
Dashboard Access Policies/Permissions

PedroSantos
Advisor

Hello community,

The issue I'm facing today is that I'm trying to give a specific user read access to a single dashboard (inside the Dashboards app, so not classic) in my environment. This user should only have this permission, and access to nothing else.

However I can't seem to be able to figure out a simple/effective way to do it.

Can anyone give me pointers on how to do this?

Thanks in advance x)

To make an error is human. To spread the error across all servers in an automated way is DevOps.
8 REPLIES 8

KeeganNelson
Dynatrace Advisor

Hello PedroSantos. 

Within individual dashboards there is an option to "share" the dashboard. There is an opportunity to share access to people and groups that are in your environment with "can view" or "can edit" access, as well as an opportunity to create a link with the same permissions. Please refer to the screenshot below.

KeeganNelson_0-1740769885022.png


Hope this helps!



@PedroSantos does it solve your case? 🙂

When passion meets people magic and innovation happen.

@AgataWlodarczyk,

Unfortunately, no. It seems it's not possible. As the use-case seems particularly relevant, I have posted a Product Idea: https://community.dynatrace.com/t5/Product-ideas/Hide-Ready-made-dashboards/idi-p/272303

Antonio Sousa

Hello @KeeganNelson ,

Unfortunately, this does not solve my problem. The link or share option, by itself, doesn't grant access to anything.

Case in point, I have a test user with the right "shared" permissions on my dashboard:

PedroSantos_1-1741193316707.png

(The "Can Edit" option doesn't work either)

And this is what the test user sees:

PedroSantos_2-1741193394398.png

Generating a link for access provides the following results:

Screenshot from 2025-03-05 16-51-54.png

 

Bluntly put, it's not possible to grant access to a user who doesn't have the permission to, for example, see the dashboards app. In my case the user has permissions to see the dashboards app but something is missing.

In order for a user to be able to see the new dashboards app, and then only the dashboard I want them to see, they need actual permissions likely defined by policies.

I tried to tweak the policies and grant access, but with this access comes the ability to see a lot of pre-set dashboards:

PedroSantos_0-1741192987083.png

I don't want them to be able to see any of this.

So my question evolves to:

What permissions and/or policies do I need to define in order to ensure a user only has access to a single dashboard?

I understand that at the very least they'll need to have access to the dashboards app so I added this:

ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.dashboards";

Given there isn't an "easy" way to do this, what else do I need to add?

To make an error is human. To spread the error across all servers in an automated way is DevOps.

Hi @PedroSantos, I'm new to Dynatrace and facing the same issue. Have you succeeded in creating the policy stated? The initial policy I'm creating includes these permissions:
// unified-analysis – for dashboard structure
ALLOW unified-analysis:screen-definition:read;
// Grail
ALLOW storage:metrics:read;
ALLOW storage:logs:read;
ALLOW storage:entities:read;
ALLOW storage:buckets:read;
// slo - ONLY if SLO widgets exist
ALLOW slo:slos:read;

However, with those permissions only, the user can't even access the environment, so I added ALLOW environment:roles:viewer to the policy, but now the user has more than just read dashboard access (can edit and create, etc.). So is there a solution for this? Any help would be greatly appreciated.

Hello @Irdina ,

What we did was create a policy with the following permissions:

ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.dashboards";
//Grail
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;
ALLOW storage:system:read;
//Metrics
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.service.request";
ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.synthetic.http";
ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.synthetic.browser";
//Entities
ALLOW storage:entities:read;
//Documents
ALLOW document:environment-shares:read;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
ALLOW environment:roles:viewer WHERE environment:management-zone IN ("YOUR-MANAGEMENT-ZONE-NAME");

It's not a perfect solution but it's close enough.

We only allow access to the dashboard app. Then we allow access to the metrics bucket, and finally only allow access to specific metrics which are needed to populate this specific dashboard.

We also limited access to a single, specific, management zone.

That being said, this might not work for your specific dashboard because you need to figure out which metrics your dashboard uses and make a policy for those.

To make an error is human. To spread the error across all servers in an automated way is DevOps.
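An added example, not part of the original posts and not Dynatrace tooling: a small Python audit that parses policy statements in the syntax quoted above and lists which granted permissions are not plainly read-only and which are granted without a `WHERE` condition, which is what you would check when the goal is view-only access to a single dashboard. Judging a permission by the last segment of its name is an assumption of this sketch, as are the function names; the sample is a shortened subset of the statements in the thread.

```python
import re

# Constructed sample: a shortened subset of the policy statements quoted in the thread.
SAMPLE_POLICY = '''
ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.dashboards";
//Metrics
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read WHERE storage:metric.key startsWith "dt.service.request";
//Entities
ALLOW storage:entities:read;
//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete;
ALLOW document:direct-shares:read, document:trash.documents:restore;
'''

# Assumption: only these trailing action names are treated as read-only.
READ_ONLY_ACTIONS = {"read", "run"}
STATEMENT = re.compile(r"^ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<cond>.+))?$", re.S)

def parse_policy(text):
    """Return one (permissions, condition) tuple per ALLOW statement."""
    # Drop // comment lines, then split on the ';' statement terminator.
    # (Simplification: a ';' inside a quoted condition value is not handled.)
    lines = [l for l in text.splitlines() if not l.strip().startswith("//")]
    statements = []
    for raw in "\n".join(lines).split(";"):
        raw = " ".join(raw.split())
        if not raw:
            continue
        m = STATEMENT.match(raw)
        if not m:
            raise ValueError(f"unrecognised statement: {raw!r}")
        perms = [p.strip() for p in m.group("perms").split(",")]
        statements.append((perms, m.group("cond")))
    return statements

def audit(text):
    """List permissions that are not read-only by name, and unconditioned grants."""
    report = {"not_read_only": [], "unconditioned": []}
    for perms, cond in parse_policy(text):
        for perm in perms:
            if perm.rsplit(":", 1)[-1] not in READ_ONLY_ACTIONS:
                report["not_read_only"].append(perm)
            if cond is None:
                report["unconditioned"].append(perm)
    return report

if __name__ == "__main__":
    for kind, perms in audit(SAMPLE_POLICY).items():
        print(f"{kind}: {perms}")
```

Anything reported under `not_read_only` is a candidate to drop or justify before the policy is bound to a view-only user; the list is a review aid and does not reproduce how the platform evaluates policies.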

Hello @PedroSantos , @moin_DT1 ,
I have successfully created the intended policy and yes, it is similar to the approach you provided, thank you for the help !!!

moin_DT1
Helper

@PedroSantos Also, you can try using custom Policies and Boundaries, where you can define exactly what you want to share and to whom you want to share:

https://docs.dynatrace.com/docs/shortlink/iam
