21 Dec 2022 01:52 PM - last edited on 22 Dec 2022 11:12 AM by MaciejNeumann
Hello,
we would like to give permission for making and editing synthetic monitors to a specific user group for the whole environment.
As far as I'm concerned there is no way to give permission for creating/editing synthetic monitorings without checking "change monitoring settings" for the whole environment or management-zone.
Am I overlooking something? If not will there be a way (i.e. through a schemaId) to give editing permissions for synthetics in the future?
Best regards,
Ilya
Solved! Go to Solution.
21 Dec 2022 02:07 PM
Hello @Ilya7 ,
IAM policies is what you need ! You can configure custom IAM through the Dynatrace web UI or REST API :
https://www.dynatrace.com/support/help/shortlink/iam#how-to-configure-iam
Some examples of IAM policies here :
https://www.dynatrace.com/support/help/shortlink/iam-policystatement-syntax
And the list of REST API calls is available here :
https://api.dynatrace.com/spec/#/Policy%20management
Regards Aurélien.
21 Dec 2022 02:28 PM
Hello @AurelienGravier,
thanks for your response.
I was looking into IAM policies but couldn't find a fitting policy. At first I thought I can go with https://www.dynatrace.com/support/help/shortlink/iam-policystatements#settings-objects-write but the synthetic tab doesn't seem to have a schemaId.
This one might be fitting, I'm not sure though: https://www.dynatrace.com/support/help/shortlink/iam-policystatements#environment-roles-configure-re....
Please let me know if you know the right way of doing this.
Best regards,
Ilya
21 Dec 2022 03:15 PM - edited 21 Dec 2022 03:19 PM
First of all, I have extracted the list of available schemas through the Environment API V2 :
And I select on the response a schemaID related to the synthetic feature:
{
"schemaId": "builtin:synthetic.browser.name",
"displayName": "Monitor name",
"latestSchemaVersion": "1.0.1"
},
Afterwards, I use this schemaId as parameter in the following endpoint : /settings/schemas/{schemaId}
{
"dynatrace": "1",
"schemaId": "builtin:synthetic.browser.name",
"displayName": "Monitor name",
"description": "Define the display name of your browser monitor",
"documentation": "",
"schemaGroups": [
"group:synthetic.browser"
],
And a schemaGroups exists "group:synthetic.browser" on the response.
So I suppose that you can use it in your custom IAM :
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroups = "group:synthetic.browser"
Let me know if it works.
26 Dec 2022 10:30 AM - edited 28 Dec 2022 08:38 AM
Hello @Ilya7
The synthetic monitors configuration is only partially migrated to settings 2.0, so the permissions regarding creation of the monitors (browser and HTTP) are still not available. I have created the following RFE : https://community.dynatrace.com/t5/Dynatrace-product-ideas/IAM-policy-gt-the-settings-schemaId-relat... I suggest you voting on it to help.
Instead, I have found the way to give permissions on existing synthetic monitors and on settings related to synthetic monitoring :
1st, create your custom policy with the statements below :
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name","builtin:synthetic.browser.scheduling","builtin:synthetic.http.name","builtin:synthetic.synthetic-availability-settings","builtin:synthetic.synthetic-availability-settings","builtin:synthetic.browser.outage-handling","builtin:synthetic.http.scheduling","builtin:synthetic.browser.assigned-applications","builtin:synthetic.http.performance-thresholds","builtin:synthetic.browser.kpms","builtin:synthetic.http.assigned-applications","builtin:synthetic.http.outage-handling","builtin:synthetic.http.cookies","builtin:synthetic.browser.performance-thresholds");
2nd, create a new group and bind it the previous policy :
3rd add a use as member of this group.
The user will have the rights to edit each monitors and a limited acces on settings menu :
Regards Aurélien.
28 Dec 2022 09:51 AM
Hello Aurélien,
thanks for your effort!
It's really unfortunate that we can't set permissions to create synthetics. With the current options we can't even allow to edit the recorded clickpath for existing browser monitors.
Thanks for creating the RFE. It's a really important feature in my opinion.
Best regards,
Ilya