Query user permissions
Every app configuration file must declare the IAM scopes needed to access the Dynatrace APIs it uses. For more information, visit Add permission scopes to use Dynatrace APIs. In addition, a user must be granted the respective scopes by an IAM policy so that the app can execute any Dynatrace API request on the user's behalf. You can find out which scope a function of a Dynatrace SDK needs on its reference page.
If a user lacks the IAM scope necessary for a Dynatrace SDK function the app calls, that request fails with a 403 error code. To avoid this, have the app determine whether the user has the necessary IAM scopes before it calls an SDK function. The client-platform-management-service SDK provides the effectivePermissionsClient for that purpose.
Install the SDK
First, install the required SDK from a terminal in your app's folder:
npm i @dynatrace-sdk/client-platform-management-service
Resolve a user's permissions
You can issue one or many permission requests with a single call to resolveEffectivePermissions, provided by the package's effectivePermissionsClient. Optionally, each request can carry a context object that supplies values for any conditions attached to the respective permission. The response contains a corresponding array of objects, one per request and in the same order, each with a field granted that takes one of the following values:
- "true": The user generally has permission independent of any conditions.
- "false": The user doesn't have the permission.
- "condition": The user has permission only under certain conditions, and the provided context hasn't been enough to resolve them.
Based on the result, an app can decide whether to show or hide a UI element such as a button that would trigger an SDK call; for example, it can hide a "Create" button when it knows the user doesn't have the permission.
As an example, a user has the following permissions through membership in a group to which the following IAM policy is assigned:
ALLOW storage:logs:read; ALLOW storage:metrics:read where storage:metric.key startsWith "builtin:synthetic";
import { effectivePermissionsClient } from '@dynatrace-sdk/client-platform-management-service';

// One call resolves all four requests; the result array keeps the request order.
const result = await effectivePermissionsClient.resolveEffectivePermissions({
  body: {
    permissions: [
      {
        permission: 'storage:logs:read',
        context: [
          {
            key: 'storage:k8s.cluster.name',
            value: 'mycluster',
          },
        ],
      },
      {
        permission: 'app-engine:edge-connects:write',
      },
      {
        permission: 'storage:metrics:read',
      },
      {
        permission: 'storage:metrics:read',
        context: [
          {
            key: 'storage:metric.key',
            value: 'builtin:synthetic.http.availability.location.total',
          },
        ],
      },
    ],
  },
});

// result[0].granted === "true"
// result[1].granted === "false"
// result[2].granted === "condition"
// result[3].granted === "true"
The example shows that the first result is "true" because the policy allows storage:logs:read without any conditions, so the supplied context isn't needed to resolve it. The second result is "false" because the user's policy doesn't allow app-engine:edge-connects:write at all. The third is "condition" because the user only has storage:metrics:read under a condition, and the request provides no context to evaluate it. The fourth request explicitly provides that condition, so a definite "true" can be returned.