Is It Possible to Create a Policy That Allows the account-idm-read Scope for a Service User?

ntanaka
Guide

Goal:
Our customer would like to create a service user that can utilize the User Management API to list all users:
https://docs.dynatrace.com/docs/shortlink/account-api-users-get-all
The reason for creating a service user is to avoid the need to recreate the associated OAuth client when an authorized user leaves the organization and their Dynatrace account is deleted.
To prevent this, they would prefer to use a service user that is not tied to a specific individual.

Problem:
The required scope for the API, account-idm-read, is not listed as a policy statement.
https://docs.dynatrace.com/docs/shortlink/iam-policystatements
However, when attempting to create a service user, it is necessary to define a policy.

Question:
Could you please confirm whether it is possible to create a policy that allows the account-idm-read scope?
If not, are there any plans to support this in future updates?


ASE
Advisor

Thank you for this, @ntanaka

We are also in need of this very same thing.

I want to grant the new Service Account the ability to view all Dynatrace Users, without doing it via the Account Management page.

Looks like the Account Management permissions are a completely separate thing, and I'm not finding a breakdown of exactly what they are.

I only want to allow View and that's it.


DanielS
DynaMight Guru

You could do it for service users, but not yet for mere users. But it is a little bit different.

For reference: Platform Tokens

  • The user executing this needs to have a policy for handling service users:
    ALLOW iam:service-users:use;
    OR, IF YOU WANT TO BE MORE SPECIFIC:
    ALLOW iam:service-users:use WHERE iam:service-user-email = "service-user-email@email.com";
  1. Go to My platform tokens | Account Management 
  2. Create a new Platform Token
  3. And select the service user you want to give the required scopes.
  4. ⚠️Platform tokens with service users are not supported for multiple environments ⚠️
  5. Then you can assign iam:service-users:use
  6. Call:
     curl -X 'GET' \
       'https://{YOUR TENANT ID}.apps.dynatrace.com/platform/iam/v1/organizational-levels/environment/{YOUR TENANT ID}/service-users' \
       -H 'accept: application/json' \
       -H 'Authorization: Bearer {YOUR PLATFORM TOKEN}'
  7. Here you can see that the Platform Token for the service account is used
  8. For users you need to invoke:
     curl -X 'GET' \
       'https://{YOUR TENANT ID}.apps.dynatrace.com/platform/iam/v1/organizational-levels/environment/{YOUR TENANT ID}/users?pageSize=1000' \
       -H 'accept: application/json' \
       -H 'Authorization: Bearer {YOUR PLATFORM TOKEN}'
     But the only problem here is you cannot assign scope iam:users:read in Platform tokens.
  9. I leave you this product idea to be able to add this scope to Platform Tokens.
Dynatrace Certified Professional @ www.dosbyte.com
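The two list calls from steps 6 and 8 above, wrapped in a small client as an added example; this is not code from the thread or from Dynatrace. It keeps the platform token out of the command line (environment variables DT_TENANT and DT_PLATFORM_TOKEN are hypothetical names), and it tells a rejected token (HTTP 401) apart from a token that was accepted but lacks the scope (HTTP 403), which is the failure you see on /users when the platform token cannot carry iam:users:read. The JSON response shape is an assumption (the thread does not show it), so the parser accepts a few plausible list keys. The transport is injectable so the logic can be exercised offline.

```python
# Added example, not code from the thread or from Dynatrace: a small client for the
# IAM list calls above that keeps the platform token out of argv and distinguishes
# "token rejected" (401) from "token lacks the scope" (403), which is the failure
# you hit when a platform token for a service user has no iam:users:read.
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

IAM_BASE = "https://{tenant}.apps.dynatrace.com/platform/iam/v1/organizational-levels/environment/{tenant}"


class ScopeMissing(PermissionError):
    """The token was accepted but does not carry the scope the endpoint needs."""


def iam_url(tenant: str, resource: str, page_size: Optional[int] = None) -> str:
    """Build the URL used in the thread for 'service-users' or 'users'."""
    url = f"{IAM_BASE.format(tenant=tenant)}/{resource}"
    return f"{url}?pageSize={page_size}" if page_size else url


def http_get(url: str, token: str) -> Tuple[int, str]:
    """Real transport: one GET with the platform token sent as a bearer token."""
    req = urllib.request.Request(
        url, headers={"accept": "application/json", "Authorization": f"Bearer {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def list_iam(
    tenant: str,
    resource: str,
    token: str,
    page_size: Optional[int] = None,
    fetch: Callable[[str, str], Tuple[int, str]] = http_get,
) -> List[dict]:
    """List 'service-users' or 'users'; `fetch` is injectable so this runs offline."""
    status, body = fetch(iam_url(tenant, resource, page_size), token)
    if status == 401:
        raise PermissionError("platform token rejected: expired, revoked or wrong tenant")
    if status == 403:
        # Scope names as given in the thread: iam:users:read for /users,
        # iam:service-users:use for /service-users.
        needed = "iam:users:read" if resource == "users" else "iam:service-users:use"
        raise ScopeMissing(f"platform token accepted but lacks {needed} for /{resource}")
    if status != 200:
        raise RuntimeError(f"GET /{resource} returned HTTP {status}: {body[:200]}")
    data = json.loads(body)
    # Assumed response shape: a JSON object with the entries under one list-valued
    # key (the exact key name is not given in the thread), or a bare JSON array.
    if isinstance(data, list):
        return data
    for key in ("items", "users", "serviceUsers", "results"):
        if isinstance(data.get(key), list):
            return data[key]
    raise ValueError(f"unexpected response shape from /{resource}: keys={list(data)}")


if __name__ == "__main__":
    # Token comes from the environment, not argv, so it stays out of `ps` and shell history.
    tenant = os.environ.get("DT_TENANT")
    token = os.environ.get("DT_PLATFORM_TOKEN")
    if not tenant or not token:
        sys.exit("set DT_TENANT and DT_PLATFORM_TOKEN (hypothetical variable names)")
    for resource in ("service-users", "users"):
        try:
            entries = list_iam(tenant, resource, token, page_size=1000)
            print(f"/{resource}: {len(entries)} entries")
        except ScopeMissing as err:
            print(f"/{resource}: {err}")
```

Run it with DT_TENANT and DT_PLATFORM_TOKEN exported; with a platform token bound to a service user that has only iam:service-users:use, the first call succeeds and the second reports the missing iam:users:read rather than a generic error.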

ntanaka
Guide

Hi @ASE and @DanielS ,

Apologies for the delayed response.
I needed some time to fully understand the new functionality and its implications.

And thank you very much for posting the product idea, @DanielS.
I now understand that our goal is more appropriately achieved using Platform Tokens rather than an OAuth Client — I'm glad to have that clarified.

I’ll share this product idea with my colleagues and the customer.
It would be greatly appreciated if this feature could be considered for implementation!

Best Regards,
Natsumi Tanaka
