https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248482#M32791 <P>Hi folks,&nbsp;</P> <P>I am looking to lock down the ability to view logs from a certain host group with the following IAM policy:<BR /><EM>"ALLOW storage:logs:read WHERE storage:dt.host_group.id = "Hostgroup2";"</EM></P> <P>In theory this should lock down my user to only be able to view logs for logs written by hosts in "Hostgroup2" HOWEVER when applying the policy my user is still able to see logs written by all host groups.&nbsp;<BR /><BR /></P> <P>Is anyone able to advise? i have followed the syntax and conditions defined in the IAM service reference documentation.</P> Tue, 18 Jun 2024 06:58:47 GMT JamesD09 2024-06-18T06:58:47Z https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248482#M32791 <P>Hi folks,&nbsp;</P> <P>I am looking to lock down the ability to view logs from a certain host group with the following IAM policy:<BR /><EM>"ALLOW storage:logs:read WHERE storage:dt.host_group.id = "Hostgroup2";"</EM></P> <P>In theory this should lock down my user to only be able to view logs for logs written by hosts in "Hostgroup2" HOWEVER when applying the policy my user is still able to see logs written by all host groups.&nbsp;<BR /><BR /></P> <P>Is anyone able to advise? i have followed the syntax and conditions defined in the IAM service reference documentation.</P> Tue, 18 Jun 2024 06:58:47 GMT https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248482#M32791 JamesD09 2024-06-18T06:58:47Z https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248484#M32792 <P>You can see from the Policy review below the condition is set but does not take effect:<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JamesD09_0-1718648577622.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/20586iEA75C325620D77A1/image-size/medium?v=v2&amp;px=400" role="button" title="JamesD09_0-1718648577622.png" alt="JamesD09_0-1718648577622.png" /></span></P><P>&nbsp;</P> Mon, 17 Jun 2024 18:23:04 GMT https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248484#M32792 JamesD09 2024-06-17T18:23:04Z https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248529#M32799 <P>Hi&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/50323">@JamesD09</a>&nbsp;<BR /><BR />have you checked with the "effective policies" tool whether there isn't another access right that would extend this policy and make this limitation ineffective?<BR />You also have to check that no RBAC permission gives the user&nbsp;more rights over logs than you'd expect.</P> Tue, 18 Jun 2024 09:46:14 GMT https://community.dynatrace.com/t5/Open-Q-A/IAM-policy-not-taking-effect/m-p/248529#M32799 GerardJ 2024-06-18T09:46:14Z