cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IAM Policy - Read and write permissions on extensions configurations

AurelienGravier
DynaMight Champion
DynaMight Champion

Use case :

I want to allow standard users (currently on monitoring viewer group) to modify configurations of monitoring extensions V1 and V2 deployed on a tenant.

For example: 

  • Add a new SQL server endpoint on Sql Server Extension (V2.0)
  • Modify a db query a "Generic DB Query Plugin" (V1.0) endpoint
  • Remove a device from "Generic Cisco Device" configuration


1- Create an IAM policy

For Read and write permissions on V1 extensions, add the followings instructions on the policy :
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read
WHERE settings:schemaId = "builtin:monitored-technologies";

For Read and write permissions on V2 extensions, add the followings instructions on the policy :
ALLOW extensions:definitions:read,extensions:configurations:read;
ALLOW extensions:definitions:write,extensions:configurations:write;

2023-08-17_11h56_44.png

2- Enable a specific internal flag by support

 

KNOWN ISSUE (support feedback) :

There is a known issue on product with V2 extensions IAM Policy.
Actually the users that you have given them the previoous policy should be able to edit the extension via Rest API but not on the UI side.
Unless user has "Manage monitoring settings" (which makes him an admin) it wont let him edit the extension.

A workaround exists because this condition can be avoided by enabling a particular flag on dynatrace tenant.
The flag name is "com.compuware.apm.webuiff.HubDisableUiPermissionChecks.hubdupc.feature"
It's an internal flag so only the support can enable it, so you have to create a case support or to ask directly on chat support.

 

3- Create a group, attach the IAM policy and add users to the group

Create a specific group and attach the previous policy. Add users to the group. All users will inherit from policy permissions.

 

 

Additionnal tips :
- Readonly access on V2 extensions is possible by removing the instruction ALLOW extensions:definitions:write,extensions:configurations:write;
But for me it's not really friendly because the user can modify configuration (edit button is enabled) and the error message appears at the validation step.

2023-08-17_11h24_45.png

 

 

 

 

- Readonly access it's not supported for V1 extensions :
The schema ID and schema groups can be used in policies to provide full access to this settings page. Both 'settings:objects:write' and 'settings:objects:read' are required. Read-only access is not supported.

2023-08-17_13h19_19.png

 

- You can filter permissions on a specific V2 extension by using a condition based on extension-name :
ALLOW extensions:definitions:read,extensions:configurations:read,
extensions:definitions:write,extensions:configurations:write
WHERE extensions:extension-name = "com.dynatrace.extension.sql-server";

Only extensions filtered will appear on dynatrace hub :

AurelienGravier_0-1692271209849.png

 

I hope this tip will help some of you.

Regards, Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified
0 REPLIES 0

Featured Posts