topic Re: Permissions to access the latest version of Dynatrace in Open Q&A

Permissions to access the latest version of Dynatrace

gustavodutra — Mon, 08 Sep 2025 20:53:00 GMT

Hi everyone.

I'd like to know what permissions I need to grant users to access the latest version of Dynatrace.

Summary:

I have an environment where users need limited viewing. When accessing the tool, they receive the error below and can only use the old version.

The question is: What permissions are required for them to view the new platform?

By clicking on previous Dynatrace, they can use it normally.

Re: Problem with Latest Dynatrace Version

gustavodutra — Mon, 08 Sep 2025 19:09:30 GMT

Someone?

Re: Permissions to access the latest version of Dynatrace

p_devulapalli — Tue, 09 Sep 2025 02:36:08 GMT

@gustavodutra Have a look at the below, you can start with Standard User and build up on it.

https://docs.dynatrace.com/docs/shortlink/default-policies

https://docs.dynatrace.com/docs/shortlink/default-policies#DynatraceAccessStandardUser

Re: Permissions to access the latest version of Dynatrace

t_pawlak — Tue, 09 Sep 2025 11:56:27 GMT

The new views use AppEngine. So the policy:

//Classics
ALLOW environment:roles:viewer,

only grants access to the "old" version of Dynatrace.
You need to add policies like, for example:

//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read;
ALLOW automation:workflows:write WHERE automation:workflow-type = "SIMPLE";
ALLOW automation:workflows:run;

Re: Permissions to access the latest version of Dynatrace

DanielS — Tue, 09 Sep 2025 13:04:33 GMT

Hello @gustavodutra a minimum policy for them to access should be:

//States ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all; //Documents ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete; //Grail ALLOW storage:bucket-definitions:read; ALLOW storage:fieldset-definitions:read; ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete; //AppEngine ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read; //Notifications ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write, notification:notifications:read, notification:notifications:write; //Davis ALLOW davis:analyzers:read, davis:analyzers:execute; //Davis Copilot ALLOW davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute; //Settings ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read; //Classics ALLOW environment:roles:viewer; //Geolocations ALLOW geolocation:locations:lookup; //SLOs ALLOW slo:slos:read, slo:objective-templates:read; //BusinessInsights ALLOW insights:opportunities:read; ALLOW insights:moments:read;

Re: Permissions to access the latest version of Dynatrace

gustavodutra — Tue, 09 Sep 2025 13:38:53 GMT

Thanks for the reply. I used "Standard User," but it allows more than they should see.

I'm worried they'll see things I don't want, or they'll create/delete settings or extensions that generate additional costs.

Re: Permissions to access the latest version of Dynatrace

gustavodutra — Tue, 09 Sep 2025 13:40:26 GMT

What would this automation engine rule be?

Can they create, view, or delete workflows?

Because this is extremely costly.

Re: Permissions to access the latest version of Dynatrace

gustavodutra — Tue, 09 Sep 2025 13:43:02 GMT

My users shouldn't be able to view configurations, run them, or save any configuration.

My idea is for them to only have monitoring views of hosts, logs, Kubernetes, etc.

Is there specific documentation that explains what each rule does? Our environment is very critical, and we can't afford any lapses.

I'd like to know if there's a specific rule group that allows for viewing the latest Dynatrace interface.

If so, which ones?

Re: Permissions to access the latest version of Dynatrace

t_pawlak — Tue, 09 Sep 2025 13:46:19 GMT

ALLOW – grants the user/role permission to perform the action.
- automation:workflows:write – this is a specific permission type, meaning the ability to create and edit workflows in the AutomationEngine.
- WHERE automation:workflow-type = "SIMPLE" – a conditional restriction.

It doesn’t grant rights to all workflows.

It only allows writing (creating/editing) workflows that have type = SIMPLE.

In practice:
A user with this permission cannot create or edit advanced workflows (e.g., ADVANCED or other types), only those marked as SIMPLE.

In your case It’s enough to have only this:
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

Re: Permissions to access the latest version of Dynatrace

t_pawlak — Tue, 09 Sep 2025 19:30:14 GMT

// Classic environment and problem view (legacy UI)
ALLOW environment:roles:viewer, environment:roles:view-security-problems;

// Running applications (new interface), without configuration changes
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

// Unified analysis screens – read-only
ALLOW unified-analysis:screen-definition:read;

// SLO view – read-only
ALLOW slo:slos:read;

// Vulnerability view (Application Security) – read-only
ALLOW vulnerability-service:vulnerabilities:read;

// Optional (if you need to view extension definitions only)
ALLOW extensions:definitions:read;

u can add also Boundries to management zone.
And in maganement zone add only kubernetes, hosts, and services.
Here example of boundries:
environment:management-zone startsWith "name_of_mz";

Re: Permissions to access the latest version of Dynatrace

p_devulapalli — Tue, 09 Sep 2025 23:54:55 GMT

@gustavodutra You can always create a custom policy with limited permissions , you can limit the permissions to what the end user would need .

You can further restrict by using policy boundaries to limit view to the allowed resources

https://docs.dynatrace.com/docs/shortlink/iam-policy-boundaries

Re: Permissions to access the latest version of Dynatrace

gustavodutra — Tue, 16 Sep 2025 14:03:39 GMT

Hi everyone.

Testing the rules you sent me, I was able to identify that access to the "latest version" of Dynatrace is through the rules below:

ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

I adjusted them until I got it to what I wanted.

Another question: is there a place where these rules are detailed?

Dynatrace has many rules and little explanation of what each one means, and it's very confusing.

Thanks.

Re: Permissions to access the latest version of Dynatrace

p_devulapalli — Wed, 17 Sep 2025 11:41:27 GMT

@gustavodutra Here it is

https://docs.dynatrace.com/docs/shortlink/iam-policystatements

https://docs.dynatrace.com/docs/shortlink/iam-policystatement-syntax

Re: Permissions to access the latest version of Dynatrace

GregOReilly — Thu, 27 Nov 2025 06:59:58 GMT

This worked for me also.

Re: Permissions to access the latest version of Dynatrace

RamkumarTIH — Fri, 13 Feb 2026 19:44:47 GMT

Hi @gustavodutra

I am trying to restrict the workflow automation read/write/execute access for the Standard users. However i am unable to remove the ALLOW statements in the Standard user built-in Policy.

Do i need to create a separate custom policy with the DENY statement and assign it to the Operators ? If yes, will it override the ALLOW policies part of the Standard user group ?

//AppEngine
DENY app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

//AutomationEngine
DENY automation:workflows:read, automation:calendars:read, automation:rules:read;
DENY automation:workflows:write WHERE automation:workflow-type = "SIMPLE";
DENY automation:workflows:run;

Re: Permissions to access the latest version of Dynatrace

RamkumarTIH — Fri, 13 Feb 2026 20:27:32 GMT

I got it now.. As you mentioned, Looks like below one is mandatory for users to access new UI..

//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

Have created a custom Denial policy with the rules below. Now standard users are able to access both old UI and new UI but with restriction to Workflows App..

//Davis
DENY davis:analyzers:read, davis:analyzers:execute;

//Davis Copilot
DENY davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute;

//Grail
DENY storage:bucket-definitions:read;
DENY storage:fieldset-definitions:read;
DENY storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;

//AutomationEngine
DENY automation:workflows:read, automation:calendars:read, automation:rules:read;
DENY automation:workflows:write;
DENY automation:workflows:run;

//Extensions
DENY extensions:definitions:read;

Re: Permissions to access the latest version of Dynatrace

Theodore_x86 — Mon, 16 Feb 2026 13:45:53 GMT

Hello.

Any idea why the standard user cannot see the classic UIs?

Apparently, the "ALLOW environment:roles:viewer" policy is not enough.