs table
This policy provides access to all logs in Grail, and narrows the bucket permission with a WHERE condition that limits the results to the logs table. Note: This statement provides access to all built-in and custom buckets that are assigned to the logs table.
ALLOW storage:buckets:read WHERE storage:table-name= "logs";
ALLOW storage:logs:read;
Read all data
This permission statement gives you access to all tables and all buckets, so it should be used only in justified cases.
ALLOW storage:buckets:read;
ALLOW storage:system:read;
ALLOW storage:events:read;
ALLOW storage:logs:read;
ALLOW storage:metrics:read;
ALLOW storage:entities:read;
ALLOW storage:bizevents:read;
ALLOW storage:spans:read;
Read default monitoring data
This policy grants access to all default monitoring data.
In the first line, the policy statement gives access to all default buckets: the WHERE condition narrows the scope to buckets whose name starts with default_. The following lines grant all the needed table permissions. Note: This statement does not give access to custom buckets.
ALLOW storage:buckets:read WHERE storage:bucket-name STARTSWITH "default_";
ALLOW storage:events:read;
ALLOW storage:logs:read;
ALLOW storage:metrics:read;
ALLOW storage:entities:read;
ALLOW storage:bizevents:read;
ALLOW storage:spans:read;
Read all system data
This permission statement first narrows the scope to system buckets, whose name starts with the dt. prefix. Then it grants storage:system:read, which gives you access to all tables that contain system data, for example audit events, billing events, and query execution events. It can be useful for system admins.
ALLOW storage:buckets:read WHERE storage:bucket-name STARTSWITH "dt.";
ALLOW storage:system:read;
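The point of the policies above is that a read succeeds only when a bucket statement matches the bucket and the table permission for that table is also granted. The following added example, which is not Dynatrace code, models exactly that rule for the statement forms on this page (=, STARTSWITH and IN on storage:bucket-name or storage:table-name, plus unconditional table permissions) and evaluates the quoted predefined policies against sample bucket names. The statement grammar (ALLOW permission[, permission] [WHERE condition];), the bucket names default_logs and custom_app_logs, and the constructed TEAM_LOGS_POLICY are assumptions made for the example; conditions on table permissions are deliberately not modelled because the page does not cover them.

```python
"""Illustrative model of how bucket and table permissions combine.

Added example, not Dynatrace code. A record in bucket B of table T is readable
only if some storage:buckets:read statement matches B/T AND the table permission
for T is granted. Statement grammar assumed: ALLOW perm[, perm] [WHERE cond];
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Table -> table permission, as listed on this page.
TABLE_PERMISSIONS = {
    "logs": "storage:logs:read",
    "events": "storage:events:read",
    "metrics": "storage:metrics:read",
    "bizevents": "storage:bizevents:read",
    "spans": "storage:spans:read",
    "entities": "storage:entities:read",
    "dt.system.events": "storage:system:read",
}
BUCKET_PERMISSION = "storage:buckets:read"

_STMT = re.compile(r"^ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<cond>.+))?$", re.I | re.S)
_COND = re.compile(
    r"^(?P<field>storage:(?:bucket|table)-name)\s*(?P<op>=|STARTSWITH|IN)\s*(?P<rest>.+)$",
    re.I | re.S,
)


@dataclass(frozen=True)
class BucketRule:
    field: Optional[str]          # None: no WHERE clause, so every bucket matches
    op: Optional[str]
    values: Tuple[str, ...]

    def matches(self, bucket_name: str, table: str) -> bool:
        if self.field is None:
            return True
        subject = bucket_name if self.field == "storage:bucket-name" else table
        if self.op == "=":
            return subject == self.values[0]
        if self.op == "STARTSWITH":
            return subject.startswith(self.values[0])
        return subject in self.values   # IN


@dataclass
class Policy:
    bucket_rules: List[BucketRule]
    table_perms: Set[str]


def _parse_condition(cond: Optional[str]) -> BucketRule:
    if cond is None:
        return BucketRule(None, None, ())
    m = _COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported bucket condition: {cond!r}")
    values = tuple(re.findall(r'"([^"]*)"', m.group("rest")))   # quoted values only
    if not values:
        raise ValueError(f"condition needs quoted value(s): {cond!r}")
    return BucketRule(m.group("field").lower(), m.group("op").upper(), values)


def parse_policy(text: str) -> Policy:
    rules: List[BucketRule] = []
    perms: Set[str] = set()
    for stmt in (s.strip() for s in text.split(";")):
        if not stmt:
            continue
        m = _STMT.match(stmt)
        if not m:
            raise ValueError(f"unparseable statement: {stmt!r}")
        for name in (p.strip() for p in m.group("perms").split(",")):
            if name == BUCKET_PERMISSION:
                rules.append(_parse_condition(m.group("cond")))
            elif name in TABLE_PERMISSIONS.values():
                if m.group("cond"):
                    raise ValueError("conditions on table permissions are not modelled here")
                perms.add(name)
            else:
                raise ValueError(f"unknown permission: {name!r}")
    return Policy(rules, perms)


def can_read(policy: Policy, bucket_name: str, table: str) -> bool:
    """Both a matching bucket rule AND the table's own permission are required."""
    table_ok = TABLE_PERMISSIONS.get(table) in policy.table_perms
    bucket_ok = any(r.matches(bucket_name, table) for r in policy.bucket_rules)
    return table_ok and bucket_ok


# The predefined policies quoted on this page.
LOGS_POLICY = parse_policy("""
ALLOW storage:buckets:read WHERE storage:table-name= "logs";
ALLOW storage:logs:read;
""")
DEFAULT_DATA_POLICY = parse_policy("""
ALLOW storage:buckets:read WHERE storage:bucket-name STARTSWITH "default_";
ALLOW storage:events:read; ALLOW storage:logs:read; ALLOW storage:metrics:read;
ALLOW storage:entities:read; ALLOW storage:bizevents:read; ALLOW storage:spans:read;
""")
SYSTEM_DATA_POLICY = parse_policy("""
ALLOW storage:buckets:read WHERE storage:bucket-name STARTSWITH "dt.";
ALLOW storage:system:read;
""")
# Constructed policy using IN: only two named log buckets (bucket names are assumed).
TEAM_LOGS_POLICY = parse_policy("""
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("default_logs", "custom_app_logs");
ALLOW storage:logs:read;
""")

if __name__ == "__main__":
    for label, pol in [("logs table", LOGS_POLICY), ("default data", DEFAULT_DATA_POLICY)]:
        print(f"{label}: custom_app_logs/logs ->", can_read(pol, "custom_app_logs", "logs"))
```

Running it shows the difference the two WHERE forms make: the logs-table policy reaches a custom log bucket, the default-data policy does not, and TEAM_LOGS_POLICY cannot read events from a bucket it names because the events table permission is missing.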