https://community.dynatrace.com/t5/Log-Analytics/Generic-Grail-POLICY-for-more-than-6K-management-zones/m-p/257352#M49 <P><SPAN>We enabled GRAIL in our environment and need your help to create generic GRAIL policy using RBAC permission.&nbsp;Its not feasible to write 6k+ policies for each management zone. I want to write one to restrict user access to their respective MZ's.</SPAN></P> Mon, 30 Sep 2024 05:55:11 GMT nicemukesh 2024-09-30T05:55:11Z https://community.dynatrace.com/t5/Log-Analytics/Generic-Grail-POLICY-for-more-than-6K-management-zones/m-p/257352#M49 <P><SPAN>We enabled GRAIL in our environment and need your help to create generic GRAIL policy using RBAC permission.&nbsp;Its not feasible to write 6k+ policies for each management zone. I want to write one to restrict user access to their respective MZ's.</SPAN></P> Mon, 30 Sep 2024 05:55:11 GMT https://community.dynatrace.com/t5/Log-Analytics/Generic-Grail-POLICY-for-more-than-6K-management-zones/m-p/257352#M49 nicemukesh 2024-09-30T05:55:11Z https://community.dynatrace.com/t5/Log-Analytics/Generic-Grail-POLICY-for-more-than-6K-management-zones/m-p/257562#M50 <P>Hi&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/70937">@nicemukesh</a>&nbsp;,<BR />You can simply add <STRONG>ALLOW&nbsp;</STRONG><SPAN><STRONG>storage:logs:read</STRONG> for allowing read permissions to logs for the users. By default, if I have permission to only one management zone, I will be able to view logs only for that management zone. You need not configure any other permissions.<BR /><BR />The control is essentially at the access level not at this policy level.<BR /><BR />Regards,<BR />Maheedhar Talluri.</SPAN></P> Mon, 30 Sep 2024 12:16:59 GMT https://community.dynatrace.com/t5/Log-Analytics/Generic-Grail-POLICY-for-more-than-6K-management-zones/m-p/257562#M50 Maheedhar_T 2024-09-30T12:16:59Z