topic Re: Dashboard Access Policies/Permissions in Dashboarding

Dashboard Access Policies/Permissions

PedroSantos — Mon, 03 Mar 2025 10:41:15 GMT

Hello community,

The issue I'm facing today is that I'm trying to give a specific user read access to a single dashboard (inside the Dashboards app, so not classic) in my environment. This user should only have this permission, and access to nothing else.

However I can't seem to be able to figure out a simple/effective way to do it.

Can anyone give me pointers on how to do this?

Thanks in advance x)

Re: Dashboard Access Policies/Permissions

KeeganNelson — Fri, 28 Feb 2025 19:11:41 GMT

Hello PedroSantos.

Within individual dashboards there is an option to "share" dashboard. There is an opportunity to share access to people and groups that are in your environment with "can view' or "can edit" access. As well as an opportunity to create a link with the same permissions. Please refer to the screenshot below.

Hope this helps!

Re: Dashboard Access Policies/Permissions

AgataWlodarczyk — Tue, 04 Mar 2025 09:11:19 GMT

@PedroSantos does it solve your case? 🙂

Re: Dashboard Access Policies/Permissions

PedroSantos — Wed, 05 Mar 2025 17:06:39 GMT

Hello @KeeganNelson ,

Unfortunately, this does not solve my problem. The link or share option, by itself, doesn't grant access to anything.

Case in point, I have a test user with the right "shared" permissions on my dashboard:

(The "Can Edit" option doesn't work either)

And this is what the test user sees:

Generating a link for access provides the following results:

Bluntly put, it's not possible to grant access to a user who doesn't have the permission to, for example, see the dashboards app. In my case the user has permissions to see the dashboards app but something is missing.

In order for a user to be able to see the new dashboards app, and then only the dashboard I want them to see, they need actual permissions likely defined by policies.

I tried to tweak with the policies and grant access but with this access, comes the ability to see to a lot of pre-set dashboards:

I don't want them to be able to see any of this.

So my question evolves to:

What permissions and/or policies do I need to define in order to ensure a user only has access to a single dashboard?

I understand that at the very least they'll need to have access to the dashboards app so I added this:

ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.dashboards";

Given there isn't an "easy" way to do this, what else do I need to add?

Re: Dashboard Access Policies/Permissions

moin_DT1 — Wed, 05 Mar 2025 17:13:55 GMT

@PedroSantos Also you can try using custom Policies and Boundaries, where you can defined exactly what you want to share and to whom you want to share:

https://docs.dynatrace.com/docs/shortlink/iam

Re: Dashboard Access Policies/Permissions

AntonioSousa — Wed, 12 Mar 2025 18:30:06 GMT

@AgataWlodarczyk,

Unfortunately, no. It seems it's not possible. As the use-case seems particularly relevant, I have posted a Product Idea: https://community.dynatrace.com/t5/Product-ideas/Hide-Ready-made-dashboards/idi-p/272303

Re: Dashboard Access Policies/Permissions

Irdina — Thu, 29 May 2025 03:43:08 GMT

Hye @PedroSantos , im new to dynatarce and facing the same issue. have u succeed in creating the policy stated? the initial policy im creating include these permissions:
\\unified-analysis – for dashboard structure
ALLOW unified-analysis:screen-definition:read;
\\Grail
ALLOW storage:metrics:read;
ALLOW storage:logs:read;
ALLOW storage:entities:read;
ALLOW storage:buckets:read;
\\slo - ONLY if SLO widgets exist
ALLOW slo:slos:read;

however w that permissions only, user cant even access the environment, so i add ALLOW environment:roles:viewer to the policy, but now, user have more than just read dashboard access(can edit and create etc). so is there a solution for this? any help would be greatly appreciated

Re: Dashboard Access Policies/Permissions

PedroSantos — Mon, 02 Jun 2025 09:12:54 GMT

Hello @Irdina ,

What we did was create a policy with the following permissions:

ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.dashboards"; //Grail ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete; ALLOW storage:system:read; //Metrics ALLOW storage:buckets:read WHERE storage:table-name = "metrics"; ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.service.request"; ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.synthetic.http"; ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.synthetic.browser"; //Entities ALLOW storage:entities:read; //Documents ALLOW document:environment-shares:read; ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write; ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete; ALLOW environment:roles:viewer WHERE environment:management-zone IN ("YOUR-MANAGEMENT-ZONE-NAME");

It's not a perfect solution but it's close enough.

We only allow access to the dashboard app. Then we allow access to the metrics bucket, and finally only allow access to specific metrics which are needed to populate this specific dashboard.

We also limited access to a single, specific, management zone.

That being said, this might not work for your specific dashboard because you need to figure out which metrics your dashboard uses and make a policy for those.

Re: Dashboard Access Policies/Permissions

Irdina — Wed, 04 Jun 2025 07:43:43 GMT

Hello @PedroSantos , @moin_DT1 ,
I have successfully created the intended policy and yes, it is similar to the approach you provided, thank you for the help !!!

Re: Dashboard Access Policies/Permissions

SSelvaraj11 — Tue, 03 Mar 2026 22:37:47 GMT

I have an issue; I am a DT admin and want to view all dashboards created in the tenant. But it looks like until the user explicitly shares it with me, I cannot view it. Is it by design? Because it was not the case with managed.

Re: Dashboard Access Policies/Permissions

AntonioSousa — Wed, 04 Mar 2026 00:13:05 GMT

@SSelvaraj11 ,

Since 1.328, administrator can manage dashboards, notebooks and other documents:
https://docs.dynatrace.com/docs/shortlink/release-notes-saas-sprint-328#management-of-dashboards-notebooks-and-other-documents-for-administrators