https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283228#M37283 <P>Well, this is a broad answer and may vary from organization to organization, but I can share my dedicated policy for power users to use in conjunction with the ALLOW environment:roles:viewer; role:</P><LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name", "builtin:synthetic.browser.scheduling", "builtin:synthetic.http.name", "builtin:synthetic.http.scheduling", "builtin:synthetic.browser.assigned-applications", "builtin:synthetic.http.performance-thresholds", "builtin:synthetic.browser.kpms", "builtin:synthetic.http.assigned-applications", "builtin:synthetic.http.cookies", "builtin:synthetic.browser.performance-thresholds"); ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.http-parameters", "builtin:failure-detection.service.general-parameters", "builtin:anomaly-detection.metric-events", "builtin:davis.anomaly-detectors", "builtin:metric.metadata", "builtin:settings.calculated-service-metrics", "builtin:user-action-custom-metrics" , "builtin:custom-metrics" , "builtin:tags.auto-tagging", "builtin:tags.manual-tagging", "builtin:alerting.maintenance-window", "builtin:alerting.profile", "builtin:problem.notifications", "builtin:monitoring.slo"); ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.mobile.name", "builtin:rum.mobile.key-performance-metrics", "builtin:rum.mobile.request-errors", "builtin:rum.source-mappings", "builtin:rum.web.name", "builtin:rum.web.request-errors", "builtin:rum.web.custom-errors"); ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.mutedrequests", "builtin:settings.subscriptions.service");</LI-CODE><P>Hope it helps! At least is not a blank sheet to work on....</P> Wed, 06 Aug 2025 23:05:09 GMT DanielS 2025-08-06T23:05:09Z https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283187#M37272 <P>Hello,</P><P>We are a small Dynatrace team working within a large organization, focusing on a self-serve model where "Power Users" manage application monitoring. Recently, we've encountered challenges with unintended changes affecting the organization, such as broad Maintenance Windows affecting alerting and issues with accidental OPL deletion.</P><P>We are seeking advice on what settings and applications we should restrict to admin-only access for settings we haven't thought of yet. While we have already secured the above examples and provided guidance on protocols, we would appreciate insights on additional settings or applications that should be exclusively managed by our team.</P> Wed, 06 Aug 2025 17:11:06 GMT https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283187#M37272 eric_holloway 2025-08-06T17:11:06Z https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283198#M37276 <P>Hello&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/65063">@eric_holloway</a>&nbsp;what you want is perfectly doable.</P><P>The way to do it through policies. I leave you the reference to start.&nbsp;<A href="https://docs.dynatrace.com/docs/shortlink/iam-policystatements" target="_blank">https://docs.dynatrace.com/docs/shortlink/iam-policystatements</A>&nbsp;and an overall guide&nbsp;<A href="https://docs.dynatrace.com/docs/shortlink/access-platform" target="_blank">https://docs.dynatrace.com/docs/shortlink/access-platform</A>&nbsp;</P><P>Please let me know if I can be of further assistance.</P><P>&nbsp;</P> Wed, 06 Aug 2025 15:54:44 GMT https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283198#M37276 DanielS 2025-08-06T15:54:44Z https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283199#M37277 <P>I also add this <A href="https://www.dynatrace.com/news/blog/tailored-access-management-for-dynatrace-part-1-one-configuration-for-all-authorization-requirements/" target="_blank" rel="noopener">blog post</A> where you have a longer explanation, have in mind that this is the first one on a series.&nbsp;</P> Wed, 06 Aug 2025 15:57:04 GMT https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283199#M37277 DanielS 2025-08-06T15:57:04Z https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283204#M37279 <P>Yeah, we are doing it through policies. My questions is "what settings can be high impact for an org and should be locked down to admins only?"</P> Wed, 06 Aug 2025 17:09:40 GMT https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283204#M37279 eric_holloway 2025-08-06T17:09:40Z https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283228#M37283 <P>Well, this is a broad answer and may vary from organization to organization, but I can share my dedicated policy for power users to use in conjunction with the ALLOW environment:roles:viewer; role:</P><LI-CODE lang="markup">ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name", "builtin:synthetic.browser.scheduling", "builtin:synthetic.http.name", "builtin:synthetic.http.scheduling", "builtin:synthetic.browser.assigned-applications", "builtin:synthetic.http.performance-thresholds", "builtin:synthetic.browser.kpms", "builtin:synthetic.http.assigned-applications", "builtin:synthetic.http.cookies", "builtin:synthetic.browser.performance-thresholds"); ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.http-parameters", "builtin:failure-detection.service.general-parameters", "builtin:anomaly-detection.metric-events", "builtin:davis.anomaly-detectors", "builtin:metric.metadata", "builtin:settings.calculated-service-metrics", "builtin:user-action-custom-metrics" , "builtin:custom-metrics" , "builtin:tags.auto-tagging", "builtin:tags.manual-tagging", "builtin:alerting.maintenance-window", "builtin:alerting.profile", "builtin:problem.notifications", "builtin:monitoring.slo"); ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.mobile.name", "builtin:rum.mobile.key-performance-metrics", "builtin:rum.mobile.request-errors", "builtin:rum.source-mappings", "builtin:rum.web.name", "builtin:rum.web.request-errors", "builtin:rum.web.custom-errors"); ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.mutedrequests", "builtin:settings.subscriptions.service");</LI-CODE><P>Hope it helps! At least is not a blank sheet to work on....</P> Wed, 06 Aug 2025 23:05:09 GMT https://community.dynatrace.com/t5/Open-Q-A/Permission-Restriction-for-High-Impact-Settings/m-p/283228#M37283 DanielS 2025-08-06T23:05:09Z