
Restrict settings API tokens based on policies

There is the option to use security policies to give users direct view or edit access on some specific schemas.

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read
WHERE settings:schemaId = "builtin:alerting.maintenance-window";


But how can I create an API token with only that permission? The API token scopes are not fine-grained, I presume.


Dynatrace Mentor

At the moment, tokens use their own scopes so you can't use policies on them, that's correct. I could see the benefit of being able to provide policies for API tokens as well.

The only workaround today is personal access tokens which inherit the permissions of the user that created the token, so this means also the policies attached to the customer.

Using personal access tokens is difficult because it would require some kind of technical user, which we don't have. It's not the biggest deal, of course, since we treat tokens as secrets. But if one would leak, it would give access to all settings while it could be restricted.


We have the same need here. We would like tokens (not personal ones) with more granular security, to be able to give teams the right to manage only what they are supposed to.
It is a big show stopper for DevOps practices.
