Datadog Role Permissions
Once your role is created, assign or remove permissions for this role directly by updating it in Datadog or through the Datadog Permission API. The list of available permissions is given below.
Overview
General permissions
General permissions define the minimum access levels for your role. Advanced permissions then grant additional rights.
Note: There is no read-only permission, because read-only access is defined by the absence of the admin and standard permissions on a role.
Advanced permissions
By default, existing users are already associated with one of the three default Datadog roles: Admin, Standard, or Read-Only. All users are therefore already allowed to read all data types. Users with the Admin or Standard role additionally have write access to these resources.
Note: When you assign a new custom role to a user, make sure to remove the default Datadog role assigned to that user so that the new role permissions take effect.
In addition to the general permissions, more granular permissions can be defined for specific resources or data types. Permissions can be global or limited to a subset of items. The details of these options, and their impact on each available permission, are given below.
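The note above about removing the default role matters because a leftover default role keeps contributing its permissions. The following is an added example, not Datadog code: it audits a constructed set of role assignments for users who hold both a custom role and a default role. It assumes that a user's effective permissions are the union of all assigned roles; the role contents, custom role names and user names are invented sample data.

```python
# Added example. Role contents and user assignments are constructed sample
# data, not a Datadog export; default role names follow this page.
DEFAULT_ROLES = {"Admin", "Standard", "Read-Only"}

ROLES = {
    "Admin": {"admin", "standard", "user_access_manage", "api_keys_write"},
    "Standard": {"standard", "dashboards_write", "monitors_write"},
    "Read-Only": set(),  # read-only = neither admin nor standard
    "log-viewer": {"logs_read_data", "dashboards_read"},   # custom role
    "key-rotator": {"api_keys_read", "api_keys_write"},    # custom role
}

USERS = {
    "alice": ["log-viewer"],
    "bob": ["log-viewer", "Standard"],   # default role never removed
    "carol": ["key-rotator", "Admin"],   # default role never removed
    "dave": ["Read-Only"],
}


def effective_permissions(role_names, roles=ROLES):
    """Union of all assigned roles (assumption: permissions are additive)."""
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms


def general_access(perms):
    """Map the general permissions to the access level described above."""
    if "admin" in perms:
        return "admin"
    return "standard" if "standard" in perms else "read-only"


def audit_leftover_defaults(users=USERS, roles=ROLES):
    """Flag users holding a custom role AND a default role, and list the
    permissions that only the leftover default role contributes."""
    findings = {}
    for user, assigned in users.items():
        custom = [r for r in assigned if r not in DEFAULT_ROLES]
        default = [r for r in assigned if r in DEFAULT_ROLES]
        if custom and default:
            extra = (effective_permissions(default, roles)
                     - effective_permissions(custom, roles))
            access = general_access(effective_permissions(assigned, roles))
            findings[user] = {"default_roles": default,
                              "extra": sorted(extra), "access": access}
    return findings
```

Calling `audit_leftover_defaults()` on the sample data flags `bob` and `carol`, whose custom roles were meant to narrow their access but who still carry standard and admin access respectively.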
API and Application Keys
Find below the list of permissions for the api and application keys assets:
Name | Description | Scopable |
---|---|---|
user_app_keys | View and manage Application Keys owned by the user. | false |
org_app_keys_read | View Application Keys owned by all users in the organization. | false |
org_app_keys_write | Manage Application Keys owned by all users in the organization. | false |
api_keys_read | List and retrieve the key values of all API Keys in your organization. | false |
api_keys_write | Create, rename, and revoke API Keys for your organization. | false |
APM
Find below the list of permissions for the apm assets:
Name | Description | Scopable |
---|---|---|
apm_read | Read and query APM and Trace Analytics. | false |
apm_retention_filter_read | Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. | false |
apm_retention_filter_write | Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete existing retention filters. | false |
apm_service_ingest_read | Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info. | false |
apm_service_ingest_write | Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. | false |
apm_apdex_manage_write | Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. | false |
apm_tag_management_write | Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. | false |
apm_primary_operation_write | Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page. | false |
apm_generate_metrics | Create custom metrics from spans. | false |
apm_pipelines_write | Add and change APM pipeline configurations. | false |
apm_pipelines_read | View APM pipeline configurations. | false |
Access Management
Find below the list of permissions for the access management assets:
Name | Description | Scopable |
---|---|---|
user_access_invite | Invite other users to your organization. | false |
user_access_manage | Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries. | false |
service_account_write | Create, disable, and use Service Accounts in your organization. | false |
org_management | Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace. | false |
Billing and Usage
Find below the list of permissions for the billing and usage assets:
Name | Description | Scopable |
---|---|---|
billing_read | View your organization's subscription and payment method but not make edits. | false |
billing_edit | Manage your organization's subscription and payment method. | false |
usage_read | View your organization's usage and usage attribution. | false |
usage_edit | Manage your organization's usage attribution set-up. | false |
usage_notifications_read | Receive notifications and view currently configured notification settings. | false |
usage_notifications_write | Receive notifications and configure notification settings. | false |
Cloud Security Platform
Find below the list of permissions for the cloud security platform assets:
Name | Description | Scopable |
---|---|---|
security_monitoring_rules_read | Read Detection Rules. | false |
security_monitoring_rules_write | Create and edit Detection Rules. | false |
security_monitoring_signals_read | View Security Signals. | false |
security_monitoring_signals_write | Modify Security Signals. | false |
security_monitoring_filters_read | Read Security Filters. | false |
security_monitoring_filters_write | Create, edit, and delete Security Filters. | false |
appsec_event_rule_read | View Application Security Event Rules. | false |
appsec_event_rule_write | Edit Application Security Event Rules. | false |
security_monitoring_notification_profiles_read | Read Notification Rules. | false |
security_monitoring_notification_profiles_write | Create, edit, and delete Notification Rules. | false |
Compliance
Find below the list of permissions for the compliance assets:
Name | Description | Scopable |
---|---|---|
audit_logs_read | View Audit Logs in your organization. | false |
audit_logs_write | Configure Audit Logs in your organization. | false |
data_scanner_read | View Data Scanner configurations. | false |
data_scanner_write | Edit Data Scanner configurations. | false |
Dashboards
Find below the list of permissions for the dashboards assets:
Name | Description | Scopable |
---|---|---|
dashboards_read | View dashboards. | false |
dashboards_write | Create and change dashboards. | false |
dashboards_public_share | Share dashboards externally. | false |
Incidents
Find below the list of permissions for the incidents assets:
Name | Description | Scopable |
---|---|---|
incident_read | View incidents in Datadog. | false |
incident_write | Create, view, and manage incidents in Datadog. | false |
incident_settings_read | View Incidents settings. | false |
incident_settings_write | Configure Incidents settings. | false |
incidents_private_global_access | Access all private incidents in Datadog, even when not added as a responder. | false |
Integrations
Find below the list of permissions for the integrations assets:
Name | Description | Scopable |
---|---|---|
integrations_api | Use the Integrations APIs to configure integrations. In order to configure integrations from the UI, a user must have Standard Access instead. | false |
Metrics
Find below the list of permissions for the metrics assets:
Name | Description | Scopable |
---|---|---|
metric_tags_write | Edit and save tag configurations for custom metrics. | false |
Monitors
Find below the list of permissions for the monitors assets:
Name | Description | Scopable |
---|---|---|
monitors_read | View monitors. | false |
monitors_write | Edit, mute, and delete individual monitors. | false |
monitors_downtime | Set downtimes to suppress alerts from any monitor in an organization. The ability to write monitors is not required to set downtimes. | false |
Notebooks
Find below the list of permissions for the notebooks assets:
Name | Description | Scopable |
---|---|---|
notebooks_read | View notebooks. | false |
notebooks_write | Create and change notebooks. | false |
Observability Pipelines
Find below the list of permissions for the observability pipelines assets:
Name | Description | Scopable |
---|---|---|
observability_pipelines_read | View pipeline configurations. | false |
observability_pipelines_write | Create, edit, and delete pipeline configurations. | false |
Real User Monitoring
Find below the list of permissions for the real user monitoring assets:
Name | Description | Scopable |
---|---|---|
rum_apps_write | Create, edit, and delete RUM Applications. | false |
rum_apps_read | View RUM Applications data. | false |
rum_session_replay_read | View Session Replays. | false |
rum_generate_metrics | Create custom metrics from RUM events. | false |
Synthetic Monitoring
Find below the list of permissions for the synthetic monitoring assets:
Name | Description | Scopable |
---|---|---|
synthetics_private_location_read | View, search, and use in tests the list of available private locations. | false |
synthetics_private_location_write | Create and delete private locations as well as seeing the associated installation guidelines. | false |
synthetics_global_variable_read | View, search, and use in tests the list of global variables available for Synthetics. | false |
synthetics_global_variable_write | Create, edit, and delete global variables for Synthetics. | false |
synthetics_read | List and view configured Synthetic tests. | false |
synthetics_write | Create, edit, and delete Synthetic tests. | false |
synthetics_default_settings_read | View default settings for Synthetics Monitoring. | false |
synthetics_default_settings_write | Edit default settings for Synthetics Monitoring. | false |
Logs
Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.
Name | Description | Scopable |
---|---|---|
logs_modify_indexes | Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes. | false |
logs_write_exclusion_filters | Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. | true |
logs_write_pipelines | Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. | false |
logs_write_processors | Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. | true |
logs_write_archives | Add and edit Log Archives. | false |
logs_generate_metrics | Create custom metrics from logs. | false |
logs_read_data | Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product. | true |
logs_read_archives | Read Log Archives location and use it for rehydration. | true |
logs_write_historical_view | Rehydrate logs from Archives. | false |
logs_write_facets | Create or edit Log Facets. | false |
Log Management RBAC also includes two legacy permissions, superseded by the finer-grained and more extensive logs_read_data permission:
Further reading
Additional helpful documentation, links, and articles:
*Log Rehydration is a trademark of Datadog, Inc.