Dynatrace Inc.

10/14/2024 | Press release | Distributed by Public on 10/14/2024 11:49

Tailored access management, Part 3: Simplified setup for enterprise-scale access management

We recently introduced several new Identity and Access Management (IAM) capabilities to simplify the setup and assignment of user permissions while providing unmatched enterprise-scale flexibility. Combined with new policy boundaries, rethought default policies make it easier to manage which records and resources users can access.

Manage the complexity of authorization systems

Most modern authorization systems provide access management using Attribute-Based Access Control (ABAC). ABAC has several advantages:

  • Enhanced security, providing granular control over access permissions, significantly reducing the risk of data breaches and unauthorized activities.
  • High flexibility, adapting to dynamic environments and diverse user needs. It also supports scalability, making it suitable for organizations of all sizes.
  • Meeting regulatory requirements by providing detailed access control policies.
  • High granularity by segmenting resource and record-level data, ensuring that access decisions are precise and context-aware.
  • Up-to-date security through dynamic authorization; access can be granted or revoked in real time based on changing attributes.

This level of flexibility does, however, bring increased complexity, meaning that implementing and managing ABAC can be time-consuming and resource-intensive. The system demands significant effort to design, manage, and maintain, especially as an organization's needs evolve. Authorization must be continuously managed and adapted to the changing requirements of applications and enterprises.

To counteract this, Dynatrace introduced features to make it easy for admins to adopt and apply our security policies while enjoying the benefits of a highly customizable ABAC system.

Dynatrace introduces new default policies for reduced complexity

With the introduction of security policies, we provided the capability of default policies, which are managed by Dynatrace and work out of the box.

Default policies eliminate much of the hassle of configuring permissions and can easily be deployed. Default policies also ensure a consistent security baseline across all your users, minimizing the chance of security gaps.

Our original concept of default policies, launched back in 2022, was focused on the service level. While this concept gave admins much control, it also required knowledge of our service model. Striving for greater simplicity, we took another approach to default policies, focusing only on the two most important access control use cases:

  • Dynatrace platform access (Dynatrace access): Managing access to Dynatrace features
  • Data monitoring access (Data access): Managing access to monitored data stored in Dynatrace

Dynatrace access policies cover classic and new features, providing a single entry point to manage access to the entire feature set of the Dynatrace platform. With the new release, there are three default access policies available:

  • Standard User policy: Provides baseline access to Dynatrace (corresponds to the former "AppEngine - User" policy)
  • Pro User policy: Provides access to advanced features
  • Admin User policy: Grants admin privileges and provides access to all features (corresponds to the former "AppEngine - Admin" policy)

Data access policies manage access to the monitored data stored in your environment. Access policies for the Dynatrace Grail™ data lakehouse are still available as service-related policies; they allow you to control access to the monitoring data on a per-data-source level, for example, logs and metrics.

All other default policies on the service level, for example, "AutomationEngine - User" access, are now marked as Legacy. This means that existing assignments for these policies remain valid, but they can't be changed except for deletion. Also, no new policy assignments with Legacy policies are allowed.

Simple partition management through policy boundaries

In addition to security policies, admins can now apply policy boundaries, simplifying the management of partitions on the data level and enabling further reusability. While policies define which features and data users can access, policy boundaries define where users can access those features and data.

Policy boundaries allow you to manage your business-specific access control conditions separately from your policies and apply your policies selectively to one or many policy-to-group mappings.

Figure 1. Create a new policy boundary in the new user group management web UI.

For more information, go to our IAM policy boundaries documentation.

Get started with our new security policies

  1. Utilize the default groups: If you're a new Dynatrace customer, we recommend that you utilize the default groups provisioned during account creation. This significantly reduces the effort required to manage user groups and permissions.
  2. Utilize the default policies for new user groups: When creating new groups, utilize the Dynatrace default policies for baselining.
    • Dynatrace access policies: Decide which functionality your users require and apply the right Dynatrace access policy. Regular users can work with the Standard or Pro User policy; the Admin User policy should be reserved for admins only.
    • Data access policies: To manage data access, select the data sources your users should be able to see, such as logs, spans, metrics, and so on. Use the respective data access policies for these assignments.
  3. Assign policy boundaries: When you need to restrict monitoring data access on a per-record basis, or if you need to restrict the resources offered by Dynatrace platform services, define these conditions in your boundaries and apply them as part of your policy configuration. You can assign multiple boundaries to a single policy. Each boundary is automatically matched to the respective policy statements, which are then restricted accordingly.
  4. Refine assigned policies with boundaries reflecting your record/resource partitions.
  5. Create custom policies for advanced access scenarios not covered by the Dynatrace defaults. Be aware that creating custom policies requires additional maintenance effort to keep them current.

    Here is a list of use cases where custom policies can help you fulfill advanced access scenarios:

    • Extend or restrict the access defined by default policies by creating custom policies with ALLOW/DENY statements that tailor user access.
    • Template reusable policies to assign privileges at scale.
    • Create custom policies and assign them to the All-users group to establish a baseline of permissions for all users in your account.
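The steps above (a default data access policy, boundaries scoping it to record partitions, and a custom DENY policy layered on top) can be modelled in a few lines. The following is an added illustration, not Dynatrace's policy language or evaluation engine: the permission names, attribute keys, and the rule that multiple boundaries on one assignment are alternatives (OR) are assumptions of this model.

```python
# Illustrative model of "policies define what, boundaries define where".
# Added example, not Dynatrace code; statement/condition syntax is an assumption.
from dataclasses import dataclass, field


@dataclass
class Statement:
    effect: str                                     # "ALLOW" or "DENY"
    permission: str                                 # what: e.g. "storage:logs:read"
    condition: dict = field(default_factory=dict)   # optional record-attribute filter


@dataclass
class Assignment:
    """One policy-to-group mapping plus the boundaries attached to it."""
    policy: list                                    # list of Statement
    boundaries: list = field(default_factory=list)  # each a dict of attribute = value


def matches(cond, record):
    return all(record.get(k) == v for k, v in cond.items())


def in_scope(assignment, record):
    # No boundary: the policy applies everywhere. Otherwise the record must fall
    # inside at least one boundary (assumed OR semantics between boundaries).
    return not assignment.boundaries or any(matches(b, record) for b in assignment.boundaries)


def decide(assignments, permission, record):
    """DENY wins over ALLOW; otherwise allowed only if some in-scope ALLOW matches."""
    allowed = False
    for a in assignments:
        if not in_scope(a, record):
            continue
        for s in a.policy:
            if s.permission == permission and matches(s.condition, record):
                if s.effect == "DENY":
                    return False
                allowed = True
    return allowed


# Constructed sample: a default data access policy for logs, scoped by two
# namespace boundaries, plus a custom policy that withholds audit logs everywhere.
LOGS_READ = [Statement("ALLOW", "storage:logs:read")]
NO_AUDIT = [Statement("DENY", "storage:logs:read", {"log.source": "audit"})]
TEAM_PAYMENTS = [
    Assignment(LOGS_READ, boundaries=[{"k8s.namespace": "payments"}, {"k8s.namespace": "payments-staging"}]),
    Assignment(NO_AUDIT),
]

if __name__ == "__main__":
    print(decide(TEAM_PAYMENTS, "storage:logs:read", {"k8s.namespace": "payments", "log.source": "app"}))  # True
    print(decide(TEAM_PAYMENTS, "storage:logs:read", {"k8s.namespace": "billing", "log.source": "app"}))   # False
```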

Adopt the new Dynatrace security policies today

Go to Dynatrace Documentation for complete information about these enhancements to Dynatrace access management and how you can benefit from them. If you're an existing customer and want to upgrade to the attribute-based access control system, check out our new guide, which will walk you through the process.

This blog post is part of our series on Tailored access management. If you're interested in learning more about the Dynatrace approach to IAM, have a look at Part 1 and Part 2 of this blog series.