Solved: Re: RBAC to ABAC migration helper scripts: Notebook and PowerShell

Jon2 · ‎02 Oct 2024

The attached Zip file contains two scripts that are provided 'as is' to help Administrators planning on migrating their Dynatrace role-based permissions to attribute-based ones in order to leverage the IAM policies.

One script comes in the form of a Notebook export, which you can import and execute in your Dynatrace. The other is a PowerShell script which you can run from any machine with PowerShell installed and access to the Internet.

Both script serve the same purpose; they generate a list of RBAC permissions you have currently assigned to your groups. For each discoveredRBAC permission they also recommend potential replacement with permissions defined within policies.

Scripts connect to your Dynatrace using your provided OAuth token and generate current RBAC role assignments within your Dynatrace.

Pre-Reqs:

Generate an OAuth Client within Account Management -> Identity and access management -> OAuth clients) with following permissions:
- "View users and groups" = account-idm-read
- "View and manage policies" = iam-policies-management, iam:policies:write, iam:policies:read, iam:bindings:write, iam:bindings:read, iam:effective-permissions:read
- "View environments" = account-env-read, which allows reading ClientID and Secret from a credential

JonU2 · ‎04 Nov 2024

Some users have reported and error when using credentialVault to retrieve your OAuth clientId/Secret and enable lines 47-57 of the notebook script. In this case, line 49 of this script (import { credentialVaultClient } from "@dynatrace-sdk/client-classic-environment-v2";) needs to go outside the export, so in line one.

pmilbrandt · ‎05 Dec 2024

The Notebook script times out after 120 seconds, is there a way to increase the timeout?

{
"error": {
"code": 541,
"message": "Execution crashed.",
"details": {
"logs": "",
"type": "TIMEOUT",
"message": "Timeout limit (120s) exceeded"
}
}
}

Jon2 · ‎06 Dec 2024

This could be related to the default AppEngine 120 max execution timeout AppEngine Functions (Serverless Functions) which I do not think is configurable.

Maybe consider doing the same but with the provided PowerShell script if that is possible for you. The syntax from a terminal window is:

AssessRBACPermissions.ps1 <clientId> <clientSecret>

pmilbrandt · ‎09 Dec 2024

After a bit of tweaking the powershell script, I was able to get that to run successfully.

Thanks!

pmilbrandt · ‎12 Dec 2024

Although I did get the powershell version of this to work, it doesn't provide the same information that is listed in the documentation (Migrate role-based permissions to Dynatrace IAM policies — Dynatrace Docs). Namely it's missing the recommended policies. That would be the part that would be especially helpful.

From documentation:

Actual powershell results:

Jon2 · ‎12 Dec 2024

Most likely a screen res. issue on the terminal window. Lower res should show it.

Alternatively, since you already touched the ps file, you can instead export out to .csv
Replace this line at the end of the script:

$candidateRBACPermissions | Format-Table -AutoSize -Wrap

with this:
$candidateRBACPermissions | Export-Csv -path ./Output.csv

If running Windows OS might need to tweak the path...

pmilbrandt · ‎12 Dec 2024

Thanks Jon, CSV is a much better options for us anyway, great suggestion.