
Gain enterprise-level security with easy LDAP authentication in Dynatrace Managed

With role-based access control for large global teams, automatic enterprise-wide deployment and full-stack coverage across infrastructure, cloud platforms, and applications, Dynatrace is built for the most demanding enterprise environments. Our largest customers have hundreds of Dynatrace users working together from around the world. In order to scale, such enterprises need the ability to quickly and safely manage users while maintaining granular control over user permissions.

Currently, a significant number of our customers leverage the Dynatrace internal user repository to authenticate access to the Dynatrace Software Intelligence Platform. However, the internal user repository is often disconnected from enterprise access directories. Therefore we’ve simplified LDAP configuration for Dynatrace Managed, thus allowing large enterprises to manage user permissions on the fly and to centrally manage their company-wide security policies. This means that you can spend more of your time innovating and less time configuring!

Frictionless enterprise level authentication using LDAP

Today we’re happy to announce that Dynatrace Managed now lets you use your existing LDAP server for enterprise-level authentication from day 0: no changes are required on the LDAP side to get started.

With the simplified approach to LDAP authentication, Dynatrace Managed customers can assign groups to users independently of the directory; you no longer need to rely on the group-membership attribute values received via LDAP. This gives you more autonomy in user management and the granular control over user permissions that many of you have asked for.

Let’s take a look at two user stories below to see why this is a game-changer.

Single authentication experience across the whole enterprise

The first user story illustrates the need for autonomy in application-specific permissions management at large enterprises. Until now, such autonomy could only be achieved with the internal user repository in Dynatrace rather than with LDAP. That meant giving up the benefits of your enterprise LDAP server: a single authentication point and a central place for password management, including password policies and expiration. With the new LDAP enhancement, Dynatrace Managed customers get both: centralized authentication with the security controls of the directory, and autonomy in permissions management.

This feature is absolutely necessary! We are a subsidiary that can access LDAP for remote authentication and have no possibility to modify anything there. Our users are in a specific organizational unit corresponding to our company. With simplified LDAP integration, we have received from Dynatrace Managed the long-awaited autonomy of in-application authentication.
– Philippe Sargnon, APM Manager at RCI BANQUE, RENAULT Financial and Credit Subsidiary

Granular management of user permissions using LDAP authentication

The other customer request we’ve heard repeatedly relates to the need for more granular permissions management. Quite often, only high-level LDAP enterprise groups exist (for example, employees, operations, sales, or IT). With Dynatrace, however, you may need to organize data access per application, which is especially important at web scale.

This is very much necessary! My users usually don’t even know their LDAP group. In that case I wasn’t able to assign them permissions. Moreover, in some cases users in the same LDAP group manage different applications that are not related to each other. With that feature I’m finally able to use LDAP!
– Tech Lead, semiconductor technology company

To sum up, the new solution lets you manage user permissions in Dynatrace granularly while keeping LDAP for authentication. By turning on authentication-only mode in the LDAP configuration, you assign groups to users manually instead of deriving them automatically from LDAP group membership. Note the consequence for offboarding and role changes: the LDAP bind still decides whether a user can sign in at all (a disabled directory account is still locked out), but removing a user from an LDAP group no longer changes that user’s Dynatrace permissions, so group clean-up becomes a task for your Dynatrace administrators.
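The following is an added example, not Dynatrace code, that models the difference between the two modes: a login is first checked with a bind against the directory, and the user’s effective groups are then resolved either from the LDAP `memberOf` values (automatic assignment) or from a locally maintained table (authentication-only mode). The in-memory directory, the group-mapping table and the user names are all constructed for the demonstration and stand in for a real LDAP server; the point it shows is that a disabled directory account is rejected in both modes, while a membership change in the directory only affects permissions in automatic mode.

```python
"""Two LDAP group-assignment modes, modelled with an in-memory directory.

Added example; not part of the Dynatrace product or its API. Every name
below (users, DNs, groups, the mapping tables) is constructed for the demo.
A real deployment binds to the LDAP server over TLS; the dict DIRECTORY
stands in for that server here.
"""
import hmac
from typing import Optional, Set

BASE_DN = "ou=subsidiary,dc=example,dc=com"          # constructed

# Constructed stand-in for an enterprise directory: DN -> attributes.
DIRECTORY = {
    f"uid=asmith,{BASE_DN}": {
        "userPassword": "correct horse",
        "memberOf": ["cn=employees,ou=groups,dc=example,dc=com"],
        "disabled": False,
    },
    f"uid=bjones,{BASE_DN}": {
        "userPassword": "battery staple",
        "memberOf": ["cn=employees,ou=groups,dc=example,dc=com",
                     "cn=operations,ou=groups,dc=example,dc=com"],
        "disabled": True,   # has left the company; account disabled in LDAP
    },
}

# Automatic mode: which application groups an LDAP group grants (constructed).
LDAP_GROUP_MAP = {
    "cn=employees,ou=groups,dc=example,dc=com": {"viewer"},
    "cn=operations,ou=groups,dc=example,dc=com": {"admin"},
}

# Authentication-only mode: groups assigned locally, per user (constructed).
# Per-application groups such as "app-payments" need no LDAP counterpart.
LOCAL_ASSIGNMENTS = {
    "asmith": {"viewer", "app-payments"},
    "bjones": {"admin"},
}


def ldap_bind(username: str, password: str) -> Optional[dict]:
    """Simple bind against the stand-in directory.

    Returns the user's entry on success, None on failure. A disabled
    account fails the bind regardless of which group mode is in use.
    """
    entry = DIRECTORY.get(f"uid={username},{BASE_DN}")
    if entry is None or entry["disabled"]:
        return None
    # Constant-time comparison; a real server verifies a hashed credential.
    if not hmac.compare_digest(entry["userPassword"], password):
        return None
    return entry


def login(username: str, password: str, authentication_only: bool) -> Optional[Set[str]]:
    """Returns the user's effective groups, or None if login is denied."""
    entry = ldap_bind(username, password)
    if entry is None:
        return None
    if authentication_only:
        # Group membership is owned in the application; LDAP attributes are ignored.
        return set(LOCAL_ASSIGNMENTS.get(username, set()))
    groups: Set[str] = set()
    for group_dn in entry.get("memberOf", []):
        groups |= LDAP_GROUP_MAP.get(group_dn, set())
    return groups


def set_ldap_membership(username: str, group_dn: str, member: bool) -> None:
    """Simulates a directory administrator adding or removing a group membership."""
    entry = DIRECTORY[f"uid={username},{BASE_DN}"]
    if member and group_dn not in entry["memberOf"]:
        entry["memberOf"].append(group_dn)
    if not member and group_dn in entry["memberOf"]:
        entry["memberOf"].remove(group_dn)


if __name__ == "__main__":
    print("automatic   :", login("asmith", "correct horse", False))
    print("auth-only   :", login("asmith", "correct horse", True))
    print("disabled    :", login("bjones", "battery staple", True))
    set_ldap_membership("asmith", "cn=operations,ou=groups,dc=example,dc=com", True)
    print("after LDAP change, automatic:", login("asmith", "correct horse", False))
    print("after LDAP change, auth-only:", login("asmith", "correct horse", True))
```

Run it as a script to see both resolutions side by side. The `set_ldap_membership` step is the part worth dwelling on: in authentication-only mode the directory change has no effect on the application’s groups, which is exactly the autonomy the feature provides, and also the reason permission reviews must then be carried out in the application rather than in the directory.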

How to get started

We’ve added a checkbox to the Groups query section of the LDAP configuration page in the CMC (Settings > Repository > Choose a user repository). It controls whether Dynatrace automatically assigns users to groups based on LDAP queries. When you clear it, the remaining Groups query settings no longer apply and are disabled. Then proceed to the Users query configuration, test and save your query, and you’re good to go. All existing group assignments for your users remain unchanged.

LDAP configuration

Previously, automatic assignment of groups was the only option: manual group assignment was disabled for LDAP users, and membership was handled entirely by the LDAP integration. Now the configuration lets you manage each user’s permissions and group assignment autonomously in Dynatrace, and you can assign additional groups to any user from that user’s settings.

Also, for those of you who maintain configuration as code, we’ve extended the User repository configuration payload in the Cluster API v1 (see example below), so you can update your existing configuration code to use the new mode.

Summary

We’re certain that this improvement will make it much easier for you to take advantage of the LDAP server at your company. As a result, you’ll be able to provide your users with a single authentication experience and confidently manage user permissions in Dynatrace. What’s more, this solution was inspired by you, our customers! We received nearly 100 votes for this enhancement in the Dynatrace Community forum.

What’s next

We’ll continue to bring you increased autonomy and assistance with your enterprise level identity and access management. We also plan to enable cluster administrators to configure password complexity requirements for locally-managed user accounts, so please stay tuned.