Datadog ロールのアクセス許可

Docs > アカウントの管理 > ロールベースのアクセス制御 > Datadog ロールのアクセス許可

ロールを作成した後、Datadog でロールを更新するか Datadog Permission API を使用して、このロールへアクセス許可を直接割り当てたり削除したりできます。利用可能なアクセス許可の一覧は次のとおりです。

概要

一般許可

一般許可は、各ロールのユーザーに対して基本的なアクセス権を許可するものです。高度な許可は、一般許可に加えて付与される特定目的の許可を指します。

Name	Description
`admin`	Deprecated. Privileged Access (also known as Admin permission) has been replaced by more specific permissions: Access Management, Org Management, Billing Read/Write, Usage Read/Write.
`standard`	View and edit components in your Datadog organization that do not have explicitly defined permissions. This includes configuring Events, Cloud Cost Management, Reference Tables, metadata for metrics, and facets (except Logs).
`saved_views_write`	Modify Saved Views across all Datadog products.

注: ロールに standard アクセス許可の両方がないことにより定義されるため、read-only アクセス許可はありません。

高度な許可

デフォルトで、既存ユーザーは 3 つのすぐに使用できるロールのうち 1 つに紐付けられています。

Datadog 管理者
Datadog 標準
Datadog 読み取り専用

すべてのユーザーは、すべてのデータタイプを読み取ることができます、管理者および標準ユーザーには、アセットでの書き込み権限があります。

注: ユーザーに新しいカスタムロールを追加する際、新しいロールのアクセス許可を適用するために、そのユーザーに関連付けられている既存の Datadog ロールを必ず削除してください。

一般的な権限に加え、特定のアセットやデータタイプに対してより詳細な権限を定義することができます。以下の表では、これらのオプションの詳細と、利用可能な各権限への影響をご覧ください。

API and Application Keys

Find below the list of permissions for the api and application keys assets:

Name	Description	Scopable
`user_app_keys`	View and manage Application Keys owned by the user.	false
`org_app_keys_read`	View Application Keys owned by all users in the organization.	false
`org_app_keys_write`	Manage Application Keys owned by all users in the organization.	false
`api_keys_read`	List and retrieve the key values of all API Keys in your organization.	false
`api_keys_write`	Create, rename, and revoke API Keys for your organization.	false
`client_tokens_read`	Read Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog.	false
`client_tokens_write`	Create and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog.	false

APM

Find below the list of permissions for the apm assets:

Name	Description	Scopable
`apm_read`	Read and query APM and Trace Analytics.	false
`apm_retention_filter_read`	Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info.	false
`apm_retention_filter_write`	Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete to existing retention filters.	false
`apm_service_ingest_read`	Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info.	false
`apm_service_ingest_write`	Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service.	false
`apm_apdex_manage_write`	Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page.	false
`apm_tag_management_write`	Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page.	false
`apm_primary_operation_write`	Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page.	false
`debugger_write`	Edit Dynamic Instrumentation configuration.	false
`debugger_read`	View Dynamic Instrumentation configuration.	false
`apm_generate_metrics`	Create custom metrics from spans.	false
`apm_pipelines_write`	Add and change APM pipeline configurations.	false
`apm_pipelines_read`	View APM pipeline configurations.	false
`apm_service_catalog_write`	Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog.	false
`apm_service_catalog_read`	View service catalog and service definitions.	false
`apm_remote_configuration_write`	Edit APM Remote Configuration.	false
`apm_remote_configuration_read`	View APM Remote Configuration.	false
`continuous_profiler_read`	View data in Continuous Profiler.	false

Access Management

Find below the list of permissions for the access management assets:

Name	Description	Scopable
`user_access_invite`	Invite other users to your organization.	false
`user_access_manage`	Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries.	false
`service_account_write`	Create, disable, and use Service Accounts in your organization.	false
`org_management`	Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.	false

Billing and Usage

Find below the list of permissions for the billing and usage assets:

Name	Description	Scopable
`billing_read`	View your organization's subscription and payment method but not make edits.	false
`billing_edit`	Manage your organization's subscription and payment method.	false
`usage_read`	View your organization's usage and usage attribution.	false
`usage_edit`	Manage your organization's usage attribution set-up.	false
`usage_notifications_read`	Receive notifications and view currently configured notification settings.	false
`usage_notifications_write`	Receive notifications and configure notification settings.	false

CI Visibility

Find below the list of permissions for the ci visibility assets:

Name	Description	Scopable
`ci_visibility_read`	View CI Visibility.	false
`ci_visibility_write`	Create, edit and delete CI Visibility tests and pipelines.	false
`ci_provider_settings_write`	Edit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection.	false
`ci_visibility_settings_write`	Configure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services.	false
`intelligent_test_runner_activation_write`	Enable or disable Intelligent Test Runner.	false
`intelligent_test_runner_settings_write`	Edit Intelligent Test Runner settings, such as modifying ITR excluded branch list.	false
`ci_ingestion_control_write`	Edit CI Ingestion Control exclusion filters.	false

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

Name	Description	Scopable
`incident_read`	View incidents in Datadog.	false
`incident_write`	Create, view, and manage incidents in Datadog.	false
`incident_settings_read`	View Incident Settings.	false
`incident_settings_write`	Configure Incident Settings.	false
`incidents_private_global_access`	Access all private incidents in Datadog, even when not added as a responder.	false
`cases_read`	View Cases.	false
`cases_write`	Create and update cases.	false
`incident_notification_settings_read`	View Incidents Notification settings.	false
`incident_notification_settings_write`	Configure Incidents Notification settings.	false

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

Name	Description	Scopable
`security_monitoring_rules_read`	Read Detection Rules.	false
`security_monitoring_rules_write`	Create and edit Detection Rules.	false
`security_monitoring_signals_read`	View Security Signals.	false
`security_monitoring_signals_write`	Modify Security Signals.	false
`security_monitoring_filters_read`	Read Security Filters.	false
`security_monitoring_filters_write`	Create, edit, and delete Security Filters.	false
`appsec_event_rule_read`	View Application Security Management Event Rules.	false
`appsec_event_rule_write`	Edit Application Security Management Event Rules.	false
`security_monitoring_notification_profiles_read`	Read Notification Rules.	false
`security_monitoring_notification_profiles_write`	Create, edit, and delete Notification Rules.	false
`security_monitoring_cws_agent_rules_read`	Read Cloud Workload Security Agent Rules.	false
`security_monitoring_cws_agent_rules_write`	Create, edit, and delete Cloud Workload Security Agent Rules.	false
`appsec_protect_read`	View blocked attackers.	false
`appsec_protect_write`	Manage blocked attackers.	false
`appsec_activation_read`	View whether Application Security Management is enabled or disabled on services.	false
`appsec_activation_write`	Enable or disable Application Security Management on services.	false
`security_monitoring_findings_read`	View CSPM Findings.	false

Compliance

Find below the list of permissions for the compliance assets:

Name	Description	Scopable
`audit_logs_read`	View Audit Trail in your organization.	false
`audit_logs_write`	Configure Audit Trail in your organization.	false
`data_scanner_read`	View Data Scanner configurations.	false
`data_scanner_write`	Edit Data Scanner configurations.	false

Dashboards

Find below the list of permissions for the dashboards assets:

Name	Description	Scopable
`dashboards_read`	View dashboards.	false
`dashboards_write`	Create and change dashboards.	false
`dashboards_public_share`	Generate public and authenticated links to share dashboards or embeddable graphs externally.	false
`generate_dashboard_reports`	Schedule custom reports from a dashboard. These reports will display any viewable data regardless of any granular restrictions (restriction queries, scoped indexes) applied to the report's creator.	false

Error Tracking

Find below the list of permissions for the error tracking assets:

Name	Description	Scopable
`error_tracking_write`	Edit Error Tracking settings.	false

Integrations

Find below the list of permissions for the integrations assets:

Name	Description	Scopable
`integrations_api`	Deprecated. Use the Integrations APIs to configure integrations. In order to configure integrations from the UI, a user must also have Standard Access.	false
`manage_integrations`	Install, uninstall, and configure integrations.	false

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

Name	Description	Scopable
`logs_modify_indexes`	Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes.	false
`logs_write_exclusion_filters`	Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope.	true
`logs_write_pipelines`	Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines.	false
`logs_write_processors`	Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope.	true
`logs_write_archives`	Add and edit Log Archives.	false
`logs_generate_metrics`	Create custom metrics from logs.	false
`logs_read_data`	Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product.	false
`logs_read_archives`	Read Log Archives location and use it for rehydration.	false
`logs_write_historical_view`	Rehydrate logs from Archives.	false
`logs_write_facets`	Create or edit Log Facets.	false
`logs_delete_data`	Delete data from your Logs, including entire indexes.	false
`logs_write_forwarding_rules`	Add and edit forwarding destinations and rules for logs.	false

Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:

Name	Description	Scopable
`logs_live_tail`	Access the live tail feature	false
`logs_read_index_data`	Read a subset log data (index based)	true

Metrics

Find below the list of permissions for the metrics assets:

Name	Description	Scopable
`metric_tags_write`	Edit and save tag configurations for custom metrics.	false

Monitors

Find below the list of permissions for the monitors assets:

Name	Description	Scopable
`monitors_read`	View monitors.	false
`monitors_write`	Edit, mute, and delete individual monitors.	false
`monitors_downtime`	Set downtimes to suppress alerts from any monitor in an organization. The ability to write monitors is not required to set downtimes.	false
`monitor_config_policy_write`	Create, update, and delete monitor configuration policies.	false

Notebooks

Find below the list of permissions for the notebooks assets:

Name	Description	Scopable
`notebooks_read`	View notebooks.	false
`notebooks_write`	Create and change notebooks.	false

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

Name	Description	Scopable
`observability_pipelines_read`	View pipeline configurations.	false
`observability_pipelines_write`	Create, edit, and delete pipeline configurations.	false

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

Name	Description	Scopable
`rum_apps_write`	Create, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission.	false
`rum_apps_read`	View RUM Applications data.	false
`rum_session_replay_read`	View Session Replays.	false
`rum_generate_metrics`	Create custom metrics from RUM events.	false

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

Name	Description	Scopable
`slos_read`	View SLOs and status corrections.	false
`slos_write`	Create, edit, and delete SLOs.	false
`slos_corrections`	Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs.	false

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

Name	Description	Scopable
`synthetics_private_location_read`	View, search, and use Synthetics private locations.	false
`synthetics_private_location_write`	Create and delete private locations in addition to having access to the associated installation guidelines.	false
`synthetics_global_variable_read`	View, search, and use Synthetics global variables.	false
`synthetics_global_variable_write`	Create, edit, and delete global variables for Synthetics.	false
`synthetics_read`	List and view configured Synthetic tests and test results.	false
`synthetics_write`	Create, edit, and delete Synthetic tests.	false
`synthetics_default_settings_read`	View the default settings for Synthetic Monitoring.	false
`synthetics_default_settings_write`	Edit the default settings for Synthetic Monitoring.	false

Teams

Find below the list of permissions for the teams assets:

Name	Description	Scopable
`teams_manage`	Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission.	false

Watchdog

Find below the list of permissions for the watchdog assets:

Name	Description	Scopable
`watchdog_insights_read`	View Watchdog Insights.	false

Workflows

Find below the list of permissions for the workflows assets:

Name	Description	Scopable
`workflows_read`	View workflows.	false
`workflows_write`	Create, edit, and delete workflows.	false
`workflows_run`	Run workflows.	false
`connections_read`	List and view available connections. Connections contain secrets that cannot be revealed.	false
`connections_write`	Create and delete connections.	false
`connections_resolve`	Resolve connections.	false

その他の参考資料

お役に立つドキュメント、リンクや記事:

ロールの作成、更新、削除ドキュメント

Permission API を使用してアクセス許可を管理するドキュメント

*Log Rehydration は Datadog, Inc. の商標です