17 Jun 2024 07:15 PM - last edited on 18 Jun 2024 07:58 AM by MaciejNeumann
Hi folks,
I am looking to lock down the ability to view logs from a certain host group with the following IAM policy:
"ALLOW storage:logs:read WHERE storage:dt.host_group.id = "Hostgroup2";"
In theory this should lock down my user to only be able to view logs written by hosts in "Hostgroup2"; HOWEVER, when applying the policy my user is still able to see logs written by all host groups.
Is anyone able to advise? I have followed the syntax and conditions defined in the IAM service reference documentation.
17 Jun 2024 07:23 PM
You can see from the Policy review below the condition is set but does not take effect:
18 Jun 2024 09:59 AM - edited 18 Jun 2024 10:46 AM
Hi @JamesD09,
Have you checked with the "effective policies" tool whether there isn't another access right that would extend this policy and make this limitation ineffective?
You also have to check that no RBAC permission gives the user more rights over logs than you'd expect.
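The point of the answer above is that ALLOW statements are additive: a second, unconditioned grant of `storage:logs:read` reaching the same user (through another policy binding or a group) makes the host-group condition irrelevant, which is exactly what the "effective policies" view is there to reveal. The following is an added, simplified model of that behaviour written for this thread; it is not Dynatrace's policy evaluator, the `SAMPLE_LOGS` records are constructed, and the `host_group` field plus the `ATTRIBUTE_MAP` translation of `storage:dt.host_group.id` are assumptions made for the illustration.

```python
import re

# Constructed sample log records; "host_group" stands in for the
# storage:dt.host_group.id attribute the policy condition refers to.
SAMPLE_LOGS = [
    {"id": 1, "host_group": "Hostgroup1", "content": "nginx: 200 GET /"},
    {"id": 2, "host_group": "Hostgroup2", "content": "app: order placed"},
    {"id": 3, "host_group": "Hostgroup3", "content": "db: checkpoint done"},
]

# Assumed mapping from policy attribute names to record fields (illustration only).
ATTRIBUTE_MAP = {"storage:dt.host_group.id": "host_group"}

# Matches: ALLOW <permission> [WHERE <attribute> = "<value>"];
STATEMENT_RE = re.compile(
    r'ALLOW\s+(\S+)(?:\s+WHERE\s+(\S+)\s*=\s*"([^"]*)")?\s*;'
)


def parse_policy(text):
    """Return a list of (permission, condition) tuples.

    condition is None for an unconditioned statement, otherwise (attribute, value).
    """
    statements = []
    for match in STATEMENT_RE.finditer(text):
        permission, attribute, value = match.groups()
        condition = (attribute, value) if attribute is not None else None
        statements.append((permission, condition))
    return statements


def statement_allows(statement, permission, record):
    """True if a single ALLOW statement grants `permission` on `record`."""
    stmt_permission, condition = statement
    if stmt_permission != permission:
        return False
    if condition is None:
        return True  # unconditioned grant: every record matches
    attribute, value = condition
    field = ATTRIBUTE_MAP.get(attribute)
    return field is not None and record.get(field) == value


def visible_logs(policies, records, permission="storage:logs:read"):
    """IDs of records the user can read given all policies bound to them.

    ALLOW statements are unioned: a record is visible if any statement in
    any bound policy allows it, so a broad grant swallows a narrow one.
    """
    statements = [s for policy in policies for s in parse_policy(policy)]
    return [
        r["id"]
        for r in records
        if any(statement_allows(s, permission, r) for s in statements)
    ]


def unconditioned_grants(policies, permission="storage:logs:read"):
    """Statements that grant `permission` without any WHERE clause.

    This is what to look for in the effective-policies output: any such
    statement bound to the user makes a host-group condition ineffective.
    """
    return [
        s for policy in policies
        for s in parse_policy(policy)
        if s[0] == permission and s[1] is None
    ]


if __name__ == "__main__":
    narrow = 'ALLOW storage:logs:read WHERE storage:dt.host_group.id = "Hostgroup2";'
    broad = "ALLOW storage:logs:read;"
    print("only narrow policy bound:", visible_logs([narrow], SAMPLE_LOGS))
    print("narrow + broad bound:    ", visible_logs([narrow, broad], SAMPLE_LOGS))
    print("broadening statements:   ", unconditioned_grants([narrow, broad]))
```

With only the conditioned policy bound, the user sees record 2 alone; as soon as an unconditioned `ALLOW storage:logs:read;` is also in effect, all three records become visible, and `unconditioned_grants` points at the statement responsible. The same reasoning applies to a legacy RBAC log permission, which simply acts as another unconditioned grant outside the policy text.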