https://community.dynatrace.com/t5/Dynatrace-tips/IAM-Policy-Read-and-write-permissions-on-extensions/m-p/220907#M986 <P><STRONG><U>Use case :</U></STRONG></P> <P>I want to allow standard users (currently on monitoring viewer group) to modify configurations of monitoring extensions V1 and V2 deployed on a tenant.</P> <P>For example:&nbsp;</P> <UL> <LI>Add a new SQL server endpoint on Sql Server Extension (V2.0)</LI> <LI>Modify a db query a "Generic DB Query Plugin" (V1.0) endpoint</LI> <LI>Remove a device from "Generic Cisco Device" configuration</LI> </UL> <P><BR /><U><STRONG>1- Create an IAM policy</STRONG></U></P> <P>For Read and write permissions on V1 extensions, add the followings instructions on the policy :<BR /><EM>ALLOW settings:objects:read, settings:objects:write, settings:schemas:read</EM><BR /><EM>WHERE settings:schemaId = "builtin:monitored-technologies";</EM></P> <P>For Read and write permissions on V2 extensions, add the followings instructions on the policy :<BR /><EM>ALLOW extensions:definitions:read,extensions:configurations:read;</EM><BR /><EM>ALLOW extensions:definitions:write,extensions:configurations:write;</EM></P> <P><EM><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2023-08-17_11h56_44.png" style="width: 637px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13651i9C4252C7098F2CA2/image-size/large?v=v2&amp;px=999" role="button" title="2023-08-17_11h56_44.png" alt="2023-08-17_11h56_44.png" /></span></EM></P> <P><STRONG><U>2- Enable a specific internal flag by support</U></STRONG></P> <P>&nbsp;</P> <P><EM>KNOWN ISSUE (support feedback) :</EM></P> <P>There is a known issue on product with V2 extensions IAM Policy.<BR />Actually the users that you have given them the previoous policy should be able to edit the extension via Rest API <STRONG>but not on the UI side.</STRONG><BR />Unless user has "Manage monitoring settings" (which makes him an admin) it wont let him edit the extension.</P> <P>A workaround exists because this condition can be avoided by enabling a particular flag on dynatrace tenant.<BR />The flag name is <STRONG>"com.compuware.apm.webuiff.HubDisableUiPermissionChecks.hubdupc.feature"</STRONG><BR />It's an internal flag so only the support can enable it, so you have to create a case support or to ask directly on chat support.</P> <P>&nbsp;</P> <P><STRONG>3- Create a group, attach the IAM policy and add users to the group</STRONG></P> <P>Create a specific group and attach the previous policy. Add users to the group. All users will inherit from policy permissions.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><U><STRONG>Additionnal tips :</STRONG></U><BR />- Readonly access on V2 extensions is possible by removing the instruction ALLOW <EM>extensions:definitions:write,extensions:configurations:write;</EM><BR />But for me it's not really friendly because the user can modify configuration (edit button is enabled) and the error message appears at the validation step.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="2023-08-17_11h24_45.png" style="width: 931px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13650i4B3C2B4DE9BCDD3C/image-size/large?v=v2&amp;px=999" role="button" title="2023-08-17_11h24_45.png" alt="2023-08-17_11h24_45.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>- Readonly access it's not supported for V1 extensions :<BR /><EM>The schema ID and schema groups can be used in policies to provide full access to this settings page. Both 'settings:objects:write' and 'settings:objects:read' are required. Read-only access is not supported.</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-08-17_13h19_19.png" style="width: 200px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13652i0EA6F87BC717F419/image-size/small?v=v2&amp;px=200" role="button" title="2023-08-17_13h19_19.png" alt="2023-08-17_13h19_19.png" /></span></P> <P>&nbsp;</P> <P>- You can filter permissions on a specific V2 extension by using a condition based on extension-name :<BR /><EM>ALLOW extensions:definitions:read,extensions:configurations:read,</EM><BR /><EM>extensions:definitions:write,extensions:configurations:write</EM><BR /><EM>WHERE extensions:extension-name = "com.dynatrace.extension.sql-server";</EM></P> <P>Only extensions filtered will appear on dynatrace hub :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AurelienGravier_0-1692271209849.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13653i707AF63465925416/image-size/medium?v=v2&amp;px=400" role="button" title="AurelienGravier_0-1692271209849.png" alt="AurelienGravier_0-1692271209849.png" /></span></P> <P>&nbsp;</P> <P>I hope this tip will help some of you.</P> <P>Regards, Aurélien.</P> Tue, 22 Aug 2023 06:20:45 GMT AurelienGravier 2023-08-22T06:20:45Z https://community.dynatrace.com/t5/Dynatrace-tips/IAM-Policy-Read-and-write-permissions-on-extensions/m-p/220907#M986 <P><STRONG><U>Use case :</U></STRONG></P> <P>I want to allow standard users (currently on monitoring viewer group) to modify configurations of monitoring extensions V1 and V2 deployed on a tenant.</P> <P>For example:&nbsp;</P> <UL> <LI>Add a new SQL server endpoint on Sql Server Extension (V2.0)</LI> <LI>Modify a db query a "Generic DB Query Plugin" (V1.0) endpoint</LI> <LI>Remove a device from "Generic Cisco Device" configuration</LI> </UL> <P><BR /><U><STRONG>1- Create an IAM policy</STRONG></U></P> <P>For Read and write permissions on V1 extensions, add the followings instructions on the policy :<BR /><EM>ALLOW settings:objects:read, settings:objects:write, settings:schemas:read</EM><BR /><EM>WHERE settings:schemaId = "builtin:monitored-technologies";</EM></P> <P>For Read and write permissions on V2 extensions, add the followings instructions on the policy :<BR /><EM>ALLOW extensions:definitions:read,extensions:configurations:read;</EM><BR /><EM>ALLOW extensions:definitions:write,extensions:configurations:write;</EM></P> <P><EM><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2023-08-17_11h56_44.png" style="width: 637px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13651i9C4252C7098F2CA2/image-size/large?v=v2&amp;px=999" role="button" title="2023-08-17_11h56_44.png" alt="2023-08-17_11h56_44.png" /></span></EM></P> <P><STRONG><U>2- Enable a specific internal flag by support</U></STRONG></P> <P>&nbsp;</P> <P><EM>KNOWN ISSUE (support feedback) :</EM></P> <P>There is a known issue on product with V2 extensions IAM Policy.<BR />Actually the users that you have given them the previoous policy should be able to edit the extension via Rest API <STRONG>but not on the UI side.</STRONG><BR />Unless user has "Manage monitoring settings" (which makes him an admin) it wont let him edit the extension.</P> <P>A workaround exists because this condition can be avoided by enabling a particular flag on dynatrace tenant.<BR />The flag name is <STRONG>"com.compuware.apm.webuiff.HubDisableUiPermissionChecks.hubdupc.feature"</STRONG><BR />It's an internal flag so only the support can enable it, so you have to create a case support or to ask directly on chat support.</P> <P>&nbsp;</P> <P><STRONG>3- Create a group, attach the IAM policy and add users to the group</STRONG></P> <P>Create a specific group and attach the previous policy. Add users to the group. All users will inherit from policy permissions.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><U><STRONG>Additionnal tips :</STRONG></U><BR />- Readonly access on V2 extensions is possible by removing the instruction ALLOW <EM>extensions:definitions:write,extensions:configurations:write;</EM><BR />But for me it's not really friendly because the user can modify configuration (edit button is enabled) and the error message appears at the validation step.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="2023-08-17_11h24_45.png" style="width: 931px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13650i4B3C2B4DE9BCDD3C/image-size/large?v=v2&amp;px=999" role="button" title="2023-08-17_11h24_45.png" alt="2023-08-17_11h24_45.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>- Readonly access it's not supported for V1 extensions :<BR /><EM>The schema ID and schema groups can be used in policies to provide full access to this settings page. Both 'settings:objects:write' and 'settings:objects:read' are required. Read-only access is not supported.</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-08-17_13h19_19.png" style="width: 200px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13652i0EA6F87BC717F419/image-size/small?v=v2&amp;px=200" role="button" title="2023-08-17_13h19_19.png" alt="2023-08-17_13h19_19.png" /></span></P> <P>&nbsp;</P> <P>- You can filter permissions on a specific V2 extension by using a condition based on extension-name :<BR /><EM>ALLOW extensions:definitions:read,extensions:configurations:read,</EM><BR /><EM>extensions:definitions:write,extensions:configurations:write</EM><BR /><EM>WHERE extensions:extension-name = "com.dynatrace.extension.sql-server";</EM></P> <P>Only extensions filtered will appear on dynatrace hub :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AurelienGravier_0-1692271209849.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/13653i707AF63465925416/image-size/medium?v=v2&amp;px=400" role="button" title="AurelienGravier_0-1692271209849.png" alt="AurelienGravier_0-1692271209849.png" /></span></P> <P>&nbsp;</P> <P>I hope this tip will help some of you.</P> <P>Regards, Aurélien.</P> Tue, 22 Aug 2023 06:20:45 GMT https://community.dynatrace.com/t5/Dynatrace-tips/IAM-Policy-Read-and-write-permissions-on-extensions/m-p/220907#M986 AurelienGravier 2023-08-22T06:20:45Z