
Mask logs for some roles

fTrujillo
Visitor

Hi, team

Is there a way to mask log fields for specific roles?

I'd like Team A to have access to the original data, while Team B would like the field masked.

 

 


AravindhanV
Advisor

Hi @fTrujillo

You can create the user roles according to your approach (RBAC or ABAC), with admin and monitor/view roles, by restricting the role "sensitive-request-data" in the policy.

With the Admin and Viewer roles, you can now maintain two sets of users to control the permission to see the data in logs.

Now you can create your rule to mask the data from the logs.

Refer to the link below for steps.

Sensitive data masking in OneAgent — Dynatrace Docs

Please be aware that this role will be applicable for masking the information in Traces, User session and Other areas as well.

Hope this is helpful.

Add On:  Upgrade role-based permissions to Dynatrace IAM policies — Dynatrace Docs - helps you to understand the Policies and permissions

Thanks

 
aravind

ChadTurner
DynaMight Legend

FYI - What @AravindhanV showcased, while true, will not allow you to "UnMask". The word is a bit misleading and I've provided this feedback to Dynatrace. There are a few things to note with that Log 'masking segment'.

Only applies to ingested logs from the OneAgent.  
REPLACES the data before ingesting rather than masking it.
Will not allow you to 'unmask' the data as the data was replaced before it was ingested. 

These rules will apply to all users of Dynatrace as Original data / Replaced data is not stored in tandem. Only Replaced data is stored. 

-Chad

AustinSabel
Dynatrace Enthusiast

Hi @fTrujillo 

While we don't support conditional masking based on role, we do have field permission options in Grail: https://docs.dynatrace.com/docs/discover-dynatrace/platform/grail/data-model/assign-permissions-in-g...

This means that you can send data unmasked for ingestion, extract sensitive data to their own fields in the log record, then obfuscate/mask the original content field. Finally, using IAM policies, they could restrict user access to the unmasked fields by group.
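The two approaches discussed in this thread, modeled side by side as an added example (not from any poster and not Dynatrace configuration or API): replacing the value before ingestion versus extracting it to its own field, masking `content`, and gating that field by group. The field name `card.number`, the group names, the grant table and the sample record are all constructed assumptions.

```python
import re

# Constructed sample record; the card number is a well-known test value.
SAMPLE = {"timestamp": "2025-04-11T06:10:00Z",
          "content": "payment failed for card 4111111111111111 user=alice"}

CARD = re.compile(r"\b\d{13,16}\b")
SENSITIVE_FIELD = "card.number"  # hypothetical field name
# Hypothetical group-to-field grants standing in for IAM policies.
FIELD_GRANTS = {"team-a": {SENSITIVE_FIELD}, "team-b": set()}


def replace_before_ingest(record):
    """Agent-side replacement: the original value never reaches storage,
    so no role can recover it later."""
    out = dict(record)
    out["content"] = CARD.sub("*****", out["content"])
    return out


def extract_then_mask(record):
    """Ingest unmasked, copy sensitive values to their own field,
    then mask the original content field."""
    out = dict(record)
    found = CARD.findall(out["content"])
    if found:
        out[SENSITIVE_FIELD] = found
        out["content"] = CARD.sub("*****", out["content"])
    return out


def view_for(group, stored):
    """Return the stored record as a member of `group` may read it.
    Groups without an explicit grant are denied the sensitive field."""
    allowed = FIELD_GRANTS.get(group, set())
    return {k: v for k, v in stored.items()
            if k != SENSITIVE_FIELD or k in allowed}


if __name__ == "__main__":
    stored = extract_then_mask(SAMPLE)
    for group in ("team-a", "team-b"):
        print(group, view_for(group, stored))
    print("replaced:", replace_before_ingest(SAMPLE))
```

In this model every group sees the masked `content`; only the extracted field differs by group, so the grant on that field is the control to audit.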
