Actions are exclusively run inside the Dynatrace platform and not directly inside a customer's environment. Furthermore, all actions are added via apps which both need to be installed by the customer first to make the actions available and are either directly developed by Dynatrace, partners, or the customer themselves.  

Any action or customer (ad-hoc) script is run with a user context and is limited to data the user can access. Any action or script (aka function) can only communicate with the outside via HTTP calls. The platform supports an allow list, which blocks any and all calls to unauthorized domains. In order to give access to on-premise systems (e.g. Jira), Dynatrace EdgeConnect can be deployed in order to work as an HTTP proxy with similar whitelisting and mapping rules for domains, both centrally in the platform and can be further limited on the local Dynatrace EdgeConnect config.