User groups and permissions

You need to configure user groups in Dynatrace Managed to allow access to your monitoring environment or your Dynatrace Server.

Manage groups and users

A default administrator account is created during Dynatrace Managed installation. This account exists regardless of the authentication type you select (internal or LDAP). The default administrator account has cluster permissions.

You can manage users and groups through Cluster Management Console by navigating to Settings > User authentication.

  1. Create a new group by navigating to User Groups > Add new group.
  2. Assign administrator permissions to the newly created group (by enabling Grant global administrator permissions to this group) or select individual access rights for each environment.
  3. Add a new user by navigating to User accounts > Add new user.
    Note: This only works with an internal database—not with LDAP.
  4. Assign group to the user by navigating to User accounts, selecting a user, and clicking Add within the Add group assignments section.
    Note: A group cannot be assigned if there are no permissions specified for this group.


You can assign a pre-defined set of permissions to a group. Once a group is defined, you can add users to the group. Added users inherit the permissions of the groups they are assigned to. Any group can be modified to fit your needs. You can even create new groups and assign permissions to them.

Cluster permissions

Users assigned to groups with this permission are automatically given administrator access rights for all environments. They have access to Cluster Management Console and can manage your monitoring environments and Dynatrace Server. Users assigned to groups with this permission can also:

  • Add new Dynatrace Server nodes
  • Upgrade Dynatrace Server
  • Manage Dynatrace Managed users and user groups
  • Install Dynatrace OneAgent into any monitoring environment
  • Configure monitoring settings for any monitoring environment

Environment permissions

Dynatrace provides the following environment-based permissions:

  • Access environment. Allows read-only access to the environment. Can't change settings or install OneAgent.
  • Change monitoring settings. Allows changing of all environment settings. Can't install OneAgent.
  • Download & install OneAgent. Allows download of OneAgent and installation on hosts. Can't change settings.
  • View logs. Allows access to sensitive log file data.
  • View sensitive request data. Allows viewing of potentially personal data. Users that don't have this permission see that the data point exists but the personal data is masked out with *****.
  • Configure request capture data (upcoming feature). Allows configuration of request-data capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search.