topic Re: How do you allow power users to configure alerts via API without overprivileging them? in Alerting https://community.dynatrace.com/t5/Alerting/How-do-you-allow-power-users-to-configure-alerts-via-API-without/m-p/301317#M6393 <P>Hi,</P><P>As far as I know, settings:write is not currently granular. It grants write access through the Settings API, and it cannot be scoped down to specific settings schemas (for example, only alerting-related settings). In practice, a token with settings:write can modify a much broader set of platform configuration than just alert definitions.</P><P>Because of that, I personally wouldn't hand out settings:write API tokens directly to development teams.</P><P>The patterns that seem to work best are:</P><P>Monitoring as Code – store alert definitions in Git (Terraform, Monaco, or your own deployment pipeline) and let a CI/CD pipeline deploy them using a centrally managed token with settings:write.<BR />Broker/API layer – teams submit requests to an internal service or workflow, which validates things like Management Zones, naming conventions, or allowed alert types before calling the Dynatrace Settings API.<BR />GUI + IAM roles – if the volume of changes is relatively low, using the UI with well-designed IAM roles and policies may actually be the simpler and safer option.</P><P>If your goal is to delegate ownership to individual teams, I'd also recommend combining this with:</P><P>Management Zones,<BR />IAM policies to limit data visibility,<BR />naming standards and change review processes.</P><P>Unfortunately, the Settings API itself doesn't currently provide a way to say, "this token may only manage alert settings for this specific team."</P><P>I'd be interested to hear how other customers approach this, but my impression is that larger organizations generally prefer a centralized GitOps/Monitoring-as-Code workflow over distributing settings:write tokens directly to power users.<BR /><BR />Also, if you're looking at delegating permissions, I'd recommend spending some time on IAM policies rather than relying solely on API token scopes. We built a small Dynatrace Policy Calculator that helps generate least-privilege IAM policies for common use cases, which can be useful when designing roles for power users while keeping permissions as limited as possible:<BR /><A href="https://omnilogy.pl/en/policy-manager" target="_self">Omnilogy Policy Manager / Policy Calculator</A>&nbsp;<BR /><BR /></P> Mon, 29 Jun 2026 12:40:10 GMT t_pawlak 2026-06-29T12:40:10Z How do you allow power users to configure alerts via API without overprivileging them? https://community.dynatrace.com/t5/Alerting/How-do-you-allow-power-users-to-configure-alerts-via-API-without/m-p/301302#M6392 <P>Hi all,</P> <P>We’re currently trying to figure out how other Dynatrace customers handle alert configuration via the API, especially when delegating this to power users in different development areas.</P> <P>Up until now, we’ve mostly managed everything through the Dynatrace GUI. We’re not very mature yet in monitoring as code or in using the API extensively, but we can tell we’re reaching a point where we need to start doing things more systematically.</P> <P>Our idea was:</P> <P>- Give each development area its own API token<BR />- Let those teams configure their own alerts via the API</P> <P>However, from what I can see, alert configuration uses the Settings API, which in turn requires the settings:write scope. My understanding is that this scope allows write access to all settings configurations across the platform, not just alerting related ones.</P> <P>That raises a few questions:</P> <P>1. Is settings:write really all‑or‑nothing, or is there a way to scope it down to specific settings schemas or domains?&nbsp;<BR /><BR />2. How are other customers handling this in practice?<BR />- Do you actually give settings:write tokens to dev teams/power users?<BR />- Do you restrict them in some other way?<BR /><BR />3. Are there recommended patterns or best practices from Dynatrace for:<BR />- Delegating alert configuration safely<BR />- Avoiding “too much power” with a single token</P> <P>Any examples of how you structure roles, tokens, or processes around this would be really helpful. We’re trying to balance flexibility for teams with not opening up the entire settings surface area.</P> <P>In general, we just want users to be able to manage alerting to their liking in the best way possible; maybe we are overthinking it with the API solution.</P> <P>Thanks in advance for any insights or patterns you can share!</P> Tue, 30 Jun 2026 12:39:13 GMT https://community.dynatrace.com/t5/Alerting/How-do-you-allow-power-users-to-configure-alerts-via-API-without/m-p/301302#M6392 rsmsdk 2026-06-30T12:39:13Z Re: How do you allow power users to configure alerts via API without overprivileging them? https://community.dynatrace.com/t5/Alerting/How-do-you-allow-power-users-to-configure-alerts-via-API-without/m-p/301317#M6393 <P>Hi,</P><P>As far as I know, settings:write is not currently granular. It grants write access through the Settings API, and it cannot be scoped down to specific settings schemas (for example, only alerting-related settings). In practice, a token with settings:write can modify a much broader set of platform configuration than just alert definitions.</P><P>Because of that, I personally wouldn't hand out settings:write API tokens directly to development teams.</P><P>The patterns that seem to work best are:</P><P>Monitoring as Code – store alert definitions in Git (Terraform, Monaco, or your own deployment pipeline) and let a CI/CD pipeline deploy them using a centrally managed token with settings:write.<BR />Broker/API layer – teams submit requests to an internal service or workflow, which validates things like Management Zones, naming conventions, or allowed alert types before calling the Dynatrace Settings API.<BR />GUI + IAM roles – if the volume of changes is relatively low, using the UI with well-designed IAM roles and policies may actually be the simpler and safer option.</P><P>If your goal is to delegate ownership to individual teams, I'd also recommend combining this with:</P><P>Management Zones,<BR />IAM policies to limit data visibility,<BR />naming standards and change review processes.</P><P>Unfortunately, the Settings API itself doesn't currently provide a way to say, "this token may only manage alert settings for this specific team."</P><P>I'd be interested to hear how other customers approach this, but my impression is that larger organizations generally prefer a centralized GitOps/Monitoring-as-Code workflow over distributing settings:write tokens directly to power users.<BR /><BR />Also, if you're looking at delegating permissions, I'd recommend spending some time on IAM policies rather than relying solely on API token scopes. We built a small Dynatrace Policy Calculator that helps generate least-privilege IAM policies for common use cases, which can be useful when designing roles for power users while keeping permissions as limited as possible:<BR /><A href="https://omnilogy.pl/en/policy-manager" target="_self">Omnilogy Policy Manager / Policy Calculator</A>&nbsp;<BR /><BR /></P> Mon, 29 Jun 2026 12:40:10 GMT https://community.dynatrace.com/t5/Alerting/How-do-you-allow-power-users-to-configure-alerts-via-API-without/m-p/301317#M6393 t_pawlak 2026-06-29T12:40:10Z