https://community.dynatrace.com/t5/Container-platforms/Control-access-to-Kubernetes-related-data-in-Grail/m-p/295649#M3500 <P>Hi,</P> <P>I'm having a hard time segregating access to all data related to Kubernetes. I have an applicationMonitoring deployment with K8s observability deployment, and I need to provide access to the data to the whole K8s team.</P> <P>For this reason, I set up a group that has the&nbsp;<STRONG>Standard User</STRONG> and&nbsp;<STRONG>All Grail Data Read Access&nbsp;</STRONG>assigned. On those policies I bound them to a boundary that filters by MZ at start. In the classic UI I get the expected visibility, but in Gen3 apps I don't get the expected visibility. I tried doing it by a security context that gets populated with the MZ, but still there are gaps, like in the Problems app or the traces.</P> <P>In general, it seems quite complex to implement a unified way of fine-tune these kind of accesses.</P> <P>Does anyone have any experience with this issue before?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>George</P> Thu, 05 Mar 2026 07:39:33 GMT g_kat 2026-03-05T07:39:33Z https://community.dynatrace.com/t5/Container-platforms/Control-access-to-Kubernetes-related-data-in-Grail/m-p/295649#M3500 <P>Hi,</P> <P>I'm having a hard time segregating access to all data related to Kubernetes. I have an applicationMonitoring deployment with K8s observability deployment, and I need to provide access to the data to the whole K8s team.</P> <P>For this reason, I set up a group that has the&nbsp;<STRONG>Standard User</STRONG> and&nbsp;<STRONG>All Grail Data Read Access&nbsp;</STRONG>assigned. On those policies I bound them to a boundary that filters by MZ at start. In the classic UI I get the expected visibility, but in Gen3 apps I don't get the expected visibility. I tried doing it by a security context that gets populated with the MZ, but still there are gaps, like in the Problems app or the traces.</P> <P>In general, it seems quite complex to implement a unified way of fine-tune these kind of accesses.</P> <P>Does anyone have any experience with this issue before?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>George</P> Thu, 05 Mar 2026 07:39:33 GMT https://community.dynatrace.com/t5/Container-platforms/Control-access-to-Kubernetes-related-data-in-Grail/m-p/295649#M3500 g_kat 2026-03-05T07:39:33Z https://community.dynatrace.com/t5/Container-platforms/Control-access-to-Kubernetes-related-data-in-Grail/m-p/296172#M3506 <P>&nbsp;</P><P>Hi,<BR />yes, I’ve seen this issue before, and in my opinion the main challenge is that in Classic/Management, access is often scoped through Management Zones, where visibility is defined using entity selectors.</P><P>In the new apps, however, access is primarily evaluated based on permission-relevant fields and optionally dt.security_context, not only on classic entity visibility. Dynatrace supports Kubernetes-related fields such as k8s.cluster.name and k8s.namespace.name, so for a Kubernetes team this is usually a better foundation for access policies.</P><P>That also explains why everything may look correct in the Classic UI, while you still see gaps in Gen3 apps, for example in Problems or Distributed Tracing. Problems are stored in Grail as events, and tracing plus other Grail data types rely on the permission model based on security context and permission-relevant fields. If the records themselves are not enriched with the expected context, the policy cannot enforce the scope the way you want.</P><P>So I would recommend this approach:</P><UL><LI>build access mainly around native Kubernetes fields in Grail</LI><LI>use dt.security_context only where you need an extra abstraction layer</LI></UL><P><BR />U can also try use our policy calculator:&nbsp;<A href="https://omnilogy.pl/en/policy-manager" target="_self">Dynatrace policy calculator</A>&nbsp;<BR />Here you can also find a related post:&nbsp;<A href="https://community.dynatrace.com/t5/Custom-Solutions-Spotlight/Dynatrace-Policy-Manager/td-p/288993" target="_self">Dynatrace-Policy-Manager</A>&nbsp;</P> Sat, 14 Mar 2026 21:06:20 GMT https://community.dynatrace.com/t5/Container-platforms/Control-access-to-Kubernetes-related-data-in-Grail/m-p/296172#M3506 t_pawlak 2026-03-14T21:06:20Z