Access Control
Dynatrace uses account-level IAM with Attribute-Based Access Control (ABAC), which is more powerful than traditional role-based access.
Key Concepts
Concept        What It Does                            Example
-------------  --------------------------------------  ---------------------------
Users          People who access Dynatrace             john@company.com
Groups         Collections of users                    SRE-Team, Dev-Team
Policies       Define what actions are allowed         ALLOW storage:logs:read
Boundaries     Restrict policy scope to specific data  Only production environment
Segments       Reusable data filters                   "Production hosts" filter
Service Users  Non-human accounts for automation       Workflow actors
ABAC: Attribute-Based Access Control
ABAC policies filter data based on attributes, which is much more powerful than role-based access:
// Allow reading logs only for the payments team
ALLOW storage:logs:read
WHERE storage:dt.security_context MATCH ("team-payments")
// Allow reading all metrics but only for production
ALLOW storage:metrics:read
WHERE storage:dt.security_context MATCH ("env-production")
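A simplified local model of the two statements above, added here as an illustration (it is not Dynatrace code or a Dynatrace API). It parses the statement shape shown on this page and applies it to constructed records; treating MATCH as exact comparison against the listed values, denying anything no ALLOW statement covers, the record layout and the function names are all assumptions of the model.

```python
import re

# Statement shape from this page: ALLOW <permission> WHERE <attribute> MATCH ("v1", "v2")
STATEMENT = re.compile(
    r'ALLOW\s+(?P<perm>[\w:.-]+)'
    r'(?:\s+WHERE\s+(?P<attr>[\w:.-]+)\s+MATCH\s*\((?P<vals>[^)]*)\))?\s*;?$'
)

# The two statements from this page.
POLICY = '''
// Allow reading logs only for the payments team
ALLOW storage:logs:read
WHERE storage:dt.security_context MATCH ("team-payments")
// Allow reading all metrics but only for production
ALLOW storage:metrics:read
WHERE storage:dt.security_context MATCH ("env-production")
'''

# Constructed sample records (hypothetical layout, not real Dynatrace data).
RECORDS = [
    {"id": 1, "dt.security_context": "team-payments"},
    {"id": 2, "dt.security_context": "team-checkout"},
    {"id": 3, "dt.security_context": "env-production"},
    {"id": 4},  # untagged: no security context at all
]

def parse_policy(text):
    """Return (permission, attribute, allowed_values) for each ALLOW statement."""
    body = " ".join(line.split("//")[0].strip() for line in text.splitlines())
    statements = []
    for chunk in filter(None, (c.strip() for c in re.split(r'(?=\bALLOW\b)', body))):
        m = STATEMENT.match(chunk)
        if m is None:
            raise ValueError(f"unsupported statement: {chunk!r}")
        vals = frozenset(re.findall(r'"([^"]*)"', m.group("vals") or ""))
        statements.append((m.group("perm"), m.group("attr"), vals))
    return statements

def visible(statements, permission, records):
    """Model assumption: a record is readable only if an ALLOW statement matches it."""
    def allowed(rec):
        for perm, attr, vals in statements:
            if perm != permission:
                continue
            # "storage:dt.security_context" maps to record key "dt.security_context".
            if attr is None or rec.get(attr.split(":", 1)[-1]) in vals:
                return True
        return False
    return [rec["id"] for rec in records if allowed(rec)]
```

In this model the untagged record (id 4) is matched by neither statement, which is why consistent dt.security_context tagging matters when ABAC conditions are the only grant.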
Segments
Segments are reusable data filters that replace management zones:
Management Zones (old)           Segments (new)
-------------------------------  -------------------------
Pre-computed, environment-level  Query-time, account-level
Limited to ~500                  Unlimited
Entity-based filtering           Attribute-based filtering
Host Tags for Segmentation
Three special tag keys propagate to all derived data:
Tag Key              Purpose                      Example
-------------------  ---------------------------  ----------------
dt.security_context  ABAC data access filtering   team-payments
dt.cost.costcenter   Cost allocation              CC-12345
dt.cost.product      Product-level cost tracking  checkout-service
Authentication Methods
Method          Scope        Lifetime      Use Case
--------------  -----------  ------------  ---------------------
API Token       Environment  No expiry     Settings, extensions
OAuth Client    Account      300s bearer   Automation, Terraform
Platform Token  User-scoped  Configurable  Scripts, integrations
💡 Platform tokens are the newest auth method: long-lived, user-scoped, no OAuth dance. Create them at myaccount.dynatrace.com/platformTokens.
Try it: Open Ctrl+K → "Account Management" → IAM → Groups. See how groups map to policies and environments. Try creating a test group with a read-only policy to understand the permission model.
Default Policies
Dynatrace provides 3 access tiers that auto-update with platform changes:
Admin User     Administrative access across all Platform Services
Pro User       Build, deploy, run Apps + Workflows + key services
Standard User  Access environment + run Dynatrace Apps
Plus data policies: Read Logs, Read Metrics, Read Spans, Read Events, Read Entities, Read Security Events. Bind these with policy boundaries for scoped access.
Platform Tokens
Long-lived tokens for programmatic API access, simpler than OAuth. Created per-user or per-service-user, scoped to the user's permissions. Use: Authorization: Bearer <platformtoken>.