概要
権限は、ユーザーが特定のリソースに対して持つアクセスの種類を定義します。通常、権限はユーザーにオブジェクトの読み取り、編集、削除の権利を与えます。権限は、管理対象の 3 つのロールとカスタムロールを含むすべてのロールのアクセス権の基盤です。
機密性の高い権限
Datadog の一部の権限は、以下のような注意すべきより高い特権の機能へのアクセスを提供します。
- 組織設定を変更するアクセス
- 潜在的に機密性の高いデータを読むアクセス
- 特権的な操作を実行するアクセス
機密性の高い権限は、ロールと権限のインターフェイスでフラグが立てられ、より厳重な注意が必要であることを示します。ベストプラクティスとして、ロールを構成する管理者はこれらの権限に特別な注意を払い、これらの権限のうちどれが自分のロールやユーザーに割り当てられているかを確認すべきです。
管理対象のロール
デフォルトでは、既存のユーザーは 3 つの管理対象ロールのいずれかに関連付けられています。
- Datadog 管理者
- Datadog 標準
- Datadog 読み取り専用
これらのロールのいずれかを持つユーザーは、個別に読み取りが制限されているリソースを除き、すべてのデータタイプを読み取ることができます。Admin および Standard ユーザーは、アセットに対する書き込み権限を持ちます。Admin ユーザーには、ユーザー管理、組織管理、請求、および使用に関する機密アセットに対する追加の読み取りおよび書き込み権限があります。
管理対象のロールは Datadog によって作成・維持されます。新機能の追加や権限の変更に伴い、その権限は Datadog によって自動的に更新される場合があります。ユーザーは管理対象ロールを直接変更することはできませんが、それらを複製して特定の権限を持つカスタムロールを作成できます。必要に応じて、ユーザーは自分のアカウントから管理対象ロールを削除することができます。
カスタムロール
新しいロールに権限をまとめるには、カスタムロールを作成します。カスタムロールを使用すると、例えば請求管理者などの役割を定義し、そのロールに適切な権限を割り当てることができます。ロールを作成した後、Datadog でロールを更新するか、Datadog Permission API を使用して、このロールに直接権限を割り当てたり、削除したりします。
注: 新しいカスタムロールをユーザーに追加する場合、そのユーザーに関連する管理対象の Datadog ロールを削除して、新しいロールの権限を適用してください。
権限リスト
以下の表は、Datadog で利用可能なすべての権限の名前、説明、およびデフォルトロールの一覧です。各アセットタイプには、対応する読み取り権限と書き込み権限があります。
管理対象の各ロールは、権限の少ないロールからすべての権限を継承します。したがって、Datadog Standard Role は、Datadog Read Only をデフォルトロールとして、表に記載されているすべての権限を持ちます。さらに、Datadog Admin Role には、Datadog Standard と Datadog Read Only の両方の権限が含まれています。
API and Application Keys
Find below the list of permissions for the api and application keys assets:
| Name | Description | Default Role |
|---|
User App Keys
(user_app_keys) | View and manage Application Keys owned by the user. | Datadog Standard Role |
Org App Keys Read
(org_app_keys_read) | View Application Keys owned by all users in the organization. | Datadog Standard Role |
Org App Keys Write
(org_app_keys_write) | Manage Application Keys owned by all users in the organization. | Datadog Admin Role |
API Keys Read
(api_keys_read) | List and retrieve the key values of all API Keys in your organization. | Datadog Standard Role |
API Keys Write
(api_keys_write) | Create and rename API Keys for your organization. | Datadog Admin Role |
Client Tokens Read
(client_tokens_read) | Read Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. | Datadog Read Only Role |
Client Tokens Write
(client_tokens_write) | Create and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. | Datadog Standard Role |
API Keys Delete
(api_keys_delete) | Delete API Keys for your organization. | Datadog Admin Role |
APM
Find below the list of permissions for the apm assets:
| Name | Description | Default Role |
|---|
APM Read
(apm_read) | Read and query APM and Trace Analytics. | Datadog Read Only Role |
APM Retention Filters Read
(apm_retention_filter_read) | Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. | Datadog Read Only Role |
APM Retention Filters Write
(apm_retention_filter_write) | Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete to existing retention filters. | Datadog Admin Role |
APM Service Ingest Read
(apm_service_ingest_read) | Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info. | Datadog Read Only Role |
APM Service Ingest Write
(apm_service_ingest_write) | Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. | Datadog Admin Role |
APM Apdex Manage Write
(apm_apdex_manage_write) | Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. | Datadog Admin Role |
APM Tag Management Write
(apm_tag_management_write) | Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. | Datadog Admin Role |
APM Primary Operation Write
(apm_primary_operation_write) | Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page. | Datadog Standard Role |
Dynamic Instrumentation Write
(debugger_write) | Edit Dynamic Instrumentation configuration. Create or modify Dynamic Instrumentation probes that do not capture function state. | Datadog Admin Role |
Dynamic Instrumentation Read
(debugger_read) | View Dynamic Instrumentation configuration. | Datadog Read Only Role |
APM Generate Metrics
(apm_generate_metrics) | Create custom metrics from spans. | Datadog Standard Role |
APM Pipelines Write
(apm_pipelines_write) | Add and change APM pipeline configurations. | Datadog Admin Role |
APM Pipelines Read
(apm_pipelines_read) | View APM pipeline configurations. | Datadog Read Only Role |
Service Catalog Write
(apm_service_catalog_write) | Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog. | Datadog Standard Role |
Service Catalog Read
(apm_service_catalog_read) | View service catalog and service definitions. | Datadog Read Only Role |
APM Remote Configuration Write
(apm_remote_configuration_write) | Edit APM Remote Configuration. | Datadog Admin Role |
APM Remote Configuration Read
(apm_remote_configuration_read) | View APM Remote Configuration. | Datadog Standard Role |
Continuous Profiler Read
(continuous_profiler_read) | View data in Continuous Profiler. | Datadog Read Only Role |
Dynamic Instrumentation Capture Variables
(debugger_capture_variables) | Create or modify Dynamic Instrumentation probes that capture function state: local variables, method arguments, fields, and return value or thrown exception. | Datadog Admin Role |
API Catalog Write
(apm_api_catalog_write) | Add, modify, and delete API catalog definitions. | Datadog Standard Role |
API Catalog Read
(apm_api_catalog_read) | View API catalog and API definitions. | Datadog Read Only Role |
Read Continuous Profiler Profile-Guided Optimization (PGO) Data
(continuous_profiler_pgo_read) | Read and query Continuous Profiler data for Profile-Guided Optimization (PGO). | Datadog Read Only Role |
Access Management
Find below the list of permissions for the access management assets:
| Name | Description | Default Role |
|---|
User Access Invite
(user_access_invite) | Invite other users to your organization. | Datadog Standard Role |
User Access Manage
(user_access_manage) | Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries. | Datadog Admin Role |
Service Account Write
(service_account_write) | Create, disable, and use Service Accounts in your organization. | Datadog Admin Role |
Org Management
(org_management) | Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization. | Datadog Admin Role |
Org Connections Write
(org_connections_write) | Control which organizations can query your organization's data. | Datadog Admin Role |
Org Connections Read
(org_connections_read) | View which organizations can query data from your organization. Query data from other organizations. | Datadog Read Only Role |
App Builder & Workflow Automation
Find below the list of permissions for the app builder & workflow automation assets:
| Name | Description | Default Role |
|---|
Workflows Read
(workflows_read) | View workflows. | Datadog Read Only Role |
Workflows Write
(workflows_write) | Create, edit, and delete workflows. | Datadog Standard Role |
Workflows Run
(workflows_run) | Run workflows. | Datadog Standard Role |
Connections Read
(connections_read) | List and view available connections. Connections contain secrets that cannot be revealed. | Datadog Read Only Role |
Connections Write
(connections_write) | Create and delete connections. | Datadog Standard Role |
Connections Resolve
(connections_resolve) | Resolve connections. | Datadog Standard Role |
Apps View
(apps_run) | View and run Apps in App Builder. | Datadog Standard Role |
Apps Write
(apps_write) | Create, edit, and delete Apps in App Builder. | Datadog Standard Role |
Private Action Runner Read
(on_prem_runner_read) | View and search Private Action Runners for Workflow Automation and App Builder. | Datadog Read Only Role |
Private Action Runner Contribute
(on_prem_runner_use) | Attach a Private Action Runner to a connection. | Datadog Standard Role |
Private Action Runner Write
(on_prem_runner_write) | Create and edit Private Action Runners for Workflow Automation and App Builder. | Datadog Admin Role |
Actions Datastore Read
(apps_datastore_read) | Allows read access to the data within the Actions Datastore. | Datadog Read Only Role |
Actions Datastore Write
(apps_datastore_write) | Allows modification of data within the Actions Datastore, including adding, editing, and deleting records. | Datadog Standard Role |
Actions Datastore Manage
(apps_datastore_manage) | Allows management of the Actions Datastore, including creating, updating, and deleting the datastore itself. | Datadog Standard Role |
Connection Groups Write
(connection_groups_write) | Create, delete and update connection groups. | Datadog Standard Role |
Connection Groups Read
(connection_groups_read) | Read and use connection groups. | Datadog Read Only Role |
Billing and Usage
Find below the list of permissions for the billing and usage assets:
| Name | Description | Default Role |
|---|
Billing Read
(billing_read) | View your organization's subscription and payment method but not make edits. | Datadog Admin Role |
Billing Edit
(billing_edit) | Manage your organization's subscription and payment method. | Datadog Admin Role |
Usage Read
(usage_read) | View your organization's usage and usage attribution. | Datadog Admin Role |
Usage Edit
(usage_edit) | Manage your organization's usage attribution set-up. | Datadog Admin Role |
Usage Notifications Read
(usage_notifications_read) | Receive notifications and view currently configured notification settings. | Datadog Admin Role |
Usage Notifications Write
(usage_notifications_write) | Receive notifications and configure notification settings. | Datadog Admin Role |
Case and Incident Management
Find below the list of permissions for the case and incident management assets:
| Name | Description | Default Role |
|---|
Incidents Read
(incident_read) | View incidents in Datadog. | Datadog Read Only Role |
Incidents Write
(incident_write) | Create, view, and manage incidents in Datadog. | Datadog Standard Role |
Incident Settings Read
(incident_settings_read) | View Incident Settings. | Datadog Standard Role |
Incident Settings Write
(incident_settings_write) | Configure Incident Settings. | Datadog Standard Role |
Private Incidents Global Access
(incidents_private_global_access) | Access all private incidents in Datadog, even when not added as a responder. | None |
Cases Read
(cases_read) | View Cases. | Datadog Read Only Role |
Cases Write
(cases_write) | Create and update cases. | Datadog Standard Role |
Incident Notification Settings Read
(incident_notification_settings_read) | View Incidents Notification settings. | Datadog Standard Role |
Incident Notification Settings Write
(incident_notification_settings_write) | Configure Incidents Notification settings. | Datadog Standard Role |
Cloud Cost Management
Find below the list of permissions for the cloud cost management assets:
| Name | Description | Default Role |
|---|
Cloud Cost Management Read
(cloud_cost_management_read) | View Cloud Cost pages and the cloud cost data source in dashboards and notebooks. For more details, see the Cloud Cost Management docs. | Datadog Read Only Role |
Cloud Cost Management Write
(cloud_cost_management_write) | Configure cloud cost accounts and global customizations. For more details, see the Cloud Cost Management docs. | Datadog Standard Role |
Find below the list of permissions for the cloud security platform assets:
| Name | Description | Default Role |
|---|
Security Rules Read
(security_monitoring_rules_read) | Read Detection Rules. | Datadog Read Only Role |
Security Rules Write
(security_monitoring_rules_write) | Create and edit Detection Rules. | Datadog Standard Role |
Security Signals Read
(security_monitoring_signals_read) | View Security Signals. | Datadog Read Only Role |
Security Signals Write
(security_monitoring_signals_write) | Modify Security Signals. | Datadog Standard Role |
Security Filters Read
(security_monitoring_filters_read) | Read Security Filters. | Datadog Read Only Role |
Security Filters Write
(security_monitoring_filters_write) | Create, edit, and delete Security Filters. | Datadog Admin Role |
Application Security Management Event Rules Read
(appsec_event_rule_read) | View Application Security Management Event Rules. | Datadog Read Only Role |
Application Security Management Event Rules Write
(appsec_event_rule_write) | Edit Application Security Management Event Rules. | Datadog Standard Role |
Security Notification Rules Read
(security_monitoring_notification_profiles_read) | Read Notification Rules. | Datadog Read Only Role |
Security Notification Rules Write
(security_monitoring_notification_profiles_write) | Create, edit, and delete Notification Rules. | Datadog Standard Role |
Cloud Workload Security Agent Rules Read
(security_monitoring_cws_agent_rules_read) | Read Cloud Workload Security Agent Rules. | Datadog Read Only Role |
Cloud Workload Security Agent Rules Write
(security_monitoring_cws_agent_rules_write) | Create, edit, and delete Cloud Workload Security Agent Rules. | Datadog Standard Role |
Application Security Management Protect Read
(appsec_protect_read) | View blocked attackers. | Datadog Read Only Role |
Application Security Management Protect Write
(appsec_protect_write) | Manage blocked attackers. | Datadog Standard Role |
Application Security Management 1-click Enablement Read
(appsec_activation_read) | View whether Application Security Management has been enabled or disabled on services via 1-click enablement with Remote Configuration. | Datadog Read Only Role |
Application Security Management 1-click Enablement Write
(appsec_activation_write) | Enable or disable Application Security Management on services via 1-click enablement. | Datadog Standard Role |
Security Monitoring Findings Read
(security_monitoring_findings_read) | View a list of findings that include both misconfigurations and identity risks. | Datadog Standard Role |
Security Monitoring Findings Write
(security_monitoring_findings_write) | Mute CSPM Findings. | Datadog Standard Role |
Vulnerability Management Write
(appsec_vm_write) | Update status or assignee of vulnerabilities. | Datadog Standard Role |
Security Suppressions Read
(security_monitoring_suppressions_read) | Read Rule Suppressions. | Datadog Read Only Role |
Security Suppressions Write
(security_monitoring_suppressions_write) | Write Rule Suppressions. | Datadog Standard Role |
Vulnerability Management Read
(appsec_vm_read) | View infrastructure, application code and library vulnerabilities. This does not restrict access to the vulnerability data source through the API or inventory SQL. | Datadog Read Only Role |
Security Pipelines Read
(security_pipelines_read) | View Security Pipelines. | Datadog Read Only Role |
Security Pipelines Write
(security_pipelines_write) | Create, edit, and delete Security Pipelines. | Datadog Admin Role |
Cloud Workload Security Agent Actions
(security_monitoring_cws_agent_rules_actions) | Managing actions on Cloud Workload Security Agent Rules. | Datadog Admin Role |
Security Comments Write
(security_comments_write) | Write comments into vulnerabilities. | Datadog Standard Role |
Security Comments Read
(security_comments_read) | Read comments of vulnerabilities. | Datadog Read Only Role |
CoTerm
Find below the list of permissions for the coterm assets:
| Name | Description | Default Role |
|---|
CoTerm Write
(coterm_write) | Write terminal recordings. | Datadog Standard Role |
CoTerm Read
(coterm_read) | Read terminal recordings. | Datadog Read Only Role |
Compliance
Find below the list of permissions for the compliance assets:
| Name | Description | Default Role |
|---|
Audit Trail Read
(audit_logs_read) | View Audit Trail in your organization. | Datadog Admin Role |
Audit Trail Write
(audit_logs_write) | Configure Audit Trail in your organization. | Datadog Admin Role |
Data Scanner Read
(data_scanner_read) | View Sensitive Data Scanner configurations and scanning results. | Datadog Admin Role |
Data Scanner Write
(data_scanner_write) | Edit Sensitive Data Scanner configurations. | Datadog Admin Role |
Containers
Find below the list of permissions for the containers assets:
| Name | Description | Default Role |
|---|
Containers Write Image Trend Metrics
(containers_generate_image_metrics) | Create or edit trend metrics from container images. | Datadog Standard Role |
Cross-Product Features
Find below the list of permissions for the cross-product features assets:
| Name | Description | Default Role |
|---|
Saved Views Write
(saved_views_write) | Modify Saved Views across all Datadog products. | Datadog Standard Role |
Facets Write
(facets_write) | Manage facets for products other than Log Management, such as APM Traces. To modify Log Facets, use Logs Write Facets. | Datadog Standard Role |
DDSQL Editor
Find below the list of permissions for the ddsql editor assets:
| Name | Description | Default Role |
|---|
DDSQL Editor Read
(ddsql_editor_read) | View and use DDSQL Editor. | Datadog Read Only Role |
Dashboards
Find below the list of permissions for the dashboards assets:
| Name | Description | Default Role |
|---|
Dashboards Read
(dashboards_read) | View dashboards. | Datadog Read Only Role |
Dashboards Write
(dashboards_write) | Create and change dashboards. | Datadog Standard Role |
Shared Dashboards Public Write
(dashboards_public_share) | Create, modify and delete shared dashboards with share type 'Public'. These dashboards can be accessed by anyone on the internet. | Datadog Standard Role |
Dashboards Report Write
(generate_dashboard_reports) | Schedule PDF reports from a dashboard. | Datadog Standard Role |
Shared Dashboards Invite-only Write
(dashboards_invite_share) | Create, modify and delete shared dashboards with share type 'Invite-only'. These dashboards can only be accessed by user-specified email addresses. | Datadog Standard Role |
Shared Dashboards Embed Write
(dashboards_embed_share) | Create, modify and delete shared dashboards with share type 'Embed'. These dashboards can be embedded on user-specified domains. | Datadog Standard Role |
Shared Graphs Write
(embeddable_graphs_share) | Generate public links to share embeddable graphs externally. | Datadog Standard Role |
Disaster Recovery
Find below the list of permissions for the disaster recovery assets:
| Name | Description | Default Role |
|---|
Datadog Disaster Recovery Read
(disaster_recovery_status_read) | View the disaster recovery status. | Datadog Read Only Role |
Datadog Disaster Recovery Write
(disaster_recovery_status_write) | Update the disaster recovery status. | Datadog Admin Role |
Error Tracking
Find below the list of permissions for the error tracking assets:
| Name | Description | Default Role |
|---|
Error Tracking Issue Write
(error_tracking_write) | Edit Error Tracking issues. | Datadog Standard Role |
Error Tracking Settings Write
(error_tracking_settings_write) | Disable Error Tracking, edit inclusion filters, and edit rate limit. | Datadog Admin Role |
Error Tracking Exclusion Filters Write
(error_tracking_exclusion_filters_write) | Add or change Error Tracking exclusion filters. | Datadog Admin Role |
Error Tracking Read
(error_tracking_read) | View Error Tracking data. | Datadog Read Only Role |
Events
Find below the list of permissions for the events assets:
| Name | Description | Default Role |
|---|
Event Correlation Config Read
(event_correlation_config_read) | Read Event Correlation Configuration data such as Correlation Rules and Settings. | Datadog Standard Role |
Event Correlation Config Write
(event_correlation_config_write) | Manage Event Correlation Configuration such as Correlation Rules and Settings. | Datadog Standard Role |
Event Config Write
(event_config_write) | Manage general event configuration such as API Emails. | Datadog Standard Role |
Fleet Automation
Find below the list of permissions for the fleet automation assets:
| Name | Description | Default Role |
|---|
Agent Flare Collection
(agent_flare_collection) | Collect an Agent flare with Fleet Automation. | Datadog Standard Role |
Agent Upgrade
(agent_upgrade_write) | Upgrade Datadog Agents with Fleet Automation. | Datadog Admin Role |
Agent Configuration Management
(fleet_policies_write) | Create and deploy Agent configurations. | Datadog Admin Role |
Infrastructure
Find below the list of permissions for the infrastructure assets:
| Name | Description | Default Role |
|---|
Cloudcraft Read
(cloudcraft_read) | View infrastructure diagrams in the Cloudcraft product. | Datadog Read Only Role |
Integrations
Find below the list of permissions for the integrations assets:
| Name | Description | Default Role |
|---|
AWS Configurations Manage
(aws_configurations_manage) | Add or remove but not edit AWS integration configurations. | Datadog Standard Role |
Azure Configurations Manage
(azure_configurations_manage) | Add or remove but not edit Azure integration configurations. | Datadog Standard Role |
GCP Configurations Manage
(gcp_configurations_manage) | Add or remove but not edit GCP integration configurations. | Datadog Standard Role |
Integrations Manage
(manage_integrations) | Install, uninstall, and configure integrations. | Datadog Standard Role |
Integrations Read
(integrations_read) | View integrations and their configurations. | Datadog Standard Role |
OCI Configurations Manage
(oci_configurations_manage) | Add or remove but not edit Oracle Cloud integration configurations. | Datadog Standard Role |
AWS Configuration Read
(aws_configuration_read) | View but not add, remove, or edit AWS integration configurations. | Datadog Standard Role |
Azure Configuration Read
(azure_configuration_read) | View but not add, remove, or edit Azure integration configurations. | Datadog Standard Role |
GCP Configuration Read
(gcp_configuration_read) | View but not add, remove, or edit GCP integration configurations. | Datadog Standard Role |
OCI Configuration Read
(oci_configuration_read) | View but not add, remove, or edit Oracle Cloud integration configurations. | Datadog Standard Role |
AWS Configuration Edit
(aws_configuration_edit) | Edit but not add or remove AWS integration configurations. | Datadog Standard Role |
Azure Configuration Edit
(azure_configuration_edit) | Edit but not add or remove Azure integration configurations. | Datadog Standard Role |
GCP Configuration Edit
(gcp_configuration_edit) | Edit but not add or remove GCP integration configurations. | Datadog Standard Role |
OCI Configuration Edit
(oci_configuration_edit) | Edit but not add or remove Oracle Cloud integration configurations. | Datadog Standard Role |
LLM Observability
Find below the list of permissions for the llm observability assets:
| Name | Description | Default Role |
|---|
LLM Observability Read
(llm_observability_read) | View LLM Observability. | Datadog Read Only Role |
LLM Observability Write
(llm_observability_write) | Create, Update, and Delete LLM Observability resources including User Defined Evaluations, OOTB Evaluations, and User Defined Topics. | Datadog Admin Role |
Log Management
Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.
| Name | Description | Default Role |
|---|
Logs Modify Indexes
(logs_modify_indexes) | Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes. | Datadog Standard Role |
Logs Write Exclusion Filters
(logs_write_exclusion_filters) | Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. | Datadog Standard Role |
Logs Write Pipelines
(logs_write_pipelines) | Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. | Datadog Standard Role |
Logs Write Processors
(logs_write_processors) | Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. | Datadog Standard Role |
Logs Write Archives
(logs_write_archives) | Add and edit Log Archives. | Datadog Admin Role |
Logs Generate Metrics
(logs_generate_metrics) | Create custom metrics from logs. | Datadog Standard Role |
Logs Read Data
(logs_read_data) | Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product. | Datadog Read Only Role |
Logs Read Archives
(logs_read_archives) | Read Log Archives location and use it for rehydration. | Datadog Read Only Role |
Logs Write Historical Views
(logs_write_historical_view) | Rehydrate logs from Archives. | Datadog Standard Role |
Logs Write Facets
(logs_write_facets) | Create or edit Log Facets. | Datadog Standard Role |
Logs Delete Data
(logs_delete_data) | Delete data from your Logs, including entire indexes. | Datadog Admin Role |
Logs Write Forwarding Rules
(logs_write_forwarding_rules) | Add and edit forwarding destinations and rules for logs. | Datadog Admin Role |
Flex Logs Configuration Write
(flex_logs_config_write) | Manage your organization's flex logs configuration. | Datadog Admin Role |
Read Logs Workspaces
(logs_read_workspaces) | View Logs Workspaces. | Datadog Read Only Role |
Write Logs Workspaces
(logs_write_workspaces) | Create, update, and delete Logs Workspaces. | Datadog Standard Role |
Logs Configuration Read
(logs_read_config) | Read logs configuration. | Datadog Read Only Role |
Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:
| Name | Description | Default Role |
|---|
Logs Live Tail
(logs_live_tail) | Access the live tail feature | Datadog Read Only Role |
Logs Read Index Data
(logs_read_index_data) | Read a subset log data (index based) | Datadog Read Only Role |
Metrics
Find below the list of permissions for the metrics assets:
| Name | Description | Default Role |
|---|
Metric Tags Write
(metric_tags_write) | Edit and save tag configurations for custom metrics. | Datadog Standard Role |
Host Tags Write
(host_tags_write) | Add and change tags on hosts. | Datadog Standard Role |
Metrics Metadata Write
(metrics_metadata_write) | Edit metadata on metrics. | Datadog Standard Role |
Monitors
Find below the list of permissions for the monitors assets:
| Name | Description | Default Role |
|---|
Monitors Read
(monitors_read) | View monitors. | Datadog Read Only Role |
Monitors Write
(monitors_write) | Edit and delete individual monitors. | Datadog Standard Role |
Manage Downtimes
(monitors_downtime) | Set downtimes to suppress alerts from any monitor in an organization. Mute and unmute monitors. The ability to write monitors is not required to set downtimes. | Datadog Standard Role |
Monitor Configuration Policy Write
(monitor_config_policy_write) | Create, update, and delete monitor configuration policies. | Datadog Admin Role |
Network Device Monitoring
Find below the list of permissions for the network device monitoring assets:
| Name | Description | Default Role |
|---|
NDM Netflow Port Mappings Write
(ndm_netflow_port_mappings_write) | Write NDM Netflow port mappings. | Datadog Standard Role |
NDM Device Profiles View
(ndm_device_profiles_view) | View NDM device profiles. | Datadog Standard Role |
NDM Device Profiles Edit
(ndm_device_profiles_edit) | Edit NDM device profiles. | Datadog Admin Role |
NDM Read (Preview)
(ndm_devices_read) | Read NDM data. Preview, Will begin enforcement on June 2, 2025. | Datadog Read Only Role |
NDM Device Tags Write (Preview)
(ndm_device_tags_write) | Write NDM device tags. Preview, Will begin enforcement on June 2, 2025. | Datadog Standard Role |
Notebooks
Find below the list of permissions for the notebooks assets:
| Name | Description | Default Role |
|---|
Notebooks Read
(notebooks_read) | View notebooks. | Datadog Read Only Role |
Notebooks Write
(notebooks_write) | Create and change notebooks. | Datadog Standard Role |
Observability Pipelines
Find below the list of permissions for the observability pipelines assets:
| Name | Description | Default Role |
|---|
Observability Pipelines Read
(observability_pipelines_read) | View pipelines in your organization. | Datadog Read Only Role |
Observability Pipelines Write
(observability_pipelines_write) | Edit pipelines in your organization. | Datadog Standard Role |
Observability Pipelines Delete
(observability_pipelines_delete) | Delete pipelines from your organization. | Datadog Admin Role |
Observability Pipelines Deploy
(observability_pipelines_deploy) | Deploy pipelines in your organization. | Datadog Admin Role |
Observability Pipelines Live Capture Read
(observability_pipelines_capture_read) | View captured events of pipelines in your organization. | Datadog Read Only Role |
Observability Pipelines Live Capture Write
(observability_pipelines_capture_write) | Capture live events of pipelines in your organization. | Datadog Standard Role |
On-Call
Find below the list of permissions for the on-call assets:
| Name | Description | Default Role |
|---|
On-Call Read
(on_call_read) | View On-Call teams, schedules, escalation policies and overrides. | Datadog Read Only Role |
On-Call Write
(on_call_write) | Create, update, and delete On-Call teams, schedules and escalation policies. | Datadog Standard Role |
On-Call Page
(on_call_page) | Page On-Call teams and users. | Datadog Standard Role |
On-Call Responder
(on_call_respond) | Acknowledge, resolve pages and edit overrides. Allow users to configure their On-Call profile. | Datadog Standard Role |
Orchestration
Find below the list of permissions for the orchestration assets:
| Name | Description | Default Role |
|---|
Custom Resource Definition Write
(orchestration_custom_resource_definitions_write) | Enable, disable and update custom resource indexing. | Datadog Standard Role |
Workload Scaling Write
(orchestration_workload_scaling_write) | Enable, disable, and configure workload autoscaling. Apply workload scaling recommendations. | Datadog Admin Role |
Workload Scaling Read (Preview)
(orchestration_workload_scaling_read) | View workload autoscaling objects and recommendations. Preview, Will begin enforcement on May 26, 2025. | Datadog Read Only Role |
Processes
Find below the list of permissions for the processes assets:
| Name | Description | Default Role |
|---|
Processes Generate Metrics
(processes_generate_metrics) | Create custom metrics from processes. | Datadog Standard Role |
Process Tags Read
(process_tags_read) | View Process Tag Rules. | Datadog Read Only Role |
Process Tags Write
(process_tags_write) | Create, edit and delete Process Tag Rules. | Datadog Standard Role |
Product Analytics
Find below the list of permissions for the product analytics assets:
| Name | Description | Default Role |
|---|
Profiles Read
(audience_management_read) | View Audience Management data. | Datadog Read Only Role |
Profiles Write
(audience_management_write) | Modify Audience Management data. | Datadog Standard Role |
Real User Monitoring
Find below the list of permissions for the real user monitoring assets:
| Name | Description | Default Role |
|---|
RUM Apps Write
(rum_apps_write) | Create, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission. | Datadog Standard Role |
RUM Apps Read
(rum_apps_read) | View RUM Applications data. | Datadog Read Only Role |
RUM Session Replay Read
(rum_session_replay_read) | View Session Replays. | Datadog Read Only Role |
RUM Generate Metrics
(rum_generate_metrics) | Create custom metrics from RUM events. | Datadog Standard Role |
RUM Delete Data
(rum_delete_data) | Delete data from RUM. | Datadog Admin Role |
RUM Playlist Write
(rum_playlist_write) | Create, update, and delete RUM playlists. Add and remove sessions from RUM playlists. | Datadog Standard Role |
RUM Session Replay Extend Retention
(rum_extend_retention) | Extend the retention of Session Replays. | Datadog Admin Role |
RUM Retention Filters Read
(rum_retention_filters_read) | View RUM Retention filters data. | Datadog Read Only Role |
RUM Retention Filters Write
(rum_retention_filters_write) | Write RUM Retention filters. | Datadog Standard Role |
RUM Settings Write
(rum_settings_write) | Write RUM Settings. | Datadog Admin Role |
Reference Tables
Find below the list of permissions for the reference tables assets:
| Name | Description | Default Role |
|---|
Reference Tables Write
(reference_tables_write) | Create or modify Reference Tables. | Datadog Standard Role |
Reference Tables Read
(reference_tables_read) | View Reference Tables. | Datadog Read Only Role |
Service Level Objectives
Find below the list of permissions for the service level objectives assets:
| Name | Description | Default Role |
|---|
SLOs Read
(slos_read) | View SLOs and status corrections. | Datadog Read Only Role |
SLOs Write
(slos_write) | Create, edit, and delete SLOs. | Datadog Standard Role |
SLOs Status Corrections
(slos_corrections) | Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs. | Datadog Standard Role |
Sheets
Find below the list of permissions for the sheets assets:
| Name | Description | Default Role |
|---|
Sheets Read (Preview)
(sheets_read) | View Sheets. Preview, Will begin enforcement on May 21, 2025. | Datadog Read Only Role |
Sheets Write (Preview)
(sheets_write) | Create and change Sheets. Preview, Will begin enforcement on May 21, 2025. | Datadog Standard Role |
Software Delivery
Find below the list of permissions for the software delivery assets:
| Name | Description | Default Role |
|---|
CI Visibility Read
(ci_visibility_read) | View CI Visibility. | Datadog Read Only Role |
CI Visibility Tests Write
(ci_visibility_write) | Edit flaky tests and delete Test Services. | Datadog Standard Role |
CI Provider Settings Write
(ci_provider_settings_write) | Edit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection. | Datadog Admin Role |
CI Visibility Settings Write
(ci_visibility_settings_write) | Configure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services. | Datadog Standard Role |
CI Visibility Ingestion Control Write
(ci_ingestion_control_write) | Edit CI Ingestion Control exclusion filters. | Datadog Admin Role |
CI Visibility Pipelines Write
(ci_visibility_pipelines_write) | Create CI Visibility pipeline spans using the API. | Datadog Standard Role |
Quality Gate Rules Read
(quality_gate_rules_read) | View Quality Gate Rules. | Datadog Read Only Role |
Quality Gate Rules Write
(quality_gate_rules_write) | Edit Quality Gate Rules. | Datadog Admin Role |
Static Analysis Settings Write
(static_analysis_settings_write) | Edit Static Analysis settings. | Datadog Admin Role |
CD Visibility Read
(cd_visibility_read) | View CD Visibility. | Datadog Read Only Role |
DORA Settings Write
(dora_settings_write) | Edit the settings for DORA. | Datadog Standard Role |
Code Analysis Read
(code_analysis_read) | View Code Analysis. | Datadog Read Only Role |
Quality Gates Evaluations
(quality_gates_evaluations_read) | Allow quality gates evaluations. | Datadog Read Only Role |
Test Optimization Read
(test_optimization_read) | View Test Optimization. | Datadog Read Only Role |
Test Optimization Write
(test_optimization_write) | Manage flaky tests for Test Optimization. | Datadog Standard Role |
Test Optimization Settings Write
(test_optimization_settings_write) | Create, delete and update Test Optimization settings. | Datadog Standard Role |
Synthetic Monitoring
Find below the list of permissions for the synthetic monitoring assets:
| Name | Description | Default Role |
|---|
Synthetics Private Locations Read
(synthetics_private_location_read) | View, search, and use Synthetics private locations. | Datadog Standard Role |
Synthetics Private Locations Write
(synthetics_private_location_write) | Create and delete private locations in addition to having access to the associated installation guidelines. | Datadog Admin Role |
Synthetics Global Variable Read
(synthetics_global_variable_read) | View, search, and use Synthetics global variables. | Datadog Standard Role |
Synthetics Global Variable Write
(synthetics_global_variable_write) | Create, edit, and delete global variables for Synthetics. | Datadog Standard Role |
Synthetics Read
(synthetics_read) | List and view configured Synthetic tests and test results. | Datadog Read Only Role |
Synthetics Write
(synthetics_write) | Create, edit, and delete Synthetic tests. | Datadog Standard Role |
Synthetics Default Settings Read
(synthetics_default_settings_read) | View the default settings for Synthetic Monitoring. | Datadog Standard Role |
Synthetics Default Settings Write
(synthetics_default_settings_write) | Edit the default settings for Synthetic Monitoring. | Datadog Standard Role |
Teams
Find below the list of permissions for the teams assets:
| Name | Description | Default Role |
|---|
Teams Manage
(teams_manage) | Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission. | Datadog Standard Role |
Watchdog
Find below the list of permissions for the watchdog assets:
| Name | Description | Default Role |
|---|
Watchdog Alerts Write
(watchdog_alerts_write) | Manage Watchdog Alerts. | Datadog Standard Role |
参考資料
*Log Rehydration は Datadog, Inc. の商標です
