17 Aug 2023 12:40 PM - last edited on 22 Aug 2023 07:20 AM by MaciejNeumann
Use case:
I want to allow standard users (currently in the monitoring viewer group) to modify configurations of monitoring extensions V1 and V2 deployed on a tenant.
For example:
1- Create an IAM policy
For read and write permissions on V1 extensions, add the following instructions to the policy:
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read
WHERE settings:schemaId = "builtin:monitored-technologies";
For read and write permissions on V2 extensions, add the following instructions to the policy:
ALLOW extensions:definitions:read,extensions:configurations:read;
ALLOW extensions:definitions:write,extensions:configurations:write;
2- Enable a specific internal flag by support
KNOWN ISSUE (support feedback):
There is a known issue in the product with the V2 extensions IAM policy.
Currently, users to whom you have given the previous policy should be able to edit the extension via the REST API but not on the UI side.
Unless the user has "Manage monitoring settings" (which makes him an admin), it won't let him edit the extension.
A workaround exists because this condition can be avoided by enabling a particular flag on the Dynatrace tenant.
The flag name is "com.compuware.apm.webuiff.HubDisableUiPermissionChecks.hubdupc.feature"
It's an internal flag, so only support can enable it; you have to open a support case or ask directly on the support chat.
3- Create a group, attach the IAM policy and add users to the group
Create a specific group and attach the previous policy. Add users to the group. All users will inherit the policy's permissions.
Additional tips:
- Read-only access on V2 extensions is possible by removing the instruction ALLOW extensions:definitions:write,extensions:configurations:write;
But for me it's not really friendly because the user can modify the configuration (the edit button is enabled) and the error message appears at the validation step.
- Read-only access is not supported for V1 extensions:
The schema ID and schema groups can be used in policies to provide full access to this settings page. Both 'settings:objects:write' and 'settings:objects:read' are required. Read-only access is not supported.
- You can filter permissions on a specific V2 extension by using a condition based on extension-name:
ALLOW extensions:definitions:read,extensions:configurations:read,
extensions:definitions:write,extensions:configurations:write
WHERE extensions:extension-name = "com.dynatrace.extension.sql-server";
Only the filtered extensions will appear on the Dynatrace Hub.
I hope this tip will help some of you.
Regards, Aurélien.
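
The following Python check is an added example, not part of the original post and not Dynatrace code. It parses the policy statements quoted above and reports write permissions that carry no WHERE condition, which is the difference between the tenant-wide V2 statement and the extension-name scoped variant. The parser is a simplified model that assumes only the statement shape seen in the post (`ALLOW perms [WHERE key = "value"];`); the function names and the second extension name used in testing are constructed.

```python
import re

# Statements copied from the post; the parser only handles this simple shape:
#   ALLOW perm[, perm...] [WHERE key = "value"];
POLICY = '''
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read
WHERE settings:schemaId = "builtin:monitored-technologies";
ALLOW extensions:definitions:read,extensions:configurations:read;
ALLOW extensions:definitions:write,extensions:configurations:write;
'''

SCOPED_POLICY = '''
ALLOW extensions:definitions:read,extensions:configurations:read,
extensions:definitions:write,extensions:configurations:write
WHERE extensions:extension-name = "com.dynatrace.extension.sql-server";
'''

STMT = re.compile(
    r'ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<key>[\w:.-]+)\s*=\s*"(?P<val>[^"]*)")?\s*$',
    re.S,
)

def parse(policy):
    """Return [(permissions, condition)]; condition is None or a (key, value) pair."""
    out = []
    for raw in policy.split(";"):  # assumes no ';' inside quoted values
        raw = raw.strip()
        if not raw:
            continue
        m = STMT.match(raw)
        if m is None:
            raise ValueError(f"unsupported statement: {raw!r}")
        perms = [p.strip() for p in m.group("perms").split(",")]
        cond = (m.group("key"), m.group("val")) if m.group("key") else None
        out.append((perms, cond))
    return out

def unscoped_writes(policy):
    """Write permissions granted without a WHERE condition (apply to every object)."""
    return sorted(p for perms, cond in parse(policy) if cond is None
                  for p in perms if p.endswith(":write"))

def allowed(policy, permission, attrs):
    """True if a statement grants the permission and its condition, if any, matches."""
    return any(permission in perms and (cond is None or attrs.get(cond[0]) == cond[1])
               for perms, cond in parse(policy))
```

Running `unscoped_writes` over a policy before attaching it to a group gives a quick review list of the write permissions that are not limited to a schema or extension.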