topic Re: Restrict metric access via IAM policy in Open Q&A

Restrict metric access via IAM policy

andre_vdveen — Thu, 16 Jan 2025 09:06:03 GMT

Hi, is it possible to restrict user access to specific metrics via IAM policies? Based on the documentation, specifically the storage:metric.key, it seems it is, but I'm curious if anyone's done it before and if so, what would the syntax look like?

The client wants to restrict access to e.g., Azure firewall metrics so that only certain people can see them and the datapoints.

Thanks in advance,
André

Re: Restrict metric access via IAM policy

PacoPorro — Thu, 16 Jan 2025 11:33:18 GMT

Please check the ABAC approach in the documentation.
https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/migrate-roles#abac-implementation-in-your-dynatrace

The overall idea is to apply a boundary to a policy.

https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/iam-policy-boundaries

Re: Restrict metric access via IAM policy

andre_vdveen — Thu, 16 Jan 2025 15:57:54 GMT

Thanks @PacoPorro, I reviewed the docs before posting here 😉
The config I applied doesn't seem to work in my case, hence me hoping for an example or someone confirming it is actually possible to do it for specific metrics 🙂

Here's my policy and boundary syntax, perhaps I'm doing it wrong? I've applied the policy and boundary to my group, and added the user to the group.

Policy: ALLOW storage:metrics:read WHERE storage:metric.key='fragmentation.percentage';
Boundary: storage:metric.key='fragmentation.percentage';

Re: Restrict metric access via IAM policy

DanielS — Mon, 20 Jan 2025 20:14:01 GMT

Hi @andre_vdveen I copy an example of what I have configured and it is working as expected. Hope it helps you.

Re: Restrict metric access via IAM policy

andre_vdveen — Tue, 21 Jan 2025 10:20:49 GMT

Hi @DanielS thanks for sharing.

I've set it up exactly as you have it there in the screenshots, and applied the policy to my group, then added my user to the group (allow access) and made sure my other user (test user, no access) is not in that group, but the test user still has access to the metric 😞

I must be doing something wrong here, clearly...

Re: Restrict metric access via IAM policy

PacoPorro — Tue, 21 Jan 2025 10:25:43 GMT

Is it possible that the test user has unrestricted access to the metric storage?

Re: Restrict metric access via IAM policy

andre_vdveen — Tue, 21 Jan 2025 11:07:46 GMT

Most likely, yes but I thought custom metrics like in my case, would not fall under the scope for a user that is only a member of the 'Monitoring viewer' group, no other.

Re: Restrict metric access via IAM policy

DanielS — Wed, 22 Jan 2025 03:24:47 GMT

Look, @andre_vdveen This is a test group, same policy as previous post, and if I remove everything except the monitoring viewer and keep/remove metrics permissions, the user loses or gains access.

Re: Restrict metric access via IAM policy

andre_vdveen — Wed, 22 Jan 2025 07:52:20 GMT

Thanks @DanielS, does that work in the Data Explorer too though? I think that's where the difference comes in, I was looking there 😉

I've tested it again via Notebooks and it works as you've explained...yet in Data Explorer, the user can still see and access the metric. That's a bit of a problem, since some users who're not yet comfortable with Notebooks, will revert to using Data Explorer and still have access to the metrics they're not supposed to.

Re: Restrict metric access via IAM policy

DanielS — Wed, 22 Jan 2025 13:11:30 GMT

That's right @andre_vdveen for everything under the scope of the Classic Dynatrace I've managed everything with Management Zones and I allow or disallow metrics with the following rules:

Grail data access policies do not work with the classic schema, so during the transition it is necessary to manage both schemas. It may be a bit cumbersome but today we must coexist with both worlds.

Re: Restrict metric access via IAM policy

Maheedhar_T — Mon, 27 Jan 2025 05:19:49 GMT

Hey @andre_vdveen , @DanielS Kind of interesting discussion here.. Never noticed that because I often use DQL even for metrics but have you tried adding that metric to a MZ and then try restricting the user access based on MZs ?
Kind of always works 🙂 or even exploring segments might be a better option as this might replace MZs in far future 😜

Re: Restrict metric access via IAM policy

DanielS — Mon, 27 Jan 2025 18:29:09 GMT

Hi @Maheedhar_T that's right, for all Dynatrace Classic, working with MZ is the way to restrict access. But under the scope of the Latest Dynatrace, the approach is different. Thanks for joining the discussion.

Re: Restrict metric access via IAM policy

Maheedhar_T — Tue, 28 Jan 2025 06:26:06 GMT

Yeah @DanielS ,
Agreed. That's where using segments would be an alternative approach but again, we have to come back to using IAM to control the access of segments too.