15 Jun 2022 07:38 AM - last edited on 31 Aug 2022 04:16 AM by Ana_Kuzmenchuk
is possible to restrict access to show just host data throw IAM? i am looking into iam and i cant assign a policy to just process group, it must be done to full management zone, can it be done more restricted? without using management zones? wanted to apply different permissions to different users in same management zone, else we would need to make at least 6 management zones per app, as each app is deployed in three different sites, and each one could have bind values on and off ...
how would you do this?
Solved! Go to Solution.
I don't think this is doable without using management zones. As the docs explicitly tell you, IAM is used to manage user access to Dynatrace features. It cannot be used to set the "scope". So basically you define new roles in Dynatrace which have a certain set of permissions. The scope of these permissions is defined by a management zone or environment level.
according to doc
User permissions can be also managed with IAM policies, which allow more fine-grained access control. With policies, you can craft your own access permissions and assign them to user groups on either the cluster or environment level just like with the permission mechanism.
i was expecting to be more grained with permissions settings each user its own permission.
how would you manage then multiple instances domains with each instance having its own permissions (at least normal and bind values) having each instance difference from the others. Will we need to create at least 2 Management zone for each instance?????
No, you don't need to create separate zones. On the MZ level you define the scope of your environment (entities), not the permissions.
With RBAC you you have a fixed set permissions such as "Change monitoring settings" which you apply environment wide or for a MZ.
IAM allows you to make these more granular - for example you can define a policy allowing users to define and modify key requests. Still a scope needs to be assigned and the scope is either MZ or environment. IAM is still Early Adopter and not every kind of permission can be applied.
Basically in your case you have two groups. In one group you assign the "View sensitive data" for the management zone in question, for other group you have only "Access environment" permission. IAM is not involved.
The Users in first group will be allowed to see bind variables, users in the second not. You cannot set permissions on a user-level, only on group level and then assign users to groups. IAM policies are not involved here.
so, there is no other form to asign diferent permissions to view data within a service than a mz. so if i see a mz i see all services that apply to that mz. and i cant separate servers within a mz
No, it's not, unfortunately. If you need to have different permissions for services within a management zone, then this is not something IAM will help to solve for you.
what will solve my requirements? any option?
It depends on how your MZ are structured along with your requirements. IAM is about more granular permissions what a user can do and MZ is about where.
So if you need a specific scope of permissions for just few process groups - you need to create a MZ including just those process groups.