Automations
All questions related to Workflow Automation, AutomationEngine, and EdgeConnect, as well as integrations with various tools.

Workflows set to Public access are viewable and editable by "Monitoring Viewer" users. Is this the expected behavior?

RamkumarTIH
Participant

Hi,

We have workflows set as public that are viewable and editable by "Monitoring Viewer" users.

They are read-only users in Dynatrace and are not supposed to edit any of the workflows.

Is this the expected behavior?

Thanks,

Ram


DanielS
DynaMight Guru

Hello @RamkumarTIH, you can configure your expected access using policies. Role-based access like Monitoring Viewer is different from Attribute-Based Access Control, which is more granular. With this you can control the expected behavior of Dynatrace permissions.
https://docs.dynatrace.com/docs/shortlink/migrate-roles 

Dynatrace Certified Professional @ www.dosbyte.com

Hi @DanielS - Does it mean that by default "Monitoring Viewer" will be able to edit the workflows set as public?

Do I need to create specific attribute-based access to restrict the workflow edit access for "Monitoring Viewer" users?

Hi @RamkumarTIH, I don't have a vanilla tenant to check basic access, but I can assure you that if you set a correct set of ABAC policies you can restrict all of these items:

  • automation:workflows:read
Grants permission to read workflows

  • automation:workflows:write
Grants permission to write workflows

  • automation:workflows:run
Grants permission to execute workflows

  • automation:workflows:admin
Grant admin permissions for workflows.

  • automation:rules:read
Grants permission to read scheduling rules

  • automation:rules:write
Grants permission to write scheduling rules

  • automation:calendars:read
Grants permission to read business calendars

  • automation:calendars:write
Grants permission to write business calendars
 
Hope it helps.
Dynatrace Certified Professional @ www.dosbyte.com

Thanks @DanielS 

I have assigned the in-built "Standard User" policy to the Operators.

Looks like the one below is mandatory for users to access the new UI.

//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

I have created a custom Denial policy with the rules below and assigned it to the group, as I am unable to modify the default Standard User policy. Now Operators are able to access both the old UI and the new UI, but with restrictions on the Workflows app and a few others as per the DENY statements. Thanks for the help.

//Davis
DENY davis:analyzers:read, davis:analyzers:execute;

//Davis Copilot
DENY davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis-copilot:dql2nl:execute, davis-copilot:document-search:execute;

//Grail
DENY storage:bucket-definitions:read;
DENY storage:fieldset-definitions:read;
DENY storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;

//AutomationEngine
DENY automation:workflows:read, automation:calendars:read, automation:rules:read;
DENY automation:workflows:write;
DENY automation:workflows:run;

//Extensions
DENY extensions:definitions:read;
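
An added example, not part of the thread and not Dynatrace code: a small check that parses policy statements in the form posted above and lists which of the automation permissions from the earlier reply have no explicit DENY. It assumes statements without WHERE conditions and that an explicit DENY overrides any ALLOW; `SAMPLE_ALLOW_POLICY` is constructed for illustration.

```python
import re

# Automation permissions listed in the earlier reply in this thread.
AUTOMATION_PERMISSIONS = [
    "automation:workflows:read", "automation:workflows:write",
    "automation:workflows:run", "automation:workflows:admin",
    "automation:rules:read", "automation:rules:write",
    "automation:calendars:read", "automation:calendars:write",
]

# AutomationEngine DENY statements copied from the post above.
DENY_POLICY = """
//AutomationEngine
DENY automation:workflows:read, automation:calendars:read, automation:rules:read;
DENY automation:workflows:write;
DENY automation:workflows:run;
"""

# Constructed stand-in for what a group's ALLOW policies grant (assumption).
SAMPLE_ALLOW_POLICY = """
//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;
ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:admin;
"""

def parse_policy(text):
    """Return {'ALLOW': set, 'DENY': set} from ';'-terminated statements."""
    result = {"ALLOW": set(), "DENY": set()}
    body = re.sub(r"//[^\n]*", "", text)  # drop // comment lines
    for stmt in filter(None, (s.strip() for s in body.split(";"))):
        m = re.match(r"^(ALLOW|DENY)\s+(.+)$", stmt, re.S)
        if not m:
            raise ValueError(f"unrecognised statement: {stmt!r}")
        result[m.group(1)].update(p.strip() for p in m.group(2).split(",") if p.strip())
    return result

def not_denied(deny_text, permissions):
    """Permissions from the list that no DENY statement names."""
    denied = parse_policy(deny_text)["DENY"]
    return [p for p in permissions if p not in denied]

def effective(allow_text, deny_text):
    """Allowed permissions left over, assuming DENY overrides ALLOW."""
    return parse_policy(allow_text)["ALLOW"] - parse_policy(deny_text)["DENY"]

if __name__ == "__main__":
    print("no explicit DENY:", not_denied(DENY_POLICY, AUTOMATION_PERMISSIONS))
    print("still effective:", sorted(effective(SAMPLE_ALLOW_POLICY, DENY_POLICY)))
```

With the statements as posted, `automation:workflows:admin`, `automation:rules:write` and `automation:calendars:write` carry no explicit DENY, so whether a group holds them depends on what its other policies allow.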
