---
title: How to Set Up RBAC for Logs
description: Datadog, the leading service for cloud-scale monitoring.
---

# How to Set Up RBAC for Logs

## Overview{% #overview %}

In many organizations, logs may contain sensitive information that requires [scrubbing](https://docs.datadoghq.com/agent/logs/advanced_log_collection/?tab=configurationfile#scrub-sensitive-data-from-your-logs) or restricted access to ensure compliance and privacy. Role-Based Access Control (RBAC) enables you to manage user access permissions efficiently, allowing only authorized personnel access to specific logs and features. This guide details how to set up RBAC for logs in Datadog, focusing on creating custom roles and assigning appropriate permissions.

This guide covers the following topics:

1. **Prerequisites for Admins**: Details the necessary prerequisites.
1. **Setting Up Roles for the ACME Team**: Instructions on creating roles and assigning team members.
1. **Limiting Access to Logs**: How to employ restriction queries to control log access.
1. **Configuring Permissions on Log Assets**: Guidelines for setting permissions on pipelines, indexes, and archives.

## Managing multiple teams{% #managing-multiple-teams %}

Consider an organization with multiple teams, such as the ACME team, which handles ACME logs for troubleshooting and auditing. Within the ACME team, there are two primary user categories:

- **ACME Admin:** These users manage ACME log collection, pipelines, and exclusion filters.
- **ACME User:** These users access ACME logs and create monitors or dashboards based on these logs.

You can customize this setup to fit your organizational needs, either by consolidating permissions into a single role or creating multiple roles for more detailed access control. The principles outlined here can be adapted to other teams within your organization.

In Datadog, permissions are additive; users belonging to multiple teams benefit from combined permissions across all assigned roles.

## The role of Datadog Admin{% #the-role-of-datadog-admin %}

As a Datadog Admin, you can configure a secure environment for ACME team members to manage their logs without affecting logs from other teams. This guide explains the steps for setting up roles and permissions to restrict log access to ACME Users specifically. You can also adapt the setup to make ACME Admins serve as Datadog Admins if needed.

## Prerequisites{% #prerequisites %}

### Tagging incoming logs{% #tagging-incoming-logs %}

First, tag incoming ACME logs with a `team:acme` tag, which helps in categorizing logs as they pass through Datadog. For instance, when collecting Docker logs, apply the `team:acme` tag using [Docker labels as tags](https://docs.datadoghq.com/agent/docker/tag/?tab=containerizedagent#extract-labels-as-tags).

For a comprehensive overview of tagging, see [Getting Started with Tags](https://docs.datadoghq.com/getting_started/tagging/).

{% image
   source="https://datadog-docs.imgix.net/images/logs/guide/rbac/team_tag.e4a2b72635f5c08f64e0b0113063aefb.png?auto=format"
   alt="Apply a team tag to your logs" /%}

### Logging in as a Datadog Admin{% #logging-in-as-a-datadog-admin %}

To perform the actions in this guide, you must have Datadog Admin permissions. Ensure your user account can create roles, assign users, and manage Log Pipelines, Log Indexes, and Log Archives. For more information on permissions, see [Datadog Role Permissions](https://docs.datadoghq.com/account_management/rbac/permissions/#log-management).

Navigate to the [Users list](https://app.datadoghq.com/organization-settings/users) to verify that you have all these permissions. If these permissions are missing, request them from a current Datadog Admin.

### Get an API key and an app key{% #get-an-api-key-and-an-app-key %}

If you plan to use the Datadog API, you need an API key and an app key from an Admin user. API keys and app keys can be generated in your [organization settings](https://app.datadoghq.com/organization-settings/api-keys). Ensure the app key is associated with a user who has the necessary permissions. For more information, see [API and app keys](https://docs.datadoghq.com/account_management/api-app-keys/).

In this guide, replace `<DATADOG_API_KEY>` and `<DATADOG_APP_KEY>` with your Datadog API key and application key, respectively. A terminal with `curl` is also required.

### Obtaining permission IDs{% #obtaining-permission-ids %}

**Note**: This section is only required if you intend to use the Datadog API to set up RBAC.

If you plan to use the Datadog API, use the [Permissions API](https://docs.datadoghq.com/api/v2/roles/#list-permissions) to list all existing permissions. You need the permission ID for actions such as granting specific permissions to a role. **Note**: Permission IDs differ between Datadog sites, so retrieve them from the site you are configuring.

```bash
curl -X GET "https://app.datadoghq.com/api/v2/permissions" -H "Content-Type: application/json" -H "DD-API-KEY: <DATADOG_API_KEY>" -H "DD-APPLICATION-KEY: <DATADOG_APP_KEY>"
```

## Setting up roles{% #setting-up-roles %}

This section guides you through creating two roles, `ACME Admin` and `ACME User`, granting them basic log permissions, and assigning users to these roles.

### Creating a role{% #creating-a-role %}

{% tab title="UI" %}

1. Navigate to the [Roles section](https://app.datadoghq.com/access/roles) in the Datadog Organization Settings.
1. Click **New Role** to create the `ACME Admin` and `ACME User` roles.
1. Assign Standard Access and basic permissions, such as Logs Read Index Data and Logs Live Tail.

{% image
   source="https://datadog-docs.imgix.net/images/logs/guide/rbac/add_role.c0094b58c6542f1819e20f2a28881c86.png?auto=format"
   alt="Add a new role" /%}

For more information on creating roles, see [Access Control](https://docs.datadoghq.com/account_management/rbac/?tab=datadogapplication#create-a-custom-role).
{% /tab %}

{% tab title="API" %}

1. Create `ACME Admin` and `ACME User` roles using the [Role Creation API](https://docs.datadoghq.com/api/v2/roles/#create-role). In the following example, `dcf7c550-99cb-11ea-93e6-376cebac897c` is the role ID.
   ```bash
   curl -X POST "https://app.datadoghq.com/api/v2/roles" -H "Content-Type: application/json" -H "DD-API-KEY: <DATADOG_API_KEY>" -H "DD-APPLICATION-KEY: <DATADOG_APP_KEY>" -d '{"data": {"type": "roles","attributes": {"name": "ACME Admin"}}}'
   ```

   ```json
   [...]
   "type": "roles",
   "id": "dcf7c550-99cb-11ea-93e6-376cebac897c",
   "attributes": { "name": "ACME Admin", [...] }
   [...]
   ```
1. Assign the necessary permissions using the [Grant Permissions API](https://docs.datadoghq.com/api/v2/roles/#grant-permission-to-a-role).

{% /tab %}

### Assigning users to roles{% #assigning-users-to-roles %}

{% tab title="UI" %}

1. In the [Users Section](https://app.datadoghq.com/access/users) of Datadog, select a user and assign them either the `ACME Admin` or `ACME User` role.

{% image
   source="https://datadog-docs.imgix.net/images/logs/guide/rbac/assign_user2.74edd082bc6db7fe7b88797936ce1aee.png?auto=format"
   alt="Assigning roles to a user in the edit user screen" /%}

{% /tab %}

{% tab title="API" %}

1. Retrieve user IDs using the [List Users API](https://docs.datadoghq.com/api/v2/users/#list-all-users).
1. Assign users to roles with the [Assign Role API](https://docs.datadoghq.com/api/v2/roles/#add-a-user-to-a-role).

{% /tab %}

## Restrict access to logs{% #restrict-access-to-logs %}

Grant ACME Team members access to `team:acme` logs exclusively by using the [`logs_read_data`](https://docs.datadoghq.com/account_management/rbac/permissions?tab=ui#logs_read_data) permission with Restriction Queries.

For best practices, avoid extending ACME Users' permissions to access additional logs. Also, avoid applying the same `team:acme` restriction query to other roles. Instead, assign users to multiple roles based on their individual access needs.

This section details how to:

1. Create a `team:acme` restriction query.
1. Attach that restriction query to ACME roles.

**Note**: Each role can have only one restriction query attached. Attaching a new restriction query to a role replaces any existing query for that role.

### Defining a restriction query{% #defining-a-restriction-query %}

{% tab title="UI" %}

1. Navigate to the [Data Access page](https://app.datadoghq.com/logs/pipelines/data-access).
1. Create a `team:acme` restriction query and apply it to the ACME roles.

{% image
   source="https://datadog-docs.imgix.net/images/logs/guide/rbac/restriction_queries.318113f0e91382549936f58523f38d61.png?auto=format"
   alt="Restrict access to logs" /%}

{% /tab %}

{% tab title="API" %}

1. Create a restriction query using the [Create Restriction Query API](https://docs.datadoghq.com/api/v2/logs-restriction-queries/#create-a-restriction-query).
1. Keep track of the restriction Query ID.
1. Attach the restriction query to ACME roles with the [Restriction Query API](https://docs.datadoghq.com/api/v2/logs-restriction-queries/#grant-role-to-a-restriction-query).
1. Enable the `logs_read_data` permissions on the role using the [Grant Permissions API](https://docs.datadoghq.com/api/v2/roles/#grant-permission-to-a-role). See the obtaining Permission IDs section to get the corresponding ID for this permission.
1. (Optional) Validate the setup:
   - Get the list of roles attached to the query with the [Get Roles API](https://docs.datadoghq.com/api/v2/logs-restriction-queries/#list-roles-for-a-restriction-query). You should see only `ACME Admin` and `ACME User` in the results.
   - Conversely, get the restriction query attached to either role with the [Get Restriction Query API](https://docs.datadoghq.com/api/v2/logs-restriction-queries/#get-restriction-query-for-a-given-role). You should see the `team:acme` restriction query.

{% /tab %}

## Restrict access to log assets{% #restrict-access-to-log-assets %}

Grant the `ACME Admin` role permissions to manage Log Pipelines, Log Indexes, and Log Archives without impacting other teams.

This ensures that:

- `ACME Admin` members (and only `ACME Admin` members) can interact with ACME Log Assets.
- Neither `ACME Admin` nor `ACME User` members can interfere with assets from other teams.
- Neither `ACME Admin` nor `ACME User` members can interfere with higher level "Admin" configurations, such as which logs flow into their assets, budget limitations, or Log Access Restriction rules.

### Log pipelines{% #log-pipelines %}

Create a [pipeline](https://docs.datadoghq.com/logs/log_configuration/pipelines) for `team:acme` logs. Grant the [`logs_write_processors`](https://docs.datadoghq.com/account_management/rbac/permissions?tab=ui#logs_write_processors) permission to the `ACME Admin` role.

### Log indexes{% #log-indexes %}

Create [indexes](https://docs.datadoghq.com/logs/indexes/) for `team:acme` logs for detailed budget control. Grant the [`logs_write_exclusion_filters`](https://docs.datadoghq.com/account_management/rbac/permissions?tab=ui#logs_write_exclusion_filters) permission to the `ACME Admin` role.

### Log archives{% #log-archives %}

Create one or multiple [archives](https://docs.datadoghq.com/logs/archives/) for `team:acme` logs. Assign the [`logs_read_archives`](https://docs.datadoghq.com/account_management/rbac/permissions?tab=ui#logs_read_archives) permission to `ACME Admin` members. For rehydration, assign the [`logs_write_historical_view`](https://docs.datadoghq.com/account_management/rbac/permissions?tab=ui#logs_write_historical_view) permission to `ACME Admin`.
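The API steps above (resolving site-specific permission IDs, granting each ACME role its permissions, attaching the `team:acme` restriction query, and validating which roles end up attached to it) together with the per-asset permissions in this section can be driven from one script. The following is an added example, not Datadog's own code: the request planning and the validation check are pure functions exercised offline against constructed sample responses (all IDs are placeholders), and only `send()` contacts the API using `DD_API_KEY` and `DD_APP_KEY` from the environment. The v2 endpoint paths and the restriction-query request body are assumed from the public API reference linked in this guide; verify them there before running `setup_acme_live()` against a real organization.

```python
"""Added example, not Datadog's own code: drive the ACME RBAC setup from this
guide through the Datadog v2 API. Request planning and result checking are
pure functions so they can be exercised offline; only send() touches the network."""
import json
import os
import urllib.request

# Base URL of your Datadog site (the guide uses app.datadoghq.com); permission IDs differ per site.
DD_SITE_URL = os.environ.get("DD_SITE_URL", "https://app.datadoghq.com")

# Permissions per role, as assigned in the guide: users only read team:acme logs,
# admins additionally manage the team's pipelines, index filters and archives.
ROLE_PERMISSIONS = {
    "ACME User": ["logs_read_data"],
    "ACME Admin": ["logs_read_data", "logs_write_processors", "logs_write_exclusion_filters",
                   "logs_read_archives", "logs_write_historical_view"],
}

def permission_ids_by_name(permissions_response, names):
    """Resolve permission names to their site-specific IDs from a
    GET /api/v2/permissions response; fail loudly on a misspelled name."""
    by_name = {p["attributes"]["name"]: p["id"] for p in permissions_response["data"]}
    missing = [n for n in names if n not in by_name]
    if missing:
        raise KeyError(f"unknown permissions: {missing}")
    return {n: by_name[n] for n in names}

def plan_requests(role_ids, permission_ids, restriction_query_id):
    """Ordered (method, path, body) calls: grant each role its permissions and attach
    the team:acme restriction query to it. role_ids maps role name -> role ID.
    Paths are assumed from the public API reference linked in the guide."""
    calls = []
    for role_name, role_id in role_ids.items():
        for perm in ROLE_PERMISSIONS[role_name]:
            calls.append(("POST", f"/api/v2/roles/{role_id}/permissions",
                          {"data": {"type": "permissions", "id": permission_ids[perm]}}))
        calls.append(("POST", f"/api/v2/logs/config/restriction_queries/{restriction_query_id}/roles",
                      {"data": {"type": "roles", "id": role_id}}))
    return calls

def check_attached_roles(roles_response, expected=tuple(ROLE_PERMISSIONS)):
    """Validation step from the guide: returns (roles attached to the query that are
    not ACME roles, ACME roles that are missing). Both lists should be empty."""
    attached = {r["attributes"]["name"] for r in roles_response["data"]}
    return sorted(attached - set(expected)), sorted(set(expected) - attached)

def send(method, path, body=None):
    """One API call authenticated with DD_API_KEY / DD_APP_KEY from the environment."""
    req = urllib.request.Request(
        DD_SITE_URL + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "DD-API-KEY": os.environ["DD_API_KEY"],
                 "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def setup_acme_live():
    """Full flow against the real API: resolve IDs, create roles and the restriction
    query, apply the plan, then report any role that should not be attached."""
    needed = sorted({p for perms in ROLE_PERMISSIONS.values() for p in perms})
    perm_ids = permission_ids_by_name(send("GET", "/api/v2/permissions"), needed)
    role_ids = {name: send("POST", "/api/v2/roles",
                           {"data": {"type": "roles", "attributes": {"name": name}}})["data"]["id"]
                for name in ROLE_PERMISSIONS}
    rq_id = send("POST", "/api/v2/logs/config/restriction_queries",
                 {"data": {"type": "logs_restriction_queries",
                           "attributes": {"restriction_query": "team:acme"}}})["data"]["id"]
    for method, path, body in plan_requests(role_ids, perm_ids, rq_id):
        send(method, path, body)
    return check_attached_roles(send("GET", f"/api/v2/logs/config/restriction_queries/{rq_id}/roles"))

# Constructed sample responses in the shape of the v2 API; all IDs are placeholders.
SAMPLE_PERMISSIONS = {"data": [
    {"type": "permissions", "id": "perm-read-placeholder", "attributes": {"name": "logs_read_data"}},
    {"type": "permissions", "id": "perm-proc-placeholder", "attributes": {"name": "logs_write_processors"}},
]}
SAMPLE_ROLES_FOR_QUERY = {"data": [
    {"type": "roles", "id": "role-admin-placeholder", "attributes": {"name": "ACME Admin"}},
    {"type": "roles", "id": "role-ops-placeholder", "attributes": {"name": "Platform Ops"}},
]}

if __name__ == "__main__":
    ids = permission_ids_by_name(SAMPLE_PERMISSIONS, ["logs_read_data"])
    for call in plan_requests({"ACME User": "role-user-placeholder"}, ids, "rq-placeholder"):
        print(call[0], call[1], json.dumps(call[2]))
    extra, missing = check_attached_roles(SAMPLE_ROLES_FOR_QUERY)
    print("unexpected roles:", extra, "| missing roles:", missing)
```

Run stand-alone, the script only prints the planned calls for the constructed sample and the validation result (`Platform Ops` is reported as an unexpected role, `ACME User` as missing). A non-empty "unexpected" list is the condition the guide warns about: the `team:acme` restriction query has been attached to a role outside the ACME team, which widens who can read those logs.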

## Further reading{% #further-reading %}

- [Learn more about RBAC permissions for Logs](https://docs.datadoghq.com/logs/guide/logs-rbac-permissions/)
- [Logs Restriction Queries](https://docs.datadoghq.com/api/latest/logs-restriction-queries/)
- [Datadog Role Permissions](https://docs.datadoghq.com/account_management/rbac/permissions/#log-management)
