topic Re: Mask logs for some roles in Log Analytics

Mask logs for specific user roles

fTrujillo — Thu, 18 Dec 2025 09:41:01 GMT

Hi, team

Is there a way to mask log fields for specific roles?

I'd like Team A to have access to the original data, while Team B would like the field masked.

Re: Mask logs for some roles

AravindhanV — Fri, 11 Apr 2025 06:13:47 GMT

You can create the User roles respective to your approach RBAC or ABAC with admin and monitor/view role by by restricting the role "sensitive-request-data" in the policy.

With Admin and Viewer role now you can maintain two set of users to control the permission of seeing the data in logs.

Now, you can create your rule to mask the data from the logs

refer the below link for steps.

Sensitive data masking in OneAgent — Dynatrace Docs

Please be aware that this role will be applicable for masking the information in Traces, User session and Other areas as well.

Hope this help full.

Add On: Upgrade role-based permissions to Dynatrace IAM policies — Dynatrace Docs - helps you to understand the Policies and permissions

Thanks

Re: Mask logs for some roles

ChadTurner — Fri, 11 Apr 2025 12:07:04 GMT

FYI - What @AravindhanV showcased, while true, it will not allow you to "UnMask". The word is a bit misleading and I've provided this feedback to Dynatrace. There are a few things to note with that Log 'masking segment'.

Only applies to ingested logs from the OneAgent.
REPLACES the data before ingesting rather than masking it.
Will not allow you to 'unmask' the data as the data was replaced before it was ingested.

These rules will apply to all users of Dynatrace as Original data / Replaced data is not stored in tandem. Only Replaced data is stored.

Re: Mask logs for some roles

AustinSabel — Mon, 12 May 2025 16:10:45 GMT

Hi @fTrujillo

While we don't support conditional masking based on role, we do have field permission options in Grail: https://docs.dynatrace.com/docs/discover-dynatrace/platform/grail/data-model/assign-permissions-in-grail#field-permissions.

This means that you can send data unmasked for ingestion, extract sensitive data to their own fields in the log record, then obfuscate/mask the original content field. Finally, using IAM policies, they could restrict user access to the unmasked fields by group.