Datadog Role permissions

Once your roles are created, assign or remove permissions for a role directly by updating the role in the Datadog application, or through the Datadog Permission API. The available permissions are listed below.

Overview

General Permissions

General permissions provide the base level of access for your role. Advanced Permissions are explicitly defined permissions that augment the base permissions.

  • admin: Gives the role the ability to view and edit everything in your Datadog organization that does not have an explicitly defined permission. This includes billing and usage, user, key, role, permission, and organization management. This permission is inclusive of all Standard Access permissions.
  • standard: Gives the role the ability to view and edit components in your Datadog organization that do not have explicitly defined permissions. This includes APM, Events, and other non-Account Management functionality.

Note: There is no separate read-only permission; read-only access is defined by the absence of both the admin and standard permissions on a role.

Advanced Permissions

By default, existing users are already associated with one of the three out-of-the-box Datadog roles (Admin, Standard, or Read-Only), so all users already have permission to read all data types, and Admin or Standard users already have write permissions on assets.

Note: When adding a new custom role to a user, make sure to remove the out-of-the-box Datadog role associated with that user in order to enforce the new role permissions.

In addition to the general permissions, it is possible to define more granular permissions for specific assets or data types. Permissions can be either global or scoped to a subset of elements. The details of these options, and their impact on each available permission, are given below.

Dashboards

Find below the list of permissions for the dashboard assets:

  • dashboards_read: Ability to view dashboards (scopable: false)
  • dashboards_write: Ability to create and change dashboards (scopable: false)
  • dashboards_public_share: Ability to share dashboards externally (scopable: false)

Monitors

Find below the list of permissions for the monitor assets:

  • monitors_read: Ability to view monitors (scopable: false)
  • monitors_write: Ability to change, mute, and delete monitors (scopable: false)
  • monitors_downtime: Ability to set downtimes for your monitors (scopable: false)

Log Management

Find below the list of permissions for the log configuration assets and log data:

  • logs_read_data: Read access to log data. If granted, further restrictions still apply (such as logs_read_index_data or a restriction query). (scopable: true)
  • logs_read_index_data: Read a subset of log data, selected by index (scopable: true)
  • logs_modify_indexes: Update the definition of log indexes (scopable: false)
  • logs_live_tail: Access the Live Tail feature (scopable: false)
  • logs_write_exclusion_filters: Update a subset of the exclusion filters (scopable: true)
  • logs_write_pipelines: Update a subset of the log pipelines (scopable: true)
  • logs_write_processors: Update the log processors in a pipeline (scopable: true)
  • logs_write_archives: Update the external archives configuration (scopable: false)
  • logs_public_config_api: Access the Logs Public Config API (read/write) (scopable: false)
  • logs_generate_metrics: Access the Generate Metrics feature (scopable: false)

More details about these permissions below.

Log Configuration Access

logs_generate_metrics

Grants a role the ability to use the Generate Metrics feature. This permission is global and applies to the configuration of all the metrics generated from logs.

Go to your Datadog Roles page and select the other checkbox for the desired role.

This permission can be granted or revoked from a role via the Roles API.

logs_modify_indexes

Grants a role the ability to create and modify log indexes. This includes:

  • Setting inclusion queries for which logs should be routed into an index.
  • Setting log retention for an index.
  • Limiting which roles have read access on an index (logs_read_index_data).
  • Limiting which roles can modify exclusion filters for an index (logs_write_exclusion_filters).

Note: This permission also grants read access on all log indexes and write permissions on all index exclusion filters.

Go to your Datadog Roles page and select the other checkbox for the desired role.

This permission can be granted or revoked from a role via the Roles API.

logs_write_exclusion_filters

Grants a role the ability to create or modify exclusion filters within an index. This can be assigned either globally or restricted to a subset of indexes.

Global access:

Go to your Datadog Roles page and select the write checkbox for the desired role.

Subset of indexes:

  1. Remove the global permission on the role.
  2. Grant this permission to the role in the Processing Pipelines page of the Datadog app by editing an index and adding a role to the “Grant editing Exclusion Filters of this index to” field (screenshot below).

This permission can be granted or revoked from a role via the Roles API.

logs_write_pipelines

Grants a role the ability to create and modify log processing pipelines. This includes setting matching filters for what logs should enter the processing pipeline, setting the name of the pipeline, and limiting which roles have write access on the processors within that pipeline (logs_write_processors).

Go to your Datadog Roles page and select the other checkbox for the desired role.

This permission can be granted or revoked from a role via the Roles API.

To grant write access to only two processing pipelines whose IDs are abcd-1234 and bcde-2345 respectively:

  1. Remove the global logs_write_pipelines permission on the role if already assigned.
  2. Get the UUID of the role you want to modify.
  3. Use the Get Permission API to find the logs_write_pipelines permission UUID for your region.
  4. Grant permission to that role with the following call:

    curl -X POST \
        https://app.datadoghq.com/api/v1/role/<ROLE_UUID>/permission/<PERMISSION_UUID> \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: <YOUR_DATADOG_API_KEY>" \
        -H "DD-APPLICATION-KEY: <YOUR_DATADOG_APPLICATION_KEY>" \
        -d '{
                "scope": {
                    "pipelines": [
                        "abcd-1234",
                        "bcde-2345"
                    ]
                }
            }'

logs_write_processors

Grants a role the ability to create or modify the processors within a processing pipeline.

Global access:

Go to your Datadog Roles page and select the write checkbox for the desired role.

Subset of Pipelines:

  1. Remove the logs_write_processors and logs_write_pipelines permissions on the role.
  2. This permission can be granted to a role in the Processing Pipelines page of the Datadog app by editing a processing pipeline and adding a role to the “Grant editing Processors of this index to” field (screenshot below).

This permission can be granted or revoked from a role via the Roles API.

logs_write_archives

Grants the ability to create or modify log archives.

Go to your Datadog Roles page and select the other checkbox for the desired role.

This permission can be granted or revoked from a role via the Roles API.

logs_public_config_api

Grants the ability to create or modify log configuration through the Datadog API.

Go to your Datadog Roles page and select the other checkbox for the desired role.

This permission can be granted or revoked from a role via the Roles API.

Log Data Access

Grant the following permissions to manage read access on subsets of log data:

  • logs_read_data (recommended) offers finer-grained access control by restricting a role's access to the logs matching a restriction query.
  • logs_read_index_data is the alternative approach: it restricts data access to indexed log data on a per-index basis.

These permissions can also be used together. A role can restrict the user to a subset of indexes and additionally apply a restriction query to limit access within these indexes.

Example: User A has access to the audit and errors indexes and is restricted to the query service:api. In Log Explorer, this user only sees logs matching service:api that are stored in the audit and errors indexes.

In addition, access to the Live Tail can be restricted with the logs_live_tail permission regardless of the data access restriction of the user.

logs_read_data

Read access to log data. If granted, further restrictions still apply, such as logs_read_index_data or a restriction query.

“Role combinations are permissive. If a user belongs to multiple roles, the most permissive role is applied.”

Example:

  • If a user belongs to a role with log read data and also belongs to a role without log read data, then they have the permission to read data.
  • If a user is restricted to service:sandbox through one role and is restricted to env:staging through another role, then the user can access all env:staging and service:sandbox logs.
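As an added illustration (not Datadog's code) of the combination rules above and of the User A example earlier in this section, the following Python models a user's roles and evaluates which sample logs they can see: within one role the index subset and the restriction query apply together, and across roles the result is OR-ed so the most permissive role wins. The key:value query syntax, the Role and Log classes and the sample logs are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Role:
    name: str
    logs_read_data: bool = False
    restriction_query: Optional[str] = None  # None: no restriction query on this role
    indexes: Optional[Set[str]] = None       # None: logs_read_index_data is global

@dataclass
class Log:
    index: str
    tags: Dict[str, str]

def matches(query: str, log: Log) -> bool:
    """Constructed query syntax: a space-separated conjunction of key:value terms."""
    for term in query.split():
        key, _, value = term.partition(":")
        if log.tags.get(key) != value:
            return False
    return True

def role_grants(role: Role, log: Log) -> bool:
    """Within a single role, the index subset and the restriction query both apply."""
    if not role.logs_read_data:
        return False
    if role.indexes is not None and log.index not in role.indexes:
        return False
    return role.restriction_query is None or matches(role.restriction_query, log)

def can_read(roles: List[Role], log: Log) -> bool:
    """Across roles the combination is permissive: one granting role is enough."""
    return any(role_grants(role, log) for role in roles)

def visible(roles: List[Role], logs: List[Log]) -> List[Log]:
    return [log for log in logs if can_read(roles, log)]

# Constructed data reproducing the page's "User A" example: indexes audit and
# errors, restriction query service:api.
USER_A_ROLES = [Role("user-a", logs_read_data=True, restriction_query="service:api",
                     indexes={"audit", "errors"})]
SAMPLE_LOGS = [
    Log("audit", {"service": "api"}),
    Log("errors", {"service": "api", "env": "staging"}),
    Log("main", {"service": "api"}),   # matches the query but is outside the indexes
    Log("audit", {"service": "web"}),  # inside the indexes but fails the query
]
```

Running `visible(USER_A_ROLES, SAMPLE_LOGS)` returns only the first two sample logs, and combining a role without logs_read_data with one that has it still grants read access, as the bullets above describe.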

Grant global read access to log data:

Go to your Datadog Roles page and select the read checkbox for the desired role.

Restrict read access to a subset of logs:

This configuration is only supported through the API.

Revoke or grant this permission from a role via the Roles API. Use Restriction Queries to scope the permission to a subset of Log Data.

logs_read_index_data

Grants a role read access to log indexes. It can be set either globally or limited to a subset of log indexes.

Global access:

Go to your Datadog Roles page and select the read checkbox for the desired role.

Subset of Indexes:

  1. Remove the logs_read_index_data and logs_modify_indexes permissions on the role.
  2. This permission can be granted to a role in the Index Configuration page of the Datadog app by editing an index and adding a role to the “Grant access of this index’s content to” field.

This permission can be granted or revoked from a role via the Roles API. For example, to grant read access only on two indexes named main and support to a role, your API call looks like this:

  1. Remove the global logs_read_index_data permission on the role if already assigned.
  2. Get the UUID of the role you want to modify.
  3. Use the Get Permission API to find the logs_read_index_data permission UUID for your region.
  4. Grant permission to that role with the following call:

    curl -X POST \
        https://app.datadoghq.com/api/v1/role/<ROLE_UUID>/permission/<PERMISSION_UUID> \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: <YOUR_DATADOG_API_KEY>" \
        -H "DD-APPLICATION-KEY: <YOUR_DATADOG_APPLICATION_KEY>" \
        -d '{
                "scope": {
                    "indexes": [
                        "main",
                        "support"
                    ]
                }
            }'

logs_live_tail

Grants a role the ability to use the Live Tail feature.

Go to your Datadog Roles page and select the read checkbox for the desired role.

This permission can be granted or revoked from a role via the Roles API.
