cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Properly provide access to New UI based on Management Zones permissions

dannemca
DynaMight Guru
DynaMight Guru

The new UI is there and we can use polices to provide users access to, based on this blog post.

But, my current env access is totally based on Management Zones. We have many teams which can access specific Management Zones, with no special permissions, other than access env and change monitoring permissions. We are not using polices yet, since not required. Until now.

The appengine and grail access is not scoped at Management Zone levels, but entire environment, so I am struggling to proper set the polices rules for it.

Has anyone face the same challenge?

Any tip for the friend here?

Thanks.

Site Reliability Engineer @ Kyndryl
9 REPLIES 9

DanielS
DynaMight Guru
DynaMight Guru

Facing exactly same challenge as you @dannemca currently under investigation by my side.

The true delight is in the finding out rather than in the knowing.

DanielS
DynaMight Guru
DynaMight Guru

I also let you know that I have a case with a detected bug if you have a policy with more than 100 lines you cannot edit it, they will notify me of a possible ETA for the solution. I found this when I was doing tests related to this topic.

The true delight is in the finding out rather than in the knowing.

Kenny_Gillette
DynaMight Leader
DynaMight Leader

Well, I heard on a call last week that Management Zones are going away in roughly 18-24 months.  I am trying to get more info on this from my account team and from the Western group that I was in and it was brought up on a call with IAM Policies.  Will let you know when I hear more and find out more details.  Very early stages from what I hear.

Dynatrace Certified Professional

Hi @Kenny_Gillette 
have you managed to get more information on the possible removal of management zones? this is also a key point for us, and we've heard absolutely nothing about it.

no information yet.  Just reached out to my contacts at Dynatrace and they are researching.

Dynatrace Certified Professional

soukainaB
Dynatrace Advocate
Dynatrace Advocate

Hi @dannemca , Have you by any chance found an answer to your question , I am running into the same issue here..

PacoPorro
Dynatrace Champion
Dynatrace Champion

dannemca
DynaMight Guru
DynaMight Guru

I believe the access issue can be managed using custom buckets and polices, as per this blog: https://www.dynatrace.com/news/blog/enhance-data-management-with-grail-ultimate-guide-to-custom-buck... and this video: https://info.dynatrace.com/global-rm-enhanced-access-controls-with-record-level-permissions-23267-fu...

It does mention logs, but I believe it can be also applied to metrics buckets too.

I will do some tests and see if that works.

Site Reliability Engineer @ Kyndryl

Yep, just tested and worked as expected.

I have still used the Management Zones to limit the entity access in general UI views (host classic page, dashboard classic, data explorer, etc.) And for Grail access with DQL, I had to use the polices limiting the access by hostgroup (but I do assume it can be any metadata)

Example:

 

 

ALLOW storage:buckets:read;
ALLOW storage:entities:read;
ALLOW storage:system:read;
ALLOW storage:metrics:read
WHERE storage:dt.host_group.id STARTSWITH "my_host_group";

 

 

It is not easy, but doable.

Site Reliability Engineer @ Kyndryl

Featured Posts