Datadog Role Permissions

Once your roles are created, assign or remove permission to this role directly by updating the role in the Datadog application, or through the Datadog Permission API. Find below a list of available permissions.

Overview

General permissions

General permissions provide the base level of access for your role. Advanced Permissions are explicitly defined permissions that augment the base permissions.

Permission Name	Description
admin	This permission gives to the role the ability to view and edit everything in your Datadog organization that does not have an explicitly defined permission. This includes billing and usage, API keys, and organization management. This permission is inclusive of all Standard Access permissions.
standard	This permission gives to the role the ability to view and edit components in your Datadog organization that do not have explicitly defined permissions. This includes APM, Events, and other non-Account Management functionality.

Note: There is no read-only permission as it is defined by the lack of both the admin and standard permissions for a role.

Advanced permissions

By default, existing users are already associated with one of the three out-of-the-box Datadog Admin, Standard, or Read-Only Roles, so all users already have permissions to read all data types, and Admin or Standard users already have write permissions on assets.

Note: When adding a new custom role to a user, make sure to remove the out-of-the-box Datadog role associated with that user in order to enforce the new role permissions.

In addition of the general permissions, it is possible to define more granular permissions for specific assets or data types. Permissions can be either global or scoped to a subset of elements. Find below the details of these options and the impact they have on each available permission.

Access Management

Find below the list of permissions for Access Management:

Name	Description	Scopable
`user_access_manage`	Grants the permission to disable users, manage user roles and SAML-to-role mappings.	false
`user_access_invite`	Allows users to invite other users to your organization.	false

API and application keys

The following permissions are available for API and application keys:

Name	Description	Scopable
`user_app_keys`	Grants the user the ability to create, view, and manage application keys they own.	false
`org_app_keys_read`	Grants the user the ability to list application keys owned by all users in the organization.	false
`org_app_keys_write`	Grants the user the ability to manage application keys owned by all users in the organization.	false

Dashboards

Find below the list of permissions for the dashboard assets:

Name	Description	Scopable
`dashboards_read`	Ability to view dashboards	false
`dashboards_write`	Ability to create and change dashboards	false
`dashboards_public_share`	Ability to share dashboards externally	false

Monitors

Find below the list of permissions for the monitor assets:

Name	Description	Scopable
`monitors_read`	Ability to view monitors	false
`monitors_write`	Ability to change, mute, and delete monitors	false
`monitors_downtime`	Ability to set downtimes for your monitors	false

Security Monitoring

Find below the list of permissions for the Security Monitoring assets:

Name	Description	Scopable
`security_monitoring_rules_read`	Ability to view detection rules	false
`security_monitoring_rules_write`	Ability to create, edit, and delete detection rules	false
`security_monitoring_signals_read`	Ability to view security signals	false

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

Name	Description	Scopable	Typical User
`logs_read_data`	Read access to log data	true	Read-Only
`logs_modify_indexes`	Update the definition of log indexes	false	Admin
`logs_write_facets`	Create, Update and Delete Log Facets	false	Standard
`logs_write_exclusion_filters`	Update indexes exclusion filters	true	Standard
`logs_write_pipelines`	Update log pipelines	false	Admin
`logs_write_processors`	Update the log processors in a pipeline	true	Standard
`logs_write_archives`	Update the external archives configuration	false	Admin
`logs_read_archives`	See archive configuration details, access content from the archive	true	Standard
`logs_write_historical_views`	Rehydrate data from Archives	false	Standard
`logs_public_config_api`	Access the Logs Public Config API (r/w)	false	Admin
`logs_generate_metrics`	Access the Generate Metrics feature	false	Standard

Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:

Name	Description	Scopable	Typical User
`logs_live_tail`	Access the live tail feature	false	Read-Only
`logs_read_index_data`	Read a subset log data (index based)	true	Read-Only

Dropdown

Once your roles are created, assign or remove permission to this role directly by updating the role in the Datadog application.

Once your roles are created, assign or remove permission to this role directly through the Datadog Permission API.

More details about these permissions below.

Log configuration access

logs_generate_metrics

Grants a role the ability to use the Generate Metrics feature.

This permission is global and enables both the creation of new metrics, and the edition or deletion of existing ones.

logs_write_facets

Grants a role the ability to use the Create, Edit, and Delete facets.

This permission is global and enables both the creation of new facets, and the edition or deletion of existing ones.

This permission has no effect on the management of standard attributes or aliasing facets.

logs_modify_indexes

Grants a role the ability to create and modify log indexes. This includes:

Setting indexes filters for which logs should be routed into an index.
Setting log retention for an index.
Granting another role the Logs Read Index Data and Logs Write Exclsion Filters permissions, scoped for a specific index.

This permission is global and enables both the creation of new indexes, and the edition of existing ones.

Note: This permission also grants Logs Read Index Data and Logs Write Exlcusion Filters permissions behind the scenes.

logs_write_exclusion_filters

Grants a role the ability to create or modify exclusion filters within an index.

This permission can be assigned either globally or restricted to a subset of indexes.

Subset of indexes:

Dropdown

Remove the global permission on the role.
Grant this permission to the role in [the Index page of the Datadog app][2] by editing an index and adding a role to the “Grant editing Exclusion Filters of this index to” field (screenshot below).

This configuration is only supported through the UI.

logs_write_pipelines

Grants a role the ability to create and modify log processing pipelines. This includes:

Setting the name of the pipeline
Setting pipelines filters for what logs should enter the processing pipeline
Reorder pipelines
Granting another role the Logs Write Processors permission, scoped for that pipeline

Note: This permission also grants Logs Write Processors (for all processors on all pipelines) permissions behind the scenes.

logs_write_processors

Grants a role the ability to create, edit or delete processors and nested pipelines12.

This permission can be assigned either globally or restricted to a subset of pipelines.

Dropdown

Assign the role(s) in the modal of a specific pipeline.

Preliminary,

Get the Roles ID of the role you want to assign to specific pipelines.
Get the Permission ID for the logs_write_processors permission API for your region.
Get the Pipeline ID(s) of the pipeline(s) you want to assign this role on.
Grant permission to that role with the following call:

curl -X POST \
        https://app.datadoghq.com/api/v1/role/<ROLE_UUID>/permission/<PERMISSION_UUID> \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: <YOUR_DATADOG_API_KEY>" \
        -H "DD-APPLICATION-KEY: <YOUR_DATADOG_APPLICATION_KEY>" \
        -d '{
                "scope": {
                    "pipelines": [ "<PIPELINE-X_ID>", "<PIPELINE-Y_ID>"]
                }
            }'

logs_write_archives

Grants the ability to create, edit or delete Log Archives. This includes:

Setting archives filters for what logs should be routed to the archive
Setting the name of the archive
Reordering archives
Restricting the Logs Read Archives permission to a subset of roles.

This permission is global and enables the creation of new archives, and the edition and deletion of existing ones.

logs_read_archives

Grants the ability to access the details of the archive configuration. In conjunction with Logs Write Historical Views, this permission also grants the ability to trigger a Rehydration from Archives.

This permission can be scoped to a subset of archives. An archive with no restrictions is accessible to anyone who belongs to a role with the logs_read_archives permission. An archive with restrictions is only accessible to the users who belong to one of the registered roles, provided theses roles have the logs_read_archives permission.

In the following example, assuming all roles but Guest have the logs_read_archive permission:

Staging is accessible to all users, except users that only belong to the Guest role.
Prod is accessible to all users belonging to Customer Support.
Security-Audit is not accessible to users who belong to Customer Support, unless they also belong to Audit & Security.

Dropdown

Proceed to archive creation, or update at any moment while editing the archive.

Use the Logs Archive API either to assign or revoke a role from a given Archive.

logs_write_historical_views

Grants the ability to write historical views, meaning to trigger a Log Rehydration*.

This permission is global. It enables users to trigger a rehydration for archives on which they have Logs Read Archive permission.

In the example above:

ADMIN Role members can rehydrate from the Audit Archive, as they have the Write Historical View (Rehydrate) permission, as well as the Read Archive permission on that archive.
AUDIT Role members cannot rehydrate from the Audit Archive, as they do not have the Write Historical View (Rehydrate) permission.
PROD Role members cannot rehydrate from the Audit Archive, as they do not have the Read Archive permission.

When assigning team:audit tags on all logs rehydrated from the Audit Archive, make sure that Audit role members who are restricted to read team:auditlogs can only access rehydrated content. For more details on how to add tags and rehydration, see the Log Archive Setup section.

For service:ci-cd logs that are rehydrated from the Prod Archive, note the following:

If you do not use the Log Read Index Data legacy permission, these logs are accessible for CI-CD role members.
If you do use the Log Read Index Data legacy permission, these logs are not accessible for CI-CD role members, as the resulting historical view is restricted to PROD and ADMIN role members.

logs_public_config_api

Grants the ability to create or modify log configuration through the Datadog API:

Configure Archives through the API
Configure Indexes through the API
Configure Pipelines through the API
Configure Restriction Queries through the API

The Log Public Configuration API permission only grants the permission to operate actions through API. For instance, a user without Log Write Exclusion Filter Permission cannot update sampling rate through API, even if granted The Log Public Configuration API permission.

Log data access

Grant the following permissions to manage read access on subsets of log data:

Logs Read Data (Recommended) offers finer grained access control by restricting a role’s access to logs matching a log restriction queries.
Logs Read Index Data is the legacy approach to restrict data access to indexed log data on a per-index basis (it is still required to have this permission enabled to access indexed data).

logs_read_data

Read access to log data. If granted, other restrictions then apply such as logs_read_index_data or with restriction query.

Roles are additive: if a user belongs to multiple roles, the data they have access to is the union of all the permissions from each of the roles.

Example:

If a user belongs to a role with log read data and also belongs to a role without log read data, then they have the permission to read data.
If a user is restricted to service:sandbox through one role, and is restricted to env:prod through another role, then the user can access all env:prod and service:sandbox logs.

Dropdown

To restrict users so they see no more than logs matching a restriction query, use the Data Access page in the Datadog App to:

Create a restriction query.
Assign one or multiple roles to that restriction query.
Check what roles and users are assigned to which restriction queries.

This view lists:

Restricted Access section: all the restriction queries, and what role(s) are attached to them,
Unrestricted Access section: all roles that have log_read_data permission with no further restrictions,
No Access section: all roles that does not have the log_read_data permission.

Create a restriction query

Create a new restriction query defining its query filter. The new query appears in the list of restrictions with no role attached to it.

Assign a role to a restriction query

Pick the role wherever it stands, and assign it to the intended restriction query.

Note: Keep in mind that a role can be assigned no more than one restriction query. Meaning, when you assign a role to a restriction query, it loses connection to the restriction query it was already attached to.

Likewise, use the same “Move” interaction to grant Unrestricted Access to a Role, or conversely to turn it into a No Access role.

Check restriction queries

This page won’t display more than 50 restriction queries at once, and more than 50 roles per section. In case you have hundreds if not thousands of roles and restriction queries, use the filters to scope this view down:

with the restriction query filter:

with the role filter:

with the user filter, which is a convenient way to see what a specific user belonging to multiple roles actually has access to:

Revoke or grant this permission from a role via the Roles API. Use Restriction Queries to scope the permission to a subset of Log Data.

Legacy permissions

These permissions are globally enabled by default for all users.

Logs Read Data permission comes on top of these legacy permissions. For instance, say a user is restricted to the query service:api.

If this user has scoped Read Index Data permission on audit and errors indexes, this user only sees service:api logs within these indexes.
If this user has livetail permission, this users sees only sees service:api logs in the livetail.

logs_read_index_data

Grants a role read access on some number of log indexes. Can be set either globally or limited to a subset of log indexes.

To scope this permission to a subset of indexes, first remove the logs_read_index_data and logs_modify_indexes permissions on the role. Then

Dropdown

Grant this role access to the index in Configuration page.

Grant read access for indexes to specific roles

Get the Roles ID of the role you want to assign to specific pipelines.
Get the Permission ID for the logs_write_processors permission API for your region.
Get the Index ID(s) of the pipeline(s) you want to assign this role on.
Grant permission to that role with the following call:

curl -X POST \
        https://app.datadoghq.com/api/v1/role/<ROLE_UUID>/permission/<PERMISSION_UUID> \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: <YOUR_DATADOG_API_KEY>" \
        -H "DD-APPLICATION-KEY: <YOUR_DATADOG_APPLICATION_KEY>" \
        -d '{
                "scope": {
                    "indexes": ["<INDEX-1_ID>",["<INDEX-2_ID>"]
                }
            }'