
Query user permissions

Every app configuration file must declare the IAM scopes needed to access the Dynatrace APIs the app uses. For more information, visit Add permission scopes to use Dynatrace APIs. In addition, a user must be granted the respective scopes by an IAM policy so that the app can execute Dynatrace API requests on that user's behalf. The reference page for each Dynatrace SDK states which scope a given function needs.

If a user lacks the IAM scope needed by a Dynatrace SDK function the app calls, the request fails with a 403 error code. To avoid this, have the app determine whether the user has the necessary IAM scopes before it calls the SDK function. The client-platform-management-service SDK provides the effectivePermissionsClient for that purpose.

Install the SDK

First, in your app's folder, you need to install the required SDK via the terminal as follows:

npm i @dynatrace-sdk/client-platform-management-service

Resolve a user's permissions

You can issue one or many permission requests with a single call to resolveEffectivePermissions, provided by the package's effectivePermissionsClient. Optionally, you can provide a context object that supplies values for any conditions attached to the respective permission. The response object has a corresponding array of objects, each with a field granted that takes one of the following values:

  • "true": The user has the permission regardless of any conditions.
  • "false": The user doesn't have the permission.
  • "condition": The user has the permission only under certain conditions, and the provided context wasn't sufficient to resolve them.
Tip

Based on the result, an app can decide to show or hide a UI element such as a button that would trigger an SDK call, for example by hiding a "Create" button when it's known that the user doesn't have the permission.

As an example, a user has the following permissions through a group membership to which the following IAM policy is assigned:

ALLOW storage:logs:read; ALLOW storage:metrics:read where storage:metric.key startsWith "builtin:synthetic";
import { effectivePermissionsClient } from '@dynatrace-sdk/client-platform-management-service';

const result = await effectivePermissionsClient.resolveEffectivePermissions({
  body: {
    permissions: [
      {
        permission: 'storage:logs:read',
        context: [
          {
            key: 'storage:k8s.cluster.name',
            value: 'mycluster',
          },
        ],
      },
      {
        permission: 'app-engine:edge-connects:write',
      },
      {
        permission: 'storage:metrics:read',
      },
      {
        permission: 'storage:metrics:read',
        context: [
          {
            key: 'storage:metric.key',
            value: 'builtin:synthetic.http.availability.location.total',
          },
        ],
      },
    ],
  },
});

// result[0].granted === "true"
// result[1].granted === "false"
// result[2].granted === "condition"
// result[3].granted === "true"

The example shows that the first result is "true" because the policy allows storage:logs:read without any conditions, so the supplied context is irrelevant. The second result is "false" because the user's policy doesn't allow app-engine:edge-connects:write. The third is "condition" because the user has storage:metrics:read only under a condition, and the request provides no context to evaluate it. The fourth request explicitly provides that context, so a definite "true" can be returned.
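The following is an added example, not code from the Dynatrace documentation or SDK. It wraps the call above in a small helper that turns each result into a show/hide decision for the UI, treating "condition" as not granted when no context was sent. The SDK client is injected as a parameter (pass effectivePermissionsClient in production); here a constructed stand-in that evaluates the page's example policy is assumed, and the result is assumed to be the array of { granted } objects shown above.

```javascript
// Added example, not from the Dynatrace docs. The client is injected so the real
// effectivePermissionsClient can be used in production; a constructed stand-in is used here.

// Build the request body from checks of the form { permission, context? }; a plain
// context object is expanded into the { key, value } entries shown on the page.
function buildRequest(checks) {
  return {
    body: {
      permissions: checks.map(({ permission, context }) => ({
        permission,
        ...(context && { context: Object.entries(context).map(([key, value]) => ({ key, value })) }),
      })),
    },
  };
}

// Map each check to a UI decision. Only a definite "true" shows the action: "condition"
// means the outcome depends on context we did not send, so the action stays hidden
// (fail closed). The API still enforces the policy with a 403, so this is a usability
// gate, not the authorization boundary.
function decide(checks, result) {
  // Assumption: result is the array of { granted } objects shown in the page's example.
  return checks.map((check, i) => ({
    permission: check.permission,
    granted: result[i].granted,
    show: result[i].granted === 'true',
  }));
}

async function decideUiActions(client, checks) {
  return decide(checks, await client.resolveEffectivePermissions(buildRequest(checks)));
}

// Constructed stand-in for the page's policy:
//   ALLOW storage:logs:read;
//   ALLOW storage:metrics:read where storage:metric.key startsWith "builtin:synthetic";
function evaluatePolicy(body) {
  return body.permissions.map(({ permission, context = [] }) => {
    if (permission === 'storage:logs:read') return { granted: 'true' };
    if (permission !== 'storage:metrics:read') return { granted: 'false' };
    const metric = context.find((c) => c.key === 'storage:metric.key');
    if (!metric) return { granted: 'condition' };
    return { granted: metric.value.startsWith('builtin:synthetic') ? 'true' : 'false' };
  });
}
const fakeClient = { resolveEffectivePermissions: async ({ body }) => evaluatePolicy(body) };

// The same four checks as the page's example (constructed input).
const checks = [
  { permission: 'storage:logs:read', context: { 'storage:k8s.cluster.name': 'mycluster' } },
  { permission: 'app-engine:edge-connects:write' },
  { permission: 'storage:metrics:read' },
  { permission: 'storage:metrics:read',
    context: { 'storage:metric.key': 'builtin:synthetic.http.availability.location.total' } },
];
```

Calling decideUiActions(fakeClient, checks) yields show flags of true, false, false, true for the four checks; the third stays hidden because its "condition" result could not be resolved without a metric key.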
