How do I set up user groups and permissions?

The Dynatrace permission management system makes it easy to manage permissions for groups. The permissions system isn’t based on hierarchical roles, but rather on groups, reflecting Unix- and Windows-based permissions. It enables you to create groups that have pre-defined (fully customizable) permissions sets&users added to a group inherit the permissions of that group.

Permissions are granted based on group assignment. Permissions are granted to groups and users are assigned to groups, as illustrated below:

Dynatrace provides separate permissions for account and environment users:

Environment users

These are users who work with Dynatrace to monitor the health of the hosts, services, and infrastructure in their application environments.

Account users

These are users who are involved in managing account details such as company addresses, billing, payment information, and user management.

To get you started, Dynatrace provides a default set of editable groups. You can edit and adapt these default groups to fit your needs or you can create new groups.

Default groups for account users

Dynatrace offers three user groups with account permissions:

  • Account manager has full account access. Can view and edit company data, enter credit card data, review invoices, create and edit groups, and add users to groups. Also has access to environment consumption data, Help, and Support.
  • Finance admin can enter credit card data and review invoices. Has access to environment consumption data, Help, and Support. Can’t edit groups or assign users to groups. No access to company/billing address info.
  • Account viewer has access to environment consumption data, Help, and Support. No access to credit card data, invoices, or company/billing address info. Can’t edit groups or assign users to groups.

Default groups for environment users

Dynatrace offers four user groups with environment permissions:

  • Monitoring admin has full environment access. Can change monitoring settings. Can download and install OneAgent.
  • Deployment admin can download and install OneAgent. Has read-only access to the environment. Can’t change settings.
  • Confidential data admin can view sensitive data (for example, method arguments) and configure request-data capture rules.
  • Monitoring viewer can access the environment in read-only mode. Can’t change settings. Can’t download or install OneAgent.
  • Log viewer can access and view the contents of log files. Reserved for users who need access to sensitive log file data. No other access rights.

Permissions

You can assign a pre-defined set of permissions to a group. Once a group is defined, you can add users to the group. Added users inherit the permissions of the groups they are assigned to. Any group can be modified to fit your needs. You can even create new groups and assign permissions to them.

Account permissions

Dynatrace provides the following account-based permissions:

  • Access account. Allows access to the account to view environment data (host hours, sessions, web checks) and view links to Help and Support (create tickets, view documentation, and visit forums). No access to billing or user/group management.
  • Edit billing & account info. Allows access to payment data (credit card details), billing data (invoices), and contact information (company contact data).
  • Manage users. Allows access to user management (add/remove users to groups) and group management (create, edit, delete groups).

Environment permissions

Dynatrace provides following environment-based permissions:

  • Access environment. Allows read-only access to the environment. Can’t change settings or install OneAgent.
  • Change monitoring settings. Allows changing of all environment settings. Can’t install OneAgent.
  • Download & install OneAgent. Allows download of OneAgent and installation on hosts. Can’t change settings.
  • View logs. Allows access to sensitive log file data.
  • View sensitive request data. Allows viewing of potentionally sensitive data, such as previously captured HTTP headers, method arguments, or literals in database statement parameters.
  • Configure request capture data (upcoming feature). Allows configuration of request-data capture rules. These can be used to capture elements such as HTTP headers or Post parameters for storage, filtering, and search.

Manage groups and users

User and group permission controls are available when you sign into your account. Just select User management or Group management from the menu on the left-hand side.

View list of groups

To view the list of groups associated with your account, Select Group management from the menu. Note: This feature is only available to users who have the Manage users permission.

Create a new group

  1. Select Group management from the menu. Note: This feature is only available to users who have the Manage users permission.
  2. Click Create new group.
  3. Type a Group name.
  4. Select relevant permissions (account and/or environment permissions). At least one permission must be selected.
  5. Click Add group.

Edit a group

  1. Select Group management from the menu. Note: This feature is only available to users who have the Manage users permission.
  2. Click the Edit (V) button on the right-hand side.
  3. Select/Deselect permissions as required.
  4. (Optional) Type a new Group name.
  5. Click Save.

Delete a group

  1. Select Group management from the menu. Note: This feature is only available to users who have the Manage users permission.
  2. Click the corresponding Delete (x) button on the right-hand side of the group list.
  3. Click Yes to confirm the deletion. You can’t delete groups that have one or more users assigned to them. You need to remove all users from a group before you can delete the group.

View a list of all users

To view the list of users and their permissions associated with your account, Select User management from the menu. Note: This feature is only available to users who have the Manage users permission.

Invite a user to your account

  1. Select User management from the menu. Note: This feature is only available to users who have the Manage users permission. Other users must use the Invite a co-worker option (available on your account’s Environment page).
  2. Click Invite user.
  3. Type the new user’s Email address.
  4. Click a group name to add or remove the user from that group. You need to select at least one group.
  5. To see which permissions the user inherits from all the groups they are members of, click Permission preview.
  6. Click Invite.
    If the user isn’t already a Dynatrace user, they will receive a link they can use to complete the signup process. If they are already a Dynatrace user, they will receive a link to the specified environment.

Edit a user’s group assignments

  1. Select User management from the menu. Note: This feature is only available to users who have the Manage users permission.
  2. Locate the relevant user in the list and click the corresponding Edit (V) button on the right-hand side.
  3. Click a group name to add or remove the user from that group.
  4. Review the permissions by clicking Permission preview. This is an aggregated view of all permissions of all groups the user is assigned to.
  5. Click Save.

Delete a user

  1. Select User management from the menu. Note: This feature is only available to users who have the Manage users permission.
  2. Locate the relevant user in the list and click Delete (X) on the right-hand side.
  3. Click Yes to confirm the deletion.