topic How do you bind “Segments” (saved filters) to IAM/RBAC policies? in Open Q&A

How do you bind “Segments” (saved filters) to IAM/RBAC policies?

JonhBk201 — Tue, 16 Sep 2025 08:05:47 GMT

We want Group A to use only Segments S1 and S2—and see only that data. They should not see or find any other Segments. Is this supported? If yes, how do we configure it (permissions/settings/API)? A short example would help.

Thank you in advance for your help and any concrete examples—much appreciated.

Re: How do you bind “Segments” (saved filters) to IAM/RBAC policies?

michiel_otten — Mon, 15 Sep 2025 15:55:16 GMT

Segments cannot be used in IAM policies. You should use the dt security context in your permissions. You can use this to prevent people from accessing certain data in Grail.

Re: How do you bind “Segments” (saved filters) to IAM/RBAC policies?

JonhBk201 — Mon, 15 Sep 2025 16:35:36 GMT

Thanks. One concern: we’re in a shared environment. If we enforce dt security context for Grail, will that limit Davis’ correlation scope and risk hiding true root causes? Does Davis analyze all data and then filter by permissions, or is its analysis itself constrained by the security context? Any best-practice for shared envs?

Re: How do you bind “Segments” (saved filters) to IAM/RBAC policies?

michiel_otten — Wed, 10 Dec 2025 09:36:07 GMT

Hi John,

Setting up IAM policies gives or remove access to metrics, traces, logs and entities for users in a group, not Davis itself. So root cause analysis will work. Also problem correlation will work accordingly.

The only challenge you can face is that users are not allowed to view every event or entities that is referred to in the problem (dt security context prevents this of course).

I guess for a best practice I would recommend only reduce access if absolutely needed: f.e vendor 1 cannot see information of vendor B.

Tip: create a group that uses policy boundaries, that way you can use 1 permission to access data and bound the group to different boundaries.

https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/iam-policy-boundaries

KR.

Michiel

Re: How do you bind “Segments” (saved filters) to IAM/RBAC policies?

JonhBk201 — Mon, 15 Sep 2025 18:08:42 GMT

Appreciate the thorough explanation, Michiel. Knowing Davis isn’t constrained by user IAM lets us proceed confidently. We’ll minimize restrictions (mainly to separate vendors/teams), adopt policy boundaries per group to reuse the same permission set, and set expectations that some events/entities in a problem may be hidden by dt security context. Thanks again for the guidance.

Kind regards,

Jonh