Role Based Access Control

Roles categorize users and define what account permissions those users have, such as what data they can read or what account assets they can modify. By default, Datadog offers three roles, and you can create custom roles so you can define a better mapping between your users and their permissions.

By granting permissions to roles, any user who is associated with that role receives that permission. When users are associated with multiple roles, they receive all the permissions granted to each of their roles. The more roles a user is associated with, the more access they have within a Datadog account.

Note If you use a SAML identity provider, you can integrate it with Datadog for authentication, and you can map identity attributes to Datadog default and custom roles. For more information, see Single Sign On With SAML.

Datadog default roles

Datadog Admin Role: Users have access to billing information and the ability to revoke API keys. They can manage users and configure read-only dashboards. They can also promote standard users to administrators.
Datadog Standard Role: Users are allowed to view and modify all monitoring features that Datadog offers, such as dashboards, monitors, events, and notebooks. Standard users can also invite other users to organizations.
Datadog Read Only Role: Users do not have access to edit within Datadog. This comes in handy when you’d like to share specific read-only views with a client, or when a member of one business unit needs to share a dashboard with someone outside their unit.

Custom roles

Creating and modifying custom roles is an opt-in Enterprise feature. Contact Datadog support to get it enabled for your account.

Manage your custom roles through the Datadog application, the Datadog Role API, or SAML directly. Find below how to create, update, delete a role. See the Datadog Role permissions documentation for more information about available permissions. Only users with the Access Management permission can create or edit roles in Datadog.

Create a custom role

You can create custom roles with:

Dropdown

To create a custom role:

Go to your Datadog Roles page.
Select New Role in the upper right corner of the page.
Give a name to your role.
Optional - Assigning a set of permissions to your Role. See the Datadog Role permissions documentation for more information about available permissions.

Once a role is created you can add this role to existing users.

Find an example of how to create a Role in the Datadog Create Role API documentation.

Update a role

Dropdown

To edit a custom role:

Go to your Datadog Roles page.
Select the edit button on the Role you would like to modify.
Modify the set of permissions to your Role. See the Datadog Role permissions documentation for more information about available permissions.
Save your changes.

Once a role is modified, permissions are updated for all users with the role.

Find an example of how to update a Role in the Datadog Create Role API documentation.

Delete a role

Dropdown

To delete a custom role:

Go to your Datadog Roles page.
Select the delete button on the Role you would like to delete.
Confirm your decision.

Once a role is deleted, permissions are updated for all users with the role. Users without any roles cannot use Datadog effectively, but still maintain limited access. You should always make sure users either have a Role or are disabled if they do not need access to your organization.

Find an example of how to delete a Role in the Datadog Create Role API documentation.

Restrict access to dashboards and monitors

Once you have RBAC roles set up, you can restrict access to dashboards and monitors by user role. For more information, see the Dashboard Permissions docs and the Monitors Permissions docs.

Datadog Docs