
Classic IAM → Account IAM + ABAC


Gen2 (classic) IAM was simple: each user got one of three roles (Viewer, Operator, Admin) per environment, optionally narrowed to one or more management zones. Gen3 moves identity to the account level: users, groups and service users are managed once per account, and access is granted through custom policies whose statements can carry ABAC conditions on attributes of the data itself, such as dt.security_context.

Architecture Change

GEN2                                    GEN3
──────────────────────────────────────  ──────────────────────────────────────
Users managed per environment           Users managed at account level
3 roles: Viewer, Operator, Admin        Custom policies with specific permissions
Management zone scoping                 ABAC with dt.security_context
API tokens per environment              OAuth clients at account level
No cross-env access control             Unified across all environments

IAM Components

Component       Purpose                         API
──────────────  ──────────────────────────────  ──────────────────────────
Users           Human identities                /iam/v1/accounts/{id}/users
Groups          Collections of users            /iam/v1/accounts/{id}/groups
Service Users   Non-human identities            /iam/v1/accounts/{id}/service-users
Policies        Permission definitions          /iam/v1/repo/account/{id}/policies
Bindings        Attach policies to groups       /iam/v1/repo/account/{id}/bindings
Boundaries      Limit policy scope              (referenced per binding)

Policy Statement Syntax

// Allow read access to all storage
// (querying Grail also needs storage:buckets:read for the buckets being read)
ALLOW storage:metrics:read, storage:logs:read, storage:events:read;

// Allow with ABAC condition: a single "=" (not "=="); the WHERE clause
// applies to every permission listed in the same ALLOW statement, and
// records that carry no dt.security_context never match it
ALLOW storage:logs:read
WHERE storage:dt.security_context = "team-payments";

// Allow workflow management
ALLOW automation:workflows:read, automation:workflows:write, automation:workflows:run;
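To check a policy mapping offline before creating it through the API, here is an added example (not from the page and not Dynatrace's policy engine) of a small parser and evaluator for the statement form shown above. It models only ALLOW statements with an optional WHERE clause of `attr = "value"` or `attr IN ("a", "b")` terms joined by AND (the IN form is Dynatrace syntax not shown on the page); it has no boundaries, no startsWith and no DENY. The sample policy and the request attributes are constructed for illustration.

```python
"""Offline evaluator for ALLOW ... [WHERE ...]; policy statements (added example).

Simplified model of the statement syntax: only ALLOW statements, with an
optional WHERE clause of `attr = "value"` or `attr IN ("v1", "v2")` terms
joined by AND. It is not the Dynatrace policy engine (no boundaries,
no startsWith, no DENY semantics).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    permissions: frozenset[str]
    # attribute -> accepted values; an empty dict means unconditional
    conditions: dict[str, frozenset[str]]


# One statement: ALLOW p1, p2 [WHERE cond];   (comments are removed beforehand)
STATEMENT_RE = re.compile(
    r"ALLOW\s+(?P<perms>[^;]+?)(?:\s+WHERE\s+(?P<cond>[^;]+))?\s*;", re.I | re.S
)
# One condition term: attr = "value"   or   attr IN ("a", "b")
TERM_RE = re.compile(
    r'(?P<attr>[\w:.\-]+)\s*(?:=\s*"(?P<val>[^"]*)"|IN\s*\((?P<vals>[^)]*)\))', re.I
)


def parse_policy(text: str) -> list[Statement]:
    """Parse policy text into statements; raises ValueError on unsupported syntax."""
    text = re.sub(r"//[^\n]*", "", text)  # drop // comments
    statements = []
    for m in STATEMENT_RE.finditer(text):
        perms = frozenset(p.strip() for p in m["perms"].split(","))
        conds: dict[str, frozenset[str]] = {}
        if m["cond"]:
            for term in re.split(r"\s+AND\s+", m["cond"].strip(), flags=re.I):
                t = TERM_RE.fullmatch(term.strip())
                if t is None:
                    raise ValueError(f"unsupported condition term: {term.strip()!r}")
                values = (
                    frozenset([t["val"]]) if t["val"] is not None
                    else frozenset(re.findall(r'"([^"]*)"', t["vals"]))
                )
                conds[t["attr"]] = values
        statements.append(Statement(perms, conds))
    return statements


def is_allowed(statements: list[Statement], permission: str, attributes: dict[str, str]) -> bool:
    """True if some statement grants `permission` and every one of its
    conditions matches the record attributes. A record that lacks the
    attribute named in a WHERE clause does not match that clause."""
    for s in statements:
        if permission not in s.permissions:
            continue
        if all(attributes.get(attr) in vals for attr, vals in s.conditions.items()):
            return True
    return False


# Constructed sample policy: the unconditional metrics read from the page,
# team-scoped logs, and an IN(...) variant for events.
SAMPLE_POLICY = """
// read access to all metrics
ALLOW storage:metrics:read;

// logs only for the payments team's security context
ALLOW storage:logs:read
WHERE storage:dt.security_context = "team-payments";

// events for two teams
ALLOW storage:events:read
WHERE storage:dt.security_context IN ("team-payments", "team-checkout");
"""

if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    ctx = {"storage:dt.security_context": "team-checkout"}
    print(is_allowed(stmts, "storage:logs:read", ctx))    # False: other team's context
    print(is_allowed(stmts, "storage:events:read", ctx))  # True: listed in IN(...)
```

The negative cases are the ones worth running during a migration: a record with no security context at all, and a user of one team asking for another team's context, must both come back False for a scoped permission.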

OAuth Client Setup

# Get OAuth token (client credentials grant).
# Keep the secret out of the command line and shell history: read it from an
# environment variable (DT_CLIENT_SECRET here is an illustrative name) and let
# curl URL-encode the values that contain ':' or spaces.
curl -sS -X POST "https://sso.dynatrace.com/sso/oauth2/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=dt0s02.XXXXXXXX" \
  --data-urlencode "client_secret=${DT_CLIENT_SECRET}" \
  --data-urlencode "scope=storage:metrics:read storage:logs:read" \
  --data-urlencode "resource=urn:dtaccount:ACCOUNT-UUID"

The access token is valid for 300 seconds, so automation should request one per run (or refresh shortly before expiry) rather than store it. Scopes are space-separated and must be a subset of the scopes granted to the OAuth client when it was created. Client IDs have the form dt0s02.XXXXXXXX; the client secret is shown once at creation and should be handled like a password (secret store or environment variable, never pasted into a script).
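The same grant in a form that fits a long-running job, as an added example (not from the page or from Dynatrace's SDKs): the request body is built with the standard library, the secret is read from an environment variable named DT_CLIENT_SECRET (an assumption), and a small cache renews the token 30 seconds before its expires_in runs out (the margin is also an assumption). The fetch function and clock are injectable so the cache logic can be exercised without network access.

```python
"""Client-credentials token fetch with expiry-aware caching (added example).

Assumptions not taken from the page: the client secret comes from the
DT_CLIENT_SECRET environment variable, and a token is renewed
REFRESH_MARGIN_S seconds before its expires_in elapses.
"""
from __future__ import annotations

import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable

TOKEN_URL = "https://sso.dynatrace.com/sso/oauth2/token"
REFRESH_MARGIN_S = 30      # assumption: renew this long before expiry
DEFAULT_EXPIRES_IN = 300   # lifetime stated on the page, used if the response omits expires_in


def build_token_request(client_id: str, client_secret: str,
                        scopes: list[str], account_uuid: str) -> tuple[str, bytes]:
    """Return (url, form-encoded body) for the client_credentials grant.
    Scopes are joined with spaces; urlencode makes ':' and ' ' safe in the body."""
    if not client_id.startswith("dt0s02."):
        raise ValueError("OAuth client IDs have the form dt0s02.XXXXXXXX")
    if not scopes:
        raise ValueError("at least one scope is required")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
        "resource": f"urn:dtaccount:{account_uuid}",
    }).encode()
    return TOKEN_URL, body


def fetch_token_http(client_id: str, scopes: list[str], account_uuid: str) -> dict:
    """POST the grant to the SSO endpoint and return the JSON token response."""
    secret = os.environ["DT_CLIENT_SECRET"]  # assumption: secret injected via the environment
    url, body = build_token_request(client_id, secret, scopes, account_uuid)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)   # contains access_token and expires_in


class TokenCache:
    """Hands out a valid access token, re-fetching shortly before expiry.
    `fetch` returns a token response dict; `clock` is injectable for tests."""

    def __init__(self, fetch: Callable[[], dict],
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._token: str | None = None
        self._expires_at = 0.0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_S:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires_at = now + float(resp.get("expires_in", DEFAULT_EXPIRES_IN))
        return self._token


if __name__ == "__main__":
    # A job that runs longer than 300 s asks the cache on every API call
    # instead of holding one token for its whole lifetime.
    cache = TokenCache(lambda: fetch_token_http(
        "dt0s02.XXXXXXXX", ["storage:metrics:read", "storage:logs:read"], "ACCOUNT-UUID"))
    print(cache.get()[:8] + "...")
```

Because the secret is read inside `fetch_token_http` rather than passed through the cache, nothing but the token itself is held in memory between refreshes, and the token never reaches argv or shell history.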

Migration Checklist

  1. Inventory all Gen2 users and their roles, per environment, including any management-zone scoping
  2. Map management zones to ABAC conditions: pick the dt.security_context value for each zone's data and confirm ingest actually sets it, since a WHERE clause on dt.security_context never matches records that carry no security context
  3. Create account-level groups matching team structure
  4. Write policies for each role (viewer, operator, admin) and bind them to the groups
  5. Create OAuth clients for automation (replace API tokens), granting each client only the scopes its job needs
  6. Test access with each group before cutover, including negative checks (one team must not see another team's security context)
  7. Revoke the replaced Gen2 API tokens once the OAuth clients are confirmed working