10 Feb 2025 08:43 AM
Hello, Community!
Here it is, another chapter in our series of knowledge resources for the newly launched Dynatrace Apps and Frameworks. Today, we're thrilled to introduce our Identity and Access Management (IAM) FAQ!
If you missed our previous articles, make sure to catch up on Anomaly Detection, Automations, Business Analytics, Clouds, Databases, DEM, Discovery and Coverage, Distributed Tracing, Infrastructure and Operations, OpenPipeline, Problems, Services, and NAM FAQ articles.
Dynatrace's IAM framework enables administrators to manage user identities and access permissions to platform resources and data. It includes user onboarding, automatic provisioning, and self-service features, as well as tools for configuring and monitoring user authorization.
Together with Jon Ujkani @Jon2, Principal Product Manager, and Florian Aigner @florian_APIgner, Senior Product Manager, we've created a comprehensive knowledge base to help you get the most out of IAM.
If you want to stay updated on all our FAQ articles for new applications, follow the "faq" label. Now, to the links below!
Users & Groups:
What are the different ways to invite users into your Dynatrace?
Why do I need to assign users to groups?
Are there any pre-built groups?
Do I need to manually create my own groups?
Why would I use a service user?
Platform Access:
What is the easiest way to grant my users access to Dynatrace?
Is there an easy way to get up and running with IAM policies?
I'm using default policies, but I'd like to restrict permissions further. How do I do that?
Why would I consider using Policy Templating?
"View Logs" role seems to be bypassing conditional access for Grail storage. Is this true?
External Identity Provider / 3rd Party IdP Configuration:
What is SAML federation and how do I configure it?
How do I set up user and group provisioning using SCIM?
API Access:
So many tokens. Which one do I use for what?
How do I generate and use OAuth clients?
11 Feb 2025 01:16 PM
Hi @GosiaMurawska
Using Dynatrace's new ABAC-based access management is really very good in terms of scalability and fine-grained access control.
But there are still some issues that I face. For example, I was assigning a boundary for the Infrastructure & Operations App for accessing metrics, "ALLOW storage:metrics:read", but the boundary is not working; I mean the metrics are not shown.
But if I am not assigning any boundary, then I am able to see metrics.
Docs link: https://docs.dynatrace.com/docs/shortlink/iam-policystatements#storage-metrics-read
11 Feb 2025 01:33 PM
Hi @zaid-bashir
Would you kindly share the boundary statement you have?
11 Feb 2025 01:51 PM - edited 11 Feb 2025 01:51 PM
Hi @Jon2
The boundary statement that I used is: storage:host.name = "My-Selected-Host-Name"
11 Feb 2025 04:11 PM
Hi @zaid-bashir
I tried the following:
- 1 user assigned to one group
- Group bound to default policies: Standard User, Read Metrics and Read Entities
- User can run a timeseries DQL and get back all host entities (5 in my case)
- Then applied a boundary to the 'Read Metrics' permission. Boundary statement: 'storage:host.name = "pi5";'
- With the boundary applied, the same query only returns the host named 'pi5'
Is that what you are trying to achieve or did I miss the point?
12 Feb 2025 05:23 AM
Hi @Jon2
Thank you for the input, but can you check whether the metrics of the same host are visible in the Infrastructure & Operations App?
13 Feb 2025 02:49 PM
Hi @zaid-bashir
On my setup it works. Could you load some screenshots with your example use case?
Thank you in advance.
11 Feb 2025 04:25 PM
Can we enable Personal Access Tokens for specific groups only? Or specific users?