Dashboarding
Dynatrace dashboards, notebooks, and data explorer explained.

DQL available for viewing and modifying in Dashboards Tiles with viewer role

luisbsantos
Frequent Guest

I am working on some Dashboards that will be shared with other teams. My current solution, after trying to give the least possible available permissions, still lets anyone not only see but also modify and run DQL queries however they want - they just can't save the dashboard afterwards.

So a user with the least possible permissions (viewer only) can go to a simple dashboard, modify the DQL to something as simple as "fetch events" and have access to all the events within the timeframe. Or any other DQL query.

I tried restricting the access through exploring the Users/Groups Policies and also the Boundaries, but the only working solutions I got still let me run DQL queries with my test user.

Does anyone know how I can disable/block this behaviour?

3 REPLIES

p_devulapalli
Leader

@luisbsantos If you are giving access to a dashboard for a user, you may not be able to block that user from running queries based on the way permissions work in Dynatrace at this point of time. When a user tries to access a dashboard the system would need to execute a DQL query in the backend to fetch the data based on the user permissions. So, we may not be able to allow dashboard access while explicitly preventing DQL execution.

If the concern is about unauthorized data access, you can try limiting the access to data with policies instead.

Phani Devulapalli

luisbsantos
Frequent Guest

@p_devulapalli thank you for your response!

I obviously want the Dashboard to execute DQL - I need to display data with it so the clients can actually observe their systems. What I am very uncomfortable allowing is any user being able to see and execute DQL queries after the initial DQL queries are displayed.

I've been reading the Dynatrace documentation but couldn't solve the unauthorized data access problem with policies, but I'm still on this (especially around the IAM policy reference - link here). Do you have any suggestion that might be useful?

@luisbsantos As mentioned, you may not be able to restrict a user from looking at the queries or running them, but you would be able to limit what data they would be able to see or run queries against.

There are a few different ways of achieving this: you can partition the data using buckets and use IAM policies to limit the user access to only those buckets.

https://docs.dynatrace.com/docs/platform/grail/organize-data/partition-data

You can also use security contexts:

https://docs.dynatrace.com/docs/manage/identity-access-management/use-cases/access-security-context

These might be helpful references:

https://www.youtube.com/watch?v=Pwh0hmqqjIk

https://www.youtube.com/watch?v=ChgiqA63hiE

Phani Devulapalli
In this Observability Lab, Andreas Grabner and Florian Aigner dive deep into Identity and Access Management (IAM) for observability in Dynatrace. Learn why access control matters, explore attribute-based access control (ABAC) vs. role-based access control (RBAC), and see how policies, boundaries ...
In this video, our product experts cover the best practices for setting up #Dynatrace Grail buckets, defining data retention times, and using the Storage Management app. Find out more about DQL concepts → https://dynatr.ac/3SU4LeQ Have a question? You can ask it in our forum → ...
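The bucket and security-context scoping suggested in the replies above, sketched as Dynatrace IAM policy statements. This is an added example, not part of the original thread or of Dynatrace's own documentation. The bucket names `team_a_events` and `team_a_logs` and the security-context value `team-a` are assumed placeholders, and the `//` lines are annotations to drop if your policy editor rejects them.

```text
// BEFORE (too broad): three unscoped statements in the policy bound to the
// viewer group. Editing a tile's DQL to "fetch events" returns every event
// in every bucket for the selected timeframe.
ALLOW storage:buckets:read;
ALLOW storage:events:read;
ALLOW storage:logs:read;

// AFTER, option 1: bucket scoping.
// The viewer can still edit and run DQL in a tile, but Grail only returns
// records stored in the listed buckets (assumed custom bucket names).
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("team_a_events", "team_a_logs");
ALLOW storage:events:read;
ALLOW storage:logs:read;

// AFTER, option 2: record-level scoping by security context.
// Records must carry dt.security_context = "team-a" (assumed value) to be
// readable; anything else in the same bucket is filtered out of query results.
ALLOW storage:buckets:read WHERE storage:bucket-name IN ("team_a_events", "team_a_logs");
ALLOW storage:events:read WHERE storage:dt.security_context = "team-a";
ALLOW storage:logs:read WHERE storage:dt.security_context = "team-a";
```

Permissions from all policies bound to a user's groups add up, so a scoped policy only takes effect once no other bound policy still grants the unscoped read. To check, sign in as the test user, change a tile's query to `fetch events`, and confirm that only records from the permitted buckets or security context come back.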
