
Policy to only allow user to configure service settings

Chen
Visitor

I want to allow the users to modify settings (such as anomaly configuration) on a single service/entity level, without granting them the global settings on environment or cluster level for all services as global configuration.

I first tried the following:

ALLOW settings:objects:read, settings:objects:write
WHERE settings:scope startsWith 'SERVICE-';

The above policy statement does not seem to work, as they do not see the setting option on the service/entity.

Then I tried the following:

ALLOW settings:objects:read, settings:objects:write
WHERE settings:schemaId = "builtin:anomaly-detection.services";

The above policy statement does work on the service/entity level, but at the same time they also see the global environment settings option, which I do not want.

How can I have a policy statement that allows the user to only modify the settings on service and entity level, but not globally? Thanks in advance!

2 REPLIES

RohitBisht
Dynatrace Helper

Hi, for this you may have to append a management zone to this. Please try:

https://docs.dynatrace.com/docs/shortlink/iam-policystatements#settings-objects-write
https://docs.dynatrace.com/docs/shortlink/iam-policy-boundaries#expressing-management-zones-inside-o...

  • environment:management-zone - The name of a management zone. This condition is applicable to either: any settings object that is allowed on the scope of an entity that can be matched into a management zone or settings objects of the schemas builtin:alerting.maintenance-window, builtin:alerting.profile, builtin:anomaly-detection.metric-events, builtin:monitoring.slo and builtin:problem.notifications.
    operators: IN, =, startsWith
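
The statement the reply points toward, written out as an added example that is not part of the original thread or of Dynatrace's documentation: it keeps the schema condition from the question and bounds it with the environment:management-zone condition quoted above. The management zone name is a placeholder, and joining the two conditions with AND is an assumption about what was applied.

```text
ALLOW settings:objects:read, settings:objects:write
WHERE settings:schemaId = "builtin:anomaly-detection.services"
  AND environment:management-zone = "<your-management-zone>";
```

Per the condition's description quoted above, it applies to settings objects scoped to entities that can be matched into a management zone, so define the zone to contain only the services this group should tune.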

Chen
Visitor

Lovely, it worked perfectly after implementing the management-zone. Thanks a lot!
