Authorization Scopes

Scope is an authorization mechanism that allows you to limit and define the granular access that applications have to an organization’s Datadog data. When authorized to access data on behalf of a user or service account, applications can access only the information explicitly requested and nothing more.

The best practice for scoping applications is to maintain the minimal privileges and most restrictive scopes necessary for an application to function as intended. This gives users fine-grained access control of applications and transparency into how an application is using their data. For example, a third-party application that only reads dashboard data does not need permissions to delete or manage users in an organization.
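
A scope review that follows the practice above, as an added example that is not part of the Datadog documentation: it compares the scopes an application requests with the scopes its declared operations need, using only scope names listed on this page. The operation names, their mapping to scopes, and the sample request are assumptions made for illustration.

```python
# Added example: least-privilege review of an application's requested scopes.
# Scope names and what they allow are taken from the tables on this page;
# the operation names and the sample request are constructed for illustration.

# Scopes whose descriptions on this page allow a change to organization state.
MUTATING = {
    "monitors_downtime", "monitors_write",
    "security_monitoring_filters_write", "security_monitoring_rules_write",
    "synthetics_global_variable_write",
}
READ_ONLY = {
    "events_read", "timeseries_query",
    "security_monitoring_filters_read", "security_monitoring_rules_read",
    "security_monitoring_signals_read",
    "synthetics_global_variable_read", "synthetics_private_location_read",
}
KNOWN = MUTATING | READ_ONLY

# Hypothetical mapping from what an app does to the one scope that covers it.
OPERATION_SCOPE = {
    "schedule_downtime": "monitors_downtime",  # monitors_write is not required
    "edit_monitor": "monitors_write",
    "read_events": "events_read",
    "query_metrics": "timeseries_query",
    "view_signals": "security_monitoring_signals_read",
    "edit_detection_rules": "security_monitoring_rules_write",
}

def review_scopes(requested, operations):
    """Return (severity, scope, reason) findings, most serious first."""
    requested = set(requested)
    needed = {OPERATION_SCOPE[op] for op in operations}
    findings = []
    for scope in requested - KNOWN:
        findings.append(("error", scope, "not a scope listed on this page"))
    for scope in (requested & KNOWN) - needed:
        if scope in MUTATING:
            findings.append(("high", scope, "unused scope that can change data"))
        else:
            findings.append(("low", scope, "unused read-only scope"))
    for scope in needed - requested:
        findings.append(("error", scope, "needed by a declared operation"))
    order = {"error": 0, "high": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

if __name__ == "__main__":
    # Constructed request: the app only schedules downtimes and reads events.
    for finding in review_scopes(
        ["monitors_write", "monitors_downtime", "events_read", "timeseries_query"],
        ["schedule_downtime", "read_events"],
    ):
        print(*finding, sep=": ")
```
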

You may use scopes in two ways with Datadog:

Cloud Workload Security

| Scope name | Description | Endpoints that require this scope |
|---|---|---|

Dashboards, Dashboard Lists

Downtimes, Monitors

| Scope name | Description | Endpoints that require this scope |
|---|---|---|
| monitors_downtime | The ability to set downtimes to suppress alerts from any monitor in an organization. The ability to write monitors is not required to set downtimes. | |
| monitors_write | The ability to change, mute, and delete individual monitors. | |

Events

| Scope name | Description | Endpoints that require this scope |
|---|---|---|
| events_read | The ability to read Events data. | |

Incidents, Incident Services, Incident Teams

Metrics

| Scope name | Description | Endpoints that require this scope |
|---|---|---|
| timeseries_query | The ability to query Timeseries data. | |

Security Monitoring, Cloud Workload Security

| Scope name | Description | Endpoints that require this scope |
|---|---|---|
| security_monitoring_filters_read | The ability to read Security Filters. | |
| security_monitoring_filters_write | The ability to create, edit and delete Security Filters. | |
| security_monitoring_rules_read | The ability to read Detection Rules. | |
| security_monitoring_rules_write | The ability to create and edit Detection Rules. | |
| security_monitoring_signals_read | The ability to view Security Signals. | |

Synthetics

| Scope name | Description | Endpoints that require this scope |
|---|---|---|
| synthetics_global_variable_read | The ability to view, search and use in tests the list of global variables available for Synthetics. | |
| synthetics_global_variable_write | The ability to create, edit, and delete global variables for Synthetics. | |
| synthetics_private_location_read | The ability to view, search and use in tests the list of private locations available. | |

Usage Metering