https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224113#M28733 <P>At the moment, tokens use their own scopes so you can't use policies on them, that's correct. I could see the benefit of being able to provide policies for API tokens as well.</P><P>The only workaround today is&nbsp;<A title="PATs" href="https://www.dynatrace.com/support/help/manage/access-control/access-tokens/personal-access-token" target="_blank" rel="noopener">personal access tokens</A>&nbsp;which inherit the permissions of the user that created the token, so this means also the policies attached to the customer.</P> Thu, 28 Sep 2023 12:59:12 GMT victor_balbuena 2023-09-28T12:59:12Z https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224110#M28731 <P>There is the option to use security policies to give users direct view or edit access on some specific schema's.</P><LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.maintenance-window";</LI-CODE><P>&nbsp;</P><P>But how can I create an API token with only that permission? The API-token scopes are not fine grained I presume.</P> Thu, 28 Sep 2023 12:44:24 GMT https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224110#M28731 Bert_VanderHeyd 2023-09-28T12:44:24Z https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224113#M28733 <P>At the moment, tokens use their own scopes so you can't use policies on them, that's correct. I could see the benefit of being able to provide policies for API tokens as well.</P><P>The only workaround today is&nbsp;<A title="PATs" href="https://www.dynatrace.com/support/help/manage/access-control/access-tokens/personal-access-token" target="_blank" rel="noopener">personal access tokens</A>&nbsp;which inherit the permissions of the user that created the token, so this means also the policies attached to the customer.</P> Thu, 28 Sep 2023 12:59:12 GMT https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224113#M28733 victor_balbuena 2023-09-28T12:59:12Z https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224119#M28735 <P>Using personal access tokens is difficult because it would require some kind of technical user which we don't have. It's not the biggest deal off course since we treat tokens as secrets. But if one would leak, it would give access to all settings while it could be restricted.</P> Thu, 28 Sep 2023 13:23:22 GMT https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/224119#M28735 Bert_VanderHeyd 2023-09-28T13:23:22Z https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/236185#M30886 <P>We have the same need here, we would like token (not personal ones) with more granular security to be able to give teams the right to manage only what they are supposed to.<BR />it is a big show stopper for devops practices</P> Fri, 02 Feb 2024 20:13:12 GMT https://community.dynatrace.com/t5/Open-Q-A/Restrict-settings-API-tokens-based-on-policies/m-p/236185#M30886 nicolas_nguyen 2024-02-02T20:13:12Z