Datadog Role Permissions

After you create a role, you can assign permissions to it or remove them directly, either by updating the role in Datadog or by using the Datadog Permission API. The available permissions are listed below.

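Overview

General permissions

General permissions provide the base level of access for the users of each role. Advanced permissions are permissions defined for a specific purpose and granted in addition to the general permissions.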

| Name | Description |
|------|-------------|
| admin | Deprecated. Privileged Access (also known as Admin permission) has been replaced by more specific permissions: Access Management, Org Management, Billing Read/Write, Usage Read/Write. |
| standard | View and edit components in your Datadog organization that do not have explicitly defined permissions. This includes configuring Events, Cloud Cost Management, Reference Tables, metadata for metrics, and facets (except Logs). |
| saved_views_write | Modify Saved Views across all Datadog products. |

Note: There is no read-only permission, because read-only is defined by a role lacking both the admin and standard permissions.

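Advanced permissions

By default, existing users are associated with one of the three out-of-the-box roles:

  • Datadog Admin
  • Datadog Standard
  • Datadog Read-Only

All users can read all data types. Admin and Standard users have write permissions on assets.

Note: When you add a new custom role to a user, make sure to remove the existing Datadog role associated with that user so that the new role's permissions are enforced.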
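The following is an added example, not Datadog code: it audits a user's assigned roles for general access left over from a default role, applies the read-only definition given above, and flags a few sensitive permissions from the tables on this page, including the logs_read_data dependency stated in the Log Management table. The role contents are constructed, and the rule that a user holds the union of all assigned roles' permissions is an assumption of the example.

```python
# Added example. Role contents are constructed samples, not a real org's data.
GENERAL = {"admin", "standard"}  # the two general permissions

# Names and reasons come from the permission tables on this page.
SENSITIVE = {
    "api_keys_read": "retrieves the key values of all API keys",
    "user_access_manage": "manages user roles and SAML-to-role mappings",
    "org_management": "edits authentication and login-method settings",
    "logs_delete_data": "deletes log data, including entire indexes",
    "generate_dashboard_reports": "reports ignore restriction queries",
}

ROLES = {  # hypothetical role definitions
    "Datadog Standard": {"standard", "dashboards_write", "monitors_write"},
    "Datadog Read-Only": {"dashboards_read", "monitors_read"},
    "billing-viewer": {"billing_read", "usage_read"},
    "key-auditor": {"api_keys_read", "audit_logs_read"},
    "log-reader": {"logs_read_data"},
}


def effective_permissions(role_names):
    """Assumption: a user holds the union of all assigned roles' permissions."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]
    return perms


def is_read_only(perms):
    """Read-only means neither general permission is present."""
    return not (perms & GENERAL)


def audit_user(role_names):
    """Return the read-only status and least-privilege findings for a user."""
    perms = effective_permissions(role_names)
    findings = []
    if len(role_names) > 1 and not is_read_only(perms):
        keepers = [r for r in role_names if ROLES[r] & GENERAL]
        findings.append("general access still granted by: " + ", ".join(keepers))
    for name in sorted(perms & set(SENSITIVE)):
        findings.append(f"{name}: {SENSITIVE[name]}")
    if "logs_read_data" in perms and "logs_read_index_data" not in perms:
        findings.append("logs_read_data needs logs_read_index_data to read logs")
    return {"read_only": is_read_only(perms), "findings": findings}
```

Calling `audit_user(["Datadog Standard", "billing-viewer"])` reports that the retained default role still grants general access, which is the situation the note above tells you to avoid.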

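In addition to the general permissions, you can define more granular permissions for specific assets or data types. The tables below describe these options and their effect on each available permission.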

API and Application Keys

Find below the list of permissions for the API and application keys assets:

| Name | Description | Scopable |
|------|-------------|----------|
| user_app_keys | View and manage Application Keys owned by the user. | false |
| org_app_keys_read | View Application Keys owned by all users in the organization. | false |
| org_app_keys_write | Manage Application Keys owned by all users in the organization. | false |
| api_keys_read | List and retrieve the key values of all API Keys in your organization. | false |
| api_keys_write | Create, rename, and revoke API Keys for your organization. | false |
| client_tokens_read | Read Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. | false |
| client_tokens_write | Create and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. | false |

APM

Find below the list of permissions for the APM assets:

| Name | Description | Scopable |
|------|-------------|----------|
| apm_read | Read and query APM and Trace Analytics. | false |
| apm_retention_filter_read | Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. | false |
| apm_retention_filter_write | Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete existing retention filters. | false |
| apm_service_ingest_read | Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info. | false |
| apm_service_ingest_write | Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. | false |
| apm_apdex_manage_write | Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. | false |
| apm_tag_management_write | Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. | false |
| apm_primary_operation_write | Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page. | false |
| debugger_write | Edit Dynamic Instrumentation configuration. | false |
| debugger_read | View Dynamic Instrumentation configuration. | false |
| apm_generate_metrics | Create custom metrics from spans. | false |
| apm_pipelines_write | Add and change APM pipeline configurations. | false |
| apm_pipelines_read | View APM pipeline configurations. | false |
| apm_service_catalog_write | Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog. | false |
| apm_service_catalog_read | View service catalog and service definitions. | false |
| apm_remote_configuration_write | Edit APM Remote Configuration. | false |
| apm_remote_configuration_read | View APM Remote Configuration. | false |
| continuous_profiler_read | View data in Continuous Profiler. | false |

Access Management

Find below the list of permissions for the access management assets:

| Name | Description | Scopable |
|------|-------------|----------|
| user_access_invite | Invite other users to your organization. | false |
| user_access_manage | Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries. | false |
| service_account_write | Create, disable, and use Service Accounts in your organization. | false |
| org_management | Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization. | false |

Billing and Usage

Find below the list of permissions for the billing and usage assets:

| Name | Description | Scopable |
|------|-------------|----------|
| billing_read | View your organization's subscription and payment method but not make edits. | false |
| billing_edit | Manage your organization's subscription and payment method. | false |
| usage_read | View your organization's usage and usage attribution. | false |
| usage_edit | Manage your organization's usage attribution set-up. | false |
| usage_notifications_read | Receive notifications and view currently configured notification settings. | false |
| usage_notifications_write | Receive notifications and configure notification settings. | false |

CI Visibility

Find below the list of permissions for the CI Visibility assets:

| Name | Description | Scopable |
|------|-------------|----------|
| ci_visibility_read | View CI Visibility. | false |
| ci_visibility_write | Create, edit and delete CI Visibility tests and pipelines. | false |
| ci_provider_settings_write | Edit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection. | false |
| ci_visibility_settings_write | Configure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services. | false |
| intelligent_test_runner_activation_write | Enable or disable Intelligent Test Runner. | false |
| intelligent_test_runner_settings_write | Edit Intelligent Test Runner settings, such as modifying the ITR excluded branch list. | false |
| ci_ingestion_control_write | Edit CI Ingestion Control exclusion filters. | false |

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

| Name | Description | Scopable |
|------|-------------|----------|
| incident_read | View incidents in Datadog. | false |
| incident_write | Create, view, and manage incidents in Datadog. | false |
| incident_settings_read | View Incident Settings. | false |
| incident_settings_write | Configure Incident Settings. | false |
| incidents_private_global_access | Access all private incidents in Datadog, even when not added as a responder. | false |
| cases_read | View Cases. | false |
| cases_write | Create and update cases. | false |
| incident_notification_settings_read | View Incidents Notification settings. | false |
| incident_notification_settings_write | Configure Incidents Notification settings. | false |

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

| Name | Description | Scopable |
|------|-------------|----------|
| security_monitoring_rules_read | Read Detection Rules. | false |
| security_monitoring_rules_write | Create and edit Detection Rules. | false |
| security_monitoring_signals_read | View Security Signals. | false |
| security_monitoring_signals_write | Modify Security Signals. | false |
| security_monitoring_filters_read | Read Security Filters. | false |
| security_monitoring_filters_write | Create, edit, and delete Security Filters. | false |
| appsec_event_rule_read | View Application Security Management Event Rules. | false |
| appsec_event_rule_write | Edit Application Security Management Event Rules. | false |
| security_monitoring_notification_profiles_read | Read Notification Rules. | false |
| security_monitoring_notification_profiles_write | Create, edit, and delete Notification Rules. | false |
| security_monitoring_cws_agent_rules_read | Read Cloud Workload Security Agent Rules. | false |
| security_monitoring_cws_agent_rules_write | Create, edit, and delete Cloud Workload Security Agent Rules. | false |
| appsec_protect_read | View blocked attackers. | false |
| appsec_protect_write | Manage blocked attackers. | false |
| appsec_activation_read | View whether Application Security Management is enabled or disabled on services. | false |
| appsec_activation_write | Enable or disable Application Security Management on services. | false |
| security_monitoring_findings_read | View CSPM Findings. | false |

Compliance

Find below the list of permissions for the compliance assets:

| Name | Description | Scopable |
|------|-------------|----------|
| audit_logs_read | View Audit Trail in your organization. | false |
| audit_logs_write | Configure Audit Trail in your organization. | false |
| data_scanner_read | View Data Scanner configurations. | false |
| data_scanner_write | Edit Data Scanner configurations. | false |

Dashboards

Find below the list of permissions for the dashboards assets:

| Name | Description | Scopable |
|------|-------------|----------|
| dashboards_read | View dashboards. | false |
| dashboards_write | Create and change dashboards. | false |
| dashboards_public_share | Generate public and authenticated links to share dashboards or embeddable graphs externally. | false |
| generate_dashboard_reports | Schedule custom reports from a dashboard. These reports will display any viewable data regardless of any granular restrictions (restriction queries, scoped indexes) applied to the report's creator. | false |

Error Tracking

Find below the list of permissions for the error tracking assets:

| Name | Description | Scopable |
|------|-------------|----------|
| error_tracking_write | Edit Error Tracking settings. | false |

Integrations

Find below the list of permissions for the integrations assets:

| Name | Description | Scopable |
|------|-------------|----------|
| integrations_api | Deprecated. Use the Integrations APIs to configure integrations. In order to configure integrations from the UI, a user must also have Standard Access. | false |
| manage_integrations | Install, uninstall, and configure integrations. | false |

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

| Name | Description | Scopable |
|------|-------------|----------|
| logs_modify_indexes | Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes. | false |
| logs_write_exclusion_filters | Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. | true |
| logs_write_pipelines | Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. | false |
| logs_write_processors | Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. | true |
| logs_write_archives | Add and edit Log Archives. | false |
| logs_generate_metrics | Create custom metrics from logs. | false |
| logs_read_data | Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product. | false |
| logs_read_archives | Read Log Archives location and use it for rehydration. | false |
| logs_write_historical_view | Rehydrate logs from Archives. | false |
| logs_write_facets | Create or edit Log Facets. | false |
| logs_delete_data | Delete data from your Logs, including entire indexes. | false |
| logs_write_forwarding_rules | Add and edit forwarding destinations and rules for logs. | false |

Log Management RBAC also includes two legacy permissions, superseded by the finer-grained and more extensive logs_read_data permission:

| Name | Description | Scopable |
|------|-------------|----------|
| logs_live_tail | Access the live tail feature. | false |
| logs_read_index_data | Read a subset of log data (index based). | true |

Metrics

Find below the list of permissions for the metrics assets:

| Name | Description | Scopable |
|------|-------------|----------|
| metric_tags_write | Edit and save tag configurations for custom metrics. | false |

Monitors

Find below the list of permissions for the monitors assets:

| Name | Description | Scopable |
|------|-------------|----------|
| monitors_read | View monitors. | false |
| monitors_write | Edit, mute, and delete individual monitors. | false |
| monitors_downtime | Set downtimes to suppress alerts from any monitor in an organization. The ability to write monitors is not required to set downtimes. | false |
| monitor_config_policy_write | Create, update, and delete monitor configuration policies. | false |

Notebooks

Find below the list of permissions for the notebooks assets:

| Name | Description | Scopable |
|------|-------------|----------|
| notebooks_read | View notebooks. | false |
| notebooks_write | Create and change notebooks. | false |

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

| Name | Description | Scopable |
|------|-------------|----------|
| observability_pipelines_read | View pipeline configurations. | false |
| observability_pipelines_write | Create, edit, and delete pipeline configurations. | false |

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

| Name | Description | Scopable |
|------|-------------|----------|
| rum_apps_write | Create, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission. | false |
| rum_apps_read | View RUM Applications data. | false |
| rum_session_replay_read | View Session Replays. | false |
| rum_generate_metrics | Create custom metrics from RUM events. | false |

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

| Name | Description | Scopable |
|------|-------------|----------|
| slos_read | View SLOs and status corrections. | false |
| slos_write | Create, edit, and delete SLOs. | false |
| slos_corrections | Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs. | false |

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

| Name | Description | Scopable |
|------|-------------|----------|
| synthetics_private_location_read | View, search, and use Synthetics private locations. | false |
| synthetics_private_location_write | Create and delete private locations in addition to having access to the associated installation guidelines. | false |
| synthetics_global_variable_read | View, search, and use Synthetics global variables. | false |
| synthetics_global_variable_write | Create, edit, and delete global variables for Synthetics. | false |
| synthetics_read | List and view configured Synthetic tests and test results. | false |
| synthetics_write | Create, edit, and delete Synthetic tests. | false |
| synthetics_default_settings_read | View the default settings for Synthetic Monitoring. | false |
| synthetics_default_settings_write | Edit the default settings for Synthetic Monitoring. | false |

Teams

Find below the list of permissions for the teams assets:

| Name | Description | Scopable |
|------|-------------|----------|
| teams_manage | Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission. | false |

Watchdog

Find below the list of permissions for the watchdog assets:

| Name | Description | Scopable |
|------|-------------|----------|
| watchdog_insights_read | View Watchdog Insights. | false |

Workflows

Find below the list of permissions for the workflows assets:

| Name | Description | Scopable |
|------|-------------|----------|
| workflows_read | View workflows. | false |
| workflows_write | Create, edit, and delete workflows. | false |
| workflows_run | Run workflows. | false |
| connections_read | List and view available connections. Connections contain secrets that cannot be revealed. | false |
| connections_write | Create and delete connections. | false |
| connections_resolve | Resolve connections. | false |

*Log Rehydration is a trademark of Datadog, Inc.