Solved: Re: restrict access to process group using IAM

oscarata · ‎15 Jun 2022

is possible to restrict access to show just host data throw IAM? i am looking into iam and i cant assign a policy to just process group, it must be done to full management zone, can it be done more restricted? without using management zones? wanted to apply different permissions to different users in same management zone, else we would need to make at least 6 management zones per app, as each app is deployed in three different sites, and each one could have bind values on and off ...

how would you do this?

techean · ‎21 Jun 2022

did you tired using user groups using the cluster management console?

KG

Julius_Loman · ‎22 Jun 2022

I don't think this is doable without using management zones. As the docs explicitly tell you, IAM is used to manage user access to Dynatrace features. It cannot be used to set the "scope". So basically you define new roles in Dynatrace which have a certain set of permissions. The scope of these permissions is defined by a management zone or environment level.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

oscarata · ‎22 Jun 2022

according to doc

IAM policies

User permissions can be also managed with IAM policies, which allow more fine-grained access control. With policies, you can craft your own access permissions and assign them to user groups on either the cluster or environment level just like with the permission mechanism.

i was expecting to be more grained with permissions settings each user its own permission.

how would you manage then multiple instances domains with each instance having its own permissions (at least normal and bind values) having each instance difference from the others. Will we need to create at least 2 Management zone for each instance?????

Julius_Loman · ‎22 Jun 2022

No, you don't need to create separate zones. On the MZ level you define the scope of your environment (entities), not the permissions.

With RBAC you you have a fixed set permissions such as "Change monitoring settings" which you apply environment wide or for a MZ.

IAM allows you to make these more granular - for example you can define a policy allowing users to define and modify key requests. Still a scope needs to be assigned and the scope is either MZ or environment. IAM is still Early Adopter and not every kind of permission can be applied.

Basically in your case you have two groups. In one group you assign the "View sensitive data" for the management zone in question, for other group you have only "Access environment" permission. IAM is not involved.

The Users in first group will be allowed to see bind variables, users in the second not. You cannot set permissions on a user-level, only on group level and then assign users to groups. IAM policies are not involved here.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

oscarata · ‎22 Jun 2022

so, there is no other form to asign diferent permissions to view data within a service than a mz. so if i see a mz i see all services that apply to that mz. and i cant separate servers within a mz

Julius_Loman · ‎22 Jun 2022

No, it's not, unfortunately. If you need to have different permissions for services within a management zone, then this is not something IAM will help to solve for you.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

oscarata · ‎23 Jun 2022

what will solve my requirements? any option?

Julius_Loman · ‎23 Jun 2022

It depends on how your MZ are structured along with your requirements. IAM is about more granular permissions what a user can do and MZ is about where.

So if you need a specific scope of permissions for just few process groups - you need to create a MZ including just those process groups.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner