dynaTrace 6.0.x permissions problem - two roles and one groups
I have a problem with giving users additional permissions in one group by two roles.
Example:
I created two roles - Developer and Guest.
Guest is almost original role form default configuration. Developer is role that has additional permissions e.g. Analyse System and Read confidential strings. Sadly I noticed that this permissions are not summing up and user test sees only Guest role permissions.
How overcome this problem? - I don't want multiply groups when role mechanism is available.
Lukasz,
The problem is that the group has "no permissions" for Server Management. You need to assign "Developer" to the Dynatrace Server Management pull-down. That set of permissions – for server operations including the Agent Overview – is separate from the system profile permissions given in the second half of the screenshot.
Also, I don't think the system profile permissions "add". I think Dynatrace probably just takes the first matching rule when looking at what a given group can do to a given profile, so the second "default" rule is ignored.
This is explained here: User Permissions and Authentication
of which this is the pertinent part:
Management Role
A user group specifies exactly one role to manage Dynatrace Servers. Roles that are applied for management only grant access to Dynatrace Server. Dynatrace ignores other permissions (e.g. for a specific System Profile) contained in this role. To completely deny access to Dynatrace Server management, select No Permission.
System Profiles
To protect System Profiles, Dynatrace defines roles for them. Unlike management roles, System Profile roles only use permissions that apply to System Profile functionality (e.g. run analyses and create memory dumps). A role's permissions for Dynatrace Server management are ignored.
-- Graeme
