https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/259546#M1467 <P>Service Users have been around in Dynatrace for some time now. Although first only createable via API, they can now be created via the Account management UI as well. However I ran into a not-so obvious challenge there when I wanted to create a service user for my monaco deployment pipeline.<BR />Monaco requires an OAuth Client to work. So I wanted to create an OAuth Client for a service user. When you do that via the UI you will be challenged by this message:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="service-user-oauth.png" style="width: 502px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23729i465994E26D40941F/image-dimensions/502x414?v=v2" width="502" height="414" role="button" title="service-user-oauth.png" alt="service-user-oauth.png" /></span></P><P>The problem is that you cannot easily assign the "account-user-mangement" permission to a service user. If you try to edit the service user you will not get this permission listed to add it (likely because it is a account permission with no policy available?).</P><P>My intuitive thought was:</P><P><EM>"OK, lets create a group; give that group account user management permissions; bind monaco required policies to it and then add the service user to that group"</EM></P><P>This also fails because you can't add a service user to a group like any other user! (<STRONG>IMO that is a bug!</STRONG>)</P><P>So I tried this, which worked:</P><P>First: create a group "Monaco" assign it account permissions and bind some policies to it:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_0-1729160252798.png" style="width: 714px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23730i231795139941BDCD/image-dimensions/714x356?v=v2" width="714" height="356" role="button" title="r_weber_0-1729160252798.png" alt="r_weber_0-1729160252798.png" /></span></P><P>Second: since you can't add a service user to the group via UI, add it to the "Monaco" group via API.<BR />In my case I did this via monaco (using another OAuth client):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_1-1729160478619.png" style="width: 638px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23731iA7167BDAC554FEA4/image-dimensions/638x88?v=v2" width="638" height="88" role="button" title="r_weber_1-1729160478619.png" alt="r_weber_1-1729160478619.png" /></span></P><P>Now the service user has the required permissions so that we can create a OAuth client for it. The UI will not complain about missing permissions of the service user:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_2-1729160629227.png" style="width: 620px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23732i63A29E4CC7E550B5/image-dimensions/620x333?v=v2" width="620" height="333" role="button" title="r_weber_2-1729160629227.png" alt="r_weber_2-1729160629227.png" /></span></P><P>And you can now change your Monaco setup to use the new service user OAuth client. Any configuration change will now be recorded as done by the service user instead of any personalized account:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_3-1729160783341.png" style="width: 833px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23733iE7AB7005AB739EFA/image-dimensions/833x102?v=v2" width="833" height="102" role="button" title="r_weber_3-1729160783341.png" alt="r_weber_3-1729160783341.png" /></span></P><P>I think after the creation of the OAuth client you can also remove the service user from the "Monaco" group again, but I haven't tested that so far.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 17 Oct 2024 10:28:18 GMT r_weber 2024-10-17T10:28:18Z https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/259546#M1467 <P>Service Users have been around in Dynatrace for some time now. Although first only createable via API, they can now be created via the Account management UI as well. However I ran into a not-so obvious challenge there when I wanted to create a service user for my monaco deployment pipeline.<BR />Monaco requires an OAuth Client to work. So I wanted to create an OAuth Client for a service user. When you do that via the UI you will be challenged by this message:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="service-user-oauth.png" style="width: 502px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23729i465994E26D40941F/image-dimensions/502x414?v=v2" width="502" height="414" role="button" title="service-user-oauth.png" alt="service-user-oauth.png" /></span></P><P>The problem is that you cannot easily assign the "account-user-mangement" permission to a service user. If you try to edit the service user you will not get this permission listed to add it (likely because it is a account permission with no policy available?).</P><P>My intuitive thought was:</P><P><EM>"OK, lets create a group; give that group account user management permissions; bind monaco required policies to it and then add the service user to that group"</EM></P><P>This also fails because you can't add a service user to a group like any other user! (<STRONG>IMO that is a bug!</STRONG>)</P><P>So I tried this, which worked:</P><P>First: create a group "Monaco" assign it account permissions and bind some policies to it:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_0-1729160252798.png" style="width: 714px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23730i231795139941BDCD/image-dimensions/714x356?v=v2" width="714" height="356" role="button" title="r_weber_0-1729160252798.png" alt="r_weber_0-1729160252798.png" /></span></P><P>Second: since you can't add a service user to the group via UI, add it to the "Monaco" group via API.<BR />In my case I did this via monaco (using another OAuth client):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_1-1729160478619.png" style="width: 638px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23731iA7167BDAC554FEA4/image-dimensions/638x88?v=v2" width="638" height="88" role="button" title="r_weber_1-1729160478619.png" alt="r_weber_1-1729160478619.png" /></span></P><P>Now the service user has the required permissions so that we can create a OAuth client for it. The UI will not complain about missing permissions of the service user:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_2-1729160629227.png" style="width: 620px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23732i63A29E4CC7E550B5/image-dimensions/620x333?v=v2" width="620" height="333" role="button" title="r_weber_2-1729160629227.png" alt="r_weber_2-1729160629227.png" /></span></P><P>And you can now change your Monaco setup to use the new service user OAuth client. Any configuration change will now be recorded as done by the service user instead of any personalized account:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="r_weber_3-1729160783341.png" style="width: 833px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/23733iE7AB7005AB739EFA/image-dimensions/833x102?v=v2" width="833" height="102" role="button" title="r_weber_3-1729160783341.png" alt="r_weber_3-1729160783341.png" /></span></P><P>I think after the creation of the OAuth client you can also remove the service user from the "Monaco" group again, but I haven't tested that so far.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 17 Oct 2024 10:28:18 GMT https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/259546#M1467 r_weber 2024-10-17T10:28:18Z https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/259562#M1468 <P>You can remove the account management permissions after you create the service client, it will continue to work.</P> Thu, 17 Oct 2024 12:25:48 GMT https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/259562#M1468 eduard_van_der1 2024-10-17T12:25:48Z https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/275779#M1617 <P>Hi,</P><P>Thank you!</P><P>I think it was a bug, you can <SPAN>easily assign the "account-user-mangement" permission to a service user, from the UI, right now.</SPAN></P><P><SPAN>Best regards</SPAN></P> Wed, 23 Apr 2025 15:32:50 GMT https://community.dynatrace.com/t5/Dynatrace-tips/Pro-Tip-Run-Monaco-Deployments-as-OAuth-Service-User/m-p/275779#M1617 AntonPineiro 2025-04-23T15:32:50Z