Permissions for creating and editing synthetic monitoring

Ilya7
Frequent Guest

Hello,

we would like to give permission for making and editing synthetic monitors to a specific user group for the whole environment.

As far as I'm concerned there is no way to give permission for creating/editing synthetic monitors without checking "change monitoring settings" for the whole environment or management-zone.

Am I overlooking something? If not, will there be a way (i.e. through a schemaId) to give editing permissions for synthetics in the future?

Best regards,
Ilya

5 REPLIES

AurelienGravier
Advisor

Hello @Ilya7 ,

IAM policies are what you need! You can configure custom IAM through the Dynatrace web UI or REST API:

https://www.dynatrace.com/support/help/shortlink/iam#how-to-configure-iam

Some examples of IAM policies are here:

https://www.dynatrace.com/support/help/shortlink/iam-policystatement-syntax

And the list of REST API calls is available here:

https://api.dynatrace.com/spec/#/Policy%20management

Regards, Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified

Hello @AurelienGravier,

thanks for your response.

I was looking into IAM policies but couldn't find a fitting policy. At first I thought I can go with https://www.dynatrace.com/support/help/shortlink/iam-policystatements#settings-objects-write but the synthetic tab doesn't seem to have a schemaId.

This one might be fitting, I'm not sure though: https://www.dynatrace.com/support/help/shortlink/iam-policystatements#environment-roles-configure-re....

Please let me know if you know the right way of doing this.

Best regards,
Ilya

AurelienGravier
Advisor

First of all, I have extracted the list of available schemas through the Environment API V2:

https://{environmentid}.live.dynatrace.com/rest-api-doc/index.jsp#/Settings%20-%20Schemas/getAvailab...

And I selected from the response a schemaId related to the synthetic feature:

{
  "schemaId": "builtin:synthetic.browser.name",
  "displayName": "Monitor name",
  "latestSchemaVersion": "1.0.1"
},

Afterwards, I use this schemaId as a parameter in the following endpoint: /settings/schemas/{schemaId}

https://{environmentid}.live.dynatrace.com/rest-api-doc/index.jsp#/Settings%20-%20Schemas/getSchemaD...

{
  "dynatrace": "1",
  "schemaId": "builtin:synthetic.browser.name",
  "displayName": "Monitor name",
  "description": "Define the display name of your browser monitor",
  "documentation": "",
  "schemaGroups": [
    "group:synthetic.browser"
  ],

And a schemaGroups entry, "group:synthetic.browser", exists in the response.

So I suppose that you can use it in your custom IAM:

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaGroups = "group:synthetic.browser"

Let me know if it works.

Observability consultant - Dynatrace Associate/Pro/Services certified

AurelienGravier
Advisor

Hello @Ilya7

The synthetic monitors configuration is only partially migrated to settings 2.0, so the permissions regarding creation of the monitors (browser and HTTP) are still not available. I have created the following RFE: https://community.dynatrace.com/t5/Dynatrace-product-ideas/IAM-policy-gt-the-settings-schemaId-relat... I suggest you vote on it to help.

Instead, I have found a way to give permissions on existing synthetic monitors and on settings related to synthetic monitoring:

1st, create your custom policy with the statements below:

ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:synthetic.browser.name","builtin:synthetic.browser.scheduling","builtin:synthetic.http.name","builtin:synthetic.synthetic-availability-settings","builtin:synthetic.synthetic-availability-settings","builtin:synthetic.browser.outage-handling","builtin:synthetic.http.scheduling","builtin:synthetic.browser.assigned-applications","builtin:synthetic.http.performance-thresholds","builtin:synthetic.browser.kpms","builtin:synthetic.http.assigned-applications","builtin:synthetic.http.outage-handling","builtin:synthetic.http.cookies","builtin:synthetic.browser.performance-thresholds");

2nd, create a new group and bind the previous policy to it.

3rd, add a user as a member of this group.

The user will have the rights to edit each monitor and limited access to the settings menu.

Regards, Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified
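
An added example, not code from any participant in this thread or from Dynatrace: a small Python helper that derives the schemaId-scoped statement above from a schema list and audits a hand-written statement for repeated or unknown schemaIds (the statement posted above lists "builtin:synthetic.synthetic-availability-settings" twice). The function names and the sample schema list are constructed for illustration; the list items follow the shape of the API excerpt quoted earlier in the thread.

```python
import re

# Constructed sample shaped like the schema-list items quoted in the thread.
# The last entry is a made-up placeholder for any non-synthetic schema.
SAMPLE_SCHEMAS = [
    {"schemaId": "builtin:synthetic.browser.name", "displayName": "Monitor name"},
    {"schemaId": "builtin:synthetic.http.name"},
    {"schemaId": "builtin:synthetic.browser.scheduling"},
    {"schemaId": "builtin:example.unrelated"},
]

PERMISSIONS = "settings:objects:read, settings:objects:write, settings:schemas:read"


def synthetic_schema_ids(schemas, prefix="builtin:synthetic."):
    """Return the sorted, de-duplicated schemaIds that start with `prefix`."""
    return sorted({s["schemaId"] for s in schemas
                   if s.get("schemaId", "").startswith(prefix)})


def build_statement(schema_ids):
    """Render one ALLOW statement scoped to exactly the given schemaIds."""
    if not schema_ids:
        # An empty IN list would be a broken or meaningless grant; fail loudly.
        raise ValueError("refusing to emit a statement with no schemaIds")
    quoted = ",".join(f'"{sid}"' for sid in schema_ids)
    return f"ALLOW {PERMISSIONS} WHERE settings:schemaId IN ({quoted});"


def audit_statement(statement, available_ids):
    """Report schemaIds listed more than once or absent from the environment."""
    match = re.search(r"settings:schemaId\s+IN\s*\(([^)]*)\)", statement)
    if not match:
        raise ValueError("no 'settings:schemaId IN (...)' condition found")
    ids = re.findall(r'"([^"]+)"', match.group(1))
    duplicates = sorted({i for i in ids if ids.count(i) > 1})
    unknown = sorted(set(ids) - set(available_ids))
    return {"duplicates": duplicates, "unknown": unknown}


if __name__ == "__main__":
    ids = synthetic_schema_ids(SAMPLE_SCHEMAS)
    print(build_statement(ids))
    print(audit_statement(build_statement(ids), ids))
```

Regenerating the statement from the environment's own schema list keeps the grant limited to schemas that actually exist there, and the audit flags entries that have drifted.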

Hello Aurélien,

thanks for your effort!

It's really unfortunate that we can't set permissions to create synthetics. With the current options we can't even allow editing the recorded clickpath for existing browser monitors.

Thanks for creating the RFE. It's a really important feature in my opinion.

Best regards,
Ilya