---
title: Logs RBAC Permissions
description: Datadog, the leading service for cloud-scale monitoring.
---

# Logs RBAC Permissions

## Overview{% #overview %}

Once you've created [RBAC roles for logs](https://docs.datadoghq.com/logs/guide/logs-rbac.md), assign [permissions](https://docs.datadoghq.com/account_management/rbac/permissions.md) to the role or remove them from it.

{% tab title="UI" %}
Assign permissions to a role, or remove them, by [updating the role on the Datadog site](https://app.datadoghq.com/access/roles).
{% /tab %}

{% tab title="API" %}
Assign or remove permissions on a role through the [Datadog Roles API](https://docs.datadoghq.com/api/v2/roles.md).
{% /tab %}

Details on each permission follow.

## Log configuration access{% #log-configuration-access %}

### `logs_generate_metrics`{% #logs_generate_metrics %}

Grants a role the ability to use the [Generate Metrics](https://docs.datadoghq.com/logs/logs_to_metrics.md) feature.

This permission is global: it covers creating new metrics as well as editing or deleting existing ones.

### `logs_write_facets`{% #logs_write_facets %}

Grants a role the ability to [create, edit, and delete facets](https://docs.datadoghq.com/logs/explorer/facets.md#overview).

This permission is global: it covers creating new facets as well as editing or deleting existing ones.

### `logs_modify_indexes`{% #logs_modify_indexes %}

Grants a role the ability to create and modify [log indexes](https://docs.datadoghq.com/logs/indexes.md). This includes:

- Setting [index filters](https://docs.datadoghq.com/logs/indexes.md#indexes-filters) that decide which logs are routed into an index.
- Setting [log retention](https://docs.datadoghq.com/logs/indexes.md#update-log-retention) for an index.
- Granting another role the Logs Read Index Data and Logs Write Exclusion Filters permissions, scoped to a specific index.

This permission is global: it covers creating new indexes as well as editing existing ones. Because of the last item, it is also a delegation right: a role holding `logs_modify_indexes` can extend read access on any index to any other role, so grant it as sparingly as the read permissions it can hand out.

### `logs_write_exclusion_filters`{% #logs_write_exclusion_filters %}

Grants a role the ability to create or modify [exclusion filters](https://docs.datadoghq.com/logs/indexes.md#exclusion-filters) within an index.

This permission can be assigned either globally or restricted to a subset of indexes.

**Subset of indexes**:

{% tab title="UI" %}

1. Remove the global permission on the role.
1. Grant this permission to the role in [the Index page on the Datadog site](https://docs.datadoghq.com/logs/log_configuration/indexes.md) by editing an index and adding a role to the "Grant editing Exclusion Filters of this index to" field.

{% /tab %}

{% tab title="API" %}
This configuration is only supported through the UI.
{% /tab %}

### `logs_write_pipelines`{% #logs_write_pipelines %}

Grants a role the ability to create and modify [log processing pipelines](https://docs.datadoghq.com/logs/log_configuration/pipelines.md). This includes:

- Setting the name of the pipeline
- Setting pipeline filters for which logs enter the processing pipeline
- Reordering pipelines
- Managing [standard attributes](https://docs.datadoghq.com/logs/log_configuration/attributes_naming_convention.md#standard-attributes) or [aliasing facets](https://docs.datadoghq.com/logs/explorer/facets.md#alias-facets)

### `logs_write_archives`{% #logs_write_archives %}

Grants the ability to create, edit, or delete [Log Archives](https://docs.datadoghq.com/logs/archives.md). This includes:

- Setting archive filters for which logs are routed to the archive
- Setting the name of the archive
- Reordering archives
- Restricting the Logs Read Archives permission to a subset of roles

This permission is global and enables creating new archives, and editing and deleting existing ones.

### `logs_read_archives`{% #logs_read_archives %}

Grants the ability to access the details of the archive configuration. In conjunction with Logs Write Historical Views, this permission also grants the ability to trigger a [Rehydration](https://docs.datadoghq.com/logs/archives/rehydrating.md) from Archives.

This permission can be scoped to a subset of archives. An archive with no restrictions is accessible to anyone who belongs to a role with the `logs_read_archives` permission. An archive with restrictions is only accessible to users who belong to one of the registered roles, provided these roles have the `logs_read_archives` permission.

In the following example, assuming all roles but `Guest` have the `logs_read_archives` permission:

- Staging is accessible to all users, except users that **only** belong to the `Guest` role.
- Prod is accessible to all users belonging to `Customer Support`.
- Security-Audit is not accessible to users who belong to `Customer Support`, unless they also belong to `Audit & Security`.

{% image
   source="https://docs.dd-static.net/images/account_management/rbac/logs_archives_list.d451d9e888324244f42fd60519ceabde.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_archives_list.d451d9e888324244f42fd60519ceabde.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Log archives list with role restrictions" /%}

{% tab title="UI" %}
Set the restriction when creating the archive, or update it at any time while editing the archive.

{% image
   source="https://docs.dd-static.net/images/account_management/rbac/logs_archive_restriction.97887efc54a801539b31152361d43825.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_archive_restriction.97887efc54a801539b31152361d43825.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Restrict an archive to specific roles" /%}

{% /tab %}

{% tab title="API" %}
Use the Logs Archive API to [grant](https://docs.datadoghq.com/api/v2/logs-archives.md#grant-role-to-an-archive) a role access to a given archive or to [revoke](https://docs.datadoghq.com/api/v2/logs-archives.md#revoke-role-from-an-archive) it.
{% /tab %}

### `logs_write_historical_views`{% #logs_write_historical_views %}

Grants the ability to write historical views, that is, to trigger a [Log Rehydration*](https://docs.datadoghq.com/logs/archives/rehydrating.md).

This permission is global. It lets users trigger a rehydration for any archive on which they also hold the Logs Read Archives permission.

{% image
   source="https://docs.dd-static.net/images/account_management/rbac/logs_hv_roles_combination.4ff188f8915a9df2e81a1946a7aae7fb.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_hv_roles_combination.4ff188f8915a9df2e81a1946a7aae7fb.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Write Historical View" /%}

In the example above:

- `ADMIN` Role members **can** rehydrate from the `Audit Archive`, as they have the Write Historical View (Rehydrate) permission, as well as the Read Archive permission on that archive.
- `AUDIT` Role members **cannot** rehydrate from the `Audit Archive`, as they do not have the Write Historical View (Rehydrate) permission.
- `PROD` Role members **cannot** rehydrate from the `Audit Archive`, as they do not have the Read Archive permission.
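The two examples above, implemented as a small policy check. This is an added example, not Datadog code: the `Role` and `Archive` types, the permission-name constants and the role and archive data are constructed here to mirror the page's examples, and the page's rule is applied literally (the same role must hold `logs_read_archives` and, for a restricted archive, be registered on it).

```python
"""Archive read and rehydrate checks as this page describes them.

Added example, not Datadog code. Roles and archives are constructed to mirror
the page's two examples (Staging/Prod/Security-Audit and the Audit Archive);
the data model is this example's own.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

LOGS_READ_ARCHIVES = "logs_read_archives"
LOGS_WRITE_HISTORICAL_VIEWS = "logs_write_historical_views"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Archive:
    name: str
    # Empty set means "no restriction": any role holding logs_read_archives may read it.
    allowed_roles: FrozenSet[str] = frozenset()


def can_read_archive(user_roles: List[Role], archive: Archive) -> bool:
    """A single role must both hold logs_read_archives and, if the archive is
    restricted, be one of the roles registered on it. A registered role that
    lacks the permission grants nothing, and neither does an unregistered role
    that holds it."""
    for role in user_roles:
        if LOGS_READ_ARCHIVES not in role.permissions:
            continue
        if not archive.allowed_roles or role.name in archive.allowed_roles:
            return True
    return False


def can_rehydrate(user_roles: List[Role], archive: Archive) -> bool:
    """logs_write_historical_views is global (any of the user's roles will do),
    but it only unlocks rehydration of archives the user can already read."""
    has_hv = any(LOGS_WRITE_HISTORICAL_VIEWS in r.permissions for r in user_roles)
    return has_hv and can_read_archive(user_roles, archive)


# Constructed data for the first example: all roles but Guest hold logs_read_archives.
GUEST = Role("Guest")
CUSTOMER_SUPPORT = Role("Customer Support", frozenset({LOGS_READ_ARCHIVES}))
AUDIT_SECURITY = Role("Audit & Security", frozenset({LOGS_READ_ARCHIVES}))

STAGING = Archive("Staging")                                        # unrestricted
PROD = Archive("Prod", frozenset({"Customer Support"}))
SECURITY_AUDIT = Archive("Security-Audit", frozenset({"Audit & Security"}))

# Constructed data for the rehydration example.
ADMIN = Role("ADMIN", frozenset({LOGS_READ_ARCHIVES, LOGS_WRITE_HISTORICAL_VIEWS}))
AUDIT = Role("AUDIT", frozenset({LOGS_READ_ARCHIVES}))
PROD_ROLE = Role("PROD", frozenset({LOGS_WRITE_HISTORICAL_VIEWS}))
AUDIT_ARCHIVE = Archive("Audit Archive", frozenset({"ADMIN", "AUDIT"}))


if __name__ == "__main__":
    print("Guest only -> Staging:", can_read_archive([GUEST], STAGING))                    # False
    print("Customer Support -> Prod:", can_read_archive([CUSTOMER_SUPPORT], PROD))         # True
    print("Customer Support -> Security-Audit:",
          can_read_archive([CUSTOMER_SUPPORT], SECURITY_AUDIT))                           # False
    print("Customer Support + Audit & Security -> Security-Audit:",
          can_read_archive([CUSTOMER_SUPPORT, AUDIT_SECURITY], SECURITY_AUDIT))           # True
    for role in (ADMIN, AUDIT, PROD_ROLE):
        # ADMIN True, AUDIT False (no historical views), PROD False (no read access)
        print(role.name, "rehydrates Audit Archive:", can_rehydrate([role], AUDIT_ARCHIVE))
```

The per-role check is the point worth keeping in mind when you combine roles: a user who is in a registered role that lacks `logs_read_archives` and, separately, in an unregistered role that holds it is still denied, which is the reading the page's wording supports.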

Assign the `team:audit` tag to all logs rehydrated from the `Audit Archive`, so that `Audit` role members, whose read access is restricted to `team:audit` logs, can see the rehydrated content. For details on adding tags at rehydration, see the [Log Archive Setup section](https://docs.datadoghq.com/logs/archives.md).

For `service:ci-cd` logs rehydrated from the `Prod Archive`, note the following:

- If you **do not** use the legacy Logs Read Index Data permission, these logs are accessible to `CI-CD` role members.
- If you **do** use the legacy Logs Read Index Data permission, these logs are not accessible to `CI-CD` role members, because the resulting historical view is restricted to `PROD` and `ADMIN` role members.

### Removed: `logs_public_config_api`{% #removed-logs_public_config_api %}

Datadog has removed the `logs_public_config_api` permission.

Five separate permissions control the ability to view, create, or modify log configuration through the Datadog API:

- `logs_generate_metrics`
- `logs_modify_indexes`
- `logs_write_archives`
- `logs_write_pipelines`
- [`user_access_manage`](https://docs.datadoghq.com/account_management/rbac/permissions.md#access-management)

## Log data access{% #log-data-access %}

Grant the following permissions to manage read access on subsets of log data:

- Logs Read Data (recommended) offers finer-grained access control by restricting a role's access to the logs matching a restriction query.
- Logs Read Index Data is the legacy approach, restricting access to indexed log data on a per-index basis (this permission is still required to access indexed data).

### `logs_read_data`{% #logs_read_data %}

Grants read access to log data. Once granted, further restrictions still apply, such as `logs_read_index_data` scoping or a [restriction query](https://docs.datadoghq.com/api/v2/logs-restriction-queries.md).

Roles are additive. If a user belongs to multiple roles, the data they have access to is the union of all the permissions from each of the roles.

**Example**:

- If a user belongs to a role with log read data and also belongs to a role without log read data, then they have the permission to read data.
- If a user is restricted to `service:sandbox` through one role, and is restricted to `env:prod` through another role, then the user can access all `env:prod` and `service:sandbox` logs.

{% image
   source="https://docs.dd-static.net/images/account_management/rbac/logs_rq_roles_combination.f91496bb5a840fc20c6271a488e16134.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_rq_roles_combination.f91496bb5a840fc20c6271a488e16134.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Read Data Access" /%}

{% tab title="UI" %}
To restrict users so that they see only the logs matching a restriction query, use the [Data Access page](https://app.datadoghq.com/logs/pipelines/data-access):

1. Create a restriction query.
1. Assign one or multiple roles to that restriction query.
1. Check what roles and users are assigned to which restriction queries.

This view lists:

- **`Restricted Access` section**: all restriction queries, and which role(s) are attached to each,
- **`Unrestricted Access` section**: all roles that have the `logs_read_data` permission with no further restriction,
- **`No Access` section**: all roles that do not have the `logs_read_data` permission.

### Create a restriction query{% #create-a-restriction-query %}

Create a new restriction query defining its query filter. The new query appears in the list of restrictions with no role attached to it.

{% video
   url="https://docs.dd-static.net/images/account_management/rbac/logs_rq-create.mp4" /%}

### Assign a role to a restriction query{% #assign-a-role-to-a-restriction-query %}

Pick the role from whichever section it is currently in and assign it to the intended restriction query.

**Note**: A role can be attached to at most one restriction query. Assigning a role to a restriction query therefore detaches it from the one it was previously attached to.

{% video
   url="https://docs.dd-static.net/images/account_management/rbac/logs_rq-assign_roles.mp4" /%}

Likewise, use the same "Move" interaction to grant `Unrestricted Access` to a Role, or conversely to turn it into a `No Access` role.

### Check restriction queries{% #check-restriction-queries %}

The Data Access page displays a maximum of 50 restriction queries, and 50 roles per section. If you have more roles and restriction queries than the page can display, use the filters to scope this view down:

- with the restriction query filter:

  {% image
     source="https://docs.dd-static.net/images/account_management/rbac/logs_rq-filter.60502e8a1ff55f03851fa107585a4043.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_rq-filter.60502e8a1ff55f03851fa107585a4043.png?auto=format&fit=max&w=850&dpr=2 2x"
     alt="Filter Restriction Queries" /%}

- with the role filter:

  {% image
     source="https://docs.dd-static.net/images/account_management/rbac/logs_rq-view_as_role.01f693558944b1906e07a6e835ceaa9f.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_rq-view_as_role.01f693558944b1906e07a6e835ceaa9f.png?auto=format&fit=max&w=850&dpr=2 2x"
     alt="View as Roles" /%}

- with the user filter, which is a convenient way to see what a specific user belonging to multiple roles actually has access to:

  {% image
     source="https://docs.dd-static.net/images/account_management/rbac/logs_rq-view_as_user.9579179e0fccf33d135e7e4e58ccf4f0.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_rq-view_as_user.9579179e0fccf33d135e7e4e58ccf4f0.png?auto=format&fit=max&w=850&dpr=2 2x"
     alt="View as User" /%}

{% /tab %}

{% tab title="API" %}
Grant or revoke this permission on a role with [the Roles API](https://docs.datadoghq.com/api.md#roles). Use [Restriction Queries](https://docs.datadoghq.com/api.md?lang=bash#roles-restriction-queries-for-logs) to scope the permission to a subset of log data.
{% /tab %}

## Legacy permissions{% #legacy-permissions %}

These permissions are either globally enabled by default for all users, or only available to users who were previously granted access (grandfathered in).

Logs Read Data permission comes on top of these legacy permissions. For instance, say a user is restricted to the query `service:api`.

- If this user has scoped Read Index Data permission on `audit` and `errors` indexes, this user only sees `service:api` logs within these indexes.
- If this user has livetail permission, this user only sees `service:api` logs in the livetail.
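To make the additive rules concrete, here is an added example (not Datadog code) that computes which of a handful of constructed log records a user can see, given the roles they belong to. It covers the `service:sandbox` / `env:prod` union from the Logs Read Data section, the `service:api` plus index-scope case just described, and a "No Access" role. Two things are assumptions of the example rather than statements from the page: the restriction-query language is reduced to whitespace-separated `key:value` terms that must all match, and when roles disagree, the check is done at user level as "matches some role's query, and sits in an index some role may read".

```python
"""Effective log read access for a user who belongs to several roles.

Added example, not Datadog code. It models the rules stated on this page:
roles are additive, a role without logs_read_data contributes nothing, a
restriction query narrows what a role can see, and a legacy per-index scope
narrows it further. The tiny query language and the user-level composition
of scopes across roles are this example's own simplifications.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    read_data: bool = False                       # holds logs_read_data
    restriction: Optional[str] = None             # None: unrestricted access
    index_scope: Optional[FrozenSet[str]] = None  # legacy scope; None: every index


def matches(query: str, log: Dict[str, str]) -> bool:
    """Tiny matcher: every key:value term in the query must equal the log's attribute.
    (Subset of Datadog log search syntax, enough for the page's example queries.)"""
    for term in query.split():
        key, sep, value = term.partition(":")
        if not sep or log.get(key) != value:
            return False
    return True


def effective_roles(user_roles: List[Role]) -> List[Role]:
    """Only roles that hold logs_read_data take part; 'No Access' roles add nothing."""
    return [r for r in user_roles if r.read_data]


def can_read(user_roles: List[Role], log: Dict[str, str]) -> bool:
    active = effective_roles(user_roles)
    # Union of the roles' restriction queries (an unrestricted role matches everything).
    query_ok = any(r.restriction is None or matches(r.restriction, log) for r in active)
    # Union of the roles' index scopes (a role with no scope reads every index).
    index_ok = any(r.index_scope is None or log["index"] in r.index_scope for r in active)
    return query_ok and index_ok


def visible_ids(user_roles: List[Role], logs: List[Dict[str, str]]) -> List[str]:
    """IDs of the logs this user can see, in input order."""
    return [log["id"] for log in logs if can_read(user_roles, log)]


# Constructed sample logs (not real data).
SAMPLE_LOGS = [
    {"id": "l1", "index": "main",   "service": "sandbox", "env": "staging"},
    {"id": "l2", "index": "main",   "service": "api",     "env": "prod"},
    {"id": "l3", "index": "audit",  "service": "api",     "env": "prod"},
    {"id": "l4", "index": "errors", "service": "api",     "env": "staging"},
    {"id": "l5", "index": "errors", "service": "web",     "env": "prod"},
]

# Constructed roles mirroring the page's examples.
SANDBOX = Role("Sandbox", read_data=True, restriction="service:sandbox")
PROD = Role("Prod", read_data=True, restriction="env:prod")
API_AUDITOR = Role("API auditor", read_data=True, restriction="service:api",
                   index_scope=frozenset({"audit", "errors"}))
GUEST = Role("Guest")                    # no logs_read_data: contributes nothing
ADMIN = Role("Admin", read_data=True)    # unrestricted


if __name__ == "__main__":
    for roles in ([SANDBOX, PROD], [API_AUDITOR], [GUEST], [GUEST, SANDBOX], [ADMIN]):
        print([r.name for r in roles], "->", visible_ids(roles, SAMPLE_LOGS))
```

The practical consequence of the union is that adding a user to a more restrictive role never reduces what they can see; least privilege here means removing the broad role, not adding a narrow one beside it.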

{% collapsible-section %}
#### logs_read_index_data

Grants a role read access to log indexes. It can be set either globally or limited to a subset of indexes.

To scope this permission to a subset of indexes, first remove the `logs_read_index_data` and `logs_modify_indexes` permissions on the role. Then:

{% tab title="UI" %}
Grant this role access to the index in [Configuration page](https://app.datadoghq.com/logs/pipelines/indexes).

{% image
   source="https://docs.dd-static.net/images/account_management/rbac/logs_read_index_data.8208e2d496bf57375ea9c21525ba6f5d.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/rbac/logs_read_index_data.8208e2d496bf57375ea9c21525ba6f5d.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Grant read access for indexes to specific roles" /%}

{% /tab %}

{% tab title="API" %}

1. [Get the role ID](https://docs.datadoghq.com/api/v2/roles.md#list-roles) of the role you want to grant access to specific indexes.
1. [Get the permission ID](https://docs.datadoghq.com/api/v2/roles.md#list-permissions) of the `logs_read_index_data` permission for your region (permission IDs differ between Datadog sites).
1. Grant the permission to that role with the following call:

```bash
# Grants the permission at role level. Use the API host of your region
# (for example api.datadoghq.eu). The body must be wrapped in a "data" object.
curl -X POST "https://api.datadoghq.com/api/v2/roles/<ROLE_UUID>/permissions" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: <YOUR_DATADOG_API_KEY>" \
        -H "DD-APPLICATION-KEY: <YOUR_DATADOG_APPLICATION_KEY>" \
        -d '{
                "data": {
                    "id": "<PERMISSION_UUID>",
                    "type": "permissions"
                }
            }'
```

{% /tab %}

{% /collapsible-section %}

{% collapsible-section %}
#### logs_live_tail

Grants a role the ability to use the [Live Tail](https://docs.datadoghq.com/logs/explorer/live_tail.md) feature.

This permission is global, and grants access to Live Tail regardless of the Logs Read Index Data permission.
{% /collapsible-section %}

{% collapsible-section %}
#### logs_write_processors

This permission is only available to users who were previously granted access (grandfathered in).

Grants a role the ability to create, edit, or delete processors and nested pipelines.

This permission can be assigned either globally or restricted to a subset of pipelines.

{% tab title="UI" %}
Assign the role(s) in the `Edit` modal of a specific pipeline.
{% /tab %}

{% tab title="API" %}

1. [Get the role ID](https://docs.datadoghq.com/api/v2/roles.md#list-roles) of the role you want to assign to specific pipelines.
1. [Get the permission ID](https://docs.datadoghq.com/api/v2/roles.md#list-permissions) of the `logs_write_processors` permission for your region (permission IDs differ between Datadog sites).
1. Grant the permission to that role with the following call:

```bash
# Grants the permission at role level. Use the API host of your region
# (for example api.datadoghq.eu). The body must be wrapped in a "data" object.
curl -X POST "https://api.datadoghq.com/api/v2/roles/<ROLE_UUID>/permissions" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: <YOUR_DATADOG_API_KEY>" \
        -H "DD-APPLICATION-KEY: <YOUR_DATADOG_APPLICATION_KEY>" \
        -d '{
                "data": {
                    "id": "<PERMISSION_UUID>",
                    "type": "permissions"
                }
            }'
```
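The three steps above (the same for `logs_read_index_data` and `logs_write_processors`), as an added Python example rather than Datadog's own tooling. It resolves names to IDs from the list-roles and list-permissions responses, wraps the grant body in the `data` object the API expects, and re-reads the role's permissions afterwards to confirm the grant. The response shapes (`data[].id`, `data[].type`, `data[].attributes.name`), the `DD_SITE`, `DD_API_KEY` and `DD_APP_KEY` environment variables and the sample listings at the bottom are this example's assumptions; the sample IDs are constructed, real ones are UUIDs.

```python
"""Helpers for the Roles API procedure on this page: get the role ID, get the
permission ID, grant the permission, then verify.

Added example, not Datadog code. It relies on the v2 Roles API response shape
(data[].id, data[].type, data[].attributes.name) and on the DD_SITE, DD_API_KEY
and DD_APP_KEY environment variables. The sample listings are constructed.
"""
import json
import os
import urllib.request
from typing import Dict, Optional

DD_SITE = os.environ.get("DD_SITE", "datadoghq.com")   # for example datadoghq.eu
API = f"https://api.{DD_SITE}/api/v2"


def find_id_by_name(listing: Dict, name: str, kind: str) -> str:
    """Resolve attributes.name to data[].id for the given type ('roles' or
    'permissions'). Exactly one match is required, so a typo or a duplicate
    role name can never grant the wrong thing."""
    hits = [item["id"] for item in listing.get("data", [])
            if item.get("type") == kind
            and item.get("attributes", {}).get("name") == name]
    if len(hits) != 1:
        raise LookupError(f"{kind} {name!r}: expected 1 match, found {len(hits)}")
    return hits[0]


def has_permission(role_permissions: Dict, name: str) -> bool:
    """True if a GET /roles/{id}/permissions listing contains the named permission."""
    return any(item.get("attributes", {}).get("name") == name
               for item in role_permissions.get("data", []))


def permission_payload(permission_id: str) -> Dict:
    """Body for POST (grant) and DELETE (revoke) on /roles/{id}/permissions."""
    return {"data": {"id": permission_id, "type": "permissions"}}


def _request(method: str, path: str, body: Optional[Dict] = None) -> Dict:
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "DD-API-KEY": os.environ["DD_API_KEY"],
        "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"],
    }
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def grant_permission(role_name: str, permission_name: str) -> bool:
    """Grant permission_name to role_name and report whether the grant is now
    visible on the role. This is a role-level grant; limiting it to particular
    indexes or pipelines is done on the index or pipeline itself (see the UI tab)."""
    roles = _request("GET", "/roles?page%5Bsize%5D=100")      # page[size]=100
    role_id = find_id_by_name(roles, role_name, "roles")
    perm_id = find_id_by_name(_request("GET", "/permissions"), permission_name, "permissions")
    _request("POST", f"/roles/{role_id}/permissions", permission_payload(perm_id))
    return has_permission(_request("GET", f"/roles/{role_id}/permissions"), permission_name)


def revoke_permission(role_name: str, permission_name: str) -> bool:
    """Reverse of grant_permission; returns True once the permission is gone."""
    role_id = find_id_by_name(_request("GET", "/roles?page%5Bsize%5D=100"), role_name, "roles")
    perm_id = find_id_by_name(_request("GET", "/permissions"), permission_name, "permissions")
    _request("DELETE", f"/roles/{role_id}/permissions", permission_payload(perm_id))
    return not has_permission(_request("GET", f"/roles/{role_id}/permissions"), permission_name)


# Constructed sample listings, shaped like the API responses (IDs are placeholders).
SAMPLE_ROLES = {"data": [
    {"type": "roles", "id": "role-0001", "attributes": {"name": "Audit"}},
    {"type": "roles", "id": "role-0002", "attributes": {"name": "Prod"}},
]}
SAMPLE_PERMISSIONS = {"data": [
    {"type": "permissions", "id": "perm-0001", "attributes": {"name": "logs_read_index_data"}},
    {"type": "permissions", "id": "perm-0002", "attributes": {"name": "logs_write_processors"}},
]}


if __name__ == "__main__":
    perm_id = find_id_by_name(SAMPLE_PERMISSIONS, "logs_read_index_data", "permissions")
    print(json.dumps(permission_payload(perm_id)))
    # Live use: grant_permission("Audit", "logs_read_index_data") with DD_API_KEY/DD_APP_KEY set.
```

Run the live functions with an application key whose owner holds `user_access_manage`; the name lookup fails loudly on zero or multiple matches rather than silently granting to the first hit, and the final re-read is what you keep as evidence of the change.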

{% /tab %}

{% /collapsible-section %}

## Further reading{% #further-reading %}

- [How to set up RBAC for Logs](https://docs.datadoghq.com/logs/guide/logs-rbac.md)
- [Learn more about RBAC permissions](https://docs.datadoghq.com/account_management/rbac/permissions.md)

\*Log Rehydration is a trademark of Datadog, Inc.