Once your role is created, assign or remove permissions directly by editing the role in Datadog or through the Datadog Permission API. The list of available permissions is below.

Overview

General permissions

General permissions define the minimum access levels for your role. Advanced permissions then grant additional rights.

Note: there is no read-only permission. To obtain read-only access, simply do not grant the standard permission.

Advanced permissions

By default, existing users are associated with one of the three out-of-the-box roles:

  • Datadog Admin
  • Datadog Standard
  • Datadog Read-Only

All users can read all data types. Admin and Standard users are allowed to write data on resources.

Note: when you assign a new custom role to a user, make sure to remove the default Datadog role assigned to that user so that the new role's permissions are applied.

In addition to the general permissions, you can define more granular permissions for specific resources or data types. Permissions can be global or limited to a subset of items. Below are the details of these options and their impact on each of the available permissions.

API and Application Keys

Find below the list of permissions for the API and application keys assets:

| Name | Description |
| --- | --- |
| user_app_keys | View and manage Application Keys owned by the user. |
| org_app_keys_read | View Application Keys owned by all users in the organization. |
| org_app_keys_write | Manage Application Keys owned by all users in the organization. |
| api_keys_read | List and retrieve the key values of all API Keys in your organization. |
| api_keys_write | Create, rename, and revoke API Keys for your organization. |
| client_tokens_read | Read Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. |
| client_tokens_write | Create and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. |

APM

Find below the list of permissions for the APM assets:

| Name | Description |
| --- | --- |
| apm_read | Read and query APM and Trace Analytics. |
| apm_retention_filter_read | Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. |
| apm_retention_filter_write | Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete existing retention filters. |
| apm_service_ingest_read | Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info. |
| apm_service_ingest_write | Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. |
| apm_apdex_manage_write | Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. |
| apm_tag_management_write | Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. |
| apm_primary_operation_write | Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page. |
| debugger_write | Edit Dynamic Instrumentation configuration. |
| debugger_read | View Dynamic Instrumentation configuration. |
| apm_generate_metrics | Create custom metrics from spans. |
| apm_pipelines_write | Add and change APM pipeline configurations. |
| apm_pipelines_read | View APM pipeline configurations. |
| apm_service_catalog_write | Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog. |
| apm_service_catalog_read | View service catalog and service definitions. |
| apm_remote_configuration_write | Edit APM Remote Configuration. |
| apm_remote_configuration_read | View APM Remote Configuration. |
| continuous_profiler_read | View data in Continuous Profiler. |

Access Management

Find below the list of permissions for the access management assets:

| Name | Description |
| --- | --- |
| user_access_invite | Invite other users to your organization. |
| user_access_manage | Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries. |
| service_account_write | Create, disable, and use Service Accounts in your organization. |
| org_management | Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization. |

Billing and Usage

Find below the list of permissions for the billing and usage assets:

| Name | Description |
| --- | --- |
| billing_read | View your organization's subscription and payment method but not make edits. |
| billing_edit | Manage your organization's subscription and payment method. |
| usage_read | View your organization's usage and usage attribution. |
| usage_edit | Manage your organization's usage attribution set-up. |
| usage_notifications_read | Receive notifications and view currently configured notification settings. |
| usage_notifications_write | Receive notifications and configure notification settings. |

CI Visibility

Find below the list of permissions for the CI Visibility assets:

| Name | Description |
| --- | --- |
| ci_visibility_read | View CI Visibility. |
| ci_visibility_write | Edit flaky tests and delete Test Services. |
| ci_provider_settings_write | Edit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection. |
| ci_visibility_settings_write | Configure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services. |
| intelligent_test_runner_activation_write | Enable or disable Intelligent Test Runner. |
| intelligent_test_runner_settings_write | Edit Intelligent Test Runner settings, such as modifying ITR excluded branch list. |
| ci_ingestion_control_write | Edit CI Ingestion Control exclusion filters. |

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

| Name | Description |
| --- | --- |
| incident_read | View incidents in Datadog. |
| incident_write | Create, view, and manage incidents in Datadog. |
| incident_settings_read | View Incident Settings. |
| incident_settings_write | Configure Incident Settings. |
| incidents_private_global_access | Access all private incidents in Datadog, even when not added as a responder. |
| cases_read | View Cases. |
| cases_write | Create and update cases. |
| incident_notification_settings_read | View Incidents Notification settings. |
| incident_notification_settings_write | Configure Incidents Notification settings. |

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

| Name | Description |
| --- | --- |
| security_monitoring_rules_read | Read Detection Rules. |
| security_monitoring_rules_write | Create and edit Detection Rules. |
| security_monitoring_signals_read | View Security Signals. |
| security_monitoring_signals_write | Modify Security Signals. |
| security_monitoring_filters_read | Read Security Filters. |
| security_monitoring_filters_write | Create, edit, and delete Security Filters. |
| appsec_event_rule_read | View Application Security Management Event Rules. |
| appsec_event_rule_write | Edit Application Security Management Event Rules. |
| security_monitoring_notification_profiles_read | Read Notification Rules. |
| security_monitoring_notification_profiles_write | Create, edit, and delete Notification Rules. |
| security_monitoring_cws_agent_rules_read | Read Cloud Workload Security Agent Rules. |
| security_monitoring_cws_agent_rules_write | Create, edit, and delete Cloud Workload Security Agent Rules. |
| appsec_protect_read | View blocked attackers. |
| appsec_protect_write | Manage blocked attackers. |
| appsec_activation_read | View whether Application Security Management has been enabled or disabled on services via 1-click enablement with Remote Configuration. |
| appsec_activation_write | Enable or disable Application Security Management on services via 1-click enablement with Remote Configuration. |
| security_monitoring_findings_read | View CSPM Findings. |
| security_monitoring_findings_write | Mute CSPM Findings. |

Compliance

Find below the list of permissions for the compliance assets:

| Name | Description |
| --- | --- |
| audit_logs_read | View Audit Trail in your organization. |
| audit_logs_write | Configure Audit Trail in your organization. |
| data_scanner_read | View Data Scanner configurations. |
| data_scanner_write | Edit Data Scanner configurations. |

Dashboards

Find below the list of permissions for the dashboards assets:

| Name | Description |
| --- | --- |
| dashboards_read | View dashboards. |
| dashboards_write | Create and change dashboards. |
| dashboards_public_share | Generate public and authenticated links to share dashboards or embeddable graphs externally. |
| generate_dashboard_reports | Schedule custom reports from a dashboard. These reports will display any viewable data regardless of any granular restrictions (restriction queries, scoped indexes) applied to the report's creator. |

Error Tracking

Find below the list of permissions for the error tracking assets:

| Name | Description |
| --- | --- |
| error_tracking_write | Edit Error Tracking settings. |

Events

Find below the list of permissions for the events assets:

| Name | Description |
| --- | --- |
| event_config_write | Manage general event configuration such as API Emails. |

Integrations

Find below the list of permissions for the integrations assets:

| Name | Description |
| --- | --- |
| integrations_api | Deprecated. Use the Integrations APIs to configure integrations. In order to configure integrations from the UI, a user must also have Standard Access. |
| manage_integrations | Install, uninstall, and configure integrations. |

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

| Name | Description |
| --- | --- |
| logs_modify_indexes | Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes. |
| logs_write_exclusion_filters | Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. |
| logs_write_pipelines | Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. |
| logs_write_processors | Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. |
| logs_write_archives | Add and edit Log Archives. |
| logs_generate_metrics | Create custom metrics from logs. |
| logs_read_data | Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product. |
| logs_read_archives | Read Log Archives location and use it for rehydration. |
| logs_write_historical_view | Rehydrate logs from Archives. |
| logs_write_facets | Create or edit Log Facets. |
| logs_delete_data | Delete data from your Logs, including entire indexes. |
| logs_write_forwarding_rules | Add and edit forwarding destinations and rules for logs. |

Log Management RBAC also includes two legacy permissions, superseded by the finer-grained and more extensive logs_read_data permission:

| Name | Description |
| --- | --- |
| logs_live_tail | Access the live tail feature. |
| logs_read_index_data | Read a subset of log data (index based). |

Metrics

Find below the list of permissions for the metrics assets:

| Name | Description |
| --- | --- |
| metric_tags_write | Edit and save tag configurations for custom metrics. |

Monitors

Find below the list of permissions for the monitors assets:

| Name | Description |
| --- | --- |
| monitors_read | View monitors. |
| monitors_write | Edit, mute, and delete individual monitors. |
| monitors_downtime | Set downtimes to suppress alerts from any monitor in an organization. The ability to write monitors is not required to set downtimes. |
| monitor_config_policy_write | Create, update, and delete monitor configuration policies. |

Notebooks

Find below the list of permissions for the notebooks assets:

| Name | Description |
| --- | --- |
| notebooks_read | View notebooks. |
| notebooks_write | Create and change notebooks. |

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

| Name | Description |
| --- | --- |
| observability_pipelines_read | View pipeline configurations. |
| observability_pipelines_write | Create, edit, and delete pipeline configurations. |

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

| Name | Description |
| --- | --- |
| rum_apps_write | Create, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission. |
| rum_apps_read | View RUM Applications data. |
| rum_session_replay_read | View Session Replays. |
| rum_generate_metrics | Create custom metrics from RUM events. |

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

| Name | Description |
| --- | --- |
| slos_read | View SLOs and status corrections. |
| slos_write | Create, edit, and delete SLOs. |
| slos_corrections | Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs. |

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

| Name | Description |
| --- | --- |
| synthetics_private_location_read | View, search, and use Synthetics private locations. |
| synthetics_private_location_write | Create and delete private locations in addition to having access to the associated installation guidelines. |
| synthetics_global_variable_read | View, search, and use Synthetics global variables. |
| synthetics_global_variable_write | Create, edit, and delete global variables for Synthetics. |
| synthetics_read | List and view configured Synthetic tests and test results. |
| synthetics_write | Create, edit, and delete Synthetic tests. |
| synthetics_default_settings_read | View the default settings for Synthetic Monitoring. |
| synthetics_default_settings_write | Edit the default settings for Synthetic Monitoring. |

Teams

Find below the list of permissions for the teams assets:

| Name | Description |
| --- | --- |
| teams_manage | Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission. |

Watchdog

Find below the list of permissions for the watchdog assets:

| Name | Description |
| --- | --- |
| watchdog_insights_read | View Watchdog Insights. |

Workflows

Find below the list of permissions for the workflows assets:

| Name | Description |
| --- | --- |
| workflows_read | View workflows. |
| workflows_write | Create, edit, and delete workflows. |
| workflows_run | Run workflows. |
| connections_read | List and view available connections. Connections contain secrets that cannot be revealed. |
| connections_write | Create and delete connections. |
| connections_resolve | Resolve connections. |


*Log Rehydration is a trademark of Datadog, Inc.