{"id":75231,"date":"2026-04-24T12:28:24","date_gmt":"2026-04-24T12:28:24","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=75231"},"modified":"2026-04-24T12:28:24","modified_gmt":"2026-04-24T12:28:24","slug":"dynatrace-administration-professional-certification-master-guide","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/dynatrace-administration-professional-certification-master-guide\/","title":{"rendered":"Dynatrace Administration Professional Certification Master Guide"},"content":{"rendered":"\n<p><strong>Last verified:<\/strong> April 24, 2026<br><strong>Audience:<\/strong> Dynatrace administrators, platform owners, observability platform teams, SRE leads, operations teams, and anyone preparing for Dynatrace Administration Professional Certification.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">0. What this guide is<\/h2>\n\n\n\n<p>This is a one-stop master guide for Dynatrace Administration Professional Certification preparation.<\/p>\n\n\n\n<p>It focuses on the skills an administrator needs to manage the Dynatrace SaaS platform for an organization: access, governance, settings, monitoring configuration, data ingestion, cost\/retention, alerting, automation, privacy, platform operations, and configuration at scale.<\/p>\n\n\n\n<p>This is not an exam dump. It is a structured study and operations guide that prepares you for scenario-based certification questions and real administration work.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">1. Current certification snapshot<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">1.1 What the certification validates<\/h2>\n\n\n\n<p>The Dynatrace Administration Professional Certification focuses on practitioners who manage the Dynatrace SaaS platform at their organization. The certification validates that a person can maintain Dynatrace environments so daily users have correct access and the platform functions properly.<\/p>\n\n\n\n<p>In practical terms, this means you should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manage users, groups, permissions, IAM policies, and access scopes.<\/li>\n\n\n\n<li>Understand account-level vs environment-level administration.<\/li>\n\n\n\n<li>Configure SAML\/SCIM identity integration concepts.<\/li>\n\n\n\n<li>Manage platform settings and understand settings hierarchy.<\/li>\n\n\n\n<li>Use tags, management zones, segments, and security context appropriately.<\/li>\n\n\n\n<li>Understand ActiveGate, network zones, OneAgent connectivity, and data routing concepts.<\/li>\n\n\n\n<li>Configure alerting profiles, notifications, anomaly detection, and maintenance windows.<\/li>\n\n\n\n<li>Understand Grail, buckets, data retention, logs, OpenPipeline, and cost control.<\/li>\n\n\n\n<li>Understand DPS\/classic licensing concepts and consumption monitoring.<\/li>\n\n\n\n<li>Understand API tokens, platform tokens, OAuth clients, and secure automation access.<\/li>\n\n\n\n<li>Understand configuration as code using Monaco and related permission requirements.<\/li>\n\n\n\n<li>Apply privacy, masking, credential vault, and audit concepts.<\/li>\n\n\n\n<li>Support Dynatrace users by keeping the environment organized, secure, cost-aware, and reliable.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">1.2 Publicly visible learning path status<\/h2>\n\n\n\n<p>The current public Dynatrace University catalog lists:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dynatrace Administration Professional Certification Learning Path<\/strong><\/li>\n\n\n\n<li><strong>2 courses<\/strong><\/li>\n\n\n\n<li><strong>3h 15m<\/strong> total duration<\/li>\n\n\n\n<li>Free learning path<\/li>\n<\/ul>\n\n\n\n<p>The detailed certification registration, exam scheduling, pass mark, retake rules, and exact exam format may require Dynatrace University login.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1.3 What to verify before booking<\/h2>\n\n\n\n<p>Before booking the exam, verify these inside Dynatrace University:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Current question count<\/li>\n\n\n\n<li>Exam duration<\/li>\n\n\n\n<li>Whether the exam includes practical tasks<\/li>\n\n\n\n<li>Whether practical tasks are open book<\/li>\n\n\n\n<li>Passing score<\/li>\n\n\n\n<li>Retake waiting period<\/li>\n\n\n\n<li>Retake cost or voucher rules<\/li>\n\n\n\n<li>Whether ProctorU or another provider is used<\/li>\n\n\n\n<li>Whether online proctoring language is English only<\/li>\n\n\n\n<li>Whether partner and customer tracks differ<\/li>\n\n\n\n<li>Required or recommended prerequisite certifications<\/li>\n\n\n\n<li>Whether Associate certification is required or only recommended<\/li>\n\n\n\n<li>Whether the exam uses latest Dynatrace, Dynatrace Classic, or both<\/li>\n\n\n\n<li>Whether hands-on tasks require screenshots, tenant access, or answers entered directly into an exam form<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">1.4 Recommended prerequisite knowledge<\/h2>\n\n\n\n<p>Before studying Administration Professional, you should already understand Associate-level concepts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OneAgent<\/li>\n\n\n\n<li>ActiveGate<\/li>\n\n\n\n<li>Dynatrace Platform \/ Tenant<\/li>\n\n\n\n<li>Grail<\/li>\n\n\n\n<li>OpenPipeline<\/li>\n\n\n\n<li>Smartscape<\/li>\n\n\n\n<li>PurePath \/ distributed traces<\/li>\n\n\n\n<li>Davis \/ Dynatrace Intelligence<\/li>\n\n\n\n<li>Infrastructure Observability<\/li>\n\n\n\n<li>Application Observability<\/li>\n\n\n\n<li>Log Management and Analytics<\/li>\n\n\n\n<li>Digital Experience Monitoring<\/li>\n\n\n\n<li>Dashboards and notebooks<\/li>\n\n\n\n<li>Problems, events, alerts, and workflows<\/li>\n<\/ul>\n\n\n\n<p>If these are weak, revise the Associate guide first.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">2. Administrator mental model<\/h1>\n\n\n\n<p>A Dynatrace administrator is not only a user who can click settings. A good administrator owns the operating model of the platform.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2.1 The administrator\u2019s responsibility map<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Identity and access:\n  Users, groups, policies, SAML, SCIM, OAuth, tokens\n\nEnvironment organization:\n  Accounts, environments, management zones, segments, tags, ownership model\n\nMonitoring governance:\n  OneAgent modes, ActiveGate, network zones, host groups, updates, cloud\/Kubernetes integrations\n\nData governance:\n  Grail buckets, retention, OpenPipeline, logs, masking, ingestion rules, storage access\n\nAlert governance:\n  Anomaly detection, metric events, alerting profiles, notifications, maintenance windows\n\nAutomation governance:\n  Workflows, integrations, Monaco, APIs, platform tokens, OAuth clients\n\nSecurity and privacy:\n  Credential vault, data masking, audit logs, access controls, sensitive data handling\n\nCost and license control:\n  DPS\/classic consumption, usage reporting, budgets, cost allocation, high-volume data sources\n\nUser enablement:\n  Dashboards, notebooks, documentation, training, support, troubleshooting\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">2.2 The admin operating principle<\/h2>\n\n\n\n<p>Every administration decision should answer four questions:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Who should have access?<\/strong><br>Use groups, policies, management zones, segments, security context, bucket permissions, and least privilege.<\/li>\n\n\n\n<li><strong>What data should be collected and stored?<\/strong><br>Use OneAgent settings, log ingest rules, OpenPipeline, buckets, retention, and masking.<\/li>\n\n\n\n<li><strong>Who should be notified and when?<\/strong><br>Use anomaly detection, alerting profiles, problem notifications, workflows, and maintenance windows.<\/li>\n\n\n\n<li><strong>How will this scale safely?<\/strong><br>Use naming standards, tags, automation, Monaco, API governance, and cost controls.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">3. Dynatrace account and environment model<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">3.1 Account<\/h2>\n\n\n\n<p>A Dynatrace account is the account-level administrative container for users, groups, environments, policies, licenses\/subscriptions, OAuth clients, SAML\/SCIM, and account-level access.<\/p>\n\n\n\n<p>An account can contain one or more environments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3.2 Environment \/ tenant<\/h2>\n\n\n\n<p>An environment or tenant is where users monitor, analyze, configure, and operate Dynatrace for a specific scope.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Production environment<\/li>\n\n\n\n<li>Non-production environment<\/li>\n\n\n\n<li>Region-specific environment<\/li>\n\n\n\n<li>Business-unit environment<\/li>\n\n\n\n<li>Sandbox\/training environment<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3.3 Account Management<\/h2>\n\n\n\n<p>Account Management is where administrators commonly handle:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>People \/ users<\/li>\n\n\n\n<li>Groups<\/li>\n\n\n\n<li>Policies<\/li>\n\n\n\n<li>Domain verification<\/li>\n\n\n\n<li>SAML configuration<\/li>\n\n\n\n<li>SCIM configuration<\/li>\n\n\n\n<li>OAuth clients<\/li>\n\n\n\n<li>Subscription\/license views<\/li>\n\n\n\n<li>Cost and usage views<\/li>\n\n\n\n<li>Environment access<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3.4 Latest Dynatrace vs Dynatrace Classic<\/h2>\n\n\n\n<p>Administrators should understand that Dynatrace documentation and UI often distinguish between:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Latest Dynatrace<\/strong>: the modern platform experience with Grail, Apps, IAM policies, platform tokens, OpenPipeline, Workflows, and new platform services.<\/li>\n\n\n\n<li><strong>Dynatrace Classic<\/strong>: older environment settings, classic permissions, classic dashboards, classic problem notifications, and classic APIs.<\/li>\n<\/ul>\n\n\n\n<p>Certification questions may use both concepts, especially when asking about migration, legacy vs current access models, or classic features still widely used.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3.5 Admin exam focus<\/h2>\n\n\n\n<p>Expect scenario questions such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new team needs access only to a specific application. What should you configure?<\/li>\n\n\n\n<li>A group needs to manage settings but not users. Which access mechanism is appropriate?<\/li>\n\n\n\n<li>You need SSO with corporate identity. What must be verified first?<\/li>\n\n\n\n<li>You need automation access for Monaco. What credential type and permissions are needed?<\/li>\n\n\n\n<li>Users are querying too much log data. Which cost-control or retention options help?<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">4. Identity and Access Management overview<\/h1>\n\n\n\n<p>IAM is one of the most important Administration Professional topics.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4.1 IAM purpose<\/h2>\n\n\n\n<p>Dynatrace IAM controls:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can sign in<\/li>\n\n\n\n<li>Which account they belong to<\/li>\n\n\n\n<li>Which groups they are in<\/li>\n\n\n\n<li>Which environments they can access<\/li>\n\n\n\n<li>Which platform resources they can use<\/li>\n\n\n\n<li>Which data they can query<\/li>\n\n\n\n<li>Which settings they can view or modify<\/li>\n\n\n\n<li>Which APIs or automations can act on their behalf<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4.2 IAM components<\/h2>\n\n\n\n<p>Key IAM components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users<\/li>\n\n\n\n<li>Groups<\/li>\n\n\n\n<li>Policies<\/li>\n\n\n\n<li>Policy boundaries<\/li>\n\n\n\n<li>Default policies<\/li>\n\n\n\n<li>Role-based permissions \/ classic permissions<\/li>\n\n\n\n<li>SAML federation<\/li>\n\n\n\n<li>SCIM provisioning<\/li>\n\n\n\n<li>Domain verification<\/li>\n\n\n\n<li>Platform tokens<\/li>\n\n\n\n<li>OAuth clients<\/li>\n\n\n\n<li>Access tokens classic<\/li>\n\n\n\n<li>Service users<\/li>\n\n\n\n<li>Effective policies<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4.3 Authentication vs authorization<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Authentication<\/h3>\n\n\n\n<p>Authentication proves who the user or system is.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dynatrace local login<\/li>\n\n\n\n<li>SAML SSO through a corporate identity provider<\/li>\n\n\n\n<li>OAuth client credentials for automation<\/li>\n\n\n\n<li>Platform token used by a script<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Authorization<\/h3>\n\n\n\n<p>Authorization decides what the authenticated user or system can do.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>View dashboards<\/li>\n\n\n\n<li>Manage settings<\/li>\n\n\n\n<li>Manage users<\/li>\n\n\n\n<li>Query Grail data<\/li>\n\n\n\n<li>Manage buckets<\/li>\n\n\n\n<li>Create workflows<\/li>\n\n\n\n<li>Access only one management zone<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4.4 Least privilege principle<\/h2>\n\n\n\n<p>Administrators should assign the minimum permissions needed.<\/p>\n\n\n\n<p>Bad example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Everyone gets admin access because it is easier.<\/li>\n<\/ul>\n\n\n\n<p>Good example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developers can view their application, logs, traces, dashboards, and problems.<\/li>\n\n\n\n<li>SREs can manage alerting and workflows for owned services.<\/li>\n\n\n\n<li>Platform admins manage IAM, policies, buckets, OpenPipeline, and global settings.<\/li>\n\n\n\n<li>Finance\/license admins can view subscription and usage information.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">5. Users<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">5.1 What users are<\/h2>\n\n\n\n<p>Users are people who access Dynatrace. They can be managed directly in Dynatrace or federated through an external identity provider.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5.2 User administration tasks<\/h2>\n\n\n\n<p>You should know how to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Invite users<\/li>\n\n\n\n<li>Assign users to groups<\/li>\n\n\n\n<li>Remove users from groups<\/li>\n\n\n\n<li>Deactivate or remove users<\/li>\n\n\n\n<li>Export user lists<\/li>\n\n\n\n<li>Identify user group memberships<\/li>\n\n\n\n<li>Manage emergency contacts<\/li>\n\n\n\n<li>Understand non-federated vs federated users<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5.3 User lifecycle<\/h2>\n\n\n\n<p>A recommended lifecycle:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Request access\n  \u2193\nDetermine role\/team\/application\/environment\n  \u2193\nAdd to correct IdP group or Dynatrace group\n  \u2193\nValidate effective permissions\n  \u2193\nUser performs required task\n  \u2193\nPeriodic access review\n  \u2193\nRemove access when no longer needed\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">5.4 Common mistakes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Giving direct access without group-based governance.<\/li>\n\n\n\n<li>Forgetting to remove users when they leave a team.<\/li>\n\n\n\n<li>Mixing local and federated access without clear ownership.<\/li>\n\n\n\n<li>Not maintaining emergency\/fallback admin users for SAML outage scenarios.<\/li>\n\n\n\n<li>Assigning users to too many overlapping groups without reviewing effective permissions.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">6. Groups<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">6.1 What groups are<\/h2>\n\n\n\n<p>Groups are collections of users. In Dynatrace, users inherit access permissions through group membership.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6.2 Why groups matter<\/h2>\n\n\n\n<p>Groups allow administrators to manage access at scale.<\/p>\n\n\n\n<p>Example group model:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>dt-admins-global<\/code><\/li>\n\n\n\n<li><code>dt-platform-admins<\/code><\/li>\n\n\n\n<li><code>dt-sre-prod-viewers<\/code><\/li>\n\n\n\n<li><code>dt-sre-prod-operators<\/code><\/li>\n\n\n\n<li><code>dt-dev-payments-readonly<\/code><\/li>\n\n\n\n<li><code>dt-dev-checkout-operators<\/code><\/li>\n\n\n\n<li><code>dt-finops-license-viewers<\/code><\/li>\n\n\n\n<li><code>dt-security-appsec-admins<\/code><\/li>\n\n\n\n<li><code>dt-automation-service-users<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6.3 Group design patterns<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Role-based group pattern<\/h3>\n\n\n\n<p>Groups are based on job function:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Observability admins<\/li>\n\n\n\n<li>Developers<\/li>\n\n\n\n<li>SREs<\/li>\n\n\n\n<li>Executives<\/li>\n\n\n\n<li>Security analysts<\/li>\n\n\n\n<li>Finance\/license viewers<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Application-based group pattern<\/h3>\n\n\n\n<p>Groups are based on ownership:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Payments team<\/li>\n\n\n\n<li>Checkout team<\/li>\n\n\n\n<li>Search team<\/li>\n\n\n\n<li>Mobile team<\/li>\n\n\n\n<li>Platform team<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Environment-based group pattern<\/h3>\n\n\n\n<p>Groups are based on environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Production viewers<\/li>\n\n\n\n<li>Production operators<\/li>\n\n\n\n<li>Non-production admins<\/li>\n\n\n\n<li>Sandbox users<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Combined pattern<\/h3>\n\n\n\n<p>Best for large organizations:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">Role + Scope + Environment\n\nExamples:\n  dt-payments-prod-viewer\n  dt-payments-prod-operator\n  dt-payments-nonprod-admin\n  dt-platform-<span class=\"hljs-keyword\">global<\/span>-admin\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">6.4 Exam focus<\/h2>\n\n\n\n<p>Know that users inherit access from groups, and groups are bound to permissions or policies.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">7. Policies and permissions<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">7.1 What policies do<\/h2>\n\n\n\n<p>Policies define whether actions in Dynatrace are allowed. When policies are bound to user groups, they describe an access pattern that is enforced at runtime.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7.2 Policy-based access<\/h2>\n\n\n\n<p>Modern Dynatrace uses fine-grained IAM policies to control platform access.<\/p>\n\n\n\n<p>Policies can define access to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apps<\/li>\n\n\n\n<li>Settings<\/li>\n\n\n\n<li>Dashboards<\/li>\n\n\n\n<li>Documents<\/li>\n\n\n\n<li>Notebooks<\/li>\n\n\n\n<li>Workflows<\/li>\n\n\n\n<li>Buckets<\/li>\n\n\n\n<li>DQL query execution<\/li>\n\n\n\n<li>OpenPipeline<\/li>\n\n\n\n<li>Segments<\/li>\n\n\n\n<li>SLOs<\/li>\n\n\n\n<li>Account-level operations<\/li>\n\n\n\n<li>Platform services<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7.3 Default policies<\/h2>\n\n\n\n<p>Dynatrace provides default policies such as standard user and pro user patterns. These are useful starting points, but enterprise administrators often need custom policies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7.4 Classic role-based permissions<\/h2>\n\n\n\n<p>Classic permissions are older permissions used by Dynatrace Classic functionality. Administrators may need to understand both modern policies and classic role-based permissions because many environments still use a mix.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7.5 Policy boundaries<\/h2>\n\n\n\n<p>Policy boundaries further restrict what a policy can do. They are useful when users need broad function access but limited scope.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A user may be allowed to view logs only in selected storage buckets.<\/li>\n\n\n\n<li>A team may manage settings only for entities with a specific security context.<\/li>\n\n\n\n<li>A group may query data only for allowed segments.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7.6 Effective permissions<\/h2>\n\n\n\n<p>Effective permissions are the actual permissions a user receives after all group memberships, policies, classic permissions, and boundaries are evaluated.<\/p>\n\n\n\n<p>Always validate effective permissions when troubleshooting access.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7.7 Policy design best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least privilege.<\/li>\n\n\n\n<li>Use groups, not one-off user assignments.<\/li>\n\n\n\n<li>Separate read, operate, and admin roles.<\/li>\n\n\n\n<li>Separate production and non-production access.<\/li>\n\n\n\n<li>Name policies clearly.<\/li>\n\n\n\n<li>Document why each policy exists.<\/li>\n\n\n\n<li>Review effective permissions after changes.<\/li>\n\n\n\n<li>Avoid broad admin rights except for platform administrators.<\/li>\n\n\n\n<li>Use service users and scoped tokens for automation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7.8 Exam focus<\/h2>\n\n\n\n<p>Expect questions like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which mechanism grants permissions to users? Groups and policies.<\/li>\n\n\n\n<li>How do you create fine-grained access? IAM policies and boundaries.<\/li>\n\n\n\n<li>How do you troubleshoot unexpected access? Check group membership and effective policies.<\/li>\n\n\n\n<li>How do you support automation? OAuth clients, platform tokens, service users, and correct scopes\/policies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">8. SAML, SCIM, and domain verification<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">8.1 Why SAML matters<\/h2>\n\n\n\n<p>SAML allows Dynatrace SaaS users to authenticate through a corporate identity provider.<\/p>\n\n\n\n<p>Examples of IdPs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Entra ID \/ Azure AD<\/li>\n\n\n\n<li>Okta<\/li>\n\n\n\n<li>Google Workspace<\/li>\n\n\n\n<li>Ping Identity<\/li>\n\n\n\n<li>ADFS<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8.2 Why SCIM matters<\/h2>\n\n\n\n<p>SCIM automates user and group provisioning from an identity provider into Dynatrace.<\/p>\n\n\n\n<p>SCIM helps with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User provisioning<\/li>\n\n\n\n<li>User deprovisioning<\/li>\n\n\n\n<li>Group synchronization<\/li>\n\n\n\n<li>Reduced manual user management<\/li>\n\n\n\n<li>Better access governance<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8.3 Domain verification<\/h2>\n\n\n\n<p>Before configuring SAML or SCIM for an email domain, administrators must prove ownership of the domain, usually by adding a DNS TXT record.<\/p>\n\n\n\n<p>Important concept:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Domain verification is required to prove the organization owns the email domain used for federated identity.<\/li>\n\n\n\n<li>A domain verified for SAML may also be valid for SCIM.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8.4 SAML configuration flow<\/h2>\n\n\n\n<p>Typical flow:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Create fallback admin account\n  \u2193\nVerify domain ownership\n  \u2193\nCreate SAML configuration <span class=\"hljs-keyword\">in<\/span> Account Management\n  \u2193\nConfigure IdP <span class=\"hljs-keyword\">with<\/span> Dynatrace metadata\n  \u2193\nConfigure Dynatrace <span class=\"hljs-keyword\">with<\/span> IdP metadata\n  \u2193\n<span class=\"hljs-built_in\">Map<\/span> attributes and groups <span class=\"hljs-keyword\">if<\/span> needed\n  \u2193\nTest <span class=\"hljs-keyword\">with<\/span> pilot users\n  \u2193\nRoll out to more users\n  \u2193\nMonitor sign-<span class=\"hljs-keyword\">in<\/span> and access issues\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">8.5 Fallback admin account<\/h2>\n\n\n\n<p>Before enabling SAML, maintain an emergency\/fallback admin account outside the federated domain if supported by your governance rules.<\/p>\n\n\n\n<p>Why:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If SAML breaks, you need a way to recover access.<\/li>\n\n\n\n<li>If the IdP is unavailable, administrators may be locked out.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8.6 SAML authorization patterns<\/h2>\n\n\n\n<p>SAML can be used only for authentication, or also for authorization through group mapping.<\/p>\n\n\n\n<p>Common patterns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authenticate via SAML, manage groups in Dynatrace.<\/li>\n\n\n\n<li>Authenticate via SAML, map IdP groups to Dynatrace groups.<\/li>\n\n\n\n<li>Use SCIM for group provisioning and keep authorization in IdP.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8.7 SCIM constraints to know<\/h2>\n\n\n\n<p>Key SCIM concepts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users must belong to verified email domains.<\/li>\n\n\n\n<li>User identifiers should be persistent.<\/li>\n\n\n\n<li>Email changes may not be supported in some workflows.<\/li>\n\n\n\n<li>Group provisioning should be planned carefully to avoid accidental permission changes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8.8 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SAML = federated authentication \/ SSO.<\/li>\n\n\n\n<li>SCIM = automated user\/group provisioning.<\/li>\n\n\n\n<li>Domain verification is required.<\/li>\n\n\n\n<li>Keep fallback access.<\/li>\n\n\n\n<li>IdP group mapping can simplify authorization.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">9. Tokens, OAuth clients, and API access<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">9.1 Why token governance matters<\/h2>\n\n\n\n<p>Administrators often need programmatic access for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automation<\/li>\n\n\n\n<li>Scripts<\/li>\n\n\n\n<li>CI\/CD<\/li>\n\n\n\n<li>Monaco<\/li>\n\n\n\n<li>Terraform<\/li>\n\n\n\n<li>Data export<\/li>\n\n\n\n<li>API integrations<\/li>\n\n\n\n<li>Account management<\/li>\n\n\n\n<li>Settings deployment<\/li>\n\n\n\n<li>Workflow management<\/li>\n<\/ul>\n\n\n\n<p>Incorrect token management can create security and audit risks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">9.2 Token and credential types<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Platform tokens<\/h3>\n\n\n\n<p>Platform tokens are long-lived tokens for programmatic access to Dynatrace platform services. They operate within the permissions of the assigned user or service user.<\/p>\n\n\n\n<p>Good for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scripts<\/li>\n\n\n\n<li>Direct API integrations<\/li>\n\n\n\n<li>Scheduled Grail queries<\/li>\n\n\n\n<li>Dashboard sync scripts<\/li>\n\n\n\n<li>Business metric or event ingestion<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">OAuth clients<\/h3>\n\n\n\n<p>OAuth clients use client credentials and are suitable for service-to-service integrations and account-management automation.<\/p>\n\n\n\n<p>Good for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>External system integrations<\/li>\n\n\n\n<li>Monaco automation<\/li>\n\n\n\n<li>Account Management API<\/li>\n\n\n\n<li>CI\/CD deployments<\/li>\n\n\n\n<li>Enterprise automation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Access tokens classic<\/h3>\n\n\n\n<p>Classic access tokens are used for older Dynatrace Environment API and Configuration API scenarios. In latest Dynatrace, prefer platform tokens or OAuth clients where supported.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Service users<\/h3>\n\n\n\n<p>Service users are non-human identities used by applications, services, or automation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">9.3 Token best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least privilege scopes.<\/li>\n\n\n\n<li>Prefer service users for automation.<\/li>\n\n\n\n<li>Avoid personal tokens for production automation where possible.<\/li>\n\n\n\n<li>Rotate tokens regularly.<\/li>\n\n\n\n<li>Set expirations where feasible.<\/li>\n\n\n\n<li>Store secrets in a password manager or secure vault.<\/li>\n\n\n\n<li>Never put tokens in scripts, source control, wiki pages, or screenshots.<\/li>\n\n\n\n<li>Disable tokens that are no longer used.<\/li>\n\n\n\n<li>Document token owner, purpose, scopes, and expiry.<\/li>\n\n\n\n<li>Use OAuth clients for automation requiring specific scopes and governance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9.4 Common scopes and permissions to recognize<\/h2>\n\n\n\n<p>You do not need to memorize every scope, but you should understand scope categories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Read settings<\/li>\n\n\n\n<li>Write settings<\/li>\n\n\n\n<li>Read schemas<\/li>\n\n\n\n<li>Manage workflows<\/li>\n\n\n\n<li>Manage calendars\/rules<\/li>\n\n\n\n<li>Manage buckets<\/li>\n\n\n\n<li>Manage documents<\/li>\n\n\n\n<li>Manage OpenPipeline<\/li>\n\n\n\n<li>Manage segments<\/li>\n\n\n\n<li>Manage SLOs<\/li>\n\n\n\n<li>Query Grail data<\/li>\n\n\n\n<li>Access account management<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9.5 Monaco authentication<\/h2>\n\n\n\n<p>Monaco supports platform tokens and OAuth clients. Each configuration type requires the correct scopes and permissions.<\/p>\n\n\n\n<p>For example, Monaco may need permissions to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Read\/write Settings 2.0 objects<\/li>\n\n\n\n<li>Read schemas<\/li>\n\n\n\n<li>Manage workflows<\/li>\n\n\n\n<li>Manage buckets<\/li>\n\n\n\n<li>Manage OpenPipeline<\/li>\n\n\n\n<li>Manage segments<\/li>\n\n\n\n<li>Manage SLOs<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9.6 Exam focus<\/h2>\n\n\n\n<p>Expect scenario questions like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A CI\/CD pipeline needs to deploy settings. Which access type is appropriate?<\/li>\n\n\n\n<li>A script needs long-lived platform API access. Which token type may fit?<\/li>\n\n\n\n<li>A personal access token was committed to Git. What should you do? Revoke\/rotate immediately.<\/li>\n\n\n\n<li>A Monaco deployment fails with unauthorized. What should you check? OAuth\/platform token scopes and user\/group policies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">10. Settings app and settings framework<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">10.1 What the Settings app is<\/h2>\n\n\n\n<p>Settings is a preinstalled Dynatrace app that centralizes environment configuration. It controls how data is collected, processed, stored, and analyzed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10.2 What administrators use Settings for<\/h2>\n\n\n\n<p>Common settings areas:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Preferences<\/li>\n\n\n\n<li>Data privacy<\/li>\n\n\n\n<li>OneAgent behavior<\/li>\n\n\n\n<li>Log monitoring<\/li>\n\n\n\n<li>OpenPipeline<\/li>\n\n\n\n<li>Storage management<\/li>\n\n\n\n<li>Anomaly detection<\/li>\n\n\n\n<li>Alerting<\/li>\n\n\n\n<li>Tags<\/li>\n\n\n\n<li>Management zones<\/li>\n\n\n\n<li>Synthetic settings<\/li>\n\n\n\n<li>RUM settings<\/li>\n\n\n\n<li>API\/token settings<\/li>\n\n\n\n<li>Integration settings<\/li>\n\n\n\n<li>Extension settings<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">10.3 Settings access<\/h2>\n\n\n\n<p>Access to settings is controlled by IAM policies. Some users may only read settings; others may modify settings.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10.4 Settings scope and hierarchy<\/h2>\n\n\n\n<p>Many settings can exist at different scopes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Global\/environment level<\/li>\n\n\n\n<li>Host group level<\/li>\n\n\n\n<li>Host level<\/li>\n\n\n\n<li>Process group level<\/li>\n\n\n\n<li>Service level<\/li>\n\n\n\n<li>Application level<\/li>\n\n\n\n<li>Entity-specific scope<\/li>\n<\/ul>\n\n\n\n<p>Important rule:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The most specific setting usually takes precedence.<\/p>\n<\/blockquote>\n\n\n\n<p>Example:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Host-level setting\n  overrides\nHost-group-level setting\n  overrides\nEnvironment-level setting\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">10.5 Settings objects and schemas<\/h2>\n\n\n\n<p>The Settings framework uses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Settings object<\/strong>: an actual configuration instance.<\/li>\n\n\n\n<li><strong>Settings schema<\/strong>: the structure that defines which parameters the object supports.<\/li>\n<\/ul>\n\n\n\n<p>Schemas are managed by Dynatrace. Objects are controlled by administrators.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10.6 Programmatic settings management<\/h2>\n\n\n\n<p>Administrators can manage settings through:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Settings app<\/li>\n\n\n\n<li>Settings API<\/li>\n\n\n\n<li>Monaco configuration as code<\/li>\n\n\n\n<li>Terraform provider in some use cases<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">10.7 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Settings is the central place for environment configuration.<\/li>\n\n\n\n<li>Settings can be scoped.<\/li>\n\n\n\n<li>More specific settings override broader settings.<\/li>\n\n\n\n<li>Settings access is controlled by IAM policies.<\/li>\n\n\n\n<li>Settings can be managed through UI, API, and Monaco.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">11. Configuration as Code with Monaco<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">11.1 What Monaco is<\/h2>\n\n\n\n<p>Monaco is Dynatrace\u2019s native Configuration as Code CLI. It enables administrators to manage monitoring configuration through files, version control, reviews, and deployment pipelines.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11.2 Why Monaco matters<\/h2>\n\n\n\n<p>Monaco helps with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardizing configuration across environments<\/li>\n\n\n\n<li>Promoting settings from dev to staging to prod<\/li>\n\n\n\n<li>Backing up configurations<\/li>\n\n\n\n<li>Version-controlling changes<\/li>\n\n\n\n<li>Reviewing configuration changes through pull requests<\/li>\n\n\n\n<li>Reusing templates<\/li>\n\n\n\n<li>Reducing manual UI drift<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">11.3 Typical Monaco workflow<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Export\/download existing configuration\n  \u2193\nStore in Git\n  \u2193\nReview and edit YAML\/config files\n  \u2193\nDeploy to target environment\n  \u2193\nValidate configuration\n  \u2193\nPromote to additional environments\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">11.4 What can be managed through Monaco<\/h2>\n\n\n\n<p>Depending on current support and permissions, Monaco can manage many settings and platform resources, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Settings 2.0 objects<\/li>\n\n\n\n<li>Dashboards\/documents<\/li>\n\n\n\n<li>Workflows<\/li>\n\n\n\n<li>Buckets<\/li>\n\n\n\n<li>OpenPipeline<\/li>\n\n\n\n<li>Segments<\/li>\n\n\n\n<li>SLOs<\/li>\n\n\n\n<li>Alerting-related settings<\/li>\n\n\n\n<li>Some classic configuration objects<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">11.5 Monaco authentication<\/h2>\n\n\n\n<p>Monaco needs platform tokens or OAuth clients with correct scopes and matching user\/group permissions.<\/p>\n\n\n\n<p>Common failure causes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Missing OAuth scope<\/li>\n\n\n\n<li>User lacks policy permission<\/li>\n\n\n\n<li>Service user lacks group membership<\/li>\n\n\n\n<li>Wrong environment\/account target<\/li>\n\n\n\n<li>Missing schema read permission<\/li>\n\n\n\n<li>Token expired or disabled<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">11.6 Monaco best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Store configuration in Git.<\/li>\n\n\n\n<li>Use separate folders for environments.<\/li>\n\n\n\n<li>Use variables for environment-specific values.<\/li>\n\n\n\n<li>Review changes through pull requests.<\/li>\n\n\n\n<li>Use service users rather than personal accounts.<\/li>\n\n\n\n<li>Use least privilege OAuth scopes.<\/li>\n\n\n\n<li>Test in non-production before production.<\/li>\n\n\n\n<li>Keep naming conventions consistent.<\/li>\n\n\n\n<li>Document ownership of each configuration package.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">11.7 Exam focus<\/h2>\n\n\n\n<p>Know that Monaco is for Configuration as Code and helps manage Dynatrace configuration at scale. Understand why OAuth scopes and policies matter.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">12. Tags and metadata<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">12.1 What tags are<\/h2>\n\n\n\n<p>Tags are labels applied to monitored entities. They are used to organize, filter, alert, analyze, and scope data.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>environment:production<\/code><\/li>\n\n\n\n<li><code>team:payments<\/code><\/li>\n\n\n\n<li><code>application:checkout<\/code><\/li>\n\n\n\n<li><code>owner:sre<\/code><\/li>\n\n\n\n<li><code>criticality:high<\/code><\/li>\n\n\n\n<li><code>region:apac<\/code><\/li>\n\n\n\n<li><code>cost-center:1234<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12.2 Why tags matter<\/h2>\n\n\n\n<p>Tags are used for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filtering dashboards<\/li>\n\n\n\n<li>Filtering problems<\/li>\n\n\n\n<li>Alerting profiles<\/li>\n\n\n\n<li>Maintenance windows<\/li>\n\n\n\n<li>Ownership mapping<\/li>\n\n\n\n<li>Team-based views<\/li>\n\n\n\n<li>Search and navigation<\/li>\n\n\n\n<li>Cost attribution patterns<\/li>\n\n\n\n<li>Management zone rules<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12.3 Manual tags<\/h2>\n\n\n\n<p>Manual tags are useful for a small number of static entities.<\/p>\n\n\n\n<p>Use manual tags when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You only need to tag a few entities.<\/li>\n\n\n\n<li>The tag does not follow predictable metadata.<\/li>\n\n\n\n<li>The entity is temporary or special.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12.4 Automatic tags<\/h2>\n\n\n\n<p>Automatic tags are created based on rules.<\/p>\n\n\n\n<p>Use automatic tags when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need consistency at scale.<\/li>\n\n\n\n<li>You can match entity metadata.<\/li>\n\n\n\n<li>You want tags derived from cloud tags, Kubernetes labels, host names, process group names, or custom properties.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12.5 Tag governance<\/h2>\n\n\n\n<p>Recommended naming model:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">key<\/span><span class=\"hljs-selector-pseudo\">:value<\/span>\n\n<span class=\"hljs-selector-tag\">Examples<\/span>:\n  <span class=\"hljs-selector-tag\">app<\/span><span class=\"hljs-selector-pseudo\">:checkout<\/span>\n  <span class=\"hljs-selector-tag\">env<\/span><span class=\"hljs-selector-pseudo\">:prod<\/span>\n  <span class=\"hljs-selector-tag\">owner<\/span><span class=\"hljs-selector-pseudo\">:platform<\/span>\n  <span class=\"hljs-selector-tag\">service-tier<\/span><span class=\"hljs-selector-pseudo\">:gold<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>Avoid inconsistent tags like:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Prod\nproduction\nprd\nPROD\nEnvironment Production\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">12.6 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tags organize and filter entities.<\/li>\n\n\n\n<li>Tags can be manual or automatic.<\/li>\n\n\n\n<li>Tags are important for alerting, dashboards, maintenance windows, and management zone rules.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">13. Management zones, segments, and security context<\/h1>\n\n\n\n<p>This is a high-value administration topic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">13.1 Management zones<\/h2>\n\n\n\n<p>Management zones organize Dynatrace environments and control user access to specific data.<\/p>\n\n\n\n<p>Management zones are defined by rules that determine which entities and dimensional data are included.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Production services only<\/li>\n\n\n\n<li>Payments application<\/li>\n\n\n\n<li>APAC region<\/li>\n\n\n\n<li>Kubernetes platform team<\/li>\n\n\n\n<li>Database team<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13.2 What management zones affect<\/h2>\n\n\n\n<p>Management zones can affect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Entity visibility<\/li>\n\n\n\n<li>Dashboards<\/li>\n\n\n\n<li>Problems<\/li>\n\n\n\n<li>Alerting scopes<\/li>\n\n\n\n<li>Maintenance windows<\/li>\n\n\n\n<li>Classic Dynatrace access control<\/li>\n\n\n\n<li>Team-specific views<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13.3 Management zone rule examples<\/h2>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Include services tagged <code>app:checkout<\/code>.<\/li>\n\n\n\n<li>Include hosts with host group <code>prod-linux<\/code>.<\/li>\n\n\n\n<li>Include Kubernetes workloads with label <code>team=payments<\/code>.<\/li>\n\n\n\n<li>Include entities belonging to a process group naming pattern.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13.4 Management zones and problems<\/h2>\n\n\n\n<p>When a problem spans multiple zones, users may see an end-to-end view of the problem, but detailed analysis is limited to entities they are allowed to view.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">13.5 Segments<\/h2>\n\n\n\n<p>Latest Dynatrace introduces segments as a more modern way to define data visibility and access patterns for cloud-native and AI-native environments.<\/p>\n\n\n\n<p>Administrators should understand that organizations may need to migrate or map use cases from classic management zones to newer access-control models such as segments and security context.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">13.6 Security context<\/h2>\n\n\n\n<p>Security context helps grant access to entities and related data based on context. In latest Dynatrace, access control for Grail-powered data such as logs, spans, metrics, and events may use storage fields and policy-based access rather than classic management-zone inheritance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">13.7 Management zones vs Grail data access<\/h2>\n\n\n\n<p>Important concept:<\/p>\n\n\n\n<p>Classic management zones do not automatically solve all Grail data access cases. Logs, spans, metrics, and events in Grail may require IAM policy controls, storage fields, buckets, segments, or security context.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">13.8 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Management zones organize entities and control access in classic-style scopes.<\/li>\n\n\n\n<li>Segments\/security context are important in latest Dynatrace access control.<\/li>\n\n\n\n<li>Grail data access may require IAM\/policy\/storage-based controls.<\/li>\n\n\n\n<li>Do not assume management zones automatically protect every log, span, metric, or event.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">14. Host groups<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">14.1 What host groups are<\/h2>\n\n\n\n<p>Host groups are used to group monitored hosts logically, often by environment, application, or operational ownership.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>prod-payments<\/code><\/li>\n\n\n\n<li><code>nonprod-checkout<\/code><\/li>\n\n\n\n<li><code>linux-web-tier<\/code><\/li>\n\n\n\n<li><code>k8s-platform<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14.2 Why host groups matter<\/h2>\n\n\n\n<p>Host groups can influence:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitoring configuration<\/li>\n\n\n\n<li>Settings scope<\/li>\n\n\n\n<li>Alerting behavior<\/li>\n\n\n\n<li>Naming and organization<\/li>\n\n\n\n<li>OneAgent behavior<\/li>\n\n\n\n<li>Entity relationships<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14.3 Host group best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define host groups before broad OneAgent rollout.<\/li>\n\n\n\n<li>Use consistent naming.<\/li>\n\n\n\n<li>Avoid overly broad host groups.<\/li>\n\n\n\n<li>Align host groups with operational ownership.<\/li>\n\n\n\n<li>Understand that changing host groups after installation may require process or service restarts to fully apply some changes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14.4 Exam focus<\/h2>\n\n\n\n<p>Host groups are an important scoping mechanism for OneAgent-monitored hosts and settings.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">15. ActiveGate and network zones<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">15.1 ActiveGate refresher<\/h2>\n\n\n\n<p>ActiveGate is a secure communication gateway\/proxy used between monitored environments and Dynatrace.<\/p>\n\n\n\n<p>Common uses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OneAgent traffic routing<\/li>\n\n\n\n<li>Private network communication<\/li>\n\n\n\n<li>Cloud integrations<\/li>\n\n\n\n<li>Kubernetes support<\/li>\n\n\n\n<li>Extensions execution<\/li>\n\n\n\n<li>Private synthetic locations<\/li>\n\n\n\n<li>Reducing outbound firewall rules<\/li>\n\n\n\n<li>Connectivity isolation<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">15.2 Network zones<\/h2>\n\n\n\n<p>Network zones represent network structure in Dynatrace. They help route traffic efficiently and avoid unnecessary cross-data-center or cross-region communication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">15.3 OneAgent connectivity in network zones<\/h2>\n\n\n\n<p>Network zones can influence which ActiveGates OneAgents use. A network zone can prioritize ActiveGates in the same zone.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">15.4 Why administrators care<\/h2>\n\n\n\n<p>Administrators should understand:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which hosts can reach which ActiveGates.<\/li>\n\n\n\n<li>Which ActiveGates can reach Dynatrace.<\/li>\n\n\n\n<li>How to minimize cross-region traffic.<\/li>\n\n\n\n<li>How to design zones for data centers, cloud regions, and network boundaries.<\/li>\n\n\n\n<li>How ActiveGate high availability works conceptually.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">15.5 Network zone design example<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Network zones:\n  nz-aws-us-east-1\n  nz-aws-eu-west-1\n  nz-onprem-dc1\n  nz-onprem-dc2\n\nActiveGates:\n  ag-us-east-1-a, ag-us-east-1-b\n  ag-eu-west-1-a, ag-eu-west-1-b\n  ag-dc1-a, ag-dc1-b\n\nOneAgents:\n  Configured to prefer ActiveGates in their local network zone\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">15.6 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ActiveGate routes\/proxies monitoring traffic and supports integrations.<\/li>\n\n\n\n<li>Network zones model network structure and prioritize connectivity.<\/li>\n\n\n\n<li>Network zones help reduce unnecessary traffic across data centers or regions.<\/li>\n\n\n\n<li>ActiveGate does not replace OneAgent.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">16. OneAgent administration<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">16.1 What administrators need to know<\/h2>\n\n\n\n<p>Even though OneAgent installation may be more implementation-focused, administrators need to manage ongoing OneAgent behavior.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">16.2 Key admin areas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deployment status<\/li>\n\n\n\n<li>Monitoring modes<\/li>\n\n\n\n<li>Auto-update configuration<\/li>\n\n\n\n<li>Host group assignment<\/li>\n\n\n\n<li>Network zone assignment<\/li>\n\n\n\n<li>Exclusions<\/li>\n\n\n\n<li>Log collection settings<\/li>\n\n\n\n<li>Sensitive data masking<\/li>\n\n\n\n<li>Remote configuration<\/li>\n\n\n\n<li>Health and connectivity<\/li>\n\n\n\n<li>Environment-wide settings<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16.3 Monitoring modes<\/h2>\n\n\n\n<p>Common OneAgent modes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Full-stack monitoring<\/li>\n\n\n\n<li>Infrastructure monitoring<\/li>\n\n\n\n<li>Discovery mode<\/li>\n\n\n\n<li>Application-only monitoring in some deployment patterns<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16.4 Auto-update governance<\/h2>\n\n\n\n<p>Administrators should decide:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Should OneAgents auto-update automatically?<\/li>\n\n\n\n<li>Are there maintenance windows for updates?<\/li>\n\n\n\n<li>Are some environments updated before others?<\/li>\n\n\n\n<li>Are production updates delayed or staged?<\/li>\n\n\n\n<li>Who owns update validation?<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16.5 Deployment health checklist<\/h2>\n\n\n\n<p>For each environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Are all expected hosts monitored?<\/li>\n\n\n\n<li>Are OneAgents healthy?<\/li>\n\n\n\n<li>Are OneAgents current or within supported version range?<\/li>\n\n\n\n<li>Are network zones configured correctly?<\/li>\n\n\n\n<li>Are ActiveGates reachable?<\/li>\n\n\n\n<li>Are host groups correct?<\/li>\n\n\n\n<li>Are unwanted hosts excluded?<\/li>\n\n\n\n<li>Are process groups and services discovered as expected?<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16.6 Exam focus<\/h2>\n\n\n\n<p>Know how OneAgent administration connects to host groups, network zones, ActiveGate, auto-update, monitoring modes, and log ingestion.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">17. Log administration<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">17.1 Why logs are an admin topic<\/h2>\n\n\n\n<p>Logs can create high value and high cost. Administrators must manage ingestion, filtering, retention, masking, access, and query behavior.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">17.2 Log ingestion sources<\/h2>\n\n\n\n<p>Logs can enter Dynatrace through:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OneAgent<\/li>\n\n\n\n<li>APIs<\/li>\n\n\n\n<li>OpenTelemetry<\/li>\n\n\n\n<li>Cloud integrations<\/li>\n\n\n\n<li>Extensions<\/li>\n\n\n\n<li>Log shippers \/ integrations<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">17.3 OneAgent log ingestion<\/h2>\n\n\n\n<p>OneAgent can automatically discover logs and offers central management options.<\/p>\n\n\n\n<p>Admins may configure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which logs are collected<\/li>\n\n\n\n<li>Which logs are excluded<\/li>\n\n\n\n<li>Log ingest rules<\/li>\n\n\n\n<li>Sensitive data masking<\/li>\n\n\n\n<li>Host\/host group\/environment-level log settings<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">17.4 Grail log storage<\/h2>\n\n\n\n<p>In latest Dynatrace, logs are stored in Grail. Administrators manage retention and access using bucket and policy concepts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">17.5 Log retention<\/h2>\n\n\n\n<p>Retention should match use case:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Short retention for debugging<\/li>\n\n\n\n<li>Medium retention for operational investigations<\/li>\n\n\n\n<li>Long retention for compliance\/audit<\/li>\n\n\n\n<li>Dedicated buckets for high-value or regulated logs<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">17.6 Log cost governance<\/h2>\n\n\n\n<p>Cost drivers can include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ingested log volume<\/li>\n\n\n\n<li>Retained log volume<\/li>\n\n\n\n<li>Query\/scanned data volume<\/li>\n\n\n\n<li>Frequent dashboard refreshes over log data<\/li>\n\n\n\n<li>Broad DQL queries<\/li>\n\n\n\n<li>Long retention on high-volume buckets<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">17.7 Log governance best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filter noisy logs before storage.<\/li>\n\n\n\n<li>Route logs to appropriate buckets.<\/li>\n\n\n\n<li>Use OpenPipeline to drop, enrich, route, or mask data.<\/li>\n\n\n\n<li>Create dedicated buckets for high-volume sources.<\/li>\n\n\n\n<li>Set retention by business need.<\/li>\n\n\n\n<li>Avoid running broad log queries over long time periods.<\/li>\n\n\n\n<li>Control access to buckets.<\/li>\n\n\n\n<li>Use dashboards carefully when based on log data.<\/li>\n\n\n\n<li>Mask sensitive data before it leaves the environment when required.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">17.8 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Logs are stored in Grail.<\/li>\n\n\n\n<li>Retention can be configured through bucket strategy.<\/li>\n\n\n\n<li>Logs can be filtered on ingest using OneAgent or OpenPipeline.<\/li>\n\n\n\n<li>DQL queries can impact query consumption\/cost depending on licensing model.<\/li>\n\n\n\n<li>Sensitive data should be masked early where possible.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">18. Grail buckets, retention, and storage governance<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">18.1 What buckets are<\/h2>\n\n\n\n<p>Buckets are logical storage containers in Grail. They help administrators control retention, access, and storage organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">18.2 Bucket strategy<\/h2>\n\n\n\n<p>A good bucket strategy considers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data type<\/li>\n\n\n\n<li>Business owner<\/li>\n\n\n\n<li>Retention requirement<\/li>\n\n\n\n<li>Compliance requirement<\/li>\n\n\n\n<li>Access requirement<\/li>\n\n\n\n<li>Query cost pattern<\/li>\n\n\n\n<li>Environment<\/li>\n\n\n\n<li>Criticality<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">18.3 Example bucket design<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">logs_prod_critical_90d\nlogs_prod_debug_14d\nlogs_nonprod_7d\nlogs_security_audit_365d\nevents_prod_90d\ntraces_prod_30d\nbusiness_events_orders_180d\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">18.4 Retention strategy<\/h2>\n\n\n\n<p>Ask:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How long do teams need this data for troubleshooting?<\/li>\n\n\n\n<li>Is there a compliance requirement?<\/li>\n\n\n\n<li>How often will users query historical data?<\/li>\n\n\n\n<li>Can high-volume low-value data be dropped or shortened?<\/li>\n\n\n\n<li>Should data be split into separate buckets?<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">18.5 Access strategy<\/h2>\n\n\n\n<p>Do not allow every team to query every bucket by default.<\/p>\n\n\n\n<p>Use IAM policies and storage permissions to control:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can query which buckets<\/li>\n\n\n\n<li>Who can manage bucket definitions<\/li>\n\n\n\n<li>Who can change retention<\/li>\n\n\n\n<li>Who can modify OpenPipeline routing to buckets<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">18.6 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Buckets are important for Grail storage and retention.<\/li>\n\n\n\n<li>Retention is configured according to business\/compliance needs.<\/li>\n\n\n\n<li>Bucket access should be governed with IAM policies.<\/li>\n\n\n\n<li>Bucket strategy is part of cost control.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">19. OpenPipeline administration<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">19.1 What OpenPipeline does<\/h2>\n\n\n\n<p>OpenPipeline processes telemetry data. It can route, filter, transform, enrich, mask, and contextualize data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">19.2 Why administrators use OpenPipeline<\/h2>\n\n\n\n<p>Use cases:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Drop noisy logs<\/li>\n\n\n\n<li>Route logs to custom buckets<\/li>\n\n\n\n<li>Mask sensitive data<\/li>\n\n\n\n<li>Extract fields<\/li>\n\n\n\n<li>Normalize attributes<\/li>\n\n\n\n<li>Convert logs to business events<\/li>\n\n\n\n<li>Enrich records with team\/application metadata<\/li>\n\n\n\n<li>Apply different retention strategies through routing<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">19.3 OpenPipeline concepts<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Source<\/li>\n\n\n\n<li>Pipeline<\/li>\n\n\n\n<li>Processor<\/li>\n\n\n\n<li>Matcher\/filter condition<\/li>\n\n\n\n<li>Record transformation<\/li>\n\n\n\n<li>Routing<\/li>\n\n\n\n<li>Bucket assignment<\/li>\n\n\n\n<li>Data enrichment<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">19.4 Example scenarios<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 1: Drop debug logs from production<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">If loglevel == DEBUG and environment == production\n  then drop record\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Scenario 2: Route payment logs to a dedicated bucket<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">If app == payments\n  then route to logs_prod_payments_90d\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Scenario 3: Mask credit card-like patterns<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">If content contains sensitive payment pattern\n  then mask matching value\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Scenario 4: Extract order ID<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">If<\/span> <span class=\"hljs-selector-tag\">content<\/span> <span class=\"hljs-selector-tag\">contains<\/span> <span class=\"hljs-selector-tag\">order_id<\/span>\n  <span class=\"hljs-selector-tag\">then<\/span> <span class=\"hljs-selector-tag\">parse<\/span> <span class=\"hljs-selector-tag\">and<\/span> <span class=\"hljs-selector-tag\">add<\/span> <span class=\"hljs-selector-tag\">attribute<\/span> <span class=\"hljs-selector-tag\">order<\/span><span class=\"hljs-selector-class\">.id<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">19.5 OpenPipeline best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Test changes in non-production first.<\/li>\n\n\n\n<li>Document why processors exist.<\/li>\n\n\n\n<li>Keep processors simple and readable.<\/li>\n\n\n\n<li>Use naming conventions.<\/li>\n\n\n\n<li>Monitor data volume before and after changes.<\/li>\n\n\n\n<li>Avoid dropping data required for compliance.<\/li>\n\n\n\n<li>Coordinate with data owners before changing routing.<\/li>\n\n\n\n<li>Validate DQL queries after field extraction.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">19.6 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OpenPipeline controls ingestion and processing.<\/li>\n\n\n\n<li>It can filter, mask, enrich, transform, and route data.<\/li>\n\n\n\n<li>It is central to cost, privacy, and data-quality governance.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">20. Licensing, subscription, cost, and consumption<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">20.1 Why licensing matters for administrators<\/h2>\n\n\n\n<p>Administrators must understand how Dynatrace usage affects cost and how to monitor consumption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">20.2 Dynatrace Platform Subscription<\/h2>\n\n\n\n<p>Dynatrace Platform Subscription, or DPS, is the current strategic licensing model for the latest Dynatrace platform. It provides a single commitment model across platform capabilities, with consumption accruing based on capability usage.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">20.3 Classic licensing<\/h2>\n\n\n\n<p>Classic licensing may include concepts such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Host units<\/li>\n\n\n\n<li>Host unit hours<\/li>\n\n\n\n<li>DEM units<\/li>\n\n\n\n<li>Davis Data Units<\/li>\n\n\n\n<li>Application Security units<\/li>\n<\/ul>\n\n\n\n<p>Administrators may need to understand classic licensing if their organization still uses it or is migrating.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">20.4 Account Management subscription views<\/h2>\n\n\n\n<p>License administrators can view:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consumption<\/li>\n\n\n\n<li>Forecasts<\/li>\n\n\n\n<li>Cost allocation<\/li>\n\n\n\n<li>Historical usage<\/li>\n\n\n\n<li>Budget summaries<\/li>\n\n\n\n<li>Cost and usage breakdowns by environment or capability<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">20.5 Cost governance areas<\/h2>\n\n\n\n<p>High-impact cost areas:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Full-stack host monitoring scale<\/li>\n\n\n\n<li>Log ingest volume<\/li>\n\n\n\n<li>Log retention duration<\/li>\n\n\n\n<li>Log query volume<\/li>\n\n\n\n<li>Trace retention<\/li>\n\n\n\n<li>Business events<\/li>\n\n\n\n<li>Synthetic monitor frequency<\/li>\n\n\n\n<li>RUM traffic volume<\/li>\n\n\n\n<li>Custom metrics<\/li>\n\n\n\n<li>Platform extensions<\/li>\n\n\n\n<li>Automation\/workflows depending on usage model<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">20.6 Cost control practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor usage regularly.<\/li>\n\n\n\n<li>Create budgets or internal cost guardrails.<\/li>\n\n\n\n<li>Use cost allocation for teams\/products when available.<\/li>\n\n\n\n<li>Optimize log ingest and retention.<\/li>\n\n\n\n<li>Filter noisy data.<\/li>\n\n\n\n<li>Use separate buckets by retention and access need.<\/li>\n\n\n\n<li>Educate users on query cost.<\/li>\n\n\n\n<li>Avoid uncontrolled dashboard refreshes over huge datasets.<\/li>\n\n\n\n<li>Review new integrations before enabling large-scale ingestion.<\/li>\n\n\n\n<li>Set ownership for high-volume sources.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">20.7 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DPS is the strategic subscription model for latest Dynatrace.<\/li>\n\n\n\n<li>Classic licensing may still exist.<\/li>\n\n\n\n<li>Administrators use Account Management to view subscription\/license usage.<\/li>\n\n\n\n<li>Cost governance is tied to ingestion, retention, query behavior, monitoring scale, and feature usage.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">21. Alerting and notifications<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">21.1 Alerting flow<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Telemetry collected\n  \u2193\nDynatrace detects anomaly or threshold violation\n  \u2193\nEvent is created\n  \u2193\nDavis correlates related events into a problem\n  \u2193\nAlerting profile decides whether notification should be sent\n  \u2193\nNotification integration or workflow delivers action\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">21.2 Alerting profiles<\/h2>\n\n\n\n<p>Alerting profiles control which problems generate notifications. They can filter by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Severity<\/li>\n\n\n\n<li>Duration<\/li>\n\n\n\n<li>Custom events<\/li>\n\n\n\n<li>Tags<\/li>\n\n\n\n<li>Management zones\/scopes in some use cases<\/li>\n\n\n\n<li>Problem type or event type depending on configuration<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">21.3 Notification integrations<\/h2>\n\n\n\n<p>Notifications can go to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Email<\/li>\n\n\n\n<li>Slack<\/li>\n\n\n\n<li>Microsoft Teams<\/li>\n\n\n\n<li>PagerDuty<\/li>\n\n\n\n<li>Opsgenie<\/li>\n\n\n\n<li>ServiceNow<\/li>\n\n\n\n<li>Jira<\/li>\n\n\n\n<li>Webhooks<\/li>\n\n\n\n<li>Ansible Tower<\/li>\n\n\n\n<li>Custom integrations<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">21.4 Default alerting profile<\/h2>\n\n\n\n<p>Each environment has a default alerting profile. Administrators often create team-specific profiles to reduce noise and route alerts correctly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">21.5 Alerting profile design<\/h2>\n\n\n\n<p>Recommended pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Critical production availability\n  \u2192 page on-call immediately\n\nPerformance degradation lasting 15+ minutes\n  \u2192 notify team channel\n\nNon-production issue\n  \u2192 create ticket or send lower-priority notification\n\nMaintenance-tagged entities\n  \u2192 suppress or delay notifications\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">21.6 Common mistakes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sending all problems to all teams.<\/li>\n\n\n\n<li>Not using duration filters.<\/li>\n\n\n\n<li>Not filtering by tags or ownership.<\/li>\n\n\n\n<li>Creating duplicate notifications through overlapping profiles.<\/li>\n\n\n\n<li>Forgetting to test notification integrations.<\/li>\n\n\n\n<li>Alerting on symptoms instead of root-cause problems.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">21.7 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alerting profiles filter problem notifications.<\/li>\n\n\n\n<li>Notifications integrate with third-party tools.<\/li>\n\n\n\n<li>Problems still appear in Dynatrace even without external notification integrations.<\/li>\n\n\n\n<li>Avoid alert noise through severity, duration, tags, and team-based routing.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">22. Anomaly detection and metric events<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">22.1 Anomaly detection purpose<\/h2>\n\n\n\n<p>Dynatrace continuously monitors applications, services, and infrastructure, learns baselines, and detects abnormal behavior.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">22.2 Types of anomaly detection<\/h2>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Service response time degradation<\/li>\n\n\n\n<li>Service failure rate increase<\/li>\n\n\n\n<li>Traffic drops or spikes<\/li>\n\n\n\n<li>Host CPU saturation<\/li>\n\n\n\n<li>Memory outage<\/li>\n\n\n\n<li>Disk problems<\/li>\n\n\n\n<li>Network problems<\/li>\n\n\n\n<li>Missing data alerts<\/li>\n\n\n\n<li>Custom metric events<\/li>\n\n\n\n<li>DQL-based advanced custom alerts<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22.3 Baselines<\/h2>\n\n\n\n<p>Dynatrace can use automatic baselining to detect deviations from normal behavior.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">22.4 Static thresholds<\/h2>\n\n\n\n<p>Static thresholds trigger when a metric crosses a fixed value.<\/p>\n\n\n\n<p>Good for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hard capacity limits<\/li>\n\n\n\n<li>Compliance thresholds<\/li>\n\n\n\n<li>Well-known SLO boundaries<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22.5 Auto-adaptive thresholds<\/h2>\n\n\n\n<p>Auto-adaptive thresholds adjust based on behavior and are useful for metrics with changing patterns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">22.6 Metric events<\/h2>\n\n\n\n<p>Metric events allow administrators to create custom events based on metric thresholds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">22.7 DQL-based anomaly detection<\/h2>\n\n\n\n<p>Advanced custom alerts can be based on DQL queries. These need careful design because the query may execute regularly and should be efficient.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">22.8 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dynatrace uses baselines and anomaly detection.<\/li>\n\n\n\n<li>Admins can adjust sensitivity.<\/li>\n\n\n\n<li>Custom metric events can be configured.<\/li>\n\n\n\n<li>DQL-based alerts require efficient queries.<\/li>\n\n\n\n<li>Missing data alerts are useful when the absence of telemetry is itself a problem.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">23. Maintenance windows<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">23.1 What maintenance windows do<\/h2>\n\n\n\n<p>Maintenance windows define periods when planned or unplanned maintenance occurs.<\/p>\n\n\n\n<p>They can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suppress or modify alerting behavior<\/li>\n\n\n\n<li>Exclude maintenance periods from baseline calculations<\/li>\n\n\n\n<li>Prevent planned changes from polluting anomaly baselines<\/li>\n\n\n\n<li>Filter by tags or management zones<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23.2 Planned vs unplanned<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Planned maintenance<\/h3>\n\n\n\n<p>Defined in advance.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Database upgrade Saturday 01:00\u201303:00.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Unplanned maintenance<\/h3>\n\n\n\n<p>Defined retroactively or for an ongoing outage.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Emergency network outage started 20 minutes ago.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23.3 Best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use maintenance windows for planned releases and infrastructure work.<\/li>\n\n\n\n<li>Scope windows narrowly using tags or zones.<\/li>\n\n\n\n<li>Do not use broad all-environment windows unless necessary.<\/li>\n\n\n\n<li>Document maintenance ownership.<\/li>\n\n\n\n<li>Align with change-management processes.<\/li>\n\n\n\n<li>Validate alert behavior before planned production maintenance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23.4 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintenance windows can affect alerting and baseline calculation.<\/li>\n\n\n\n<li>They should be scoped carefully.<\/li>\n\n\n\n<li>They can be planned or unplanned.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">24. Workflows and automation<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">24.1 What workflows do<\/h2>\n\n\n\n<p>Workflows automate operational actions in Dynatrace.<\/p>\n\n\n\n<p>They can be triggered by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Problems<\/li>\n\n\n\n<li>Events<\/li>\n\n\n\n<li>Schedules<\/li>\n\n\n\n<li>Manual execution<\/li>\n\n\n\n<li>API calls<\/li>\n\n\n\n<li>Other platform events depending on configuration<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">24.2 Workflow use cases<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Notify team channels<\/li>\n\n\n\n<li>Create incidents<\/li>\n\n\n\n<li>Enrich problem context<\/li>\n\n\n\n<li>Run remediation actions<\/li>\n\n\n\n<li>Query data with DQL<\/li>\n\n\n\n<li>Send reports<\/li>\n\n\n\n<li>Trigger webhooks<\/li>\n\n\n\n<li>Perform checks after deployment<\/li>\n\n\n\n<li>Coordinate follow-up actions<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">24.3 Workflow governance<\/h2>\n\n\n\n<p>Administrators should control:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can create workflows<\/li>\n\n\n\n<li>Who can run workflows<\/li>\n\n\n\n<li>Which external endpoints workflows can call<\/li>\n\n\n\n<li>Which credentials workflows can use<\/li>\n\n\n\n<li>Which workflows run automatically on production problems<\/li>\n\n\n\n<li>How workflow failures are monitored<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">24.4 Best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with notification\/enrichment workflows.<\/li>\n\n\n\n<li>Test in non-production.<\/li>\n\n\n\n<li>Use credential vault for secrets.<\/li>\n\n\n\n<li>Avoid hardcoding secrets.<\/li>\n\n\n\n<li>Add ownership and descriptions.<\/li>\n\n\n\n<li>Use rate limits and safety conditions.<\/li>\n\n\n\n<li>Log or document workflow output.<\/li>\n\n\n\n<li>Avoid automation that can make incidents worse without guardrails.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">24.5 Exam focus<\/h2>\n\n\n\n<p>Know that workflows are the automation layer and can help streamline alerting, notifications, and response.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">25. Credential vault<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">25.1 What Credential vault is<\/h2>\n\n\n\n<p>Credential vault stores credentials used by Dynatrace features such as Synthetic Monitoring, extensions, and integrations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">25.2 Why administrators care<\/h2>\n\n\n\n<p>Credentials must be secured because they may allow access to internal applications, APIs, cloud services, or third-party systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">25.3 Credential types<\/h2>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username\/password<\/li>\n\n\n\n<li>Token<\/li>\n\n\n\n<li>Certificate<\/li>\n\n\n\n<li>AWS credential configurations<\/li>\n\n\n\n<li>External vault references<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">25.4 External vault integration<\/h2>\n\n\n\n<p>Dynatrace can integrate with external vaults for some credential types, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Key Vault<\/li>\n\n\n\n<li>HashiCorp Vault<\/li>\n\n\n\n<li>CyberArk<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">25.5 Best practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Credential vault instead of hardcoding credentials.<\/li>\n\n\n\n<li>Limit owner access where appropriate.<\/li>\n\n\n\n<li>Rotate credentials regularly.<\/li>\n\n\n\n<li>Use external vault integration when required by policy.<\/li>\n\n\n\n<li>Remove unused credentials.<\/li>\n\n\n\n<li>Track which monitors or integrations use a credential.<\/li>\n\n\n\n<li>Avoid screenshots or documentation that expose secrets.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">25.6 Exam focus<\/h2>\n\n\n\n<p>Know that Credential vault securely stores secrets for monitors and integrations, and can be integrated with external vault systems.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">26. Data privacy, masking, and sensitive data<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">26.1 Why privacy matters<\/h2>\n\n\n\n<p>Dynatrace can collect URLs, request attributes, logs, user\/session data, traces, exception messages, and metadata. Some of this may contain personal or sensitive data.<\/p>\n\n\n\n<p>Administrators must configure controls so sensitive data is not exposed unnecessarily.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">26.2 Masking approaches<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Mask at capture<\/h3>\n\n\n\n<p>Sensitive data is masked before it leaves the monitored environment.<\/p>\n\n\n\n<p>Best when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data must never leave the customer environment.<\/li>\n\n\n\n<li>Compliance requires strong privacy controls.<\/li>\n\n\n\n<li>Logs or URLs may contain personal data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Mask at storage or processing<\/h3>\n\n\n\n<p>Data is transformed during processing or ingestion.<\/p>\n\n\n\n<p>Best when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data can be processed but should not be stored in raw form.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Mask at display<\/h3>\n\n\n\n<p>Data is stored but hidden from users unless they have permission.<\/p>\n\n\n\n<p>Best when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some privileged users need access but most users should not see personal data.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">26.3 OneAgent-side masking<\/h2>\n\n\n\n<p>OneAgent can mask certain sensitive data at first contact. This helps ensure selected sensitive data is not sent to Dynatrace servers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">26.4 Log masking<\/h2>\n\n\n\n<p>Log masking can be configured for log data, including at-capture masking through OneAgent and processing\/masking through OpenPipeline.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">26.5 Privacy checklist<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify data that may contain personal information.<\/li>\n\n\n\n<li>Decide whether to mask at capture, processing, or display.<\/li>\n\n\n\n<li>Use least-privilege access to sensitive data.<\/li>\n\n\n\n<li>Validate log collection before production rollout.<\/li>\n\n\n\n<li>Avoid collecting secrets, tokens, passwords, or full PII.<\/li>\n\n\n\n<li>Configure RUM privacy settings for user data.<\/li>\n\n\n\n<li>Review request attributes that may capture sensitive values.<\/li>\n\n\n\n<li>Audit who can view sensitive data.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">26.6 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Masking at capture is strongest because data does not leave the environment.<\/li>\n\n\n\n<li>OneAgent-side masking can be used for sensitive data.<\/li>\n\n\n\n<li>Log masking and privacy settings are key admin controls.<\/li>\n\n\n\n<li>Display masking is not the same as capture masking.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">27. Audit logs and governance<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">27.1 Why audit logs matter<\/h2>\n\n\n\n<p>Audit logs help administrators track who changed what and when.<\/p>\n\n\n\n<p>They support:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security investigations<\/li>\n\n\n\n<li>Compliance<\/li>\n\n\n\n<li>Access review<\/li>\n\n\n\n<li>Change management<\/li>\n\n\n\n<li>Troubleshooting misconfiguration<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">27.2 What to audit<\/h2>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User\/group changes<\/li>\n\n\n\n<li>Policy changes<\/li>\n\n\n\n<li>Token creation\/deletion<\/li>\n\n\n\n<li>SAML\/SCIM configuration changes<\/li>\n\n\n\n<li>Settings changes<\/li>\n\n\n\n<li>Bucket\/retention changes<\/li>\n\n\n\n<li>OpenPipeline changes<\/li>\n\n\n\n<li>Workflow changes<\/li>\n\n\n\n<li>Alerting changes<\/li>\n\n\n\n<li>Integration changes<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">27.3 Audit practice<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep admin changes traceable.<\/li>\n\n\n\n<li>Use named accounts or service users, not shared accounts.<\/li>\n\n\n\n<li>Use change tickets or pull requests for important changes.<\/li>\n\n\n\n<li>Use Monaco\/Git for configuration where possible.<\/li>\n\n\n\n<li>Review high-risk changes regularly.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">28. Dashboards, notebooks, documents, and user enablement<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">28.1 Why dashboards are an admin topic<\/h2>\n\n\n\n<p>Administrators often define platform standards for dashboards:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can create dashboards<\/li>\n\n\n\n<li>Who can share dashboards<\/li>\n\n\n\n<li>Which dashboards are official<\/li>\n\n\n\n<li>Which dashboards use expensive queries<\/li>\n\n\n\n<li>Which dashboards are deprecated<\/li>\n\n\n\n<li>How naming and ownership work<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">28.2 Dashboard governance<\/h2>\n\n\n\n<p>Recommended dashboard naming:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-attr\">&#91;Team]<\/span> <span class=\"hljs-selector-attr\">&#91;Environment]<\/span> <span class=\"hljs-selector-attr\">&#91;Use case]<\/span>\n\n<span class=\"hljs-selector-tag\">Examples<\/span>:\n  <span class=\"hljs-selector-tag\">Payments<\/span> <span class=\"hljs-selector-tag\">Prod<\/span> <span class=\"hljs-selector-tag\">Service<\/span> <span class=\"hljs-selector-tag\">Health<\/span>\n  <span class=\"hljs-selector-tag\">Platform<\/span> <span class=\"hljs-selector-tag\">Kubernetes<\/span> <span class=\"hljs-selector-tag\">Overview<\/span>\n  <span class=\"hljs-selector-tag\">Security<\/span> <span class=\"hljs-selector-tag\">Runtime<\/span> <span class=\"hljs-selector-tag\">Vulnerabilities<\/span>\n  <span class=\"hljs-selector-tag\">Executive<\/span> <span class=\"hljs-selector-tag\">Business<\/span> <span class=\"hljs-selector-tag\">Impact<\/span> <span class=\"hljs-selector-tag\">Overview<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">28.3 Notebooks<\/h2>\n\n\n\n<p>Notebooks are used for investigation and analysis. Admins may govern:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can create and share notebooks<\/li>\n\n\n\n<li>Which notebooks are official runbooks<\/li>\n\n\n\n<li>How DQL query cost is managed<\/li>\n\n\n\n<li>How sensitive data is handled<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">28.4 Documents<\/h2>\n\n\n\n<p>Documents can be used for operational notes, runbooks, or analysis depending on the app capabilities enabled.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">28.5 Exam focus<\/h2>\n\n\n\n<p>Know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dashboards are for ongoing visual monitoring.<\/li>\n\n\n\n<li>Notebooks are for analysis and investigation.<\/li>\n\n\n\n<li>Admins should govern sharing, access, query cost, and ownership.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">29. Service-level objectives<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">29.1 What SLOs are<\/h2>\n\n\n\n<p>Service-level objectives define reliability targets.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checkout API availability should be 99.9% over 30 days.<\/li>\n\n\n\n<li>Login latency should meet threshold 95% of the time.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">29.2 SLO concepts<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SLI: Service-level indicator, the measurement.<\/li>\n\n\n\n<li>SLO: Service-level objective, the target.<\/li>\n\n\n\n<li>Error budget: Allowed unreliability within the target window.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">29.3 Administrator role<\/h2>\n\n\n\n<p>Administrators may control:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can create SLOs<\/li>\n\n\n\n<li>Which teams own SLOs<\/li>\n\n\n\n<li>Standard naming<\/li>\n\n\n\n<li>Dashboarding<\/li>\n\n\n\n<li>Alerting on SLO burn rate or target violation<\/li>\n\n\n\n<li>Integration with governance and reporting<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">29.4 Exam focus<\/h2>\n\n\n\n<p>Know the basic purpose of SLOs and the difference between SLI, SLO, and error budget.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">30. Extensions and integrations<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">30.1 Why integrations matter<\/h2>\n\n\n\n<p>Dynatrace environments often ingest or interact with systems beyond OneAgent monitoring.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS<\/li>\n\n\n\n<li>Azure<\/li>\n\n\n\n<li>Google Cloud<\/li>\n\n\n\n<li>Kubernetes<\/li>\n\n\n\n<li>VMware<\/li>\n\n\n\n<li>Databases<\/li>\n\n\n\n<li>Network devices<\/li>\n\n\n\n<li>Messaging systems<\/li>\n\n\n\n<li>CI\/CD systems<\/li>\n\n\n\n<li>Incident-management tools<\/li>\n\n\n\n<li>ChatOps tools<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">30.2 Extension governance<\/h2>\n\n\n\n<p>Administrators should manage:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can install extensions<\/li>\n\n\n\n<li>Which extensions are approved<\/li>\n\n\n\n<li>Which credentials are used<\/li>\n\n\n\n<li>Which ActiveGate executes the extension<\/li>\n\n\n\n<li>Ingest volume generated by the extension<\/li>\n\n\n\n<li>Ownership and support model<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">30.3 Cloud integration governance<\/h2>\n\n\n\n<p>For cloud integrations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least-privilege cloud permissions.<\/li>\n\n\n\n<li>Avoid collecting unnecessary services.<\/li>\n\n\n\n<li>Monitor usage\/consumption impact.<\/li>\n\n\n\n<li>Tag cloud resources consistently.<\/li>\n\n\n\n<li>Align cloud tags with Dynatrace tags and cost allocation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">30.4 Exam focus<\/h2>\n\n\n\n<p>Know that integrations and extensions can increase observability coverage but require permission, credential, ActiveGate, and cost governance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">31. Platform health and operational support<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">31.1 What admins should monitor<\/h2>\n\n\n\n<p>A Dynatrace administrator should monitor the monitoring platform itself.<\/p>\n\n\n\n<p>Checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OneAgent health<\/li>\n\n\n\n<li>ActiveGate health<\/li>\n\n\n\n<li>Data ingest status<\/li>\n\n\n\n<li>Token and OAuth client usage<\/li>\n\n\n\n<li>Log ingestion volume<\/li>\n\n\n\n<li>OpenPipeline errors<\/li>\n\n\n\n<li>Workflow failures<\/li>\n\n\n\n<li>Synthetic location status<\/li>\n\n\n\n<li>Subscription\/license usage<\/li>\n\n\n\n<li>User access requests<\/li>\n\n\n\n<li>Failed SAML\/SCIM provisioning<\/li>\n\n\n\n<li>Unused dashboards and configurations<\/li>\n\n\n\n<li>Deprecated settings or migration tasks<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">31.2 Operating cadence<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Daily<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review critical platform health issues.<\/li>\n\n\n\n<li>Check major ingest failures.<\/li>\n\n\n\n<li>Review urgent access problems.<\/li>\n\n\n\n<li>Review alerting or workflow failures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Weekly<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review usage\/cost anomalies.<\/li>\n\n\n\n<li>Review OneAgent\/ActiveGate update status.<\/li>\n\n\n\n<li>Review failed workflows and integrations.<\/li>\n\n\n\n<li>Review new high-volume log sources.<\/li>\n\n\n\n<li>Review open admin tickets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monthly<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access review for privileged groups.<\/li>\n\n\n\n<li>Token review.<\/li>\n\n\n\n<li>Dashboard\/report cleanup.<\/li>\n\n\n\n<li>Bucket\/retention review.<\/li>\n\n\n\n<li>OpenPipeline rule review.<\/li>\n\n\n\n<li>License\/subscription forecast review.<\/li>\n\n\n\n<li>SAML\/SCIM sync health review.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quarterly<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review admin policies.<\/li>\n\n\n\n<li>Review management zones\/segments.<\/li>\n\n\n\n<li>Review tagging standards.<\/li>\n\n\n\n<li>Review cost allocation.<\/li>\n\n\n\n<li>Review operating model with teams.<\/li>\n\n\n\n<li>Test fallback access and emergency procedures.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">32. Common admin scenarios and best answers<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 1: A new application team needs access only to its own services<\/h2>\n\n\n\n<p>Best approach:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure entities are tagged consistently.<\/li>\n\n\n\n<li>Create or reuse a management zone \/ segment \/ security context for the application.<\/li>\n\n\n\n<li>Create a group for the team.<\/li>\n\n\n\n<li>Bind policies\/permissions to that group with the correct scope.<\/li>\n\n\n\n<li>Validate effective permissions with a test user.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 2: Users can see dashboards but not logs<\/h2>\n\n\n\n<p>Check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User group membership<\/li>\n\n\n\n<li>IAM policies for logs and Grail query access<\/li>\n\n\n\n<li>Bucket access permissions<\/li>\n\n\n\n<li>Management zone\/segment\/security context behavior<\/li>\n\n\n\n<li>Whether the dashboard uses a data source the user cannot query<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 3: Monaco deployment fails<\/h2>\n\n\n\n<p>Check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token\/OAuth credentials<\/li>\n\n\n\n<li>Required scopes<\/li>\n\n\n\n<li>User\/service user group permissions<\/li>\n\n\n\n<li>Environment\/account target<\/li>\n\n\n\n<li>Settings schema availability<\/li>\n\n\n\n<li>Object scope<\/li>\n\n\n\n<li>API errors<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 4: Log costs suddenly increase<\/h2>\n\n\n\n<p>Check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>New log source or cloud integration<\/li>\n\n\n\n<li>OpenPipeline routing changes<\/li>\n\n\n\n<li>Log ingest rules<\/li>\n\n\n\n<li>Bucket retention changes<\/li>\n\n\n\n<li>Dashboard query refreshes<\/li>\n\n\n\n<li>DQL queries over broad timeframes<\/li>\n\n\n\n<li>New high-volume Kubernetes workloads<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 5: Alerts are too noisy<\/h2>\n\n\n\n<p>Check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alerting profiles<\/li>\n\n\n\n<li>Problem severity filters<\/li>\n\n\n\n<li>Duration filters<\/li>\n\n\n\n<li>Tags\/ownership filters<\/li>\n\n\n\n<li>Duplicate integrations<\/li>\n\n\n\n<li>Anomaly detection sensitivity<\/li>\n\n\n\n<li>Missing maintenance windows<\/li>\n\n\n\n<li>Custom metric events with too-sensitive thresholds<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 6: Users are locked out after SAML change<\/h2>\n\n\n\n<p>Check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Domain verification<\/li>\n\n\n\n<li>IdP metadata<\/li>\n\n\n\n<li>Dynatrace SAML configuration<\/li>\n\n\n\n<li>Attribute mapping<\/li>\n\n\n\n<li>Group mapping<\/li>\n\n\n\n<li>IdP certificate expiry<\/li>\n\n\n\n<li>Fallback admin access<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 7: Sensitive data appears in logs<\/h2>\n\n\n\n<p>Actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Determine source and field.<\/li>\n\n\n\n<li>Decide whether masking must happen at capture.<\/li>\n\n\n\n<li>Configure OneAgent sensitive data masking if appropriate.<\/li>\n\n\n\n<li>Configure OpenPipeline masking\/transformation as needed.<\/li>\n\n\n\n<li>Restrict bucket access.<\/li>\n\n\n\n<li>Review retention and purge requirements with compliance\/security.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario 8: A private synthetic monitor cannot reach an internal app<\/h2>\n\n\n\n<p>Check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private location configuration<\/li>\n\n\n\n<li>ActiveGate health<\/li>\n\n\n\n<li>Network\/firewall routing<\/li>\n\n\n\n<li>DNS resolution<\/li>\n\n\n\n<li>Credential vault entries<\/li>\n\n\n\n<li>Authentication configuration<\/li>\n\n\n\n<li>Monitor location assignment<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">33. DQL for administrators<\/h1>\n\n\n\n<p>Administration Professional does not require being a DQL expert, but you should be comfortable with basic admin queries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">33.1 Basic log query<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">fetch logs, <span class=\"hljs-attr\">from<\/span>:now()<span class=\"hljs-number\">-1<\/span>h\n| filter loglevel == <span class=\"hljs-string\">\"ERROR\"<\/span>\n| fields timestamp, loglevel, content, dt.entity.host, dt.entity.service\n| sort timestamp desc\n| limit <span class=\"hljs-number\">100<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">33.2 Count logs by level<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">fetch logs, <span class=\"hljs-attr\">from<\/span>:now()<span class=\"hljs-number\">-24<\/span>h\n| summarize count(), <span class=\"hljs-attr\">by<\/span>:{loglevel}\n| sort <span class=\"hljs-string\">`count()`<\/span> desc\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">33.3 Search for token-like or sensitive patterns conceptually<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">fetch logs, <span class=\"hljs-attr\">from<\/span>:now()<span class=\"hljs-number\">-24<\/span>h\n| search <span class=\"hljs-string\">\"password\"<\/span>\n| fields timestamp, content, dt.entity.host\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">33.4 Find events<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">fetch events, from:now()-24h\n| fields timestamp, event.kind, event.type, event.name, dt.entity.host\n| sort timestamp desc\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">33.5 Query admin-style data carefully<\/h2>\n\n\n\n<p>Guidelines:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with short time windows.<\/li>\n\n\n\n<li>Add filters early.<\/li>\n\n\n\n<li>Select only needed fields.<\/li>\n\n\n\n<li>Summarize when appropriate.<\/li>\n\n\n\n<li>Avoid broad queries over long retention unless necessary.<\/li>\n\n\n\n<li>Be aware of query-cost models.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">34. Hands-on lab checklist<\/h1>\n\n\n\n<p>Use this checklist before taking the exam.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">34.1 IAM labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Find Account Management.<\/li>\n\n\n\n<li>Invite a user.<\/li>\n\n\n\n<li>Create a group.<\/li>\n\n\n\n<li>Add a user to a group.<\/li>\n\n\n\n<li>Review group permissions.<\/li>\n\n\n\n<li>Understand policy binding.<\/li>\n\n\n\n<li>View effective policies conceptually.<\/li>\n\n\n\n<li>Explain SAML setup steps.<\/li>\n\n\n\n<li>Explain SCIM setup steps.<\/li>\n\n\n\n<li>Explain domain verification.<\/li>\n\n\n\n<li>Create or explain OAuth client creation.<\/li>\n\n\n\n<li>Create or explain platform token creation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.2 Settings labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open the Settings app.<\/li>\n\n\n\n<li>Search for a setting.<\/li>\n\n\n\n<li>Explain settings scope.<\/li>\n\n\n\n<li>Explain hierarchy and override behavior.<\/li>\n\n\n\n<li>Identify read vs write access needs.<\/li>\n\n\n\n<li>Explain Settings API and Monaco usage.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.3 Organization labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create or explain automatic tags.<\/li>\n\n\n\n<li>Create or explain management zone rules.<\/li>\n\n\n\n<li>Explain management zones vs segments\/security context.<\/li>\n\n\n\n<li>Explain tag naming standards.<\/li>\n\n\n\n<li>Use tags in alerting or dashboards.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.4 Connectivity labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Explain ActiveGate use cases.<\/li>\n\n\n\n<li>Explain network zones.<\/li>\n\n\n\n<li>Identify why OneAgents might use local ActiveGates.<\/li>\n\n\n\n<li>Explain private synthetic location concept.<\/li>\n\n\n\n<li>Explain ActiveGate health troubleshooting.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.5 Logs and storage labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open Logs.<\/li>\n\n\n\n<li>Run a DQL query.<\/li>\n\n\n\n<li>Filter logs.<\/li>\n\n\n\n<li>Explain buckets.<\/li>\n\n\n\n<li>Explain retention.<\/li>\n\n\n\n<li>Explain OpenPipeline routing.<\/li>\n\n\n\n<li>Explain log masking.<\/li>\n\n\n\n<li>Explain cost-control strategy.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.6 Alerting labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Explain problem lifecycle.<\/li>\n\n\n\n<li>Find alerting profiles.<\/li>\n\n\n\n<li>Explain alerting profile filters.<\/li>\n\n\n\n<li>Explain maintenance windows.<\/li>\n\n\n\n<li>Explain metric events.<\/li>\n\n\n\n<li>Explain anomaly detection sensitivity.<\/li>\n\n\n\n<li>Explain notification integration flow.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.7 Automation labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Explain workflows.<\/li>\n\n\n\n<li>Explain workflow triggers.<\/li>\n\n\n\n<li>Explain secure credential usage.<\/li>\n\n\n\n<li>Explain Monaco deployment flow.<\/li>\n\n\n\n<li>Explain API\/token troubleshooting.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">34.8 Licensing labs<\/h2>\n\n\n\n<p>You should be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Find subscription\/license view.<\/li>\n\n\n\n<li>Explain DPS vs classic concepts.<\/li>\n\n\n\n<li>Identify usage\/cost breakdown.<\/li>\n\n\n\n<li>Explain budget and cost allocation concepts.<\/li>\n\n\n\n<li>Explain how logs and queries may affect cost.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">35. Study plan: 21 days<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Day 1: Certification orientation<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review current Dynatrace University learning path.<\/li>\n\n\n\n<li>Verify exam details.<\/li>\n\n\n\n<li>Review Associate concepts.<\/li>\n\n\n\n<li>Set up tenant or playground access.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 2: Account and environment model<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study Account Management.<\/li>\n\n\n\n<li>Understand accounts, environments, users, groups, policies, subscription.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 3: Users and groups<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Practice user\/group concepts.<\/li>\n\n\n\n<li>Design sample group model.<\/li>\n\n\n\n<li>Understand group inheritance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 4: IAM policies and permissions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study default policies, custom policies, policy boundaries, effective permissions.<\/li>\n\n\n\n<li>Practice least-privilege scenarios.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 5: SAML and SCIM<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study domain verification.<\/li>\n\n\n\n<li>Study SAML setup flow.<\/li>\n\n\n\n<li>Study SCIM provisioning flow.<\/li>\n\n\n\n<li>Review fallback admin concept.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 6: Tokens and OAuth<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study platform tokens, OAuth clients, access tokens classic, service users.<\/li>\n\n\n\n<li>Review token governance and rotation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 7: Settings app and settings hierarchy<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study Settings app.<\/li>\n\n\n\n<li>Understand scopes, schemas, objects, overrides.<\/li>\n\n\n\n<li>Practice finding settings.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 8: Monaco and configuration as code<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study Monaco purpose.<\/li>\n\n\n\n<li>Review deploy\/download workflow.<\/li>\n\n\n\n<li>Understand OAuth scopes and service users.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 9: Tags and metadata<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study manual vs automatic tags.<\/li>\n\n\n\n<li>Create naming convention examples.<\/li>\n\n\n\n<li>Map tags to ownership, alerting, dashboards.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 10: Management zones, segments, security context<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study access scoping.<\/li>\n\n\n\n<li>Understand classic vs latest access patterns.<\/li>\n\n\n\n<li>Review Grail data access considerations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 11: ActiveGate and network zones<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study ActiveGate use cases.<\/li>\n\n\n\n<li>Study network zone design.<\/li>\n\n\n\n<li>Practice troubleshooting connectivity scenarios.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 12: OneAgent admin operations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study monitoring modes, host groups, updates, health, remote configuration.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 13: Logs and Grail buckets<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study log ingestion, bucket strategy, retention, access.<\/li>\n\n\n\n<li>Practice DQL basics.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 14: OpenPipeline<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study filtering, routing, enrichment, masking.<\/li>\n\n\n\n<li>Write sample scenarios.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 15: Licensing and cost<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study DPS vs classic concepts.<\/li>\n\n\n\n<li>Review usage\/cost drivers.<\/li>\n\n\n\n<li>Build a cost-control checklist.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 16: Alerting profiles and notifications<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study problem notifications.<\/li>\n\n\n\n<li>Design team-based alert routing.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 17: Anomaly detection and maintenance windows<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study anomaly detection, metric events, baselines, thresholds, maintenance windows.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 18: Workflows and automation<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study workflow triggers, credentials, governance, response automation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 19: Privacy, credential vault, audit<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study masking, credential vault, external vault, audit logs, security governance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 20: Scenario review<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Work through all scenarios in this guide.<\/li>\n\n\n\n<li>Practice hands-on lab checklist.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Day 21: Final mock review<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Complete practice questions.<\/li>\n\n\n\n<li>Review weak areas.<\/li>\n\n\n\n<li>Re-verify exam format in Dynatrace University.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">36. Final revision cheat sheets<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">36.1 Component cheat sheet<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>Admin must know<\/th><\/tr><\/thead><tbody><tr><td>Account Management<\/td><td>Users, groups, policies, environments, SAML, SCIM, OAuth, license\/subscription<\/td><\/tr><tr><td>Users<\/td><td>Invite, assign, remove, federated vs non-federated<\/td><\/tr><tr><td>Groups<\/td><td>Users inherit permissions from group membership<\/td><\/tr><tr><td>Policies<\/td><td>Fine-grained access control enforced at runtime<\/td><\/tr><tr><td>SAML<\/td><td>Federated SSO authentication<\/td><\/tr><tr><td>SCIM<\/td><td>Automated user\/group provisioning<\/td><\/tr><tr><td>Domain verification<\/td><td>Required for SAML\/SCIM domain ownership proof<\/td><\/tr><tr><td>Platform tokens<\/td><td>Long-lived programmatic access within user\/service user permissions<\/td><\/tr><tr><td>OAuth clients<\/td><td>Service-to-service \/ automation authentication<\/td><\/tr><tr><td>Settings app<\/td><td>Central configuration entry point<\/td><\/tr><tr><td>Settings hierarchy<\/td><td>More specific settings override broader settings<\/td><\/tr><tr><td>Monaco<\/td><td>Configuration as Code CLI<\/td><\/tr><tr><td>Tags<\/td><td>Entity organization and filtering<\/td><\/tr><tr><td>Management zones<\/td><td>Classic entity\/data access scoping<\/td><\/tr><tr><td>Segments\/security context<\/td><td>Latest platform access scoping concepts<\/td><\/tr><tr><td>ActiveGate<\/td><td>Secure gateway\/proxy and integration point<\/td><\/tr><tr><td>Network zones<\/td><td>Connectivity routing model for network structure<\/td><\/tr><tr><td>Buckets<\/td><td>Grail storage\/retention\/access containers<\/td><\/tr><tr><td>OpenPipeline<\/td><td>Ingest filtering, routing, transformation, enrichment, masking<\/td><\/tr><tr><td>Alerting profiles<\/td><td>Filter which problems create notifications<\/td><\/tr><tr><td>Maintenance windows<\/td><td>Suppress\/adjust alerts and protect baselines during maintenance<\/td><\/tr><tr><td>Workflows<\/td><td>Automation and operational response<\/td><\/tr><tr><td>Credential vault<\/td><td>Secure storage for credentials<\/td><\/tr><tr><td>DPS<\/td><td>Current strategic platform subscription model<\/td><\/tr><tr><td>Classic licensing<\/td><td>HU, DEM, DDU, ASU concepts in older licensing<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">36.2 Access troubleshooting cheat sheet<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Symptom<\/th><th>Check<\/th><\/tr><\/thead><tbody><tr><td>User cannot log in<\/td><td>SAML\/IdP, domain, user status, fallback path<\/td><\/tr><tr><td>User sees no environment<\/td><td>Account\/environment access, group membership<\/td><\/tr><tr><td>User cannot see data<\/td><td>Policies, management zones, segments, bucket access<\/td><\/tr><tr><td>User cannot edit settings<\/td><td>Pro\/admin policy, settings-specific policy<\/td><\/tr><tr><td>API call unauthorized<\/td><td>Token scope, OAuth scopes, service user policies<\/td><\/tr><tr><td>Monaco deployment fails<\/td><td>Token\/OAuth, scopes, schema access, write permissions<\/td><\/tr><tr><td>Dashboard tile fails<\/td><td>Data source permission, DQL\/bucket access, app permission<\/td><\/tr><tr><td>User sees too much<\/td><td>Group memberships, broad policies, missing boundaries<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">36.3 Cost troubleshooting cheat sheet<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Symptom<\/th><th>Check<\/th><\/tr><\/thead><tbody><tr><td>Log ingest spike<\/td><td>New source, OneAgent rules, cloud logs, OpenPipeline changes<\/td><\/tr><tr><td>Log query cost spike<\/td><td>Broad DQL queries, dashboards, notebooks, API queries<\/td><\/tr><tr><td>Retention cost spike<\/td><td>Bucket retention changes, new buckets, high-volume data<\/td><\/tr><tr><td>Host monitoring cost spike<\/td><td>New OneAgents, autoscaling, full-stack enabled broadly<\/td><\/tr><tr><td>Synthetic cost spike<\/td><td>Monitor frequency, locations, clickpaths<\/td><\/tr><tr><td>RUM cost spike<\/td><td>Traffic volume, session replay, applications added<\/td><\/tr><tr><td>Custom metric cost spike<\/td><td>New integrations, cardinality, metric dimensions<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">36.4 Alerting troubleshooting cheat sheet<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Symptom<\/th><th>Check<\/th><\/tr><\/thead><tbody><tr><td>Too many alerts<\/td><td>Alerting profile filters, duration, severity, tags<\/td><\/tr><tr><td>No notification<\/td><td>Integration, alerting profile, maintenance window, problem severity<\/td><\/tr><tr><td>Duplicate notifications<\/td><td>Overlapping profiles\/integrations\/workflows<\/td><\/tr><tr><td>Alerts during deployment<\/td><td>Missing maintenance window or tags<\/td><\/tr><tr><td>Alerts not relevant to team<\/td><td>Ownership tags or scopes missing<\/td><\/tr><tr><td>Custom alert noisy<\/td><td>Threshold too sensitive, DQL query too broad<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">37. Practice questions<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Question 1<\/h2>\n\n\n\n<p>What is the primary focus of Dynatrace Administration Professional Certification?<\/p>\n\n\n\n<p>A. Writing application code<br>B. Managing and maintaining the Dynatrace SaaS platform for users<br>C. Designing logos<br>D. Replacing cloud providers<\/p>\n\n\n\n<p><strong>Answer: B. Managing and maintaining the Dynatrace SaaS platform for users<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 2<\/h2>\n\n\n\n<p>Where are users, groups, policies, SAML, SCIM, OAuth clients, and subscription views commonly managed?<\/p>\n\n\n\n<p>A. Account Management<br>B. PurePath only<br>C. Smartscape only<br>D. Browser DevTools<\/p>\n\n\n\n<p><strong>Answer: A. Account Management<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 3<\/h2>\n\n\n\n<p>In Dynatrace, users commonly inherit permissions through what?<\/p>\n\n\n\n<p>A. Group membership<br>B. Browser cookies only<br>C. Host CPU limits<br>D. Synthetic locations<\/p>\n\n\n\n<p><strong>Answer: A. Group membership<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 4<\/h2>\n\n\n\n<p>What do IAM policies define?<\/p>\n\n\n\n<p>A. Whether actions in Dynatrace are allowed<br>B. Which font dashboards use<br>C. Which host has the highest CPU<br>D. Which application is slow<\/p>\n\n\n\n<p><strong>Answer: A. Whether actions in Dynatrace are allowed<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 5<\/h2>\n\n\n\n<p>What is the purpose of SAML in Dynatrace?<\/p>\n\n\n\n<p>A. Federated authentication \/ SSO<br>B. Log storage<br>C. Trace analysis<br>D. Dashboard coloring<\/p>\n\n\n\n<p><strong>Answer: A. Federated authentication \/ SSO<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 6<\/h2>\n\n\n\n<p>What is the purpose of SCIM?<\/p>\n\n\n\n<p>A. Automated user and group provisioning<br>B. Distributed tracing<br>C. Data masking only<br>D. Host CPU monitoring<\/p>\n\n\n\n<p><strong>Answer: A. Automated user and group provisioning<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 7<\/h2>\n\n\n\n<p>Before configuring SAML or SCIM for an email domain, what must typically be completed?<\/p>\n\n\n\n<p>A. Domain verification<br>B. Dashboard creation<br>C. Synthetic clickpath recording<br>D. Log query execution<\/p>\n\n\n\n<p><strong>Answer: A. Domain verification<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 8<\/h2>\n\n\n\n<p>What is a platform token used for?<\/p>\n\n\n\n<p>A. Programmatic access to Dynatrace platform services<br>B. Restarting a host physically<br>C. Drawing topology manually<br>D. Creating user sessions<\/p>\n\n\n\n<p><strong>Answer: A. Programmatic access to Dynatrace platform services<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 9<\/h2>\n\n\n\n<p>Which credential type is commonly suitable for service-to-service automation?<\/p>\n\n\n\n<p>A. OAuth client<br>B. Manual tag<br>C. User action<br>D. Process group<\/p>\n\n\n\n<p><strong>Answer: A. OAuth client<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 10<\/h2>\n\n\n\n<p>What is Monaco?<\/p>\n\n\n\n<p>A. Dynatrace Configuration as Code CLI<br>B. A tracing span<br>C. A synthetic location<br>D. A license unit<\/p>\n\n\n\n<p><strong>Answer: A. Dynatrace Configuration as Code CLI<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 11<\/h2>\n\n\n\n<p>What is the Settings app used for?<\/p>\n\n\n\n<p>A. Centralized environment configuration<br>B. Only viewing user sessions<br>C. Only viewing dashboards<br>D. Only editing browser bookmarks<\/p>\n\n\n\n<p><strong>Answer: A. Centralized environment configuration<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 12<\/h2>\n\n\n\n<p>If a host-level setting and environment-level setting conflict, which generally takes precedence?<\/p>\n\n\n\n<p>A. The more specific host-level setting<br>B. The less specific environment-level setting<br>C. Neither setting<br>D. The oldest setting<\/p>\n\n\n\n<p><strong>Answer: A. The more specific host-level setting<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 13<\/h2>\n\n\n\n<p>What are tags used for?<\/p>\n\n\n\n<p>A. Organizing, filtering, alerting, and scoping entities<br>B. Encrypting all traffic<br>C. Replacing OneAgent<br>D. Running OAuth flows<\/p>\n\n\n\n<p><strong>Answer: A. Organizing, filtering, alerting, and scoping entities<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 14<\/h2>\n\n\n\n<p>What are management zones used for?<\/p>\n\n\n\n<p>A. Organizing environments and controlling access to scoped entities\/data<br>B. Installing the browser extension<br>C. Replacing ActiveGate<br>D. Creating API tokens only<\/p>\n\n\n\n<p><strong>Answer: A. Organizing environments and controlling access to scoped entities\/data<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 15<\/h2>\n\n\n\n<p>Which latest-platform concepts are important when moving beyond classic management zones?<\/p>\n\n\n\n<p>A. Segments and security context<br>B. Browser bookmarks<br>C. Local printer groups<br>D. Social media tags<\/p>\n\n\n\n<p><strong>Answer: A. Segments and security context<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 16<\/h2>\n\n\n\n<p>What is ActiveGate commonly used for?<\/p>\n\n\n\n<p>A. Secure routing\/proxying and integrations<br>B. Replacing OneAgent<br>C. Editing dashboards only<br>D. Increasing alert noise<\/p>\n\n\n\n<p><strong>Answer: A. Secure routing\/proxying and integrations<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 17<\/h2>\n\n\n\n<p>What are network zones used for?<\/p>\n\n\n\n<p>A. Modeling network structure and optimizing routing to ActiveGates<br>B. Creating user passwords<br>C. Querying logs only<br>D. Changing dashboard fonts<\/p>\n\n\n\n<p><strong>Answer: A. Modeling network structure and optimizing routing to ActiveGates<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 18<\/h2>\n\n\n\n<p>What is a Grail bucket used for?<\/p>\n\n\n\n<p>A. Storage, retention, and access organization for data<br>B. Drawing topology<br>C. Restarting ActiveGate<br>D. Creating users<\/p>\n\n\n\n<p><strong>Answer: A. Storage, retention, and access organization for data<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 19<\/h2>\n\n\n\n<p>What does OpenPipeline help administrators do?<\/p>\n\n\n\n<p>A. Filter, route, transform, enrich, and mask telemetry<br>B. Replace SAML<br>C. Create user accounts only<br>D. Install operating systems<\/p>\n\n\n\n<p><strong>Answer: A. Filter, route, transform, enrich, and mask telemetry<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 20<\/h2>\n\n\n\n<p>What is an alerting profile used for?<\/p>\n\n\n\n<p>A. Controlling which problems trigger notifications<br>B. Creating users<br>C. Installing OneAgent<br>D. Querying all logs<\/p>\n\n\n\n<p><strong>Answer: A. Controlling which problems trigger notifications<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 21<\/h2>\n\n\n\n<p>What do maintenance windows help with?<\/p>\n\n\n\n<p>A. Suppressing\/adjusting alerting and protecting baselines during maintenance<br>B. Creating OAuth clients<br>C. Storing credentials<br>D. Replacing dashboards<\/p>\n\n\n\n<p><strong>Answer: A. Suppressing\/adjusting alerting and protecting baselines during maintenance<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 22<\/h2>\n\n\n\n<p>What is the Credential vault used for?<\/p>\n\n\n\n<p>A. Secure storage of credentials for monitors and integrations<br>B. Storing all logs<br>C. Replacing IAM policies<br>D. Creating process groups<\/p>\n\n\n\n<p><strong>Answer: A. Secure storage of credentials for monitors and integrations<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 23<\/h2>\n\n\n\n<p>Which masking approach is strongest when data must never leave the monitored environment?<\/p>\n\n\n\n<p>A. Mask at capture<br>B. Mask only at display<br>C. Do not mask<br>D. Mask in a dashboard title<\/p>\n\n\n\n<p><strong>Answer: A. Mask at capture<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 24<\/h2>\n\n\n\n<p>Which licensing model is the current strategic model for latest Dynatrace platform consumption?<\/p>\n\n\n\n<p>A. Dynatrace Platform Subscription<br>B. Printer page count<br>C. Manual invoices only<br>D. Hostnames only<\/p>\n\n\n\n<p><strong>Answer: A. Dynatrace Platform Subscription<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 25<\/h2>\n\n\n\n<p>A Monaco deployment fails because it cannot write settings. What should you check first?<\/p>\n\n\n\n<p>A. Token\/OAuth scopes and user\/service-user policies<br>B. Dashboard color<br>C. User session duration<br>D. Browser clickpath screenshots<\/p>\n\n\n\n<p><strong>Answer: A. Token\/OAuth scopes and user\/service-user policies<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 26<\/h2>\n\n\n\n<p>A team can see services but cannot query logs. What should you check?<\/p>\n\n\n\n<p>A. Grail\/bucket\/log query permissions and IAM policies<br>B. Only CPU usage<br>C. Only host restart time<br>D. Only browser version<\/p>\n\n\n\n<p><strong>Answer: A. Grail\/bucket\/log query permissions and IAM policies<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 27<\/h2>\n\n\n\n<p>What should you use to reduce noisy production logs before storage?<\/p>\n\n\n\n<p>A. OneAgent log ingest rules or OpenPipeline<br>B. User profile settings<br>C. Browser font settings<br>D. Manual screenshots<\/p>\n\n\n\n<p><strong>Answer: A. OneAgent log ingest rules or OpenPipeline<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 28<\/h2>\n\n\n\n<p>Which feature can automate responses to problems or schedules?<\/p>\n\n\n\n<p>A. Workflows<br>B. Tags only<br>C. Hostnames only<br>D. User avatars<\/p>\n\n\n\n<p><strong>Answer: A. Workflows<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 29<\/h2>\n\n\n\n<p>What is the best practice for production automation credentials?<\/p>\n\n\n\n<p>A. Use service users \/ OAuth or scoped platform tokens with least privilege<br>B. Use a shared admin password in a script<br>C. Put tokens in Git<br>D. Use personal tokens without expiration for everything<\/p>\n\n\n\n<p><strong>Answer: A. Use service users \/ OAuth or scoped platform tokens with least privilege<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 30<\/h2>\n\n\n\n<p>A sudden log cost increase is reported. Which is a likely admin investigation path?<\/p>\n\n\n\n<p>A. Check new sources, ingest volume, retention, OpenPipeline, and query activity<br>B. Only check dashboard titles<br>C. Only check user profile photos<br>D. Only restart a browser<\/p>\n\n\n\n<p><strong>Answer: A. Check new sources, ingest volume, retention, OpenPipeline, and query activity<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">38. Final readiness checklist<\/h1>\n\n\n\n<p>You are ready for Administration Professional when you can explain and apply all of these without notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Account vs environment<\/li>\n\n\n\n<li>Account Management purpose<\/li>\n\n\n\n<li>Users and groups<\/li>\n\n\n\n<li>IAM policies<\/li>\n\n\n\n<li>Default vs custom policies<\/li>\n\n\n\n<li>Policy boundaries<\/li>\n\n\n\n<li>Effective permissions<\/li>\n\n\n\n<li>SAML setup flow<\/li>\n\n\n\n<li>SCIM setup flow<\/li>\n\n\n\n<li>Domain verification<\/li>\n\n\n\n<li>Fallback admin strategy<\/li>\n\n\n\n<li>Platform tokens<\/li>\n\n\n\n<li>OAuth clients<\/li>\n\n\n\n<li>Access tokens classic<\/li>\n\n\n\n<li>Service users<\/li>\n\n\n\n<li>Settings app<\/li>\n\n\n\n<li>Settings objects and schemas<\/li>\n\n\n\n<li>Settings scope and hierarchy<\/li>\n\n\n\n<li>Settings API<\/li>\n\n\n\n<li>Monaco<\/li>\n\n\n\n<li>Tags<\/li>\n\n\n\n<li>Management zones<\/li>\n\n\n\n<li>Segments<\/li>\n\n\n\n<li>Security context<\/li>\n\n\n\n<li>Host groups<\/li>\n\n\n\n<li>ActiveGate<\/li>\n\n\n\n<li>Network zones<\/li>\n\n\n\n<li>OneAgent monitoring modes<\/li>\n\n\n\n<li>OneAgent auto-update governance<\/li>\n\n\n\n<li>Log ingestion<\/li>\n\n\n\n<li>Grail buckets<\/li>\n\n\n\n<li>Retention<\/li>\n\n\n\n<li>OpenPipeline<\/li>\n\n\n\n<li>Sensitive data masking<\/li>\n\n\n\n<li>Credential vault<\/li>\n\n\n\n<li>DPS licensing<\/li>\n\n\n\n<li>Classic licensing concepts<\/li>\n\n\n\n<li>Subscription\/license usage views<\/li>\n\n\n\n<li>Cost allocation<\/li>\n\n\n\n<li>Alerting profiles<\/li>\n\n\n\n<li>Problem notifications<\/li>\n\n\n\n<li>Maintenance windows<\/li>\n\n\n\n<li>Anomaly detection<\/li>\n\n\n\n<li>Metric events<\/li>\n\n\n\n<li>DQL-based custom alerts<\/li>\n\n\n\n<li>Workflows<\/li>\n\n\n\n<li>Audit logs<\/li>\n\n\n\n<li>Dashboard and notebook governance<\/li>\n\n\n\n<li>SLO basics<\/li>\n\n\n\n<li>Extension and integration governance<\/li>\n\n\n\n<li>Platform health operations<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">39. Last-minute memory map<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Admin foundation:\n  Account \u2192 Environment \u2192 Users \u2192 Groups \u2192 Policies \u2192 Effective access\n\n<span class=\"hljs-attr\">Identity<\/span>:\n  SAML = SSO\n  SCIM = provisioning\n  Domain verification = prove ownership\n  Fallback admin = recovery path\n\nAutomation access:\n  Platform token = programmatic platform access\n  OAuth client = service-to-service automation\n  Classic token = older API access\n\n<span class=\"hljs-attr\">Configuration<\/span>:\n  Settings app = central config\n  Scope hierarchy = most specific wins\n  Monaco = config <span class=\"hljs-keyword\">as<\/span> code\n\n<span class=\"hljs-attr\">Organization<\/span>:\n  Tags = labels\n  Management zones = scoped classic entity access\n  Segments\/security context = latest access scoping\n\n<span class=\"hljs-attr\">Connectivity<\/span>:\n  ActiveGate = secure gateway\/proxy\n  Network zones = localize routing\n\nData governance:\n  Grail = storage\/query\n  Buckets = retention\/access\n  OpenPipeline = process\/filter\/route\/mask\/enrich\n\n<span class=\"hljs-attr\">Alerting<\/span>:\n  Anomaly \u2192 event \u2192 problem \u2192 alerting profile \u2192 notification\/workflow\n\n<span class=\"hljs-attr\">Privacy<\/span>:\n  Mask at capture when data must never leave environment\n  Credential vault <span class=\"hljs-keyword\">for<\/span> secrets\n\n<span class=\"hljs-attr\">Cost<\/span>:\n  Monitor ingest, retain, query, host scale, synthetic\/RUM, custom metrics, extensions\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">40. Final advice<\/h1>\n\n\n\n<p>For Administration Professional, do not study only individual features. Study how the platform is governed.<\/p>\n\n\n\n<p>A strong admin thinks like this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who owns this data?<\/li>\n\n\n\n<li>Who should access it?<\/li>\n\n\n\n<li>Which group and policy should grant access?<\/li>\n\n\n\n<li>Which tags, segments, or zones define scope?<\/li>\n\n\n\n<li>Which settings apply, and at what level?<\/li>\n\n\n\n<li>How is data collected, processed, stored, retained, and masked?<\/li>\n\n\n\n<li>How much will this cost?<\/li>\n\n\n\n<li>Who gets notified when something breaks?<\/li>\n\n\n\n<li>How can this be automated safely?<\/li>\n\n\n\n<li>How can we audit and recover from mistakes?<\/li>\n<\/ul>\n\n\n\n<p>That operating mindset is the core of Dynatrace Administration Professional readiness.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last verified: April 24, 2026Audience: Dynatrace administrators, platform owners, observability platform teams, SRE leads, operations teams, and anyone preparing for Dynatrace Administration Professional Certification. 0. What this guide is This&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-75231","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/75231","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=75231"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/75231\/revisions"}],"predecessor-version":[{"id":75232,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/75231\/revisions\/75232"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=75231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=75231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=75231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}