Une fois votre rôle créé, vous pouvez attribuer ou supprimer des autorisations pour ce rôle directement en le mettant à jour depuis l’application Datadog ou via l’API Permission de Datadog. Vous trouverez ci-dessous la liste des autorisations disponibles.
Les autorisations générales définissent les niveaux d’accès minimum pour votre rôle. Les autorisations avancées permettent ensuite d’accorder des droits supplémentaires.
| Name | Description | Scopable |
|---|
Remarque : il n’existe pas d’autorisation read-only étant donné qu’elle est définie par l’absence des autorisations admin et standard pour un rôle.
Par défaut, les utilisateurs existants sont déjà associés à l’un des trois rôles Datadog par défaut : Admin, Standard ou Read-Only. Tous les utilisateurs sont donc déjà autorisés à lire l’ensemble des types de données. Les utilisateurs avec le rôle Admin ou Standard disposent quant à eux d’un droit d’écriture sur ces ressources.
Remarque : lorsque vous attribuez un nouveau rôle personnalisé à un utilisateur, assurez-vous de supprimer le rôle Datadog par défaut attribué à cet utilisateur afin d’appliquer les nouvelles autorisations de rôle.
En plus des autorisations générales, il est possible de définir des autorisations plus granulaires pour des ressources ou des types de données spécifiques. Les autorisations peuvent être globales ou limitées à un sous-ensemble d’éléments. Vous trouverez ci-dessous les détails de ces options et leur impact sur chacune des autorisations disponibles.
Find below the list of permissions for the api and application keys assets:
| Name | Description | Scopable |
|---|---|---|
user_app_keys | The ability to view and manage Application Keys owned by the user. | false |
org_app_keys_read | The ability to view Application Keys owned by all users in the organization. | false |
org_app_keys_write | The ability to manage Application Keys owned by all users in the organization. | false |
api_keys_read | The ability to list and retrive the key values of all API Keys in your organization. | false |
api_keys_write | The ability to create, rename, and revoke API Keys for your organization. | false |
Find below the list of permissions for the apm assets:
| Name | Description | Scopable |
|---|---|---|
apm_read | The ability to read and query APM and Trace Analytics. | false |
apm_retention_filter_read | The ability to read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. | false |
apm_retention_filter_write | The ability to create, edit and delete trace retention filters. A user with this permission can create new retention filters, and update or delete to existing retention filters. | false |
apm_service_ingest_read | The ability to access Service Ingestion pages. A user with this permission can view the service ingestion page, list of root service, their statistics, and creation info. | false |
apm_service_ingest_write | The ability to edit Service Ingestion pages root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. | false |
apm_apdex_manage_write | The ability to set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. | false |
apm_tag_management_write | The ability to edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. | false |
apm_primary_operation_write | The ability to edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and can modify the operation name controller on the service page. | false |
Find below the list of permissions for the access management assets:
| Name | Description | Scopable |
|---|---|---|
user_access_invite | Allows users to invite other users to your organization. | false |
user_access_manage | Grants the permission to disable users, manage user roles and SAML-to-role mappings. | false |
data_scanner_read | View data scanner configuration. | false |
data_scanner_write | Edit data scanner configuration. | false |
Find below the list of permissions for the billing and usage assets:
| Name | Description | Scopable |
|---|---|---|
billing_read | The ability to view your organization's subscription and payment method but not make edits. | false |
billing_edit | The ability to manage your organization's subscription and payment method. | false |
usage_read | The ability to view your organization's usage and usage attribution. | false |
usage_edit | The ability to manage your organization's usage attribution set-up. | false |
Find below the list of permissions for the dashboards assets:
| Name | Description | Scopable |
|---|---|---|
dashboards_read | The ability to view dashboards. | false |
dashboards_write | The ability to create and change dashboards. | false |
dashboards_public_share | The ability to share dashboards externally. | false |
Find below the list of permissions for the incidents assets:
| Name | Description | Scopable |
|---|---|---|
incident_read | The ability to view the Incident App and see incidents. | false |
incident_write | The ability to create, view and manage incidents in the Incident App. | false |
incident_settings_read | The ability to view incidents Settings. | false |
incident_settings_write | The ability to configure incidents Settings. | false |
Find below the list of permissions for the integrations assets:
| Name | Description | Scopable |
|---|---|---|
integrations_api | The ability to use the Integrations APIs to configure Integrations that the user has access to. This permission does not restrict or grant access to Integrations. | false |
Find below the list of permissions for the metrics assets:
| Name | Description | Scopable |
|---|---|---|
metric_tags_write | The ability to edit and save tag configurations for custom metrics. | false |
Find below the list of permissions for the monitors assets:
| Name | Description | Scopable |
|---|---|---|
monitors_read | The ability to view monitors. | false |
monitors_write | The ability to change, mute, and delete individual monitors. | false |
monitors_downtime | The ability to set downtimes for your organization. A user with this permission can suppress alerts from any monitor using a downtime, even if they do not have permission to edit those monitors explicitly. | false |
Find below the list of permissions for the real user monitoring assets:
| Name | Description | Scopable |
|---|---|---|
rum_apps_write | The ability to create, edit, and delete RUM Applications. | false |
Find below the list of permissions for the security monitoring assets:
| Name | Description | Scopable |
|---|---|---|
security_monitoring_rules_read | The ability to read Detection rules. | false |
security_monitoring_rules_write | The ability to create and edit Detection rules. | false |
security_monitoring_signals_read | The ability to view Security signals. | false |
security_monitoring_filters_read | The ability to read Security Filters. | false |
security_monitoring_filters_write | The ability to create, edit and delete Security Filters. | false |
Find below the list of permissions for the synthetic monitoring assets:
| Name | Description | Scopable |
|---|---|---|
synthetics_private_location_read | The ability to view, search and use in tests the list of private locations available. | false |
synthetics_private_location_write | The ability to create and delete private locations as well as seeing the associated installation guidelines. | false |
synthetics_global_variable_read | The ability to view, search and use in tests the list of global variables available for Synthetics. | false |
synthetics_global_variable_write | The ability to create, edit, and delete global variables for Synthetics. | false |
synthetics_read | The ability to list and view configured Synthetic tests. | false |
synthetics_write | The ability to create, edit, and delete Synthetic tests. | false |
synthetics_default_settings_read | The ability to view default settings for Synthetics Monitoring. | false |
synthetics_default_settings_write | The ability to edit default settings for Synthetics Monitoring. | false |
Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.
| Name | Description | Scopable |
|---|---|---|
logs_modify_indexes | The ability to read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filter permission to other roles, for some or all indexes. This permission also grants global Log Index Read and Log Exclusion Filter Write implicitly. | false |
logs_write_exclusion_filters | The ability to add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. | true |
logs_write_pipelines | The ability to add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. This permission also grants global Log Processor Write implicitly. | false |
logs_write_processors | The ability to add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. | true |
logs_write_archives | The ability to add and edit log archive locations. | false |
logs_public_config_api | The ability to access and edit logs configurations via the API. | false |
logs_generate_metrics | The ability to create custom metrics from logs. | false |
logs_read_data | The ability to read log data. Can be restricted with restriction queries. | true |
logs_read_archives | The ability to read logs archives location and use it for rehydration. | true |
logs_write_historical_view | The capability to rehydrate logs from Archives. | false |
logs_write_facets | The capability to create or edit logs facets. | false |
Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:
| Name | Description | Scopable |
|---|---|---|
logs_live_tail | Access the live tail feature | false |
logs_read_index_data | Read a subset log data (index based) | true |
Documentation, liens et articles supplémentaires utiles:
