Contextes d'autorisation

Contextes d’autorisation

La portée (ou scope) est un mécanisme d’autorisation vous permettant de définir et de restreindre l’accès granulaire dont les applications disposent pour les données Datadog d’une organisation. Lorsque des applications sont autorisées à consulter des données au nom d’un utilisateur ou d’un compte de service, elles peuvent uniquement accéder aux informations explicitement demandées.

Pour gérer au mieux les autorisations, il est recommandé de définir des contextes restrictifs et d’accorder l’accès minimal requis pour garantir le bon fonctionnement des applications. Les utilisateurs peuvent donc contrôler précisément les applications et vérifier facilement comment leurs données sont utilisées. Ainsi, il est inutile d’attribuer des autorisations de gestion ou de suppression d’utilisateurs dans une organisation à une application tierce qui est uniquement censée lire des données de dashboards.

Dans Datadog, les contextes peuvent être appliqués de deux façons différentes :

Limitez les clients OAuth2 pour vos applications Datadog.
Limitez vos clés d’application.

API Management

Scope name

Description

Endpoints that require this scope

apm_api_catalog_read

View API catalog and API definitions.

List APIs
Get an API

apm_api_catalog_write

Add, modify, and delete API catalog definitions.

Delete an API
Update an API
Create a new API

CI Visibility Pipelines, CI Visibility Tests

Scope name

Description

Endpoints that require this scope

ci_visibility_read

View CI Visibility.

Aggregate pipelines events
Get a list of pipelines events
Search pipelines events
Aggregate tests events
Get a list of tests events
Search tests events

Case Management

Scope name

Description

Endpoints that require this scope

cases_read

View Cases.

Search cases
Get all projects
Get the details of a project
Get the details of a case

cases_write

Create and update cases.

Create a case
Create a project
Remove a project
Archive case
Assign case
Update case priority
Update case status
Unarchive case
Unassign case

Cloud Cost Management

Scope name

Description

Endpoints that require this scope

cloud_cost_management_read

View Cloud Cost pages and the cloud cost data source in dashboards and notebooks. For more details, see the Cloud Cost Management docs.

List Cloud Cost Management AWS CUR configs
List Cloud Cost Management Azure configs
Get a budget
List budgets
List Custom Costs files
Get Custom Costs file

cloud_cost_management_write

Configure cloud cost accounts and global customizations. For more details, see the Cloud Cost Management docs.

Create Cloud Cost Management AWS CUR config
Delete Cloud Cost Management AWS CUR config
Update Cloud Cost Management AWS CUR config
Create Cloud Cost Management Azure configs
Delete Cloud Cost Management Azure config
Update Cloud Cost Management Azure config
Create or update a budget
Delete a budget
Upload Custom Costs file
Delete Custom Costs file

Dashboard Lists, Dashboards, Powerpack

Scope name

Description

Endpoints that require this scope

dashboards_read

View dashboards.

Get all dashboards
Get all dashboard lists
Get a dashboard list
Get a shared dashboard
Get a dashboard
Get items of a Dashboard List
Get all powerpacks
Get a Powerpack

dashboards_write

Create and change dashboards.

Delete dashboards
Restore deleted dashboards
Create a new dashboard
Create a dashboard list
Delete a dashboard list
Update a dashboard list
Delete a dashboard
Update a dashboard
Create a new powerpack
Delete a powerpack
Update a powerpack

dashboards_public_share

Generate public and authenticated links to share dashboards or embeddable graphs externally.

Create a shared dashboard
Revoke a shared dashboard URL
Update a shared dashboard
Revoke shared dashboard invitations
Get all invitations for a shared dashboard
Send shared dashboard invitation email

Domain Allowlist, IP Allowlist

Scope name

Description

Endpoints that require this scope

org_management

Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.

Get Domain Allowlist
Sets Domain Allowlist
Get IP Allowlist
Update IP Allowlist

Downtimes, Monitors

Scope name

Description

Endpoints that require this scope

monitors_downtime

Set downtimes to suppress alerts from any monitor in an organization. Mute and unmute monitors. The ability to write monitors is not required to set downtimes.

Schedule a downtime
Cancel downtimes by scope
Cancel a downtime
Update a downtime
Get all downtimes
Schedule a downtime
Cancel a downtime
Get a downtime
Update a downtime
Get active downtimes for a monitor

monitors_read

View monitors.

Get all downtimes
Get a downtime
Get all monitors
Check if a monitor can be deleted
Monitors group search
Monitors search
Get a monitor's details
Get active downtimes for a monitor
Get all monitor notification rules
Get a monitor notification rule
Get all monitor configuration policies
Get a monitor configuration policy

monitor_config_policy_write

Edit and delete monitor configuration.

Create a monitor notification rule
Delete a monitor notification rule
Update a monitor notification rule

monitors_write

Edit, delete, and resolve individual monitors.

Create a monitor
Validate a monitor
Delete a monitor
Edit a monitor
Mute a monitor
Unmute a monitor
Validate an existing monitor

Events

Scope name

Description

Endpoints that require this scope

events_read

Read Events data.

Get a list of events
Get an event
Get a list of events

Hosts

Scope name

Description

Endpoints that require this scope

hosts_read

List hosts and their attributes.

Get all hosts for your organization
Get the total number of active hosts

Incident Services, Incident Teams, Incidents

Scope name

Description

Endpoints that require this scope

incident_read

View incidents in Datadog.

Get a list of incidents
Get a list of incident types
Get incident type details
Search for incidents
Get the details of an incident
Get a list of an incident's integration metadata
Get incident integration metadata details
Get a list of an incident's todos
Get incident todo details
Get a list of all incident services
Get details of an incident service
Get a list of all incident teams
Get details of an incident team

incident_settings_write

Configure Incident Settings.

Create an incident type
Delete an incident type
Update an incident type
Create a new incident service
Delete an existing incident service
Update an existing incident service
Create a new incident team
Delete an existing incident team
Update an existing incident team

incident_write

Create, view, and manage incidents in Datadog.

Create an incident
Delete an existing incident
Update an existing incident
Create an incident integration metadata
Delete an incident integration metadata
Update an existing incident integration metadata
Create an incident todo
Delete an incident todo
Update an incident todo

Metrics

Scope name

Description

Endpoints that require this scope

metrics_read

View custom metrics.

Get active metrics list
Get metric metadata
Get a list of metrics
List tags by metric name
List tag configuration by name

timeseries_query

Query Timeseries data.

Query timeseries points
Query scalar data across multiple products
Query timeseries data across multiple products

Roles, Users

Scope name

Description

Endpoints that require this scope

user_access_manage

Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries.

Create role
Delete role
Update a role
Create a new role by cloning an existing role
Revoke permission
Grant permission to a role
Remove a user from a role
Add a user to a role
Disable a user
Update a user

user_access_read

View users and their roles and settings.

List all users
List permissions
List roles
Get a role
List permissions for a role
Get all users of a role
List all users
Get user details
Get a user permissions

user_access_invite

Invite other users to your organization.

Send invitation emails
Get a user invitation
Create a user

Security Monitoring

Scope name

Description

Endpoints that require this scope

appsec_vm_read

View infrastructure, application code, and library vulnerabilities. This does not restrict API or inventory SQL access to the vulnerability data source.

List vulnerable assets
Get SBOM
List vulnerabilities

security_monitoring_filters_read

Read Security Filters.

Get all security filters
Get a security filter

security_monitoring_filters_write

Create, edit, and delete Security Filters.

Create a security filter
Delete a security filter
Update a security filter

security_monitoring_findings_read

View a list of findings that include both misconfigurations and identity risks.

List findings
Get a finding

security_monitoring_notification_profiles_read

View Rule Security Notification rules.

Get the list of signal-based notification rules
Get details of a signal-based notification rule
Get the list of vulnerability notification rules
Get details of a vulnerability notification rule

security_monitoring_notification_profiles_write

Create, edit, and delete Security Notification rules.

Create a new signal-based notification rule
Delete a signal-based notification rule
Patch a signal-based notification rule
Create a new vulnerability-based notification rule
Delete a vulnerability-based notification rule
Patch a vulnerability-based notification rule

security_monitoring_rules_read

Read Detection Rules.

Create a custom framework
Delete a custom framework
Get a custom framework
Update a custom framework
List rules
Get a rule's details
Convert an existing rule from JSON to Terraform
Get a job's details

security_monitoring_rules_write

Create and edit Detection Rules.

Create a custom framework
Delete a custom framework
Update a custom framework
Create a detection rule
Convert a rule from JSON to Terraform
Test a rule
Validate a detection rule
Delete an existing rule
Update an existing rule
Test an existing rule
Run a historical job
Cancel a historical job

security_monitoring_signals_read

View Security Signals.

Get a quick list of security signals
Get a list of security signals
Get a signal's details

security_monitoring_suppressions_read

Read Rule Suppressions.

Get all suppression rules
Get a suppression rule

security_monitoring_suppressions_write

Write Rule Suppressions.

Create a suppression rule
Delete a suppression rule
Update a suppression rule

Service Definition, Service Scorecards, Software Catalog

Scope name

Description

Endpoints that require this scope

apm_service_catalog_read

View service catalog and service definitions.

Get a list of entities
List all rule outcomes
List all rules
Get all service definitions
Get a single service definition

apm_service_catalog_write

Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog.

Create or update entities
Delete a single entity
Create outcomes batch
Create a new rule
Delete a rule
Update an existing rule
Create or update service definition
Delete a single service definition

Service Level Objective Corrections, Service Level Objectives

Scope name

Description

Endpoints that require this scope

slos_corrections

Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs.

Create an SLO correction

slos_read

View SLOs and status corrections.

Get all SLOs
Check if SLOs can be safely deleted
Get all SLO corrections
Search for SLOs
Get an SLO's details
Get Corrections For an SLO
Get an SLO's history
Create a new SLO report
Get SLO report
Get SLO report status

slos_write

Create, edit, and delete SLOs.

Create an SLO object
Bulk Delete SLO Timeframes
Delete an SLO
Update an SLO

Spans

Scope name

Description

Endpoints that require this scope

apm_read

Read and query APM and Trace Analytics.

Aggregate spans
Get a list of spans
Search spans

Synthetics

Scope name

Description

Endpoints that require this scope

synthetics_global_variable_read

View, search, and use Synthetics global variables.

Get all global variables
Get a global variable

synthetics_global_variable_write

Create, edit, and delete global variables for Synthetics.

Create a global variable
Delete a global variable
Edit a global variable

synthetics_private_location_read

View, search, and use Synthetics private locations.

Get all locations (public and private)
Get a private location

synthetics_private_location_write

Create and delete private locations in addition to having access to the associated installation guidelines.

Create a private location
Delete a private location
Edit a private location

synthetics_read

List and view configured Synthetic tests and test results.

Get details of batch
Get the list of all Synthetic tests
Get an API test
Get a browser test
Get a browser test's latest results summaries
Get a browser test result
Get a Mobile test
Fetch uptime for multiple tests
Get a test configuration
Get an API test's latest results summaries
Get an API test result

synthetics_write

Create, edit, and delete Synthetic tests.

Create a test
Create an API test
Edit an API test
Create a browser test
Edit a browser test
Delete tests
Create a mobile test
Edit a Mobile test
Trigger Synthetic tests
Trigger tests from CI/CD pipelines
Patch a Synthetic test
Edit a test
Pause or start a test

Teams

Scope name

Description

Endpoints that require this scope

teams_manage

Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission.

Create a team
Remove a team

teams_read

Read Teams data. A User with this permission can view Team names, metadata, and which Users are on each Team.