IAM Policy for a "Power User"

Kenny_Gillette
DynaMight Leader

I am working to set up a "Power User" IAM policy. I have a feeling this is going to be a huge policy.


I found out that you can only have 100 policy statements in an IAM Policy.

Is there a maximum number of IAM policies that you can attach to a group?


Has anybody done a “Power User” policy?

Basically, I am trying to give them access to make changes to hosts, processes, services, and settings that make sense, like MZs, service naming rules, application detection, etc.

Dynatrace Certified Professional

paweljablonski
Dynatrace Promoter

Did you check whether the out-of-the-box global policies available in the account management view cover your needs?

There is no limit on the number of policies bound to a particular group; however, there is a limit on the number of policy bindings within a level (account or environment): 15,000.

Yes, I did, and I did not see one or two that matched what we are trying to do.

Dynatrace Certified Professional

Is there a maximum number of groups that can be created in Dynatrace for SAML SSO?

Dynatrace Certified Professional

I'm aware of a limit of 50k groups for a single account.

DanielS
DynaMight Guru

Hello @Kenny_Gillette the following is my power user policy:

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name", "builtin:synthetic.browser.scheduling", "builtin:synthetic.http.name", "builtin:synthetic.http.scheduling", "builtin:synthetic.browser.assigned-applications", "builtin:synthetic.http.performance-thresholds", "builtin:synthetic.browser.kpms", "builtin:synthetic.http.assigned-applications", "builtin:synthetic.http.cookies", "builtin:synthetic.browser.performance-thresholds");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.http-parameters", "builtin:failure-detection.service.general-parameters", "builtin:anomaly-detection.metric-events", "builtin:metric.metadata", "builtin:settings.calculated-service-metrics", "builtin:tags.auto-tagging", "builtin:tags.manual-tagging", "builtin:alerting.maintenance-window", "builtin:alerting.profile", "builtin:problem.notifications", "builtin:monitoring.slo");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.mobile.name", "builtin:rum.mobile.key-performance-metrics", "builtin:rum.mobile.request-errors", "builtin:rum.source-mappings", "builtin:rum.web.name", "builtin:rum.web.request-errors", "builtin:rum.web.custom-errors");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.mutedrequests", "builtin:settings.subscriptions.service");
The true delight is in the finding out rather than in the knowing.

Going to try this.

Dynatrace Certified Professional

I believe the same set of permissions can be granted by assigning the "Settings Writer" policy to the user's group.

Kenny_Gillette
DynaMight Leader

Here is my power user policy:

ALLOW environment:roles:viewer;
ALLOW settings:objects:read;
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:nettracer.traffic");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:os-services-monitoring","builtin:os.services.monitoring");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:monitoring.slo","builtin:monitoring.slo.normalization","builtin:issue-tracking.integration");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:ownership.teams","builtin:ownership.config");
ALLOW settings:objects:read,settings:schemas:read WHERE settings:schemaId IN ("builtin:process-visibility","builtin:process.process-monitoring","builtin:process.built-in-process-monitoring-rule","builtin:process-group.detection-flags","builtin:container.technology","builtin:container.monitoring-rule","builtin:container.built-in-monitoring-rule","builtin:process-group.cloud-application-workload-detection");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:naming.processes-and-containers","builtin:processavailability","builtin:process.custom-process-monitoring-rule","builtin:process-group.simple-detection-rule","builtin:process-group.advanced-detection-rule","builtin:declarativegrouping");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.user-experience-score","builtin:usability-analytics","builtin:custom-metrics","builtin:user-action-custom-metrics","builtin:sessionreplay.web.resource-capturing","builtin:rum.web.enablement","builtin:rum.overload-prevention","builtin:rum.web.rum-javascript-updates","builtin:rum.web.custom-rum-javascript-version","builtin:rum.mobile.enablement","builtin:rum.custom.enablement","builtin:synthetic.synthetic-availability-settings","builtin:synthetic.browser.outage-handling","builtin:synthetic.http.outage-handling");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.source-mappings","builtin:rum.ip-mappings","builtin:rum.ip-determination","builtin:rum.provider-breakdown","builtin:rum.web.resource-cleanup-rules","builtin:rum.web.resource-types","builtin:rum.web.app-detection","builtin:rum.host-headers","builtin:rum.web.beacon-domain-origins","builtin:rum.resource-timing-origins");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:cloud.cloudfoundry","builtin:cloud.kubernetes.monitoring");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:virtualization.vmware");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.calculated-service-metrics");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:naming.services","builtin:request-attributes","builtin:apis.detection-rules","builtin:url-based-sampling","builtin:span-capturing","builtin:span-entry-points","builtin:span-context-propagation","builtin:attribute-masking","builtin:attribute-allow-list","builtin:failure-detection.environment.parameters","builtin:failure-detection.environment.rules");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:unified-services-enablement","builtin:unified-services-endpoint-metrics");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:service-detection.full-web-request","builtin:service-detection.full-web-service","builtin:service-detection.external-web-request","builtin:service-detection.external-web-service","builtin:settings.custom-service-detection");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:logmonitoring.custom-log-source-settings","builtin:logmonitoring.timestamp-configuration","builtin:logmonitoring.log-agent-configuration","builtin:logmonitoring.log-dpp-rules","builtin:logmonitoring.log-custom-attributes","builtin:logmonitoring.log-events","builtin:logmonitoring.schemaless-log-metric");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:bizevents.http.incoming","builtin:bizevents-processing-pipelines.rule","builtin:bizevents-security-context-rules","builtin:bizevents-processing-metrics.rule","builtin:bizevents-processing-buckets.rule");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:anomaly-detection.rum-web","builtin:anomaly-detection.rum-mobile","builtin:anomaly-detection.rum-mobile-crash-rate-increase","builtin:anomaly-detection.rum-custom","builtin:anomaly-detection.rum-custom-crash-rate-increase","builtin:anomaly-detection.services","builtin:anomaly-detection.databases","builtin:anomaly-detection.frequent-issues","builtin:anomaly-detection.infrastructure-hosts","builtin:anomaly-detection.infrastructure-disks","builtin:anomaly-detection.infrastructure-aws","builtin:anomaly-detection.infrastructure-vmware","builtin:anomaly-detection.kubernetes.cluster","builtin:anomaly-detection.kubernetes.node","builtin:anomaly-detection.kubernetes.namespace","builtin:anomaly-detection.kubernetes.workload","builtin:anomaly-detection.kubernetes.pvc");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:anomaly-detection.metric-events","builtin:anomaly-detection.disk-rules");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:alerting.profile");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:dashboards.general","builtin:dashboards.presets","builtin:dashboards.image.allowlist");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:custom-unit","builtin:opentelemetry-metrics");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:tokens.token-settings","builtin:remote.environment");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:problem.notifications","builtin:elasticsearch.user-session-export-settings-v2");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:monitoredentities.generic.type","builtin:monitoredentities.generic.relation");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:tags.manual-tagging","builtin:tags.auto-tagging");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:alerting.maintenance-window");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:deployment.oneagent.updates","builtin:deployment.management.update-windows","builtin:deployment.activegate.updates");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:deployment.oneagent.default-version","builtin:oneagent.features","builtin:disk.options","builtin:audit-log","builtin:networkzones","builtin:eec.local","builtin:eula-settings","builtin:activegate-token","builtin:container-registry","builtin:preferences.privacy","builtin:preferences.ipaddressmasking","builtin:sessionreplay.web.privacy-preferences","builtin:hub-channel.subscriptions","builtin:dt-javascript-runtime.allowed-outbound-connections","builtin:management-zones");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:accounting.ddu.limit");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:mainframe.txmonitoring","builtin:mainframe.txstartfilters","builtin:mainframe.mqfilters","builtin:ibmmq.ims-bridges","builtin:ibmmq.queue-sharing-group","builtin:ibmmq.queue-managers");
ALLOW environment:roles:manage-settings WHERE environment:management-zone IN ("PowerUsers");
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:host.monitoring.mode","builtin:logmonitoring.custom-log-source-settings");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:host.monitoring","builtin:host.monitoring.advanced","builtin:container.technology","builtin:disk.options","builtin:disk.analytics.extension","builtin:nettracer.traffic","builtin:exclude.network.traffic","builtin:host.process-groups.monitoring-state","builtin:process-group.detection-flags","builtin:declarativegrouping","builtin:processavailability","builtin:process-visibility","builtin:bizevents.http.incoming","builtin:anomaly-detection.infrastructure-hosts","builtin:anomaly-detection.infrastructure-disks","builtin:deployment.oneagent.updates","builtin:os-services-monitoring","builtin:eec.local","builtin:logmonitoring.timestamp-configuration","builtin:logmonitoring.log-agent-configuration");
DENY settings:objects:write WHERE settings:schemaId IN ("builtin:host.monitoring","builtin:host.monitoring.advanced","builtin:container.technology","builtin:disk.options","builtin:disk.analytics.extension","builtin:nettracer.traffic","builtin:exclude.network.traffic","builtin:host.process-groups.monitoring-state","builtin:process-group.detection-flags","builtin:declarativegrouping","builtin:processavailability","builtin:process-visibility","builtin:bizevents.http.incoming","builtin:anomaly-detection.infrastructure-hosts","builtin:anomaly-detection.infrastructure-disks","builtin:deployment.oneagent.updates","builtin:os-services-monitoring","builtin:eec.local","builtin:logmonitoring.timestamp-configuration","builtin:logmonitoring.log-agent-configuration") AND settings:scope="environment";
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.services","builtin:settings.subscriptions.service","builtin:settings.mutedrequests");
DENY settings:objects:write WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.services","builtin:settings.subscriptions.service","builtin:settings.mutedrequests") AND settings:scope="environment";
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.databases","builtin:settings.subscriptions.service","builtin:settings.mutedrequests");
DENY settings:objects:write WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.databases","builtin:settings.subscriptions.service","builtin:settings.mutedrequests") AND settings:scope="environment";
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:cloud.kubernetes","builtin:cloud.kubernetes.monitoring","builtin:anomaly-detection.kubernetes.cluster","builtin:anomaly-detection.kubernetes.node","builtin:anomaly-detection.kubernetes.namespace","builtin:anomaly-detection.kubernetes.workload","builtin:anomaly-detection.kubernetes.pvc");
DENY settings:objects:write WHERE settings:schemaId IN ("builtin:cloud.kubernetes","builtin:cloud.kubernetes.monitoring","builtin:anomaly-detection.kubernetes.cluster","builtin:anomaly-detection.kubernetes.node","builtin:anomaly-detection.kubernetes.namespace","builtin:anomaly-detection.kubernetes.workload","builtin:anomaly-detection.kubernetes.pvc") AND settings:scope="environment";
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.processgroup","builtin:process-group.monitoring.state","builtin:oneagent.features","builtin:oneagent.side.masking.settings","builtin:availability.process-group-alerting","builtin:alerting.connectivity-alerts","builtin:url-based-sampling");
DENY settings:objects:write WHERE settings:schemaId IN ("builtin:rum.processgroup","builtin:process-group.monitoring.state","builtin:oneagent.features","builtin:oneagent.side.masking.settings","builtin:availability.process-group-alerting","builtin:alerting.connectivity-alerts","builtin:url-based-sampling") AND settings:scope="environment";
Dynatrace Certified Professional
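As an added audit helper for policies like the ones posted above (example code, not part of this thread and not Dynatrace tooling): the script below parses statement text of the form used in the thread, counts statements against the 100-statement limit mentioned in the question, and reports the effective settings:objects:write access per settings:schemaId. It assumes Dynatrace's DENY-overrides-ALLOW evaluation rule and treats a DENY conditioned on settings:scope="environment" as leaving entity-scoped writes possible; both are assumptions stated in the code. Only the conditions that appear in the thread (settings:schemaId IN (...) and settings:scope = "...") are interpreted; the sample policy inside is constructed for the example.

```python
"""Added audit helper (not Dynatrace tooling): parse a Dynatrace IAM policy,
count its statements against the per-policy limit, and summarise effective
settings:objects:write access per settings:schemaId."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

STATEMENT_LIMIT = 100  # per-policy statement limit quoted in the thread

# <EFFECT> <perm>[, <perm>...] [WHERE <condition>]   (one statement, ';' stripped)
STMT_RE = re.compile(r"^(ALLOW|DENY)\s+(.+?)(?:\s+WHERE\s+(.+))?$")
SCHEMA_RE = re.compile(r"settings:schemaId\s+IN\s*\(([^)]*)\)")
SCOPE_RE = re.compile(r'settings:scope\s*=\s*"([^"]*)"')


@dataclass
class Statement:
    effect: str                                          # "ALLOW" or "DENY"
    permissions: list[str]
    schema_ids: list[str] = field(default_factory=list)  # [] = any schema
    scope: Optional[str] = None                          # e.g. "environment"; None = any scope


def parse_policy(text: str) -> list[Statement]:
    """Split policy text on ';' and parse each statement.
    Only the conditions used in the thread are understood
    (settings:schemaId IN (...) and settings:scope = "..."); any other
    condition is left out of the analysis rather than guessed at."""
    statements: list[Statement] = []
    for raw in text.split(";"):
        raw = " ".join(raw.split())  # collapse newlines and runs of spaces
        if not raw:
            continue
        m = STMT_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable statement: {raw!r}")
        effect, perms, cond = m.groups()
        schema_ids: list[str] = []
        scope = None
        if cond:
            if (sm := SCHEMA_RE.search(cond)):
                schema_ids = re.findall(r'"([^"]+)"', sm.group(1))
            if (sc := SCOPE_RE.search(cond)):
                scope = sc.group(1)
        statements.append(
            Statement(effect, [p.strip() for p in perms.split(",")], schema_ids, scope)
        )
    return statements


def within_statement_limit(statements: list[Statement], limit: int = STATEMENT_LIMIT) -> bool:
    return len(statements) <= limit


def write_access(statements: list[Statement]) -> dict[str, str]:
    """Effective settings:objects:write per schemaId ("*" = any schema).
    Assumed evaluation rule: DENY overrides ALLOW regardless of order.
    A DENY conditioned on settings:scope="environment" blocks only the
    environment-wide object, so the schema is reported as
    'entity-scope only' rather than 'none'."""
    allowed: set[str] = set()
    denied_all: set[str] = set()
    denied_env: set[str] = set()
    for s in statements:
        if "settings:objects:write" not in s.permissions:
            continue
        ids = s.schema_ids or ["*"]  # unconditional write grant/deny
        if s.effect == "ALLOW":
            allowed.update(ids)
        elif s.scope == "environment":
            denied_env.update(ids)
        else:
            denied_all.update(ids)
    result: dict[str, str] = {}
    for sid in sorted(allowed):
        if sid in denied_all or "*" in denied_all:
            result[sid] = "none"
        elif sid in denied_env or "*" in denied_env:
            result[sid] = "entity-scope only"
        else:
            result[sid] = "full"
    return result


# Constructed sample, modelled on the statements posted in the thread.
SAMPLE_POLICY = """
ALLOW settings:objects:read;
ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:management-zones");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:tags.auto-tagging","builtin:alerting.profile");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:host.monitoring","builtin:oneagent.features");
DENY settings:objects:write WHERE settings:schemaId IN ("builtin:host.monitoring","builtin:oneagent.features") AND settings:scope="environment";
"""

if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    print(f"{len(stmts)} statements, within limit: {within_statement_limit(stmts)}")
    for sid, access in write_access(stmts).items():
        print(f"{sid:40} write: {access}")
```

Run it against a full policy by replacing SAMPLE_POLICY with the pasted statement text; a schema that shows up as "full" is one a power user can change environment-wide, which is the list worth reviewing before the policy is bound to a group. Statements that grant other permissions (for example environment:roles:manage-settings scoped by management zone) are parsed but not counted as settings writes.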