How to grant access to a user to only access data/entities/etc for a specific Management Zone or equivalent

ajvillarroelp1
Visitor

Hi,

I've been trying to do this but I could not find a solution.

user "A" belongs to Group "G"

Objective:

- user A: access to the environment

- user A: read access to host/process/service data for only the entities in MZ "M".

What permissions or custom policy should I specify to accomplish this? Please provide details here.

Any help is appreciated.

Regards,

Antonio


3 REPLIES

DanielS
DynaMight Guru

Hello @ajvillarroelp1 I can share with you the main points to be able to do it:

  1. The concept of MZ has been deprecated in the new environment, so you need to use the dt.security_context field. With this in mind, Dynatrace provides us with the option to set dt.security_context for any entity easily.
  2. Go to Settings - Topology model - Grail security context for monitored entities and bind your entities to the Management Zones.
  3. This example applies to entities:


//Grail read data
ALLOW storage:entities:read;
//Bucket access is a separate permission; limit it to the entities table
ALLOW storage:buckets:read WHERE storage:table-name IN ("entities");


  • Then create a boundary to apply to this policy, using your MZ name:


storage:dt.security_context = "<Your MZ Name>";


  • Then you need to replicate this for other data (metrics, etc.) with different policies.
  • To give user A access you can use this standard policy (feel free to modify as needed):


//States
ALLOW state:app-states:delete, state:app-states:read, state:app-states:write, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all;

//Documents
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;

//Unified analysis screens
ALLOW unified-analysis:screen-definition:read;

//Grail
ALLOW storage:bucket-definitions:read;
ALLOW storage:fieldset-definitions:read;
ALLOW storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete;

//OpenPipeline
ALLOW openpipeline:configurations:read;

//Hub
ALLOW hub:catalog:read;

//AppEngine
ALLOW app-engine:apps:run, app-engine:functions:run, app-engine:edge-connects:read;

//Notifications
ALLOW email:emails:send, notification:self-notifications:read, notification:self-notifications:write;

//AutomationEngine
ALLOW automation:workflows:read, automation:calendars:read, automation:rules:read;
ALLOW automation:workflows:write WHERE automation:workflow-type = "SIMPLE";
ALLOW automation:workflows:run;

//Davis
ALLOW davis:analyzers:read, davis-copilot:conversations:execute, davis-copilot:nl2dql:execute, davis:analyzers:execute;

//Settings
ALLOW settings:objects:read, settings:schemas:read, app-settings:objects:read;

//Classics
ALLOW environment:roles:viewer, environment:roles:view-security-problems;

//Geolocations
ALLOW geolocation:locations:lookup;

// Vulnerability service
ALLOW vulnerability-service:vulnerabilities:read;

//SLOs
ALLOW slo:slos:read, slo:objective-templates:read;

//BusinessInsights
ALLOW insights:opportunities:read;


The true delight is in the finding out rather than in the knowing.

DanielS
DynaMight Guru

For further reading, I also posted a similar solution here.


ajvillarroelp1
Visitor

Hi,

Thank you for the answer. In the end, the solution that worked for me was this:

1. Create a boundary:

environment:management-zone = "MZNAME";
storage:dt.security_context = "MZNAME";

2. Add the following custom policy (let's call it ACCESSREAD):

ALLOW environment:roles:viewer;
ALLOW storage:entities:read;

3. Assign the ACCESSREAD policy to the group, indicating the boundary created in the first step.

4. Assign the following permissions to the group, indicating the boundary created in the first step:

Read Entities, Standard User, Read Events, Read Security Events, All Grail data read access


Thanks again for the help.

Regards,

Antonio
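Putting DanielS's entities example, his note about replicating it for other data types, and Antonio's final boundary together: the following is an added example, not code posted in this thread and not Dynatrace's own documentation. It shows one custom policy plus one boundary that scopes read access for entities, metrics, logs and events to a single management zone. The MZ name "MZNAME" is taken from Antonio's post; the Grail table names "metrics", "logs" and "events" and the matching storage:*:read permissions are assumptions for the illustration, and the example assumes the "Grail security context for monitored entities" rule from DanielS's step 2 has already stamped dt.security_context = "MZNAME" on the entities in that zone (without it the boundary matches no records and the user sees nothing).

```text
// Added example (not from the thread). Assumes MZ "MZNAME" and that the
// Settings > Topology model > "Grail security context for monitored entities"
// rule already sets dt.security_context = "MZNAME" on the zone's entities.

// --- Policy: MZ-scoped read (bind it to the group WITH the boundary below) ---

// Grail record types a viewer needs; each type is a separate permission
ALLOW storage:entities:read;
ALLOW storage:metrics:read;
ALLOW storage:logs:read;
ALLOW storage:events:read;

// Bucket access is separate from record access; restrict it to those tables
ALLOW storage:buckets:read WHERE storage:table-name IN ("entities", "metrics", "logs", "events");

// Host/process/service screens still need the classic viewer role
ALLOW environment:roles:viewer;

// --- Boundary: MZ scope (attach when binding the policy to group "G") ---

// Both conditions are needed: the classic role is scoped by the
// management-zone condition, the storage:* statements by the
// security context stamped on each Grail record.
environment:management-zone = "MZNAME";
storage:dt.security_context = "MZNAME";
```

Two checks before handing this to users: first, Dynatrace IAM permissions are additive (there is no deny statement), so if group "G" also holds an unbounded policy or a built-in permission such as "All Grail data read access" without the same boundary, that binding grants environment-wide reads and the scoping here is silently undone; audit every policy bound to the group, not just this one. Second, log in as a member of "G" and run `fetch dt.entity.host` in a notebook: only hosts that carry dt.security_context = "MZNAME" should be returned, and an empty result usually means the security-context rule has not been applied to the entities yet.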
