
Clarification on required scope and required permission for Dynatrace SDK for Dynatrace App

Hey,

I would like to confirm whether my understanding of the access right control of Dynatrace Apps is correct or not.

Required scope: the app setting so that this app can run certain SDKs.

Required permission: whether the user has the user permission so that he/she can run the app.

StephenLHChan_0-1690401293804.png

For this case, the user needs to have the 'environment:roles:viewer' permission and the app needs to specify "environment-api:credentials:read" in the appConfig.ts file so that this app can be run.

I found that some SDKs do not specify a required permission. Does it mean that users do not need special permission to execute the SDK?

And what if the user only has part of the permissions that the app requires?

For example, if an app needs users to have 6 different permissions, but the user only has 4 out of 6 permissions, will the error show when he/she clicks on the app (when he/she tries to open the app) or when he/she triggers the SDK that he/she does not have permission to use?

Thanks.


stefan_eggersto
Dynatrace Mentor

Hi @StephenLHChan,

let me try to answer your questions:

For this case, the user needs to have the 'environment:roles:viewer' permission and the app needs to specify "environment-api:credentials:read" in the appConfig.ts file so that this app can be run.

This is correct. You can find this information also on https://developer.dynatrace.com/platform-services/services/classic-environment/#accessing-classic-en...

 

I found that some SDKs do not specify a required permission. Does it mean that users do not need special permission to execute the SDK?

The "required permission" is only defined for the 2 Classic Environment API SDKs. All other SDKs, e.g. for the Document Service, require the user to have IAM policies assigned (see https://www.dynatrace.com/support/help/shortlink/iam-policystatements#document).

And what if the user only has part of the permissions that the app requires?

For example, if an app needs users to have 6 different permissions, but the user only has 4 out of 6 permissions, will the error show when he/she clicks on the app (when he/she tries to open the app) or when he/she triggers the SDK that he/she does not have permission to use?

They can still use the app, but certain functionality, e.g. storing a document, will result in a permission error whenever the SDK is used.

 

Let me know if that helps!

-Stefan

Hi @stefan_eggersto ,

Thanks for the reply.

It really helps.

I found that one of the Classic Environment API SDKs, like the one in the screenshot below, does not specify the required permission. Does it mean that the users do not need any permission to execute this SDK?

Classic Environment V2 | Dynatrace Developer

StephenLHChan_0-1690462906157.png

 

Good catch! This is a method which was specifically added to be accessed from apps.

The absence of required permission means that users can only access it when they have the environment-api:credentials:read IAM permission assigned. Their assigned roles (e.g. View environment or Manage monitoring settings) are not taken into account.
