https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264290#M34905 <P>I want to allow the users to modify settings (such as anomaly configuration) on a single service/entity level, without granting them the global settings on environment or cluster level for all services as global configuration.</P> <P>I first tried the following:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write WHERE settings:scope startsWith 'SERVICE-';</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The above policy statement does not seem to work as they do not see the setting option on the service/entity.</P> <P>Then I tried the following:</P> <P>&nbsp;</P> <LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write WHERE settings:schemaId = "builtin:anomaly-detection.services”;</LI-CODE> <P>&nbsp;</P> <P>The above policy statement does work on the service/entity level, but at the same time they also see the global environment settings option which I do not want.</P> <P>How can I have a policy statement that allow the user to only modify the settings on service and entity level, but not globally? Thanks in advance!</P> Wed, 04 Dec 2024 07:28:08 GMT Chen 2024-12-04T07:28:08Z https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264290#M34905 <P>I want to allow the users to modify settings (such as anomaly configuration) on a single service/entity level, without granting them the global settings on environment or cluster level for all services as global configuration.</P> <P>I first tried the following:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write WHERE settings:scope startsWith 'SERVICE-';</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The above policy statement does not seem to work as they do not see the setting option on the service/entity.</P> <P>Then I tried the following:</P> <P>&nbsp;</P> <LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write WHERE settings:schemaId = "builtin:anomaly-detection.services”;</LI-CODE> <P>&nbsp;</P> <P>The above policy statement does work on the service/entity level, but at the same time they also see the global environment settings option which I do not want.</P> <P>How can I have a policy statement that allow the user to only modify the settings on service and entity level, but not globally? Thanks in advance!</P> Wed, 04 Dec 2024 07:28:08 GMT https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264290#M34905 Chen 2024-12-04T07:28:08Z https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264432#M34916 <P>Hi, for this you may have to append management zone with this. Please try<BR /><BR /><A href="https://docs.dynatrace.com/docs/shortlink/iam-policystatements#settings-objects-write" target="_blank" rel="noopener">https://docs.dynatrace.com/docs/shortlink/iam-policystatements#settings-objects-write</A><BR /><A href="https://docs.dynatrace.com/docs/shortlink/iam-policy-boundaries#expressing-management-zones-inside-of-policy-boundaries" target="_blank" rel="noopener">https://docs.dynatrace.com/docs/shortlink/iam-policy-boundaries#expressing-management-zones-inside-of-policy-boundaries</A><BR /><BR /></P><UL class=""><LI>environment:management-zone<SPAN>&nbsp;</SPAN>-<SPAN>&nbsp;</SPAN>The name of a management zone. This condition is applicable to either: any settings object that is allowed on the scope of an entity that can be matched into a management zone or settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.<BR /><SPAN>operators:&nbsp;IN&nbsp;,=&nbsp;,startsWith</SPAN></LI></UL> Thu, 05 Dec 2024 01:21:55 GMT https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264432#M34916 RohitBisht 2024-12-05T01:21:55Z https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264795#M34977 <P>Lovely, it worked perfectly after implementing the management-zone. Thanks a lot!</P> Mon, 09 Dec 2024 16:29:52 GMT https://community.dynatrace.com/t5/Open-Q-A/Policy-to-only-allow-user-to-configure-service-settings/m-p/264795#M34977 Chen 2024-12-09T16:29:52Z