
RBAC to ABAC migration helper scripts: Notebook and PowerShell

Jon2
Dynatrace Enthusiast

The attached Zip file contains two scripts that are provided 'as is' to help Administrators planning on migrating their Dynatrace role-based permissions to attribute-based ones in order to leverage the IAM policies.

One script comes in the form of a Notebook export, which you can import and execute in your Dynatrace. The other is a PowerShell script which you can run from any machine with PowerShell installed and access to the Internet.

Both scripts serve the same purpose: they generate a list of the RBAC permissions you currently have assigned to your groups. For each discovered RBAC permission, they also recommend a potential replacement with permissions defined within policies.

Scripts connect to your Dynatrace using your provided OAuth token and generate current RBAC role assignments within your Dynatrace.

Pre-Reqs:

  • Generate an OAuth Client (within Account Management -> Identity and access management -> OAuth clients) with the following permissions:
    • "View users and groups" = account-idm-read
    • "View and manage policies" = iam-policies-management, iam:policies:write, iam:policies:read, iam:bindings:write, iam:bindings:read, iam:effective-permissions:read
    • "View environments" = account-env-read, which allows reading ClientID and Secret from a credential
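
A pre-flight check for the prerequisites above, as an added example (not part of the original post or the attached scripts): it requests a token for the listed scopes and reports any that the OAuth client was not granted, reading the secret from a prompt so it stays out of shell history. The token endpoint URL, the `resource` format, the `scope` field of the response and the parameter names `ClientId` and `AccountUuid` are assumptions, not taken from the post.

```powershell
# Added example. $ClientId and $AccountUuid are values you supply (assumed parameter names).
param(
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $AccountUuid
)

# Scopes exactly as listed in the prerequisites of the post.
$requested = @(
    'account-idm-read', 'iam-policies-management',
    'iam:policies:write', 'iam:policies:read',
    'iam:bindings:write', 'iam:bindings:read',
    'iam:effective-permissions:read', 'account-env-read'
)

# Prompt for the secret so it is not typed on a command line or saved in history.
$secure = Read-Host -Prompt 'OAuth client secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

$body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $secret
    scope         = $requested -join ' '
    resource      = "urn:dtaccount:$AccountUuid"   # assumed resource format
}

try {
    # Assumed token endpoint; a hashtable body is sent form-encoded on POST.
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://sso.dynatrace.com/sso/oauth2/token' `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
} catch {
    Write-Error "Token request failed: $($_.Exception.Message)"
    exit 1
} finally {
    # Drop the plaintext secret from the session whether or not the call worked.
    Remove-Variable secret, body -ErrorAction SilentlyContinue
}

# Compare granted scopes with the requested ones; never print the token itself.
$granted = @($resp.scope -split '\s+' | Where-Object { $_ })
$missing = @($requested | Where-Object { $_ -notin $granted })

if ($missing.Count -gt 0) {
    Write-Warning "Scopes not granted to this client: $($missing -join ', ')"
    exit 2
}
Write-Output "All $($requested.Count) scopes granted; token expires in $($resp.expires_in)s."
```
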
3 REPLIES

JonU2
Newcomer

Some users have reported an error when using credentialVault to retrieve your OAuth clientId/Secret and enable lines 47-57 of the notebook script. In this case, line 49 of this script (import { credentialVaultClient } from "@dynatrace-sdk/client-classic-environment-v2";) needs to go outside the export, so in line one.

pmilbrandt
Visitor

The Notebook script times out after 120 seconds. Is there a way to increase the timeout?

{
  "error": {
    "code": 541,
    "message": "Execution crashed.",
    "details": {
      "logs": "",
      "type": "TIMEOUT",
      "message": "Timeout limit (120s) exceeded"
    }
  }
}

Jon2
Dynatrace Enthusiast

This could be related to the default AppEngine 120 max execution timeout for AppEngine Functions (Serverless Functions), which I do not think is configurable.

Maybe consider doing the same but with the provided PowerShell script if that is possible for you. The syntax from a terminal window is:

AssessRBACPermissions.ps1 <clientId> <clientSecret>
