cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

I’m using default policies, but I’d like to restrict permissions further. How do I do that?

GosiaMurawska
Community Team
Community Team

How can you restrict read access to settings for a user group with the "Standard User" policy applied?

1 REPLY 1

Jon2
Dynatrace Helper
Dynatrace Helper

There are basically two mechanisms to consider. If for example one of the default policies you are using with a user group is too permissive or too restrictive, you can consider constricting or relaxing that permission through a separate custom policy that you can then apply to the same group. 

Say you do not want users of a group with default “Standard User” policy applied to be able to read settings, even though this is granted through that policy. You can create a new custom policy with:  

DENY settings:objects:read, settings:schemas:read, app-settings:objects:read; 

And assign it to the same group. 

Another powerful mechanism for restricting permissions granted through default policies (or even own custom policies) is using policy boundaries. These help further restrict group permissions by allowing you to add your specific business-specific conditions. 

For example, say a number of your user groups have the “Storage All Grail Data Read” permission applied but you only want to allow read access to a specific bucket. In that case, you can create a new policy boundary with the following condition: 

Storage:bucket-name="myBucketNameHere"; 

Featured Posts