26 Sep 2023 09:11 PM - last edited on 27 Sep 2023 09:17 AM by MaciejNeumann
I am working to set up a “Power User” IAM Policy. I have a feeling this is going to be a huge policy.
I found out that you can only have 100 policy statements in an IAM Policy.
Is there a # of IAM Policies that you can attach to a group?
Has anybody done a “Power User” policy?
Basically, I am trying to give them access to make changes on hosts, processes, services and settings that make sense like MZs, services naming rules, Application detection, etc.
Did you check if out of the box global policies available in account management view cover your needs?
There is no limit for number of policies bound to particular group, however there is a limit for number of policy bindings within a level - account or environment - 15 000.
Yes, I did, and did not see one or two that matched what we are trying to do.
Is there a max groups that can be created in Dynatrace for SAML SSO?
I'm aware of a limit of 50k groups for a single account.
Hello @Kenny_Gillette the following is my power user policy:
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name", "builtin:synthetic.browser.scheduling", "builtin:synthetic.http.name", "builtin:synthetic.http.scheduling", "builtin:synthetic.browser.assigned-applications", "builtin:synthetic.http.performance-thresholds", "builtin:synthetic.browser.kpms", "builtin:synthetic.http.assigned-applications", "builtin:synthetic.http.cookies", "builtin:synthetic.browser.performance-thresholds");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.http-parameters", "builtin:failure-detection.service.general-parameters", "builtin:anomaly-detection.metric-events", "builtin:metric.metadata", "builtin:settings.calculated-service-metrics", "builtin:tags.auto-tagging", "builtin:tags.manual-tagging", "builtin:alerting.maintenance-window", "builtin:alerting.profile", "builtin:problem.notifications", "builtin:monitoring.slo");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.mobile.name", "builtin:rum.mobile.key-performance-metrics", "builtin:rum.mobile.request-errors", "builtin:rum.source-mappings", "builtin:rum.web.name", "builtin:rum.web.request-errors", "builtin:rum.web.custom-errors");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.mutedrequests", "builtin:settings.subscriptions.service");
Going to try this.
I believe the same set of permissions can be granted by assigning the "Settings Writer" policy to the user's group.
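An added example, not part of any post in this thread and not Dynatrace tooling: a Python check that parses policy statements of the shape posted above, counts them against the 100-statement limit mentioned in the question, and flags write grants with no WHERE condition and schema IDs repeated across statements. The sample policy is constructed (abridged from the post, plus one unscoped statement), and the parser assumes only the `ALLOW ... WHERE settings:schemaId IN (...)` form seen in this thread.

```python
import re

MAX_STATEMENTS = 100  # per-policy statement limit quoted in the thread

# Constructed sample: two statements abridged from the thread, plus one
# unscoped write statement added to show what the audit flags.
SAMPLE_POLICY = '''
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:tags.auto-tagging", "builtin:alerting.profile");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.mutedrequests", "builtin:alerting.profile");
ALLOW settings:objects:write;
'''

# Assumption: every statement is "ALLOW <perms> [WHERE <condition>]".
STATEMENT_RE = re.compile(r'ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<cond>.+))?$', re.S)

def parse_policy(text):
    """Split a policy on ';' and return one dict per statement."""
    statements = []
    for raw in text.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        m = STATEMENT_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed statement: {raw[:40]!r}")
        cond = m['cond'] or ''
        schemas = re.findall(r'"([^"]+)"', cond) if 'settings:schemaId' in cond else []
        statements.append({'perms': [p.strip() for p in m['perms'].split(',')],
                           'schemas': schemas, 'scoped': bool(cond)})
    return statements

def audit(text):
    """Report statement count, unscoped write grants and repeated schema IDs."""
    stmts = parse_policy(text)
    seen, dupes, unscoped = set(), set(), []
    for index, stmt in enumerate(stmts, 1):
        writes = any(p.endswith(':write') for p in stmt['perms'])
        if writes and not stmt['scoped']:
            unscoped.append(index)  # write permission with no WHERE restriction
        for schema in stmt['schemas']:
            (dupes if schema in seen else seen).add(schema)
    return {'statement_count': len(stmts),
            'within_limit': len(stmts) <= MAX_STATEMENTS,
            'unscoped_write': unscoped,
            'duplicate_schemas': sorted(dupes),
            'schemas': sorted(seen)}

if __name__ == '__main__':
    for key, value in audit(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

Running the audit before binding a policy to a group makes it easy to review exactly which settings schemas the group will be able to write.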