Mask logs for some roles

fTrujillo · ‎10 Apr 2025

Hi, team

Is there a way to mask log fields for specific roles?

I'd like Team A to have access to the original data, while Team B would like the field masked.

AravindhanV · ‎11 Apr 2025

You can create the User roles respective to your approach RBAC or ABAC with admin and monitor/view role by by restricting the role "sensitive-request-data" in the policy.

With Admin and Viewer role now you can maintain two set of users to control the permission of seeing the data in logs.

Now, you can create your rule to mask the data from the logs

refer the below link for steps.

Sensitive data masking in OneAgent — Dynatrace Docs

Please be aware that this role will be applicable for masking the information in Traces, User session and Other areas as well.

Hope this help full.

Add On: Upgrade role-based permissions to Dynatrace IAM policies — Dynatrace Docs - helps you to understand the Policies and permissions

Thanks

aravind

ChadTurner · ‎11 Apr 2025

FYI - What @AravindhanV showcased, while true, it will not allow you to "UnMask". The word is a bit misleading and I've provided this feedback to Dynatrace. There are a few things to note with that Log 'masking segment'.

Only applies to ingested logs from the OneAgent.
REPLACES the data before ingesting rather than masking it.
Will not allow you to 'unmask' the data as the data was replaced before it was ingested.

These rules will apply to all users of Dynatrace as Original data / Replaced data is not stored in tandem. Only Replaced data is stored.

-Chad