topic Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context in Alerting

IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

anaidu — Mon, 24 Mar 2025 07:51:23 GMT

Hello Dynatracers,

I'm currently facing a challenge in configuring IAM policies to restrict problem visibility in the New Problems App.

We have a user group, ABC, which is assigned the Standard user policy, and is further restricted by a policy boundary that includes:

A specific Management Zone (MZ) rule
A separate Security Context rule

When a user from this ABC group logs in:

They are able to access the New Problems App, but
No problems are visible in the app (nor on any dashboard widgets based on the new Problems view)

Interestingly, as soon as we remove the policy boundary, they are able to view all problems — but this is not acceptable, as we don't want users to view problems beyond their relevant MZ.

With the traditional Problems App, the same boundary configuration works as expected — problems are scoped correctly to their MZ.

Our challenge is:

The New Problems App does not honor the MZ/Security Context restriction in the same way
Our new dashboards rely on this new Problems view, meaning these restricted users now see nothing

Request: How can we configure IAM policies and boundaries so that:

Users can view problems in the New Problems App and dashboards
But only those problems within their assigned Management Zone or Security Context

Is there a supported way to achieve this today? Or a roadmap plan to support MZ-based scoping in the New Problems App similar to the legacy behavior?

Thanks in advance.

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

patryk_ozimek2 — Mon, 24 Mar 2025 20:53:52 GMT

Hi,

You just need to create a custom IAM policy with the storage:events:read permission.

For example:
ALLOW storage:events:read WHERE storage:dt.security_context = "<value>";

You can find other conditions here: https://docs.dynatrace.com/docs/shortlink/iam-policystatements#storage-events-read

Best Regards
Patryk

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

patryk_ozimek2 — Mon, 24 Mar 2025 21:06:04 GMT

The whole permissions list is available in DT Hub

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

Mohamed_Hamdy — Tue, 25 Mar 2025 04:52:34 GMT

Hello @anaidu ,

I suggest opening a support ticket, as the current behavior doesn't align with what's described in the documentation: https://docs.dynatrace.com/docs/shortlink/iam-policystatements. Some conditions and operators don’t seem to function as expected.

As a temporary workaround—which may not cover all scenarios—you could try creating a separate policy specifically for event access. Be sure to use the condition within the policy itself, not as a boundary.

You can use the dt.host_group.id with the IN operator. For example:

ALLOW storage:events:read WHERE storage:dt.host_group.id IN ("")

This might not fully resolve the issue, but it could serve as a helpful interim step.

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

anaidu — Tue, 25 Mar 2025 05:40:18 GMT

Hi @patryk_ozimek2,

Thanks for sharing. We've applied the same configuration using these rules across both events and other storage types, but it's still not working.

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

anaidu — Tue, 25 Mar 2025 05:42:40 GMT

Hello @Mohamed_Hamdy,

Thanks for sharing the workaround, we will use as interim solution till the issue is completely resolved.

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

Peter_Youssef — Tue, 25 Mar 2025 05:54:00 GMT

Hello @anaidu

In parallel while applying the relevant solutions provided by @Mohamed_Hamdy , @patryk_ozimek2 , feel free to raise the case as a product idea

KR,

Peter

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

patryk_ozimek2 — Sun, 30 Mar 2025 19:16:07 GMT

Are you sure that you have events in grail enabled in your tenant?

Best Regards

Patryk

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

J01am — Thu, 03 Apr 2025 16:44:37 GMT

Hi all !
I have the same problem

What I see is that my Problem didn't have a dt.security_context field filled. I tried to apply the documentation here, but the field still keep empty.
Anyone already fix that ?

Thank you

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

patryk_ozimek2 — Thu, 22 May 2025 12:10:51 GMT

Hi,

I encountered the same problem. Seems like there is no permissions for dt.davis.problems.

If you open developer tools in your browser and query something in the new problems app you can find a request with query: "{ canonicalQuery: 'fetch dt.davis.problems, from:now() - 2h ..."

So we have to follow this doc.

I don't know how should I set problem fields for security context. I can add only one field that maps something to the security context and I have no idea what to use here to make sure that every event will have security context mapped.

Is there any recommended approach?

I don't know why DT complicated it that much.

Best Regards
Patryk

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

ftmazzone — Thu, 10 Jul 2025 08:02:35 GMT

Hello,

We are facing the same issue, do you know when the fix will be delivered ?

Best Regards,

Florent

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

ftmazzone — Tue, 15 Jul 2025 08:55:58 GMT

Hello @peter,
I've created a ticket to the support. Do you have any update on your side about this issue? Currently the boundaries cannot be used as they won't work with all Dynatrace apps.

Kr,

Florent

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

Prema — Tue, 06 Jan 2026 08:56:26 GMT

Hello,

We are also facing the same issue. Has anyone found a solution or been able to resolve it?

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

ftmazzone — Tue, 06 Jan 2026 13:42:09 GMT

Hello @Prema ,
I've found a solution using security context and OpenPipeline Davis Problems. I set the security context of the problems with an open pipeline and configure the access of the users with a template policy.

Example of policy :

ALLOW storage:events:read WHERE storage:dt.security_context IN ("${bindParam:security-context-ids}");

However it would be much more logic, if the problems generated with one agents generated traces or metrics already had a security context set per default.

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

kranthi — Fri, 06 Feb 2026 17:08:13 GMT

Hi @ftmazzone , Can i have this in detailed way. because we are using boundaries restricted with management zone and security context. But unfortunately, users with these permissions are unable to view the latest UI/ Gen3 based environment like data/metrics/logs

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

ftmazzone — Mon, 09 Feb 2026 12:56:24 GMT

Hi @kranthi ,

We don't use boundaries but template policies however both should work.

1. Could you check if the field `dt.security_context` is set and visible in the page `Problems` ?
2. Are the logs or metrics with the same `dt.security_context` visible for the users havbing this boundary ?

Re: IAM Policies for New Problems App: Restricting Problem Visibility by Management Zone or Security Context

kranthi — Mon, 09 Feb 2026 13:13:41 GMT

@ftmazzone , Actually this parameter is available for account admins, environments admis.
In our case we are actually looking to restrict the user with boundaries for latest UI we are using `dt.security_context` as suggested by Dynatrace Vendor similarly for Classic UI we are using management zones. User's able to view all of the allowed information in Classic UI but, when it comes to latest UI of dynatrace entities and its names along with `dt.security_context` is visible but user's unable to view the metrics, logs, kuberenetes node names, workload names, etc. But data/metrics/logs related to them is not visible to the user's.