23 Mar 2021 08:54 AM - last edited on 18 Nov 2021 10:35 AM by MaciejNeumann
Hi everybody,
I hope someone here can help me: I would like to create User Groups with permissions just for certain Management Zones in Environments, but in Dynatrace Help for Cluster API v1 (Cluster API v1 | Dynatrace Help) there is no description of how to do it (actually there is no description for this endpoint at all).
Does anybody have an idea? Thanks!
23 Mar 2021 03:16 PM
To set management zone permissions call
PUT /groups/managementZones
Sample payload:
{
  "groupId": "test1",
  "mzPermissionsPerEnvironment": [
    {
      "environmentUuid": "e2888c6a-607e-4c18-b817-f317c10a1aa6",
      "mzPermissions": [
        {
          "mzId": "3827223878816945918",
          "permissions": [
            "VIEW_SENSITIVE_REQUEST_DATA",
            "VIEWER",
            "LOG_VIEWER"
          ]
        }
      ]
    },
    {
      "environmentUuid": "0f13a010-f581-4b52-915f-746c96a4c977",
      "mzPermissions": []
    },
    {
      "environmentUuid": "65ca87ab-62eb-41ef-9939-d523a3b20cae",
      "mzPermissions": [
        {
          "mzId": "-263036454330135551",
          "permissions": [
            "VIEWER",
            "REPLAY_SESSION_DATA"
          ]
        }
      ]
    },
    {
      "environmentUuid": "7776be40-7389-42bc-a6dd-e0d4eab206da",
      "mzPermissions": []
    },
    {
      "environmentUuid": "4a74b19f-fd0d-4a92-acc0-bb8e0abb7e1a",
      "mzPermissions": []
    },
    {
      "environmentUuid": "73938789-9f75-4f77-b7d6-54d2dbfbc4a0",
      "mzPermissions": []
    },
    {
      "environmentUuid": "c9a67fe6-8bf8-4bb8-82a1-3ebe8d9ca4d2",
      "mzPermissions": []
    }
  ]
}
24 Mar 2021 12:54 PM
Thanks for the quick reply. Tested and works.
So, it means that in case I need to have a User Group which has access just to certain Management Zones inside some Environments, I have to use a two-step approach:
1. Create the Group
2. Adjust the Group's access regarding Management Zones
Correct?
Some remarks / clarification requests if possible:
I had a group defined as:
{
  "isClusterAdminGroup": false,
  "id": "test",
  "name": "Test",
  "ldapGroupNames": [
    "test"
  ],
  "accessRight": {
    "VIEWER": [
      "0d267653-6cb1-429f-a5bb-a04afb247e18",
      "9fe2a41e-b402-4a47-b577-9fa64cadd69c"
    ],
    "MANAGE_SETTINGS": [
      "0d267653-6cb1-429f-a5bb-a04afb247e18"
    ]
  }
}
I used /groups/managementZones with the following content:
{
  "groupId": "test",
  "mzPermissionsPerEnvironment": [
    {
      "environmentUuid": "19000021-de09-4ea6-8076-81c0163c9c7f",
      "mzPermissions": [
        {
          "mzId": "3477049003423719658",
          "permissions": [
            "VIEW_SENSITIVE_REQUEST_DATA",
            "VIEWER",
            "LOG_VIEWER"
          ]
        }
      ]
    },
    {
      "environmentUuid": "9fe2a41e-b402-4a47-b577-9fa64cadd69c",
      "mzPermissions": []
    },
    {
      "environmentUuid": "0d267653-6cb1-429f-a5bb-a04afb247e18",
      "mzPermissions": [
        {
          "mzId": "1213888254333099543",
          "permissions": [
            "VIEWER",
            "REPLAY_SESSION_DATA"
          ]
        },
        {
          "mzId": "-3471389981007631349",
          "permissions": [
            "VIEW_SENSITIVE_REQUEST_DATA",
            "VIEWER",
            "LOG_VIEWER"
          ]
        }
      ]
    }
  ]
}
In the UI I see exactly what is defined in the JSON above.
However, the output of PUT groups/test shows the same content as above (with two Environments).
PUT groups/managementZones/test shows content as expected (including empty "permissions" for not defined Environments and Management Zones). Does it mean no access or inheritance from the definitions above?
24 Mar 2021 01:30 PM
Hm... there's no resource under `groups/managementZones/test`
If you have a permission set to an environment - you get it to all management zones within an environment.
24 Mar 2021 01:50 PM
Sorry for the irritation. I mean I see the right setup when I use GET groups/managementZones/test. However, with GET groups/test I see the setup for just 2 Environments, not 3. I am not sure what it means.
Another example: if I check the User Group configuration in the UI, I see, for example, that the MONITORING SETTINGS feature is checked for Environment 0d267653-6cb1-429f-a5bb-a04afb247e18 but for none of the Management Zones below. Does it mean it is available for all Zones or for none?
25 Mar 2021 11:52 AM
No worries. Let me rephrase:
1. GET /groups/managementZones/<groupId> returns only management zone permissions for a given group. It should be the same as in the UI in the "Management Zones" permission section.
2. GET /groups/<groupId> returns only environment-level permissions for a given group. It should be the same as in the UI in the "Environment Permissions" section for a group.
In relation to your example:
Group "test" allows to access:
and additionally to management zones:
I hope that if you look at it this way, you see what's expected. For example, for the environment "0d267653-6cb1-429f-a5bb-a04afb247e18" the group allows:
- viewer (access) to all management zones (env level perm)
- manage settings to all management zones (env level perm)
- session replay only for MZ "1213888254333099543"
- view sensitive data for MZ "-3471389981007631349"
- log viewer for "-3471389981007631349"
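The breakdown in the last reply can be checked mechanically. This is an added example, not code from the posters or from Dynatrace: it merges the two responses described above (environment-level `accessRight` and `mzPermissionsPerEnvironment`) and reports which grants apply to every zone, which are really limited to one zone, and which zone-level grants are redundant. The sample data is constructed from the payloads in this thread, trimmed to the fields used, and assumes the two zones of environment 0d267653-... are separate `mzPermissions` entries; the function names are hypothetical.

```python
import json

# Constructed from the group "test" payloads quoted in this thread (trimmed).
GROUP = json.loads("""{
  "id": "test",
  "accessRight": {
    "VIEWER": ["0d267653-6cb1-429f-a5bb-a04afb247e18",
               "9fe2a41e-b402-4a47-b577-9fa64cadd69c"],
    "MANAGE_SETTINGS": ["0d267653-6cb1-429f-a5bb-a04afb247e18"]
  }
}""")
MZ = json.loads("""{
  "groupId": "test",
  "mzPermissionsPerEnvironment": [
    {"environmentUuid": "19000021-de09-4ea6-8076-81c0163c9c7f",
     "mzPermissions": [{"mzId": "3477049003423719658",
        "permissions": ["VIEW_SENSITIVE_REQUEST_DATA", "VIEWER", "LOG_VIEWER"]}]},
    {"environmentUuid": "9fe2a41e-b402-4a47-b577-9fa64cadd69c", "mzPermissions": []},
    {"environmentUuid": "0d267653-6cb1-429f-a5bb-a04afb247e18",
     "mzPermissions": [
       {"mzId": "1213888254333099543", "permissions": ["VIEWER", "REPLAY_SESSION_DATA"]},
       {"mzId": "-3471389981007631349",
        "permissions": ["VIEW_SENSITIVE_REQUEST_DATA", "VIEWER", "LOG_VIEWER"]}]}
  ]
}""")

def env_level(group):
    """Invert accessRight (permission -> [env]) into env -> {permissions}."""
    out = {}
    for perm, envs in group.get("accessRight", {}).items():
        for env in envs:
            out.setdefault(env, set()).add(perm)
    return out

def audit(group, mz_doc):
    """Per environment: env-wide grants, zone-only grants, redundant zone grants."""
    env_perms = env_level(group)
    report = {}
    for entry in mz_doc["mzPermissionsPerEnvironment"]:
        env = entry["environmentUuid"]
        wide = env_perms.get(env, set())
        scoped, redundant = {}, {}
        for mz in entry["mzPermissions"]:
            perms = set(mz["permissions"])
            scoped[mz["mzId"]] = perms - wide      # limited to this zone only
            redundant[mz["mzId"]] = perms & wide   # already granted on every zone
        report[env] = {"all_zones": wide, "scoped": scoped, "redundant": redundant}
    return report
```

A non-empty `all_zones` set for an environment means the group is not confined to its listed management zones there, which is the case to look for when a group was meant to be zone-scoped.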