Datadog Role Permissions

After creating a role, assign or remove its permissions directly by updating the role in Datadog, or through the Datadog Permission API. The available permissions are listed below.

Overview

General permissions

General permissions provide the base level of access for your role. Advanced Permissions are explicitly defined permissions that augment the base permissions.

| Name | Description | Scopable |
| --- | --- | --- |
| admin | This permission gives you the ability to view and edit everything in your Datadog organization that does not have an explicitly defined permission. This includes organization settings and SAML management. This permission is inclusive of all Standard access permissions. | false |
| standard | This permission gives you the ability to view and edit components in your Datadog organization that do not have explicitly defined permissions. This includes Notebooks, Events, and other non-Account Management functionality. | false |

Note: There is no read-only permission as it is defined by the lack of both the admin and standard permissions for a role.

Advanced permissions

By default, existing users are already associated with one of the three out-of-the-box Datadog Admin, Standard, or Read-Only Roles, so all users already have permissions to read all data types, and Admin or Standard users already have write permissions on assets.

Note: When adding a new custom role to a user, make sure to remove the out-of-the-box Datadog role associated with that user in order to enforce the new role permissions.
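The following audit sketch illustrates the two notes above; it is an added example, not Datadog code. It assumes that a user's effective permissions are the union of the permissions of all assigned roles, and the role names, role contents and user assignments are constructed sample data (only the permission names come from this page).

```python
# Assumed display names for the three out-of-the-box roles.
OOTB_ROLES = {"Datadog Admin Role", "Datadog Standard Role", "Datadog Read Only Role"}

# Constructed role definitions using permission names from this page.
ROLES = {
    "Datadog Admin Role": {"admin", "standard", "api_keys_write", "user_access_manage"},
    "Datadog Standard Role": {"standard", "dashboards_write", "monitors_write", "logs_read_data"},
    "Datadog Read Only Role": {"dashboards_read", "monitors_read", "logs_read_data"},
    "log-viewer": {"logs_read_data", "dashboards_read"},  # custom role
}

# Constructed user -> role assignments.
USERS = {
    "alice": ["log-viewer"],
    "bob": ["log-viewer", "Datadog Standard Role"],  # out-of-the-box role left in place
    "carol": ["Datadog Admin Role"],
}

def effective_permissions(role_names, roles=ROLES):
    """Union of the permissions of every assigned role (assumed additive model)."""
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms

def access_level(perms):
    """Base access level: read-only is the absence of both admin and standard."""
    if "admin" in perms:
        return "admin"
    if "standard" in perms:
        return "standard"
    return "read-only"

def shadowed_custom_roles(users=USERS, roles=ROLES):
    """Users whose custom role is widened by a leftover out-of-the-box role."""
    findings = {}
    for user, assigned in users.items():
        custom = [r for r in assigned if r not in OOTB_ROLES]
        ootb = [r for r in assigned if r in OOTB_ROLES]
        if not custom or not ootb:
            continue  # nothing to compare: only one kind of role assigned
        extra = effective_permissions(ootb, roles) - effective_permissions(custom, roles)
        if extra:
            findings[user] = sorted(extra)  # permissions the custom role did not intend
    return findings
```

Each entry returned by `shadowed_custom_roles()` is a user whose custom role is not actually enforced, together with the permissions that the remaining out-of-the-box role still grants.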

In addition to the general permissions, it is possible to define more granular permissions for specific assets or data types. Permissions can be either global or scoped to a subset of elements. Find below the details of these options and the impact they have on each available permission.

API and Application Keys

Find below the list of permissions for the API and application keys assets:

| Name | Description | Scopable |
| --- | --- | --- |
| user_app_keys | The ability to view and manage Application Keys owned by the user. | false |
| org_app_keys_read | The ability to view Application Keys owned by all users in the organization. | false |
| org_app_keys_write | The ability to manage Application Keys owned by all users in the organization. | false |
| api_keys_read | The ability to list and retrieve the key values of all API Keys in your organization. | false |
| api_keys_write | The ability to create, rename, and revoke API Keys for your organization. | false |

APM

Find below the list of permissions for the APM assets:

| Name | Description | Scopable |
| --- | --- | --- |
| apm_read | The ability to read and query APM and Trace Analytics. | false |
| apm_retention_filter_read | The ability to read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. | false |
| apm_retention_filter_write | The ability to create, edit and delete trace retention filters. A user with this permission can create new retention filters, and update or delete existing retention filters. | false |
| apm_service_ingest_read | The ability to access Service Ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info. | false |
| apm_service_ingest_write | The ability to edit Service Ingestion pages root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. | false |
| apm_apdex_manage_write | The ability to set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. | false |
| apm_tag_management_write | The ability to edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. | false |
| apm_primary_operation_write | The ability to edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and can modify the operation name controller on the service page. | false |
| apm_generate_metrics | The ability to create custom metrics from spans. | false |

Access Management

Find below the list of permissions for the access management assets:

| Name | Description | Scopable |
| --- | --- | --- |
| user_access_invite | Allows users to invite other users to your organization. | false |
| user_access_manage | Grants the permission to disable users, manage user roles and SAML-to-role mappings. | false |
| service_account_write | The ability to create, disable and use Service Accounts in your organization. | false |
| data_scanner_read | View data scanner configuration. | false |
| data_scanner_write | Edit data scanner configuration. | false |

Application Security

Find below the list of permissions for the application security assets:

| Name | Description | Scopable |
| --- | --- | --- |
| appsec_event_rule_read | The ability to view Application Security Event Rules. | false |
| appsec_event_rule_write | The ability to edit Application Security Event Rules. | false |

Billing and Usage

Find below the list of permissions for the billing and usage assets:

| Name | Description | Scopable |
| --- | --- | --- |
| billing_read | The ability to view your organization's subscription and payment method but not make edits. | false |
| billing_edit | The ability to manage your organization's subscription and payment method. | false |
| usage_read | The ability to view your organization's usage and usage attribution. | false |
| usage_edit | The ability to manage your organization's usage attribution set-up. | false |

Dashboards

Find below the list of permissions for the dashboards assets:

| Name | Description | Scopable |
| --- | --- | --- |
| dashboards_read | The ability to view dashboards. | false |
| dashboards_write | The ability to create and change dashboards. | false |
| dashboards_public_share | The ability to share dashboards externally. | false |

Incidents

Find below the list of permissions for the incidents assets:

| Name | Description | Scopable |
| --- | --- | --- |
| incident_read | The ability to view incidents in Datadog. | false |
| incident_write | The ability to create, view, and manage incidents in Datadog. | false |
| incident_settings_read | The ability to view incidents Settings. | false |
| incident_settings_write | The ability to configure incident settings. | false |

Integrations

Find below the list of permissions for the integrations assets:

| Name | Description | Scopable |
| --- | --- | --- |
| integrations_api | The ability to use the Integrations APIs to configure Integrations that the user has access to. This permission does not restrict or grant access to Integrations. | false |

Metrics

Find below the list of permissions for the metrics assets:

| Name | Description | Scopable |
| --- | --- | --- |
| metric_tags_write | The ability to edit and save tag configurations for custom metrics. | false |

Monitors

Find below the list of permissions for the monitors assets:

| Name | Description | Scopable |
| --- | --- | --- |
| monitors_read | The ability to view monitors. | false |
| monitors_write | The ability to change, mute, and delete individual monitors. | false |
| monitors_downtime | The ability to set downtimes for your organization. A user with this permission can suppress alerts from any monitor using a downtime, even if they do not have permission to edit those monitors explicitly. | false |

Organization Management

Find below the list of permissions for the organization management assets:

| Name | Description | Scopable |
| --- | --- | --- |
| audit_logs_read | The ability to view Audit Logs in your organization. | false |
| audit_logs_write | The ability to configure Audit Logs in your organization. | false |

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

| Name | Description | Scopable |
| --- | --- | --- |
| rum_apps_write | The ability to create, edit, and delete RUM Applications. | false |
| rum_apps_read | The ability to view RUM Applications data. | false |
| rum_session_replay_read | The ability to view session replays. | false |

Security Monitoring

Find below the list of permissions for the security monitoring assets:

| Name | Description | Scopable |
| --- | --- | --- |
| security_monitoring_rules_read | The ability to read Detection rules. | false |
| security_monitoring_rules_write | The ability to create and edit Detection rules. | false |
| security_monitoring_signals_read | The ability to view Security signals. | false |
| security_monitoring_signals_write | The ability to modify Security signals. | false |
| security_monitoring_filters_read | The ability to read Security Filters. | false |
| security_monitoring_filters_write | The ability to create, edit and delete Security Filters. | false |
| security_monitoring_notification_profiles_read | The ability to read Notification Profiles. | false |
| security_monitoring_notification_profiles_write | The ability to create, edit and delete Notification Profiles. | false |

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

| Name | Description | Scopable |
| --- | --- | --- |
| synthetics_private_location_read | The ability to view, search and use in tests the list of private locations available. | false |
| synthetics_private_location_write | The ability to create and delete private locations as well as seeing the associated installation guidelines. | false |
| synthetics_global_variable_read | The ability to view, search and use in tests the list of global variables available for Synthetics. | false |
| synthetics_global_variable_write | The ability to create, edit, and delete global variables for Synthetics. | false |
| synthetics_read | The ability to list and view configured Synthetic tests. | false |
| synthetics_write | The ability to create, edit, and delete Synthetic tests. | false |
| synthetics_default_settings_read | The ability to view default settings for Synthetics Monitoring. | false |
| synthetics_default_settings_write | The ability to edit default settings for Synthetics Monitoring. | false |

Logs

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

| Name | Description | Scopable |
| --- | --- | --- |
| logs_modify_indexes | The ability to read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filter permission to other roles, for some or all indexes. This permission also grants global Log Index Read and Log Exclusion Filter Write implicitly. | false |
| logs_write_exclusion_filters | The ability to add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. | true |
| logs_write_pipelines | The ability to add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. This permission also grants global Log Processor Write implicitly. | false |
| logs_write_processors | The ability to add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. | true |
| logs_write_archives | The ability to add and edit log archive locations. | false |
| logs_public_config_api | The ability to access and edit logs configurations via the API. | false |
| logs_generate_metrics | The ability to create custom metrics from logs. | false |
| logs_read_data | The ability to read log data. Can be restricted with restriction queries. | true |
| logs_read_archives | The ability to read logs archives location and use it for rehydration. | true |
| logs_write_historical_view | The capability to rehydrate logs from Archives. | false |
| logs_write_facets | The capability to create or edit logs facets. | false |

Log Management RBAC also includes two legacy permissions, superseded by the finer-grained and more extensive logs_read_data permission:

| Name | Description | Scopable |
| --- | --- | --- |
| logs_live_tail | Access the live tail feature | false |
| logs_read_index_data | Read a subset of log data (index based) | true |

*Log Rehydration is a trademark of Datadog, Inc.