Properly provide access to New UI based on Management Zones permissions

dannemca
DynaMight Guru

The new UI is there and we can use policies to provide users access to it, based on this blog post.

But my current env access is totally based on Management Zones. We have many teams which can access specific Management Zones, with no special permissions other than access env and change monitoring permissions. We are not using policies yet, since not required. Until now.

The appengine and grail access is not scoped at Management Zone level, but at the entire environment, so I am struggling to properly set the policy rules for it.

Has anyone faced the same challenge?

Any tip for the friend here?

Thanks.

Site Reliability Engineer @ Kyndryl
9 REPLIES

DanielS
DynaMight Guru

Facing exactly the same challenge as you, @dannemca. It is currently under investigation on my side.

The true delight is in the finding out rather than in the knowing.

DanielS
DynaMight Guru

I should also let you know that I have a case with a detected bug: if you have a policy with more than 100 lines, you cannot edit it. They will notify me of a possible ETA for the solution. I found this when I was doing tests related to this topic.

The true delight is in the finding out rather than in the knowing.

Kenny_Gillette
DynaMight Leader

Well, I heard on a call last week that Management Zones are going away in roughly 18-24 months. I am trying to get more info on this from my account team and from the Western group that I was in, and it was brought up on a call with IAM Policies. Will let you know when I hear more and find out more details. Very early stages from what I hear.

Dynatrace Certified Professional

Hi @Kenny_Gillette,
Have you managed to get more information on the possible removal of management zones? This is also a key point for us, and we've heard absolutely nothing about it.

No information yet. Just reached out to my contacts at Dynatrace and they are researching.

Dynatrace Certified Professional

soukainaB
Dynatrace Promoter

Hi @dannemca, have you by any chance found an answer to your question? I am running into the same issue here.

PacoPorro
Dynatrace Champion

dannemca
DynaMight Guru

I believe the access issue can be managed using custom buckets and policies, as per this blog: https://www.dynatrace.com/news/blog/enhance-data-management-with-grail-ultimate-guide-to-custom-buck... and this video: https://info.dynatrace.com/global-rm-enhanced-access-controls-with-record-level-permissions-23267-fu...

It does mention logs, but I believe it can also be applied to metrics buckets.

I will do some tests and see if that works.

Site Reliability Engineer @ Kyndryl

Yep, just tested and worked as expected.

I have still used the Management Zones to limit the entity access in general UI views (host classic page, dashboard classic, data explorer, etc.). And for Grail access with DQL, I had to use the policies, limiting the access by hostgroup (but I do assume it can be any metadata).

Example:

ALLOW storage:buckets:read;
ALLOW storage:entities:read;
ALLOW storage:system:read;
ALLOW storage:metrics:read
WHERE storage:dt.host_group.id STARTSWITH "my_host_group";

It is not easy, but doable.

Site Reliability Engineer @ Kyndryl
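
Added example, not part of the thread and not Dynatrace's or dannemca's code: a Python script that renders the policy pattern from the post above for several teams and flags two things to check before rollout, a STARTSWITH prefix that also matches another team's host groups and a policy longer than the 100 lines reported above as uneditable. Team names, prefixes and function names are hypothetical; it assumes that repeating the metrics statement once per prefix is accepted.

```python
from itertools import permutations

# Per the thread, a policy with more than 100 lines could not be edited.
MAX_EDITABLE_LINES = 100

# Constructed sample input (hypothetical teams and host group prefixes).
TEAM_PREFIXES = {
    "payments": ["pay_prod", "pay_test"],
    "payments-eu": ["pay_prod_eu"],
    "web": ["web_"],
}

def render_policy(prefixes):
    """Render the post's statements, one metrics rule per prefix (assumption)."""
    # As in the post, only storage:metrics:read carries the WHERE condition.
    lines = [
        "ALLOW storage:buckets:read;",
        "ALLOW storage:entities:read;",
        "ALLOW storage:system:read;",
    ]
    for p in prefixes:
        # An empty prefix matches every host group; quotes or newlines
        # would break out of the string literal in the statement.
        if not p or any(c in p for c in '"\r\n'):
            raise ValueError(f"unsafe host group prefix: {p!r}")
        lines += ["ALLOW storage:metrics:read",
                  f'WHERE storage:dt.host_group.id STARTSWITH "{p}";']
    return lines

def overlapping_grants(team_prefixes):
    """List (team, prefix, other_team, other_prefix) where the first team's
    STARTSWITH rule also matches host groups under the other team's prefix."""
    pairs = [(t, p) for t, ps in team_prefixes.items() for p in ps]
    return [(ta, pa, tb, pb)
            for (ta, pa), (tb, pb) in permutations(pairs, 2)
            if ta != tb and pb.startswith(pa)]

def too_long_to_edit(lines):
    """True when the rendered policy exceeds the reported 100-line limit."""
    return len(lines) > MAX_EDITABLE_LINES

if __name__ == "__main__":
    for team, prefixes in TEAM_PREFIXES.items():
        policy = render_policy(prefixes)
        print(f"# policy for {team} ({len(policy)} lines)")
        print("\n".join(policy))
    for ta, pa, tb, pb in overlapping_grants(TEAM_PREFIXES):
        print(f'WARNING: {ta} prefix "{pa}" also matches {tb} groups "{pb}..."')
```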
