Datadog ロールのアクセス許可

ロールを作成した後、Datadog でロールを更新するか Datadog Permission API を使用して、このロールへアクセス許可を直接割り当てたり削除したりできます。利用可能なアクセス許可の一覧は次のとおりです。

概要

デフォルトで、既存ユーザーは 3 つのすぐに使用できるロールのうち 1 つに紐付けられています。

  • Datadog 管理者
  • Datadog 標準
  • Datadog 読み取り専用

上記いずれかのロールを持つユーザーは全員、すべてのデータタイプを読み取ることができます。管理者および標準ユーザーは、アセットに対する書き込み権限を有します。管理者ユーザーは、ユーザー管理、組織管理、請求、使用状況に関する機密アセットに対する追加的な読み取り・書き込み権限を持ちます。

: ユーザーに新しいカスタムロールを追加する際、新しいロールの権限を適用するために、そのユーザーに関連付けられている既存の Datadog ロールを必ず削除してください。

各アセットタイプには、対応する読み取り・書き込み権限があります。これらの権限の詳細は、下の表で確認することができます。

API and Application Keys

Find below the list of permissions for the api and application keys assets:

NameDescriptionDefault Role
user_app_keysView and manage Application Keys owned by the user.Datadog Standard Role
org_app_keys_readView Application Keys owned by all users in the organization.Datadog Standard Role
org_app_keys_writeManage Application Keys owned by all users in the organization.Datadog Admin Role
api_keys_readList and retrieve the key values of all API Keys in your organization.Datadog Standard Role
api_keys_writeCreate and rename API Keys for your organization.Datadog Admin Role
client_tokens_readRead Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog.Datadog Read Only Role
client_tokens_writeCreate and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog.Datadog Standard Role
api_keys_deleteDelete API Keys for your organization.Datadog Admin Role

APM

Find below the list of permissions for the apm assets:

NameDescriptionDefault Role
apm_readRead and query APM and Trace Analytics.Datadog Read Only Role
apm_retention_filter_readRead trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info.Datadog Read Only Role
apm_retention_filter_writeCreate, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete to existing retention filters.Datadog Admin Role
apm_service_ingest_readAccess service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info.Datadog Read Only Role
apm_service_ingest_writeEdit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service.Datadog Admin Role
apm_apdex_manage_writeSet Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page.Datadog Admin Role
apm_tag_management_writeEdit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page.Datadog Standard Role
apm_primary_operation_writeEdit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page.Datadog Standard Role
debugger_writeEdit Dynamic Instrumentation configuration. Create or modify Dynamic Instrumentation probes that do not capture function state.Datadog Admin Role
debugger_readView Dynamic Instrumentation configuration.Datadog Read Only Role
apm_generate_metricsCreate custom metrics from spans.Datadog Standard Role
apm_pipelines_writeAdd and change APM pipeline configurations.Datadog Admin Role
apm_pipelines_readView APM pipeline configurations.Datadog Read Only Role
apm_service_catalog_writeAdd, modify, and delete service catalog definitions when those definitions are maintained by Datadog.Datadog Standard Role
apm_service_catalog_readView service catalog and service definitions.Datadog Read Only Role
apm_remote_configuration_writeEdit APM Remote Configuration.Datadog Admin Role
apm_remote_configuration_readView APM Remote Configuration.Datadog Standard Role
continuous_profiler_readView data in Continuous Profiler.Datadog Read Only Role
debugger_capture_variablesCreate or modify Dynamic Instrumentation probes that capture function state: local variables, method arguments, fields, and return value or thrown exception.Datadog Admin Role

Access Management

Find below the list of permissions for the access management assets:

NameDescriptionDefault Role
user_access_inviteInvite other users to your organization.Datadog Standard Role
user_access_manageDisable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries.Datadog Admin Role
service_account_writeCreate, disable, and use Service Accounts in your organization.Datadog Admin Role
org_managementEdit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.Datadog Admin Role

Billing and Usage

Find below the list of permissions for the billing and usage assets:

NameDescriptionDefault Role
billing_readView your organization's subscription and payment method but not make edits.Datadog Admin Role
billing_editManage your organization's subscription and payment method.Datadog Admin Role
usage_readView your organization's usage and usage attribution.Datadog Admin Role
usage_editManage your organization's usage attribution set-up.Datadog Admin Role
usage_notifications_readReceive notifications and view currently configured notification settings.Datadog Admin Role
usage_notifications_writeReceive notifications and configure notification settings.Datadog Admin Role

CI Visibility

Find below the list of permissions for the ci visibility assets:

NameDescriptionDefault Role
ci_visibility_readView CI Visibility.Datadog Read Only Role
ci_visibility_writeEdit flaky tests and delete Test Services.Datadog Standard Role
ci_provider_settings_writeEdit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection.Datadog Admin Role
ci_visibility_settings_writeConfigure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services.Datadog Standard Role
intelligent_test_runner_activation_writeEnable or disable Intelligent Test Runner.Datadog Admin Role
intelligent_test_runner_settings_writeEdit Intelligent Test Runner settings, such as modifying ITR excluded branch list.Datadog Standard Role
ci_ingestion_control_writeEdit CI Ingestion Control exclusion filters.Datadog Admin Role
ci_visibility_pipelines_writeCreate CI Visibility pipeline spans using the API.Datadog Standard Role
quality_gate_rules_readView Quality Gate Rules.Datadog Read Only Role
quality_gate_rules_writeEdit Quality Gate Rules.Datadog Admin Role

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

NameDescriptionDefault Role
incident_readView incidents in Datadog.Datadog Read Only Role
incident_writeCreate, view, and manage incidents in Datadog.Datadog Standard Role
incident_settings_readView Incident Settings.Datadog Standard Role
incident_settings_writeConfigure Incident Settings.Datadog Standard Role
incidents_private_global_accessAccess all private incidents in Datadog, even when not added as a responder.None
cases_readView Cases.Datadog Read Only Role
cases_writeCreate and update cases.Datadog Standard Role
incident_notification_settings_readView Incidents Notification settings.Datadog Standard Role
incident_notification_settings_writeConfigure Incidents Notification settings.Datadog Standard Role

Cloud Cost Management

Find below the list of permissions for the cloud cost management assets:

NameDescriptionDefault Role
cloud_cost_management_readView Cloud Cost pages. This does not restrict access to the cloud cost data source in dashboards and notebooks.Datadog Read Only Role
cloud_cost_management_writeConfigure cloud cost accounts and global customizations.Datadog Standard Role

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

NameDescriptionDefault Role
security_monitoring_rules_readRead Detection Rules.Datadog Read Only Role
security_monitoring_rules_writeCreate and edit Detection Rules.Datadog Standard Role
security_monitoring_signals_readView Security Signals.Datadog Read Only Role
security_monitoring_signals_writeModify Security Signals.Datadog Standard Role
security_monitoring_filters_readRead Security Filters.Datadog Read Only Role
security_monitoring_filters_writeCreate, edit, and delete Security Filters.Datadog Admin Role
appsec_event_rule_readView Application Security Management Event Rules.Datadog Read Only Role
appsec_event_rule_writeEdit Application Security Management Event Rules.Datadog Standard Role
security_monitoring_notification_profiles_readRead Notification Rules.Datadog Read Only Role
security_monitoring_notification_profiles_writeCreate, edit, and delete Notification Rules.Datadog Standard Role
security_monitoring_cws_agent_rules_readRead Cloud Workload Security Agent Rules.Datadog Read Only Role
security_monitoring_cws_agent_rules_writeCreate, edit, and delete Cloud Workload Security Agent Rules.Datadog Standard Role
appsec_protect_readView blocked attackers.Datadog Read Only Role
appsec_protect_writeManage blocked attackers.Datadog Standard Role
appsec_activation_readView whether Application Security Management has been enabled or disabled on services via 1-click enablement with Remote Configuration.Datadog Read Only Role
appsec_activation_writeEnable or disable Application Security Management on services via 1-click enablement.Datadog Standard Role
security_monitoring_findings_readView CSPM Findings.Datadog Standard Role
security_monitoring_findings_writeMute CSPM Findings.Datadog Standard Role
appsec_vm_writeUpdate status or assignee of vulnerabilities.Datadog Standard Role
appsec_vm_readView vulnerabilities. This does not restrict access to the vulnerability data source through the API or inventory SQL.Datadog Read Only Role

Compliance

Find below the list of permissions for the compliance assets:

NameDescriptionDefault Role
audit_logs_readView Audit Trail in your organization.Datadog Admin Role
audit_logs_writeConfigure Audit Trail in your organization.Datadog Admin Role
data_scanner_readView Data Scanner configurations.Datadog Admin Role
data_scanner_writeEdit Data Scanner configurations.Datadog Admin Role

Cross-Product Features

Find below the list of permissions for the cross-product features assets:

NameDescriptionDefault Role
saved_views_writeModify Saved Views across all Datadog products.Datadog Standard Role
facets_writeManage facets for products other than Log Management, such as APM Traces. To modify Log Facets, use Logs Write Facets.Datadog Standard Role

Dashboards

Find below the list of permissions for the dashboards assets:

NameDescriptionDefault Role
dashboards_readView dashboards.Datadog Read Only Role
dashboards_writeCreate and change dashboards.Datadog Standard Role
dashboards_public_shareGenerate public and authenticated links to share dashboards or embeddable graphs externally.Datadog Standard Role
generate_dashboard_reportsSchedule custom reports from a dashboard. These reports will display any viewable data regardless of any granular restrictions (restriction queries, scoped indexes) applied to the report's creator.Datadog Admin Role

Error Tracking

Find below the list of permissions for the error tracking assets:

NameDescriptionDefault Role
error_tracking_writeEdit Error Tracking settings.Datadog Standard Role

Events

Find below the list of permissions for the events assets:

NameDescriptionDefault Role
event_correlation_config_readRead Event Correlation Configuration data such as Correlation Rules and Settings.Datadog Standard Role
event_correlation_config_writeManage Event Correlation Configuration such as Correlation Rules and Settings.Datadog Standard Role
event_config_writeManage general event configuration such as API Emails.Datadog Standard Role

Fleet Automation

Find below the list of permissions for the fleet automation assets:

NameDescriptionDefault Role
agent_flare_collectionCollect an Agent flare with Fleet Automation.Datadog Standard Role

Integrations

Find below the list of permissions for the integrations assets:

NameDescriptionDefault Role
manage_integrationsInstall, uninstall, and configure integrations.Datadog Standard Role

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

NameDescriptionDefault Role
logs_modify_indexesRead and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes.Datadog Standard Role
logs_write_exclusion_filtersAdd and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope.Datadog Standard Role
logs_write_pipelinesAdd and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines.Datadog Standard Role
logs_write_processorsAdd and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope.Datadog Standard Role
logs_write_archivesAdd and edit Log Archives.Datadog Admin Role
logs_generate_metricsCreate custom metrics from logs.Datadog Standard Role
logs_read_dataRead log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product.Datadog Read Only Role
logs_read_archivesRead Log Archives location and use it for rehydration.Datadog Read Only Role
logs_write_historical_viewRehydrate logs from Archives.Datadog Standard Role
logs_write_facetsCreate or edit Log Facets.Datadog Standard Role
logs_delete_dataDelete data from your Logs, including entire indexes.Datadog Admin Role
logs_write_forwarding_rulesAdd and edit forwarding destinations and rules for logs.Datadog Admin Role

Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:

NameDescriptionDefault Role
logs_live_tailAccess the live tail featureDatadog Read Only Role
logs_read_index_dataRead a subset log data (index based)Datadog Read Only Role

Metrics

Find below the list of permissions for the metrics assets:

NameDescriptionDefault Role
metric_tags_writeEdit and save tag configurations for custom metrics.Datadog Standard Role
host_tags_writeAdd and change tags on hosts.Datadog Standard Role
metrics_metadata_writeEdit metadata on metrics.Datadog Standard Role

Monitors

Find below the list of permissions for the monitors assets:

NameDescriptionDefault Role
monitors_readView monitors.Datadog Read Only Role
monitors_writeEdit and delete individual monitors.Datadog Standard Role
monitors_downtimeSet downtimes to suppress alerts from any monitor in an organization. Mute and unmute hosts. The ability to write monitors is not required to set downtimes.Datadog Standard Role
monitor_config_policy_writeCreate, update, and delete monitor configuration policies.Datadog Admin Role

Notebooks

Find below the list of permissions for the notebooks assets:

NameDescriptionDefault Role
notebooks_readView notebooks.Datadog Read Only Role
notebooks_writeCreate and change notebooks.Datadog Standard Role

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

NameDescriptionDefault Role
observability_pipelines_readView pipelines in your organization.Datadog Read Only Role
observability_pipelines_writeEdit pipelines in your organization.Datadog Standard Role
observability_pipelines_deleteDelete pipelines from your organization.Datadog Admin Role
observability_pipelines_deployDeploy pipelines in your organization.Datadog Admin Role

Processes

Find below the list of permissions for the processes assets:

NameDescriptionDefault Role
processes_generate_metricsCreate custom metrics from processes.Datadog Standard Role

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

NameDescriptionDefault Role
rum_apps_writeCreate, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission.Datadog Standard Role
rum_apps_readView RUM Applications data.Datadog Read Only Role
rum_session_replay_readView Session Replays.Datadog Read Only Role
rum_generate_metricsCreate custom metrics from RUM events.Datadog Standard Role
rum_delete_dataDelete data from RUM.Datadog Admin Role
rum_playlist_writeCreate, update, and delete RUM playlists. Add and remove sessions from RUM playlists.Datadog Standard Role

Reference Tables

Find below the list of permissions for the reference tables assets:

NameDescriptionDefault Role
reference_tables_writeCreate or modify Reference Tables.Datadog Standard Role

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

NameDescriptionDefault Role
slos_readView SLOs and status corrections.Datadog Read Only Role
slos_writeCreate, edit, and delete SLOs.Datadog Standard Role
slos_correctionsApply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs.Datadog Standard Role

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

NameDescriptionDefault Role
synthetics_private_location_readView, search, and use Synthetics private locations.Datadog Standard Role
synthetics_private_location_writeCreate and delete private locations in addition to having access to the associated installation guidelines.Datadog Admin Role
synthetics_global_variable_readView, search, and use Synthetics global variables.Datadog Standard Role
synthetics_global_variable_writeCreate, edit, and delete global variables for Synthetics.Datadog Standard Role
synthetics_readList and view configured Synthetic tests and test results.Datadog Read Only Role
synthetics_writeCreate, edit, and delete Synthetic tests.Datadog Standard Role
synthetics_default_settings_readView the default settings for Synthetic Monitoring.Datadog Standard Role
synthetics_default_settings_writeEdit the default settings for Synthetic Monitoring.Datadog Standard Role

Teams

Find below the list of permissions for the teams assets:

NameDescriptionDefault Role
teams_manageManage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission.Datadog Standard Role

Watchdog

Find below the list of permissions for the watchdog assets:

NameDescriptionDefault Role
watchdog_alerts_writeManage Watchdog Alerts.Datadog Standard Role

Workflow Automation

Find below the list of permissions for the workflow automation assets:

NameDescriptionDefault Role
workflows_readView workflows.Datadog Read Only Role
workflows_writeCreate, edit, and delete workflows.Datadog Standard Role
workflows_runRun workflows.Datadog Standard Role
connections_readList and view available connections. Connections contain secrets that cannot be revealed.Datadog Read Only Role
connections_writeCreate and delete connections.Datadog Standard Role
connections_resolveResolve connections.Datadog Standard Role

参考資料

お役に立つドキュメント、リンクや記事:

ロールの作成、更新、削除ドキュメント more more Permission API を使用してアクセス許可を管理するドキュメント more more

*Log Rehydration は Datadog, Inc. の商標です