cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dynatrace- User permission- to create Management zone Synthetics and Credential vault

dharm_0101
Participant

Dear Team,

We have a requirement from customer where they are seeking an information to create a user having permission specifically to create management zone, Synthetics and Credential vault.

Is it possible? If yes kindly suggest how will configure it.

Thanks

Dharmender Singh

12 REPLIES 12

Malaik
DynaMight Champion
DynaMight Champion

Dear,

 

No this is only available for admin,

If the user is part of the admins users, he can do it.

Otherwise, he should ask someone that have the admin access.

 

BRs

Sharing Knowledge

jaume_reverte
Dynatrace Advisor
Dynatrace Advisor

Hello Dharm, 

From your list the only one I know is possible to filter is the creation of management zones, you can achieve it using: 

ALLOW settings:objects:write WHERE settings:schemaId = "builtin:management-zones";

For the rest I don't think is it possible at the moment. 

Hope you a good monitoring! 

Hope you a good monitoring!
Jaume Reverte

Hi Jaume,

How will configure this "ALLOW settings:objects:write WHERE settings:schemaId = "builtin:management-zones"; "can you please suggest?

Hello @dharm_0101 

You can create a policy as per attached example and bind this policy to a user group.

So:

  1. Create a user group and give it a name.
  2. assign the users into it.
  3. create a policy and bind it to the recently created group.

BR,

Peter

Dear Peter,

can you please suggest how will create the policy so that user can create management zone specifically?

BR

Dharm

Hello @dharm_0101 

Regarding user permissions assignments:

  • As of now it's either all or none which means if i need to assign cluster admin permissions to user group it means all users within that group will be able to control the cluster and environment configurations.
  • When we move a narrower scope of user privileges either to give control on environment level or management zone level.
  • For accessing and creating credential vaults: it requires either cluster admin roles or environment permissions as below example 

2024-10-18_15h09_55.png

On the management zone permission to be able to adjust the settings on very narrow scope the below permissions should be assigned.

2024-10-18_15h12_15.png

Hoping it adds value.

KR, 

Peter

Hi @peter

Thanks for suggesting, We are not using Dynatrace managed we are using Dynatrace SaaS, so can you please suggest for Dynatrace SaaS? 
How we can create a user having permission specifically to create management zone, Synthetics and Credential vault.

Thanks

Hi @dharm_0101 

I know I've sent you an example to follow, the same will be applied on SaaS

In SaaS. it's better to create a policy and bind it to group.

KR,

Peter

Dear Peter,

if we give enviornment permission with change monitoring setting I believe user belongs to that group having permission to change any type of settings in Dynatrace right?

correct me if my understanding is wrong?

BR

Dharm

Hi @dharm_0101 

  1. That's correct in case the user has change monitoring settings and access environment he will be able to adjust other configurations.
  2. That's why we are giving change monitoring settings only on management zone permission to avoid faulty configurations which might affect other monitored entities. 

KR,

Peter.

Dear Peter,

Thanks for suggesting!


We have created multiple management zones yet no monitored entities added on those management zones, but we are planning to import synthetics from another Dynatrace environment and add them in these multiple management zones.

If we will give environment and management zone permissions manage monitoring settings and view environment this will limit user's who belongs to this group are able to see and configure/add synthetics on these management zones only or he will have control(View and Change) over other Global or individual monitoring setting configurations for other monitoring entities? 

And with these settings user's is able to create New Management zone, Synthetics and credential vaults or not? Kindly suggest? 

dharm_0101_0-1729347976334.png

BR

Dharm

Hi @dharm_0101 

Good to hear good news.

Make it simple as much as you can to facilitate the DT administration tasks:

  1. The user who is capable of managing the environment wide configurations "will take care of management zones, tags, alerting, ......etc " > Give him environment access and change monitoring settings. 
  2. The power user who is intended for specific management zone "Give him access to MZ only" so he will get access to environment which means the monitoring tenant but won't be able to expose other monitored entities in other management zones., change monitoring settings will be assigned to specific MZ not the whole environment.
  3. It will be good to create proper management zone rules to ensure that the intended user group has access to their specific interest only.
  4. AS simple as that: based on the required privilege to conduct daily tasks assign the proper permissions.

Hoping this adds value.

BR,

Peter.

Featured Posts