Datadog Role Permissions

After creating a role, assign or remove permissions to this role directly by updating the role in Datadog, or through the Datadog Permission API. Find below a list of available permissions.


General permissions

General permissions provide the base level of access for your role. Advanced Permissions are explicitly defined permissions that augment the base permissions.

adminDeprecated. Privileged Access (also known as Admin permission) has been replaced by more specific permissions: Access Management, Org Management, Billing Read/Write, Usage Read/Write.
standardView and edit components in your Datadog organization that do not have explicitly defined permissions. This includes configuring events, facets (except logs), and saved views.

Note: There is no read-only permission as it is defined by the lack of the standard permission for a role.

Advanced permissions

By default, existing users are associated with one of the three out-of-the-box roles:

  • Datadog Admin
  • Datadog Standard
  • Datadog Read-Only.

All users can read all data types. Admin and Standard users have write permissions on assets.

Note: When adding a new custom role to a user, make sure to remove the out-of-the-box Datadog role associated with that user in order to enforce the new role permissions.

In addition to the general permissions, you can define more granular permissions for specific assets or data types. Permissions can be either global or scoped to a subset of elements. Find below the details of these options and the impact they have on each available permission.

API and Application Keys

Find below the list of permissions for the api and application keys assets:

user_app_keysView and manage Application Keys owned by the user.false
org_app_keys_readView Application Keys owned by all users in the organization.false
org_app_keys_writeManage Application Keys owned by all users in the organization.false
api_keys_readList and retrieve the key values of all API Keys in your organization.false
api_keys_writeCreate, rename, and revoke API Keys for your organization.false


Find below the list of permissions for the apm assets:

apm_readRead and query APM and Trace Analytics.false
apm_retention_filter_readRead trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info.false
apm_retention_filter_writeCreate, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete to existing retention filters.false
apm_service_ingest_readAccess service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info.false
apm_service_ingest_writeEdit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service.false
apm_apdex_manage_writeSet Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page.false
apm_tag_management_writeEdit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page.false
apm_primary_operation_writeEdit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page.false
debugger_writeEdit Dynamic Instrumentation configuration.false
debugger_readView Dynamic Instrumentation configuration.false
apm_generate_metricsCreate custom metrics from spans.false
apm_pipelines_writeAdd and change APM pipeline configurations.false
apm_pipelines_readView APM pipeline configurations.false
apm_service_catalog_writeAdd, modify, and delete service catalog definitions when those definitions are maintained by Datadog.false
apm_service_catalog_readView service catalog and service definitions.false
apm_remote_configuration_writeEdit APM Remote Configuration.false
apm_remote_configuration_readView APM Remote Configuration.false
continuous_profiler_readView data in Continuous Profiler.false

Access Management

Find below the list of permissions for the access management assets:

user_access_inviteInvite other users to your organization.false
user_access_manageDisable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries.false
service_account_writeCreate, disable, and use Service Accounts in your organization.false
org_managementEdit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.false

Billing and Usage

Find below the list of permissions for the billing and usage assets:

billing_readView your organization's subscription and payment method but not make edits.false
billing_editManage your organization's subscription and payment method.false
usage_readView your organization's usage and usage attribution.false
usage_editManage your organization's usage attribution set-up.false
usage_notifications_readReceive notifications and view currently configured notification settings.false
usage_notifications_writeReceive notifications and configure notification settings.false

CI Visibility

Find below the list of permissions for the ci visibility assets:

ci_visibility_readView CI Visibility.false
ci_visibility_writeCreate, edit and delete CI Visibility tests and pipelines.false
ci_provider_settings_writeEdit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection.false
ci_visibility_settings_writeConfigure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services.false
intelligent_test_runner_activation_writeEnable or disable Intelligent Test Runner.false
intelligent_test_runner_settings_writeEdit Intelligent Test Runner settings, such as modifying ITR excluded branch list.false

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

incident_readView incidents in Datadog.false
incident_writeCreate, view, and manage incidents in Datadog.false
incident_settings_readView Incidents settings.false
incident_settings_writeConfigure Incidents settings.false
incidents_private_global_accessAccess all private incidents in Datadog, even when not added as a responder.false
cases_readView Cases.false
cases_writeCreate and update cases.false
incident_notification_settings_readView Incidents Notification settings.false
incident_notification_settings_writeConfigure Incidents Notification settings.false

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

security_monitoring_rules_readRead Detection Rules.false
security_monitoring_rules_writeCreate and edit Detection Rules.false
security_monitoring_signals_readView Security Signals.false
security_monitoring_signals_writeModify Security Signals.false
security_monitoring_filters_readRead Security Filters.false
security_monitoring_filters_writeCreate, edit, and delete Security Filters.false
appsec_event_rule_readView Application Security Management Event Rules.false
appsec_event_rule_writeEdit Application Security Management Event Rules.false
security_monitoring_notification_profiles_readRead Notification Rules.false
security_monitoring_notification_profiles_writeCreate, edit, and delete Notification Rules.false
security_monitoring_cws_agent_rules_readRead Cloud Workload Security Agent Rules.false
security_monitoring_cws_agent_rules_writeCreate, edit, and delete Cloud Workload Security Agent Rules.false
appsec_protect_readView blocked attackers.false
appsec_protect_writeManage blocked attackers.false
appsec_activation_readView whether Application Security Management is enabled or disabled on services.false
appsec_activation_writeEnable or disable Application Security Management on services.false


Find below the list of permissions for the compliance assets:

audit_logs_readView Audit Trail in your organization.false
audit_logs_writeConfigure Audit Trail in your organization.false
data_scanner_readView Data Scanner configurations.false
data_scanner_writeEdit Data Scanner configurations.false


Find below the list of permissions for the dashboards assets:

dashboards_readView dashboards.false
dashboards_writeCreate and change dashboards.false
dashboards_public_shareGenerate public and authenticated links to share dashboards externally.false
generate_dashboard_reportsSchedule custom reports from a dashboard. These reports will display any viewable data regardless of any granular restrictions (restriction queries, scoped indexes) applied to the report's creator.false


Find below the list of permissions for the integrations assets:

integrations_apiDeprecated. Use the Integrations APIs to configure integrations. In order to configure integrations from the UI, a user must also have Standard Access.false
manage_integrationsInstall, uninstall, and configure integrations.false

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

logs_modify_indexesRead and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes.false
logs_write_exclusion_filtersAdd and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope.true
logs_write_pipelinesAdd and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines.false
logs_write_processorsAdd and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope.true
logs_write_archivesAdd and edit Log Archives.false
logs_generate_metricsCreate custom metrics from logs.false
logs_read_dataRead log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product.true
logs_read_archivesRead Log Archives location and use it for rehydration.true
logs_write_historical_viewRehydrate logs from Archives.false
logs_write_facetsCreate or edit Log Facets.false
logs_delete_dataDelete data from your Logs, including entire indexes.false
logs_write_forwarding_rulesAdd and edit forwarding destinations and rules for logs.false

Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:

logs_live_tailAccess the live tail featurefalse
logs_read_index_dataRead a subset log data (index based)true


Find below the list of permissions for the metrics assets:

metric_tags_writeEdit and save tag configurations for custom metrics.false


Find below the list of permissions for the monitors assets:

monitors_readView monitors.false
monitors_writeEdit, mute, and delete individual monitors.false
monitors_downtimeSet downtimes to suppress alerts from any monitor in an organization. The ability to write monitors is not required to set downtimes.false
monitor_config_policy_writeCreate, update, and delete monitor configuration policies.false


Find below the list of permissions for the notebooks assets:

notebooks_readView notebooks.false
notebooks_writeCreate and change notebooks.false

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

observability_pipelines_readView pipeline configurations.false
observability_pipelines_writeCreate, edit, and delete pipeline configurations.false

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

rum_apps_writeCreate, edit, and delete RUM Applications.false
rum_apps_readView RUM Applications data.false
rum_session_replay_readView Session Replays.false
rum_generate_metricsCreate custom metrics from RUM events.false

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

slos_readView SLOs and status corrections.false
slos_writeCreate, edit, and delete SLOs.false
slos_correctionsApply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs.false

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

synthetics_private_location_readView, search, and use Synthetics private locations.false
synthetics_private_location_writeCreate and delete private locations in addition to having access to the associated installation guidelines.false
synthetics_global_variable_readView, search, and use Synthetics global variables.false
synthetics_global_variable_writeCreate, edit, and delete global variables for Synthetics.false
synthetics_readList and view configured Synthetic tests and test results.false
synthetics_writeCreate, edit, and delete Synthetic tests.false
synthetics_default_settings_readView the default settings for Synthetic Monitoring.false
synthetics_default_settings_writeEdit the default settings for Synthetic Monitoring.false


Find below the list of permissions for the teams assets:

teams_manageManage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission.false


Find below the list of permissions for the watchdog assets:

watchdog_insights_readView Watchdog Insights.false


Find below the list of permissions for the workflows assets:

workflows_readView workflows.false
workflows_writeCreate, edit, and delete workflows.false
workflows_runRun workflows.false
connections_readList and view available connections. Connections contain secrets that cannot be revealed.false
connections_writeCreate and delete connections.false
connections_resolveResolve connections.false

Further reading

*Log Rehydration is a trademark of Datadog, Inc.