topic Re: How to grant access to a user to only access data/entities/etc for a specific Management Zone or equivalent in Open Q&A

How to grant access to a user to only access data/entities/etc for a specific Management Zone or equivalent

ajvillarroelp1 — Fri, 07 Mar 2025 12:55:32 GMT

Hi,

I've been trying to do this but I could not find a solution.

user "A" belongs to Group "G"

Objetive:

-user A access to environment

- user A: read access to host/process/services data for only the entities in MZ "M".

What permissions or custom policy should I specify to accomplish this? Please provide details here.

Any help is appreciated.

Regards,

Antonio

Re: How to grant access to a user to only access data/entities/etc for a specific Management Zone or equivalent

DanielS — Fri, 07 Mar 2025 14:24:33 GMT

Hello @ajvillarroelp1 I can share with you the main points to be able to do it:

The concept of MZ has been deprecated in the new environment so you need to use the dt.security_context field. With this in mind Dynatrace provide us with the option to set for any entity the dt.security_context easily.
Go to Settings - Topology model - Grail security context for monitored entities and bind your entities to the Management Zones.
This example applies for entities

//Grail read data ALLOW storage:entities:read; ALLOW storage:buckets:read WHERE storage:table-name IN ("entities");}

Then create a Boundary to apply to this policy, with your MZ data

storage:dt.security_context = "<Your MZ Name>";

Then you need to replicate this for data, metrics with different policies.
To Give user A access you can use this standard policy (feel free to modify as needed):

//States ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all; //Documents ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete; //Unified analysis screens ALLOW unified-analysis:screen-definition:read; //Grail ALLOW storage:bucket-definitions:read; ALLOW storage:fieldset-definitions:read; ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete; //OpenPipeline ALLOW openpipeline:configurations:read; //Hub ALLOW hub:catalog:read; //AppEngine ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read; //Notifications ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write; //AutomationEngine ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read; ALLOW automation:workflows:write WHERE automation:workflow-type = "SIMPLE"; ALLOW automation:workflows:run; //Davis ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute; //Settings ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read; //Classics ALLOW environment:roles:viewer, environment:roles:view-security-problems; //Geolocations ALLOW geolocation:locations:lookup; // Vulnerability service ALLOW vulnerability-service:vulnerabilities:read; //SLOs ALLOW slo:slos:read, slo:objective-templates:read; //BusinessInsights ALLOW insights:opportunities:read;

Re: How to grant access to a user to only access data/entities/etc for a specific Management Zone or equivalent

DanielS — Fri, 07 Mar 2025 14:48:23 GMT

For further read I also post similar solution here.

Re: How to grant access to a user to only access data/entities/etc for a specific Management Zone or equivalent

ajvillarroelp1 — Thu, 13 Mar 2025 15:25:18 GMT

Hi,

Thank you for the answer. At the end, the solution that worked for me was this:

1.- Create a boundary

environment:management-zone = "MZNAME";
storage:dt.security_context = "MZNAME";

2.- Add the following custom policy (let's call it ACCESSREAD):

ALLOW environment:roles:viewer;
ALLOW storage:entities:read;

3.- Assign the ACCESSREAD policy to the group indicating the boundary created in the first step

4.- Assign the following permissions to the group indicating the boundary created in the first step

Read Entities, Standard User, Read Events, Read Security Events, All Grail data read access

Thanks again for the help.

Regards,

Antonio