
Security on Metrics - SaaS - Possible?

stevene1900
Frequent Guest

Hello, we have a Logs OpenPipeline where we extract metrics.

In this pipeline we also set a security context and send the logs to a dedicated Logs Storage Bucket.

We have been asked to limit access to these logs, which we have done in IAM. This seems to be working ok.

I am unsure if we can limit access to the metrics that are extracted from the logs, though. We only have the default metrics storage bucket and cannot create a new metrics bucket (option not there) and I can't see any information as to security context when querying the metrics.

If these metrics are not restricted via the related Logs OpenPipeline, how might we restrict access to the metrics?

We are on SaaS and using DQL/Grail to present this data.

Thanks,

Steve

3 REPLIES

DanielS
DynaMight Guru

Hello @stevene1900 . Yes. You can do it using a policy and a boundary.

You can create a policy with the following format:

ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW storage:metrics:read;

Then, for that policy, you can work with a boundary like the following:

storage:metric.key startsWith "log.Accounting";

My suggestion here is that you teach the teams to use a standard name like the one in my example. For example, for accounting, all the log metrics should start the same and then they can put whatever they want. This helps you to maintain the policies and boundaries with less admin effort.

Dynatrace Certified Professional @ www.dosbyte.com
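
An added example, not part of the original thread and not Dynatrace code: a small audit of the naming convention suggested above, showing which metric keys no `startsWith` boundary covers and which fall under more than one team's prefix. The team names, prefixes and metric keys are constructed, and plain case-sensitive prefix matching is an assumption about how `startsWith` is evaluated.

```python
# Added example. All teams, prefixes and metric keys below are constructed.
# Assumption: a boundary's `startsWith` is a plain, case-sensitive prefix match.

# Hypothetical team -> boundary prefix, modelled on
#   storage:metric.key startsWith "log.Accounting";
BOUNDARY_PREFIXES = {
    "accounting": "log.Accounting",                 # no trailing dot
    "accounting-archive": "log.AccountingArchive",
    "payments": "log.Payments.",                    # trailing dot ends the name segment
}

# Constructed metric keys, as a Logs OpenPipeline might extract them.
METRIC_KEYS = [
    "log.Accounting.invoice_errors",
    "log.AccountingArchive.restore_count",
    "log.Payments.declined",
    "log.payments.timeouts",   # wrong case: matches no boundary
    "log.checkout.latency",    # no team prefix at all
]


def teams_for(key, prefixes=BOUNDARY_PREFIXES):
    """Teams whose boundary prefix matches this metric key."""
    return sorted(t for t, p in prefixes.items() if key.startswith(p))


def audit(keys, prefixes=BOUNDARY_PREFIXES):
    """Report keys no boundary covers and keys readable by several teams."""
    report = {"uncovered": [], "shared": {}}
    for key in keys:
        teams = teams_for(key, prefixes)
        if not teams:
            report["uncovered"].append(key)
        elif len(teams) > 1:
            report["shared"][key] = teams
    return report


def overlapping_prefixes(prefixes=BOUNDARY_PREFIXES):
    """(broad, narrow) team pairs where the broad prefix also matches the narrow one."""
    return sorted(
        (a, b)
        for a, pa in prefixes.items()
        for b, pb in prefixes.items()
        if a != b and pb.startswith(pa)
    )


if __name__ == "__main__":
    print(audit(METRIC_KEYS))
    print(overlapping_prefixes())
```

Ending each prefix at a segment separator, as the constructed `log.Payments.` entry does, keeps one team's boundary from also matching a second team whose name merely begins with the same letters.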

Hi DanielS, thanks.

I will have to understand boundaries better, but the answer is definitely in the information you provided.

One thing I wonder is if this applies to accessing the metrics via Data Explorer? 

Yes, this also applies. Here you can see a metric I don't have permissions for, which contains data because the last field entered is in the same time interval as the query, but the query doesn't return anything.

[Screenshot: DanielS_0-1743898562341.png]

Dynatrace Certified Professional @ www.dosbyte.com
