Solved: Document service and Document access

henk_stobbe · ‎22 May 2025

Hello All!

Easy question, from below permissions:

-Grants permission to read documents of the document service document:documents:read

-Grants permission to read environment shares of the document service document:environment-shares:read

-Grants permission to read direct shares of the document service document:direct-shares:read

Does this means that these are 3 different kinds of entities and does ":documents:" mean my-documents and public documents?

KR Henk

henk_stobbe · ‎22 May 2025

Tested all options,

Looks like "document:documents:read" is to make it possible to read all your owned/to you assigned/public documents

The other two are more so you can create an environment share or direct share. (Little confusing if you ask me)-;

KR Henk

haris · ‎27 May 2025

Hi Henk,

the info that explains the concept regarding it (which makes permission more understandable in context of documents) is here: https://developer.dynatrace.com/plan/platform-services/document-service/

For the permissions:

document:documents:read

Grants permission to read documents of the document service

document:environment-shares:read

Grants permission to read environment shares of the document service

document:direct-shares:read

Grants permission to read direct shares of the document service

this basically translates into 3 tier permissions, which reflect this concept here:

Users can share the document with other users. The document owner can grant either read-only or read-write access to the document for other users. Document service also prevents accidental overwriting due to collaboration using optimistic locking

There are three ways a user can share documents:

Public: A document's owner can grant read-only access to the document to all users of the same environment.
Environment: A document's owner can grant access to the document to all users of the same environment. Each user must opt in individually.
Direct: A document's owner can grant specific users or groups access to a document.

So to summarize,

document:documents:read is for the public documents, and the other two are for environment and direct shared documents as you mentioned yourself above.

What is the biggest confusion, or what would resolve the confusion for you?

henk_stobbe · ‎27 May 2025

Hallo Haris,

Thanks for your reply!

I have tested above, but it seems that the documentation seems incorrect.

document:environment-shares

Grants permission to read environment shares of the document service => looks more like the privilege to create an environment share, and to list your create environment shares

document:direct-shares

Grants permission to read direct shares of the document service => Seems more that this is about the privilege to be able to create a share or list your shared shares

Without:

document:documents:read

There are absolute no documents you can see,

KR Henk

As always, I could be wrong (-;

haris · ‎04 Jun 2025

Thank you Henk, I've forwarded your feedback to our team.

haris · ‎06 Jun 2025

Hi Henk, I've had a chat with our team, and here's some information regarding what we've discussed above:

henk_stobbe · ‎07 Jun 2025

Hello Haris,

Thanks for going the extra mile (-; Great explanation thanks!

KR Henk

Document service and Document access

document:documents:read

document:environment-shares:read

document:direct-shares:read

Sharing documents​

document:environment-shares

document:direct-shares

document:documents:read

Sharing documents