30 Mar 2023 02:55 PM - last edited on 05 May 2023 02:35 PM by AgataWlodarczyk
Can we talk about the elephant in the room.... with the latest cluster update to 1.263.115.20230329-073241 users will find that they can no longer close out problems unless they have full 'Change Monitoring Settings' on the given environment.
Users will get the illusion that they indeed can close out a problem but will be confronted with an error once they close it.
you can read the relapse notes here: https://www.dynatrace.com/support/help/shortlink/release-notes-saas-sprint-263#restriction-of-writin...
I am in the process of seeing if there is a policy schema(s) that will allow us to grant 'change monitoring settings' but remove what the user can edit/have access to.
I understand the need to prevent or hold users accountable for closing out problems, but why cant we have a blocker set in the settings, much like we limit the images and presets of dashboards for our basic users? And from an auditing standpoint, if you do close out a problem manually it is recorded, maybe remove the delete capability.
Solved! Go to Solution.
30 Mar 2023 07:16 PM
Agree @ChadTurner , I have lots of user claiming for this!!! A great headache for me!!!!
30 Mar 2023 07:39 PM
so there are a few potential solutions:
Solution 1 – Posting Closure API via Web UI
Pros:
Users would be able to access a UI Web front that will allow them to post the closure comments along with the problem ID and trigger the closure of the ticket.
No additional access is granted to the user.
No change in account permissions needed.
Cons:
UI Web front would need to be built.
Tokens would need to be formulated.
Solution 2 – Granting Environment Wide Change Monitoring Settings Access
Pros:
Quick/Easy change.
Tickets closed form Dynatrace UI.
Cons:
Users will get Admin level permissions.
Ability to trigger upgrades, change monitoring settings, levels etc.. which will directly impact licensing.
Solution 3 - Granting Management Zone Change Monitoring Settings Access
Pros:
Allows us to provide the ability to close tickets via the UI.
Reduces the amount of admin permissions seen.
Can strip out permissions via Policy Schemas to lock down “Admin Level’ functionality.
Cons:
A New MZ is needed for teams.
Policy Schemas will need to be built and tested.
Run the Risk of Dynatrace Upgrades granting more access, leaving Administrators unaware of this new access.
Users might still have the ability to edit monitored entity settings such as trigger upgrades, change anomaly detection settings etc…
30 Mar 2023 07:49 PM
Hi @ChadTurner I'm trying number 3 because I read the manage-settings environment role and discard it. I didn't see any valid scheme for escalating permissions.
30 Mar 2023 07:58 PM
Honestly, it should be an option in the setting for each individual tenant, just liek we have options for Dashboards:
30 Mar 2023 07:59 PM
yes sir!
30 Mar 2023 10:06 PM
I can confirm that with manage-settings for a MZ this works.
30 Mar 2023 07:49 PM
Where did this come from? Did they ask the community if this should be implemented? I am guessing this was a RFE
Solution 4:
Dynatrace roll this change back and allow users to close problem cards.
30 Mar 2023 07:52 PM
I have an entire call center claiming for this, a schema would be great as Solution 5.
30 Mar 2023 08:00 PM
I'm working on a set of Policy Schemas to grant the access but deny everything else. If someone beats me to it please share 😛
30 Mar 2023 08:14 PM - edited 30 Mar 2023 08:14 PM
The following Schema Set will remove the Settings option from the Menu for the environment:
DENY settings:objects:read, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.maintenance-window";
DENY settings:objects:read, settings:schemas:read WHERE settings:schemaId = "builtin:monitoring.slo";
DENY settings:objects:read, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.metric-events";
DENY settings:objects:read, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.profile";
DENY settings:objects:read, settings:schemas:read WHERE settings:schemaId = "builtin:problem.notifications";
RESULTS:
Working on the monitored entity settings now
30 Mar 2023 08:21 PM - edited 30 Mar 2023 10:04 PM
I created an admin NOT admin policy for people who need to close problems but need to restrict their role to the highest level. You must create two policies because only 100 lines per policy are allowed.
Admin NO Admin 1
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:metric.metadata";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.assigned-applications";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.custom-errors";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:activegate-token";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.rum-javascript-updates";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:service-detection.full-web-request";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:user-action-custom-metrics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-group.simple-detection-rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.rum-mobile";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.connectivity-alerts";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.rum-custom-crash-rate-increase";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.php";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.kubernetes.workload";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:service-detection.external-web-service";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:user-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:failure-detection.environment.parameters";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.host-headers";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.request-errors";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:bizevents-processing-buckets.rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.enablement";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.custom.name";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.name";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:resource-attribute";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.databases";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.kubernetes.pvc";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:tags.auto-tagging";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:deployment.activegate.updates";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.outage-handling";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:container.built-in-monitoring-rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.request-errors";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:bizevents-processing-pipelines.rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.metric-events";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:tokens.token-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.log-events";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.log-custom-attributes";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:span-entry-points";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitoredentities.generic.relation";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.kubernetes.node";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:metric.query";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.key-performance-metrics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.processgroup";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:networkzones";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:deployment.oneagent.updates";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:mainframe.txstartfilters";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dashboards.presets";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:span-attribute";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:appsec.notification-alerting-profile-with-trigger-event";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:service-detection.full-web-service";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.user-experience-score";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:management-zones";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dashboards.image.allowlist";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.nginx";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:custom-metrics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:bizevents-processing-metrics.rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:apis.detection-rules";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:exclude.network.traffic";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.maintenance-window";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:os-services-monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.ip-mappings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:container.technology";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:eec.local";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:deployment.management.update-windows";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dashboards.general";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:eula-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.name";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:problem.notifications";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-visibility";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.services";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.iis";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.kubernetes.namespace";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.nodejs";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.log-buckets-rules";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.name";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.beacon-endpoint";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.open-tracing-native";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:oneagent.features";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.ipaddress-exclusion";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.name";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.resource-cleanup-rules";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:deployment.oneagent.default-version";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.privacy";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-group.detection-flags";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:ibmmq.queue-sharing-group";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:host.monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:host.process-groups.monitoring-state";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:span-capturing";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitoredentities.generic.type";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.synthetic-availability-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process.process-monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-group.advanced-detection-rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.provider-breakdown";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.schemaless-log-metric";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.java";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.xhr-exclusion";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.enablement";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:processavailability";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-group.monitoring.state";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process.built-in-process-monitoring-rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.dotnet";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.frequent-issues";
Admin NO Admin 2
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.scheduling";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.log-dpp-rules";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:settings.subscriptions.service";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:sessionreplay.web.resource-capturing";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.custom-rum-javascript-version";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.infrastructure-disks";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.kubernetes.cluster";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.performance-thresholds";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:span-event-attribute";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:ibmmq.queue-managers";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.kpms";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:failure-detection.service.http-parameters";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:failure-detection.environment.rules";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:ibmmq.ims-bridges";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:failure-detection.service.general-parameters";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:usability-analytics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.scheduling";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.overload-prevention";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:mainframe.txmonitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:disk.analytics.extension";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.go";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:service-detection.external-web-request";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:mainframe.mqfilters";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.rum-custom";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.varnish";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:nettracer.traffic";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.rum-mobile-crash-rate-increase";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:cloud.cloudfoundry";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.infrastructure-disks.per-disk-override";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitoring.slo";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:issue-tracking.integration";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:geo-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.timestamp-configuration";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.custom.enablement";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.infrastructure-hosts";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.beacon-domain-origins";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:custom-unit";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:preferences.privacy";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:host.monitoring.aix-kernel-extension";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.infrastructure-vmware";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.resource-timing-origins";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:declarativegrouping";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:span-context-propagation";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:bizevents.http.incoming";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.ip-determination";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:audit-log";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-group.cloud-application-workload-detection";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.wsmb";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:eec.remote";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.assigned-applications";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:sessionreplay.web.privacy-preferences";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.disk-rules";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:availability.process-group-alerting";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.log-agent-configuration";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:opentelemetry-metrics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.cookies";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:ownership.teams";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.rum-web";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:elasticsearch.user-session-export-settings-v2";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:user-appfw-preferences";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:accounting.ddu.limit";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.resource-types";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.apache";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:cloud.kubernetes";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitoring.slo.normalization";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.browser-exclusion";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.profile";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:anomaly-detection.infrastructure-aws";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process.custom-process-monitoring-rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.outage-handling";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:remote.environment";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:container.monitoring-rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:logmonitoring.logs-on-grail-activate";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.performance-thresholds";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:disk.options";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:settings.mutedrequests";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.web.app-detection";
31 Mar 2023 12:50 PM
I did the same but as you mentioned we are limited to 100 rules. So i went to the group level for schemas that are included in a group. i got a total of 59 Rules to lock it down.
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.connectivity-alerts";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:availability.process-group-alerting";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:cloud.kubernetes";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:eec.remote";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:event-trigger.rule";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:geo-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:host.monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:host.monitoring.aix-kernel-extension";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:host.process-groups.monitoring-state";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.apache";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.dotnet";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.go";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.iis";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.java";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.nginx";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.nodejs";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.open-tracing-native";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.php";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.varnish";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:monitored-technologies.wsmb";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:process-group.monitoring.state";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:rum.mobile.request-errors";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:settings.mutedrequests";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:settings.subscriptions.service";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.performance-thresholds";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.browser.scheduling";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.performance-thresholds";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:synthetic.http.scheduling";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:user-appfw-preferences";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:user-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:accounting";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:preferences";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:maintenance";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:alerting";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:anomaly-detection";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:service-monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:business-analytics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:cloud-and-virtualization";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:processes-and-containers";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:web-and-mobile-monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:metrics";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:dashboards";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:updates";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:integration";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:failure-detection";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:mainframe";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:cloud-automation";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:log-monitoring";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:topology-model";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:ownership";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:rum-general";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:capturing";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:rum-errors";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:rum-settings";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:service-detection";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:synthetic.browser";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:synthetic.http";
DENY settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroup = "group:tags";
Just Note the User is still able to do these admin function and maybe more:
- Rename Hosts
- Edit Monitored Technologies
- See deployment status page (OneAgents, Active Gates, Network Zones)
- See Credential Vault
- See Dynatrace Hub
31 Mar 2023 07:33 AM - edited 31 Mar 2023 07:47 AM
Sorry for that inconvenience, but we had to change the policy here as all large enterprice customers were telling us that closing problems with environment viewer permissions is a no-go for them and that they see it as a critical blocker.
The change in policy was announced in release notes as it was mentioned by Chad.
I agree that showing the button to users with viewer rights does not make sense at all, I have to admit that slipped through without me noticing it. We will fix that as soon as possible.
And you also asked about related community requests:
Best greetings,
Wolfgang
31 Mar 2023 01:04 PM
@wolfgang_beer thanks for addressing this. While I agree with the removal of problem closure for the basic read user, as the comments mentioned on those RFE's, having the option to turn on/off the closure restriction is needed. Not to just remove it and give it to admins only.
I cant stress enough how Dynatrace Updates should not remove functionality, in this case, users have always had the option to close a problem. The true solution to this would have been to add in a flag/method to allow/deny users/user types the ability to close problems. Very similar to dashboard anonymous access. I'm sure customers have asked to lock that feature down, which Dynatrace did in a future release but that solution was provided as an enhancement rather then removing the ability to share dashboards anonymously.
These changes impact all the customers. I just wish Dynatrace would ask the customers and maybe pilot features with us. I could think of a bunch of ways this could have been handled better, like even adding the functionality at the permissions page:
31 Mar 2023 02:21 PM
Well that would be an option yes, but it also cloags a software solution over time with large amounts of tiny settings that nobody uses anyway after a change was made. So change in a product is really really hard I agree and we try to do it as sensible as possible. But sometimes change is necessary to remove critical issues or to adress bugs.
But I will try to do better next time we introduce something breaking.
31 Mar 2023 02:53 PM - edited 31 Mar 2023 02:54 PM
Thanks@wolfgang_beer I understand the point and the criteria used, but as many other options in the product if you could add a schema to allow the close of problems would allow us to Allow or Deny that actions with more flexibility and avoid to add tiny settings as you mention. I think granular permissions that Dynatrace introduced to allow us to configure the product are great. I have several groups were viewer only have other roles as maintain synthetics, or tags, or the ability to set a Maintenance Window. In the current state I need to elevate a lot of users to the admin non admin state, in my case this poses a risk much higher than a problem closure.
Personal opinion, for me things like "We had situations that problem was closed by customer and application administrators missed important application failure because they didn't see the problem" are more process problems than tools problems but stand aside, please let me know if you need an RFE to add a schema for that action.
Thanks a lot for your answer.
31 Mar 2023 05:55 PM
Question, how do you define large enterprise customers? We are a large enterprise customer and don't recall requesting this.
Please let us know.
03 Apr 2023 06:50 AM
Dear @Kenny_Gillette ,
I understand that you represent a large enterprise customer that did not request this permission change and that did not experienced as a critical blocker.
We will mitigate this change as good as possible by fixing and backporting the UI issue and maybe we can also come up with further possibilities.
Best greetings,
Wolfgang
06 Apr 2023 06:48 AM
@ChadTurner UPDATE: After consulting with Development we agreed to roll back the permission change and introduce a config option one or two releases later. We will try to backport the rollback.
Best greetings,
Wolfgang
06 Apr 2023 09:35 PM
Thank you @wolfgang_beer. When will customers be notified about the backport rollback being successful or not?
07 Apr 2023 07:17 AM
We backported the rollback to version 264, so all DT Managed customers will not have the issue in the first place and all SaaS customers will be back at the old logic within the next 2 weeks.