topic Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell in Dynatrace tips

RBAC to ABAC migration helper scripts: Notebook and PowerShell

Jon2 — Thu, 03 Oct 2024 06:35:40 GMT

The attached Zip file contains two scripts that are provided 'as is' to help Administrators planning on migrating their Dynatrace role-based permissions to attribute-based ones in order to leverage the IAM policies.

One script comes in the form of a Notebook export, which you can import and execute in your Dynatrace. The other is a PowerShell script which you can run from any machine with PowerShell installed and access to the Internet.

Both script serve the same purpose; they generate a list of RBAC permissions you have currently assigned to your groups. For each discoveredRBAC permission they also recommend potential replacement with permissions defined within policies.

Scripts connect to your Dynatrace using your provided OAuth token and generate current RBAC role assignments within your Dynatrace.

Pre-Reqs:

Generate an OAuth Client within Account Management -> Identity and access management -> OAuth clients) with following permissions:
- "View users and groups" = account-idm-read
- "View and manage policies" = iam-policies-management, iam:policies:write, iam:policies:read, iam:bindings:write, iam:bindings:read, iam:effective-permissions:read
- "View environments" = account-env-read, which allows reading ClientID and Secret from a credential

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

JonU2 — Mon, 04 Nov 2024 07:51:07 GMT

Some users have reported and error when using credentialVault to retrieve your OAuth clientId/Secret and enable lines 47-57 of the notebook script. In this case, line 49 of this script (import { credentialVaultClient } from "@dynatrace-sdk/client-classic-environment-v2";) needs to go outside the export, so in line one.

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

pmilbrandt — Thu, 05 Dec 2024 20:24:02 GMT

The Notebook script times out after 120 seconds, is there a way to increase the timeout?

{
"error": {
"code": 541,
"message": "Execution crashed.",
"details": {
"logs": "",
"type": "TIMEOUT",
"message": "Timeout limit (120s) exceeded"
}
}
}

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

Jon2 — Fri, 06 Dec 2024 11:35:24 GMT

This could be related to the default AppEngine 120 max execution timeout AppEngine Functions (Serverless Functions) which I do not think is configurable.

Maybe consider doing the same but with the provided PowerShell script if that is possible for you. The syntax from a terminal window is:

AssessRBACPermissions.ps1 <clientId> <clientSecret>

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

pmilbrandt — Mon, 09 Dec 2024 15:55:21 GMT

After a bit of tweaking the powershell script, I was able to get that to run successfully.

Thanks!

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

pmilbrandt — Thu, 12 Dec 2024 13:48:43 GMT

Although I did get the powershell version of this to work, it doesn't provide the same information that is listed in the documentation (Migrate role-based permissions to Dynatrace IAM policies — Dynatrace Docs). Namely it's missing the recommended policies. That would be the part that would be especially helpful.

From documentation:

Actual powershell results:

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

Jon2 — Thu, 12 Dec 2024 14:40:47 GMT

Most likely a screen res. issue on the terminal window. Lower res should show it.

Alternatively, since you already touched the ps file, you can instead export out to .csv
Replace this line at the end of the script:

$candidateRBACPermissions | Format-Table -AutoSize -Wrap

with this:
$candidateRBACPermissions | Export-Csv -path ./Output.csv

If running Windows OS might need to tweak the path...

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

pmilbrandt — Thu, 12 Dec 2024 21:17:10 GMT

Thanks Jon, CSV is a much better options for us anyway, great suggestion.

Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

Jon2 — Wed, 19 Mar 2025 14:36:06 GMT

Some users are reporting the PowerShell script is not filling out last to columns.

It turns out some older versions of PowerShell do not seem to interpret this line well for the PSCustomObject:
if ($recommend.length -gt 0)

If that's your case, consider changing it to:

if ($null -ne $recommend)