topic Re: Workflows set as Public access are having view and edit access for "Monitoring Viewer" users. Is it the expected beh in Automations

Workflows set as Public access are having view and edit access for "Monitoring Viewer" users. Is it the expected behavior ?

RamkumarTIH — Fri, 06 Feb 2026 08:04:25 GMT

Hi,

We have the workflows which are set as public are viewable and editable by the "Monitoring Viewer" users.

They are the read only users in Dynatrace and not suppose to edit any of the workflows.

Is it the expected behavior ?

Thanks,

Ram

Re: Workflows set as Public access are having view and edit access for "Monitoring Viewer" users. Is it the expected beh

DanielS — Thu, 05 Feb 2026 20:05:29 GMT

Hello @RamkumarTIH you can configure your expected access using policies. Role Based Access like Monitoring Viewer is different from Attribute-Based Access Control is more granular. With this you can control the expected behavior of Dynatrace permissions.
https://docs.dynatrace.com/docs/shortlink/migrate-roles

Re: Workflows set as Public access are having view and edit access for "Monitoring Viewer" users. Is it the expected beh

RamkumarTIH — Thu, 05 Feb 2026 20:24:16 GMT

Hi @DanielS - Does it mean by default "Monitoring Viewer" will be able to edit the workflows set as public ?

Do i need to create specific Attribute based access to restrict the workflow edit access for "Monitoring Viewer" users ?

Re: Workflows set as Public access are having view and edit access for "Monitoring Viewer" users. Is it the expected beh

DanielS — Thu, 05 Feb 2026 20:32:52 GMT

Hi @RamkumarTIH I don't have a Vanilla tenant to check basic access but I can assure you that if you set a correct set of ABAC policies you can restrict all of this items:

automation:workflows:read

Grants permission to read workflows

automation:workflows:write

Grants permission to write workflows

automation:workflows:run

Grants permission to execute workflows

automation:workflows:admin

Grant admin permissions for workflows.

automation:rules:read

Grants permission to read scheduling rules

automation:rules:write

Grants permission to write scheduling rules

automation:calendars:read

Grants permission to read business calendars

automation:calendars:write

Grants permission to write business calendars

Hope it helps.

Re: Workflows set as Public access are having view and edit access for "Monitoring Viewer" users. Is it the expected beh

RamkumarTIH — Fri, 13 Feb 2026 20:30:56 GMT

Thanks @DanielS

I have assigned the in-built "Standard User" policy to the Operators.

Looks like below one is mandatory for users to access new UI..

//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

Have created a custom Denial policy with the rules below and assigned to the group as i am unable to modify the default Standard user policy. Now Operators are able to access both old UI and new UI but with restriction to Workflows App and few others as per DENY statements.. Thanks for the help

//Davis
DENY davis:analyzers:read, davis:analyzers:execute;

//Davis Copilot
DENY davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute;

//Grail
DENY storage:bucket-definitions:read;
DENY storage:fieldset-definitions:read;
DENY storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;

//AutomationEngine
DENY automation:workflows:read, automation:calendars:read, automation:rules:read;
DENY automation:workflows:write;
DENY automation:workflows:run;

//Extensions
DENY extensions:definitions:read;