Solved: IAM Policy for a "Power User"

Kenny_Gillette · ‎26 Sep 2023

I am working to setup a “Power User” IAM Policy. I have a feeling this is going to be a huge policy.

I found out that you can only have 100 policy statements in an IAM Policy.

Is there a # of IAM Policies that you can attach to a group?

Has anybody done a “Power User” policy?

Basically, I am trying to give them access to make changes on hosts, processes, services and settings that make sense like MZs, services naming rules, Application detection, etc.

Dynatrace Certified Professional

paweljablonski · ‎28 Sep 2023

Did you check if out of the box global policies available in account management view cover your needs?

There is no limit for number of policies bound to particular group, however there is a limit for number of policy bindings within a level - account or environment - 15 000.

Kenny_Gillette · ‎28 Sep 2023

Yes I did and did not see one or two that matched what we trying to do.

Dynatrace Certified Professional

Kenny_Gillette · ‎30 Sep 2023

Is there a max groups that can be created in Dynatrace for SAML SSO?

Dynatrace Certified Professional

paweljablonski · ‎03 Oct 2023

I'm aware of limit of 50k groups for single account

DanielS · ‎28 Sep 2023

Hello @Kenny_Gillette the following is my power user policy:

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name", "builtin:synthetic.browser.scheduling", "builtin:synthetic.http.name", "builtin:synthetic.http.scheduling", "builtin:synthetic.browser.assigned-applications", "builtin:synthetic.http.performance-thresholds", "builtin:synthetic.browser.kpms", "builtin:synthetic.http.assigned-applications", "builtin:synthetic.http.cookies", "builtin:synthetic.browser.performance-thresholds");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.http-parameters", "builtin:failure-detection.service.general-parameters", "builtin:anomaly-detection.metric-events", "builtin:metric.metadata", "builtin:settings.calculated-service-metrics", "builtin:tags.auto-tagging", "builtin:tags.manual-tagging", "builtin:alerting.maintenance-window", "builtin:alerting.profile", "builtin:problem.notifications", "builtin:monitoring.slo");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.mobile.name", "builtin:rum.mobile.key-performance-metrics", "builtin:rum.mobile.request-errors", "builtin:rum.source-mappings", "builtin:rum.web.name", "builtin:rum.web.request-errors", "builtin:rum.web.custom-errors");
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.mutedrequests", "builtin:settings.subscriptions.service");

Dynatrace Certified Professional @ www.dosbyte.com

Kenny_Gillette · ‎29 Sep 2023

Going to try this.

Dynatrace Certified Professional

paweljablonski · ‎03 Oct 2023

I believe the same set of permissions can be granted by assigning "Settings Writer" policy to the user's group.

Kenny_Gillette · ‎21 Dec 2023

Here is my power user policy:

ALLOW environment:roles:viewer;

ALLOW settings:objects:read;

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:nettracer.traffic");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:os-services-monitoring","builtin:os.services.monitoring");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:monitoring.slo","builtin:monitoring.slo.normalization","builtin:issue-tracking.integration");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:ownership.teams","builtin:ownership.config");

ALLOW settings:objects:read,settings:schemas:read WHERE settings:schemaId IN ("builtin:process-visibility","builtin:process.process-monitoring","builtin:process.built-in-process-monitoring-rule","builtin:process-group.detection-flags","builtin:container.technology","builtin:container.monitoring-rule","builtin:container.built-in-monitoring-rule","builtin:process-group.cloud-application-workload-detection");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:naming.processes-and-containers","builtin:processavailability","builtin:process.custom-process-monitoring-rule","builtin:process-group.simple-detection-rule","builtin:process-group.advanced-detection-rule","builtin:declarativegrouping");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.user-experience-score","builtin:usability-analytics","builtin:custom-metrics","builtin:user-action-custom-metrics","builtin:sessionreplay.web.resource-capturing","builtin:rum.web.enablement","builtin:rum.overload-prevention","builtin:rum.web.rum-javascript-updates","builtin:rum.web.custom-rum-javascript-version","builtin:rum.mobile.enablement","builtin:rum.custom.enablement","builtin:synthetic.synthetic-availability-settings","builtin:synthetic.browser.outage-handling","builtin:synthetic.http.outage-handling");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.source-mappings","builtin:rum.ip-mappings","builtin:rum.ip-determination","builtin:rum.provider-breakdown","builtin:rum.web.resource-cleanup-rules","builtin:rum.web.resource-types","builtin:rum.web.app-detection","builtin:rum.host-headers","builtin:rum.web.beacon-domain-origins","builtin:rum.resource-timing-origins");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:cloud.cloudfoundry","builtin:cloud.kubernetes.monitoring");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:virtualization.vmware");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:settings.calculated-service-metrics");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:naming.services","builtin:request-attributes","builtin:apis.detection-rules","builtin:url-based-sampling","builtin:span-capturing","builtin:span-entry-points","builtin:span-context-propagation","builtin:attribute-masking","builtin:attribute-allow-list","builtin:failure-detection.environment.parameters","builtin:failure-detection.environment.rules");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:unified-services-enablement","builtin:unified-services-endpoint-metrics");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:service-detection.full-web-request","builtin:service-detection.full-web-service","builtin:service-detection.external-web-request","builtin:service-detection.external-web-service","builtin:settings.custom-service-detection");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:logmonitoring.custom-log-source-settings","builtin:logmonitoring.timestamp-configuration","builtin:logmonitoring.log-agent-configuration","builtin:logmonitoring.log-dpp-rules","builtin:logmonitoring.log-custom-attributes","builtin:logmonitoring.log-events","builtin:logmonitoring.schemaless-log-metric");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:bizevents.http.incoming","builtin:bizevents-processing-pipelines.rule","builtin:bizevents-security-context-rules","builtin:bizevents-processing-metrics.rule","builtin:bizevents-processing-buckets.rule");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:anomaly-detection.rum-web","builtin:anomaly-detection.rum-mobile","builtin:anomaly-detection.rum-mobile-crash-rate-increase","builtin:anomaly-detection.rum-custom","builtin:anomaly-detection.rum-custom-crash-rate-increase","builtin:anomaly-detection.services","builtin:anomaly-detection.databases","builtin:anomaly-detection.frequent-issues","builtin:anomaly-detection.infrastructure-hosts","builtin:anomaly-detection.infrastructure-disks","builtin:anomaly-detection.infrastructure-aws","builtin:anomaly-detection.infrastructure-vmware","builtin:anomaly-detection.kubernetes.cluster","builtin:anomaly-detection.kubernetes.node","builtin:anomaly-detection.kubernetes.namespace","builtin:anomaly-detection.kubernetes.workload","builtin:anomaly-detection.kubernetes.pvc");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:anomaly-detection.metric-events","builtin:anomaly-detection.disk-rules");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:alerting.profile");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:dashboards.general","builtin:dashboards.presets","builtin:dashboards.image.allowlist");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:custom-unit","builtin:opentelemetry-metrics");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:tokens.token-settings","builtin:remote.environment");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:problem.notifications","builtin:elasticsearch.user-session-export-settings-v2");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:monitoredentities.generic.type","builtin:monitoredentities.generic.relation");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:tags.manual-tagging","builtin:tags.auto-tagging");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:alerting.maintenance-window");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:deployment.oneagent.updates","builtin:deployment.management.update-windows","builtin:deployment.activegate.updates");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:deployment.oneagent.default-version","builtin:oneagent.features","builtin:disk.options","builtin:audit-log","builtin:networkzones","builtin:eec.local","builtin:eula-settings","builtin:activegate-token","builtin:container-registry","builtin:preferences.privacy","builtin:preferences.ipaddressmasking","builtin:sessionreplay.web.privacy-preferences","builtin:hub-channel.subscriptions","builtin:dt-javascript-runtime.allowed-outbound-connections","builtin:management-zones");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:accounting.ddu.limit");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:mainframe.txmonitoring","builtin:mainframe.txstartfilters","builtin:mainframe.mqfilters","builtin:ibmmq.ims-bridges","builtin:ibmmq.queue-sharing-group","builtin:ibmmq.queue-managers");

ALLOW environment:roles:manage-settings WHERE environment:management-zone IN ("PowerUsers");

ALLOW settings:objects:read, settings:schemas:read WHERE settings:schemaId IN ("builtin:host.monitoring.mode","builtin:logmonitoring.custom-log-source-settings");

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:host.monitoring","builtin:host.monitoring.advanced","builtin:container.technology","builtin:disk.options","builtin:disk.analytics.extension","builtin:nettracer.traffic","builtin:exclude.network.traffic","builtin:host.process-groups.monitoring-state","builtin:process-group.detection-flags","builtin:declarativegrouping","builtin:processavailability","builtin:process-visibility","builtin:bizevents.http.incoming","builtin:anomaly-detection.infrastructure-hosts","builtin:anomaly-detection.infrastructure-disks","builtin:deployment.oneagent.updates","builtin:os-services-monitoring","builtin:eec.local","builtin:logmonitoring.timestamp-configuration","builtin:logmonitoring.log-agent-configuration");

DENY settings:objects:write WHERE settings:schemaId IN ("builtin:host.monitoring","builtin:host.monitoring.advanced","builtin:container.technology","builtin:disk.options","builtin:disk.analytics.extension","builtin:nettracer.traffic","builtin:exclude.network.traffic","builtin:host.process-groups.monitoring-state","builtin:process-group.detection-flags","builtin:declarativegrouping","builtin:processavailability","builtin:process-visibility","builtin:bizevents.http.incoming","builtin:anomaly-detection.infrastructure-hosts","builtin:anomaly-detection.infrastructure-disks","builtin:deployment.oneagent.updates","builtin:os-services-monitoring","builtin:eec.local","builtin:logmonitoring.timestamp-configuration","builtin:logmonitoring.log-agent-configuration") AND settings:scope="environment";

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.services","builtin:settings.subscriptions.service","builtin:settings.mutedrequests");

DENY settings:objects:write WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.services","builtin:settings.subscriptions.service","builtin:settings.mutedrequests") AND settings:scope="environment";

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.databases","builtin:settings.subscriptions.service","builtin:settings.mutedrequests");

DENY settings:objects:write WHERE settings:schemaId IN ("builtin:failure-detection.service.general-parameters","builtin:anomaly-detection.databases","builtin:settings.subscriptions.service","builtin:settings.mutedrequests") AND settings:scope="environment";

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:cloud.kubernetes","builtin:cloud.kubernetes.monitoring","builtin:anomaly-detection.kubernetes.cluster","builtin:anomaly-detection.kubernetes.node","builtin:anomaly-detection.kubernetes.namespace","builtin:anomaly-detection.kubernetes.workload","builtin:anomaly-detection.kubernetes.pvc");

DENY settings:objects:write WHERE settings:schemaId IN ("builtin:cloud.kubernetes","builtin:cloud.kubernetes.monitoring","builtin:anomaly-detection.kubernetes.cluster","builtin:anomaly-detection.kubernetes.node","builtin:anomaly-detection.kubernetes.namespace","builtin:anomaly-detection.kubernetes.workload","builtin:anomaly-detection.kubernetes.pvc") AND settings:scope="environment";

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:rum.processgroup","builtin:process-group.monitoring.state","builtin:oneagent.features","builtin:oneagent.side.masking.settings","builtin:availability.process-group-alerting","builtin:alerting.connectivity-alerts","builtin:url-based-sampling");

DENY settings:objects:write WHERE settings:schemaId IN ("builtin:rum.processgroup","builtin:process-group.monitoring.state","builtin:oneagent.features","builtin:oneagent.side.masking.settings","builtin:availability.process-group-alerting","builtin:alerting.connectivity-alerts","builtin:url-based-sampling") AND settings:scope="environment";

Dynatrace Certified Professional