This permission is global and enables creating new archives, and editing and deleting existing ones.
Grants the ability to access the details of the archive configuration. In conjunction with Logs Write Historical Views, this permission also grants the ability to trigger a Rehydration from Archives.
This permission can be scoped to a subset of archives. An archive with no restrictions is accessible to anyone who belongs to a role with the logs_read_archives permission. An archive with restrictions is only accessible to the users who belong to one of the registered roles, provided theses roles have the logs_read_archives permission.
In the following example, assuming all roles but Guest have the logs_read_archive permission:
Staging is accessible to all users, except users that only belong to the Guest role.
Prod is accessible to all users belonging to Customer Support.
Security-Audit is not accessible to users who belong to Customer Support, unless they also belong to Audit & Security.
Proceed to archive creation, or update at any moment while editing the archive.
Use the Logs Archive API either to assign or revoke a role from a given Archive.
Grants the ability to write historical views, meaning to trigger a Log Rehydration*.
This permission is global. It enables users to trigger a rehydration for archives on which they have Logs Read Archive permission.
In the example above:
ADMIN Role members can rehydrate from the Audit Archive, as they have the Write Historical View (Rehydrate) permission, as well as the Read Archive permission on that archive.
AUDIT Role members cannot rehydrate from the Audit Archive, as they do not have the Write Historical View (Rehydrate) permission.
PROD Role members cannot rehydrate from the Audit Archive, as they do not have the Read Archive permission.
When assigning team:audit tags on all logs rehydrated from the Audit Archive, make sure that Audit role members who are restricted to read team:auditlogs can only access rehydrated content. For more details on how to add tags and rehydration, see the Log Archive Setup section.
For service:ci-cd logs that are rehydrated from the Prod Archive, note the following:
If you do not use the Log Read Index Data legacy permission, these logs are accessible for CI-CD role members.
If you do use the Log Read Index Data legacy permission, these logs are not accessible for CI-CD role members, as the resulting historical view is restricted to PROD and ADMIN role members.
Datadog has removed the logs_public_config_api permission.
Five separate permissions control the ability to view, create, or modify log configuration through the Datadog API:
Assign one or multiple roles to that restriction query.
Check what roles and users are assigned to which restriction queries.
This view lists:
Restricted Access section: all the restriction queries, and what role(s) are attached to them,
Unrestricted Access section: all roles that have log_read_data permission with no further restrictions,
No Access section: all roles that does not have the log_read_data permission.
Create a restriction query
Create a new restriction query defining its query filter. The new query appears in the list of restrictions with no role attached to it.
Assign a role to a restriction query
Pick the role wherever it stands, and assign it to the intended restriction query.
Note: Keep in mind that a role can be assigned no more than one restriction query. Meaning, when you assign a role to a restriction query, it loses connection to the restriction query it was already attached to.
Likewise, use the same “Move” interaction to grant Unrestricted Access to a Role, or conversely to turn it into a No Access role.
Check restriction queries
The Data Access page displays a maximum of 50 restriction queries, and 50 roles per section. If you have more roles and restriction queries than the page can display, use the filters to scope this view down:
with the restriction query filter:
with the role filter:
with the user filter, which is a convenient way to see what a specific user belonging to multiple roles actually has access to: