Re: Custom policy to tags entities in INFRASTRUCTURE & OPERATION app

AurelienGravier · ‎19 Mar 2025

Hello,

I was using this custom policy to allow standard users to assign manual tags on the "Host Classic" app :

ALLOW settings:schemas:read, settings:objects:read WHERE settings:schemaId = "builtin:tags.manual-tagging";
ALLOW settings:objects:write WHERE settings:schemaId = "builtin:tags.manual-tagging";

However, this policy is no longer working with the "INFRASTRUCTURE & OPERATION" app :

I can fix the issue by adding the environment-roles-manage-settings permission, but this applies to all settings.
I would like to restrict it only to modifying tags on entities, or at least to modifying settings exclusively within the "INFRASTRUCTURE & OPERATION" app.

Do you have any ideas?

Thank you. Regards Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified

gjedrzejewsk · ‎20 Mar 2025

Hi Aurélien,

Thank you for reaching out. We're investigating this issue. For a better communication please create an RFA.

Regards,

Grzegorz Jędrzejewski

Product Owner @ Infrastructure & Operations app

AurelienGravier · ‎20 Mar 2025

Hello and thank you @gjedrzejewsk

The RFA is 450946 for the moment no clear answer from support.
Regards Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified

AurelienGravier · ‎25 Mar 2025

Hi @gjedrzejewsk

Have you made any progress in your investigation so far?

Thank you.

Observability consultant - Dynatrace Associate/Pro/Services certified

gjedrzejewsk · ‎26 Mar 2025

Hi @AurelienGravier
I've checked the Zendesk ticket you referred to. The key point here is what you wrote on March 19th:
"if I use environment-roles-manage-settings, I can tag entities correctly. However, this is too permissive (...)"
Unfortunately, at this moment we cannot provide more granularity for permissions in the I&O app.
For future improvements in that area, I let @michal_nalezin explain.

Product Owner @ Infrastructure & Operations app

AurelienGravier · ‎26 Mar 2025

Thank you for your feeback.
Effectively, It's too permissive because if I use it, users will have access to all settings and be able to modify them 🙄.

Observability consultant - Dynatrace Associate/Pro/Services certified

AurelienGravier · ‎31 Mar 2025

Hello @michal_nalezin

Support is telling me that the only way to allow certain users to manually add a tag from the Infra & Ops app is to grant them write access to all settings.
What are the prospects regarding this limitation, please? Should I create an RFE?

Thank you.

Support feedback :
Unfortunately I think this is just a limitation of the infrastructure app at the moment. It's tagging the hosts through an older method to which only the classic permissions apply, like manage-settings.
I'm not sure there's anything we can do about this right now. I'll reach out to the team to see if there's any timeline for when the permissions will be changed to support this.

Observability consultant - Dynatrace Associate/Pro/Services certified

Geri_Puskas · ‎14 Apr 2025

Hello @AurelienGravier let me check the technicalities with the team and get back to you.