
IAM Policy to allow non-DynatraceAdmins to maintain their own custom service detection rules

tibebe_m_digafe
Advisor

Hello,

In our environment (single environment, multi-tenant), user access is "governed" by Management Zone/rules. 

One of the challenges in administering Dynatrace in the single environment/multi-tenant setup is the inability to enable developers/application teams to maintain their own monitoring settings in a secure/safe manner.

A few changes/features have been added since we started our journey with Dynatrace almost 3 years ago. 

Does anyone know any trick/insight to allow read/write of custom service detection rules by Management Zone (MZ)? The specific object is not configurable by MZ. I'm asking if anything could be done. Trying to do the same via API runs into the same issue, since token access can't be scoped to MZ (the RFE has been out there for 2+ years).

Thanks.

3 REPLIES

ChadTurner
DynaMight Legend

Have you tried to leverage the Policy Schemas for this? You can grant granular access even at the Management Zone level to allow or deny permissions to read or write certain constructs. 

-Chad

Julius_Loman
DynaMight Legend

@ChadTurner this is not possible. Schemas such as builtin:service-detection.full-web-request have only environment scope and are global.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

@Julius_Loman it is, but it isn't. Access can be granted by the user being a user with access to your given MZ, which has a Schema applied that allows the ability to create service detection at the global level.

-Chad
