04 Mar 2026 03:46 PM - last edited on 05 Mar 2026 07:39 AM by MaciejNeumann
Hi,
I'm having a hard time segregating access to all data related to Kubernetes. I have an applicationMonitoring deployment with K8s observability deployment, and I need to provide access to the data to the whole K8s team.
For this reason, I set up a group that has the Standard User and All Grail Data Read Access assigned. I bound those policies to a boundary that filters by MZ at start. In the classic UI I get the expected visibility, but in Gen3 apps I don't get the expected visibility. I tried doing it by a security context that gets populated with the MZ, but still there are gaps, like in the Problems app or the traces.
In general, it seems quite complex to implement a unified way of fine-tuning these kinds of access.
Has anyone had any experience with this issue before?
Thanks,
George
14 Mar 2026 09:06 PM
Hi,
yes, I’ve seen this issue before, and in my opinion the main challenge is that in Classic/Management, access is often scoped through Management Zones, where visibility is defined using entity selectors.
In the new apps, however, access is primarily evaluated based on permission-relevant fields and optionally dt.security_context, not only on classic entity visibility. Dynatrace supports Kubernetes-related fields such as k8s.cluster.name and k8s.namespace.name, so for a Kubernetes team this is usually a better foundation for access policies.
That also explains why everything may look correct in the Classic UI, while you still see gaps in Gen3 apps, for example in Problems or Distributed Tracing. Problems are stored in Grail as events, and tracing plus other Grail data types rely on the permission model based on security context and permission-relevant fields. If the records themselves are not enriched with the expected context, the policy cannot enforce the scope the way you want.
So I would recommend this approach:
You can also try using our policy calculator: Dynatrace policy calculator
Here you can also find a related post: Dynatrace-Policy-Manager
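The gap described in the answer above, as an added example that is not part of the original posts and is not Dynatrace code: a simplified model of record-level scoping that separates records denied on purpose from records that cannot be matched because a permission-relevant field was never enriched. The boundary values, the sample records, the function names and the rule that a condition on an absent field never matches are assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical scope for the K8s team; cluster and namespace values are constructed.
BOUNDARY = {
    "k8s.cluster.name": {"prod-eu-1"},
    "k8s.namespace.name": {"payments", "checkout"},
}

# Constructed sample records, shaped like rows exported from Grail queries.
RECORDS = [
    {"type": "logs", "k8s.cluster.name": "prod-eu-1", "k8s.namespace.name": "payments"},
    {"type": "logs", "k8s.cluster.name": "prod-eu-1", "k8s.namespace.name": "kube-system"},
    {"type": "spans", "k8s.cluster.name": "prod-eu-1", "k8s.namespace.name": "checkout"},
    {"type": "spans", "k8s.cluster.name": "prod-eu-1"},  # namespace never enriched
    {"type": "events", "k8s.cluster.name": "prod-eu-1", "k8s.namespace.name": "payments"},
    {"type": "events"},  # problem event without any K8s fields
]


def evaluate(record, boundary):
    """Classify one record; assumed semantics: a condition on an absent field never matches."""
    missing = [field for field in boundary if field not in record]
    if missing:
        return "missing_field"
    if all(record[field] in allowed for field, allowed in boundary.items()):
        return "visible"
    return "out_of_scope"


def coverage_report(records, boundary):
    """Count outcomes per data type so enrichment gaps stand apart from intended denials."""
    report = defaultdict(lambda: {"visible": 0, "out_of_scope": 0, "missing_field": 0})
    for record in records:
        report[record["type"]][evaluate(record, boundary)] += 1
    return dict(report)


if __name__ == "__main__":
    for data_type, counts in coverage_report(RECORDS, BOUNDARY).items():
        print(data_type, counts)
```

In this model, a non-zero `missing_field` count for a data type points at enrichment rather than at the policy: those records carry nothing the boundary conditions can match.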