--- title: How to set up RBAC for Monitors description: >- Configure Role-Based Access Control (RBAC) for monitors to restrict editing permissions to specific roles and prevent unauthorized changes. breadcrumbs: Docs > Monitors > Monitor Guides > How to set up RBAC for Monitors --- # How to set up RBAC for Monitors ## Overview{% #overview %} Monitors alert your teams to potential issues with your systems. Making sure only authorized users can edit your monitors prevents accidental changes in your monitors' configurations. Safely manage your monitors by restricting edit permissions for each individual monitor to specific roles. ## Set up roles{% #set-up-roles %} For more information about default and custom roles, how to create custom roles, assign permissions to roles, and assign roles to users, see [Role Based Access Control](https://docs.datadoghq.com/account_management/rbac/). ## Restrict access to monitors{% #restrict-access-to-monitors %} {% tab title="UI" %} 1. Navigate to the monitor editing page by creating a new monitor or editing an existing one. 1. At the bottom of the form, specify which roles, in addition to the creator, are allowed to edit the monitor. {% image source="https://datadog-docs.imgix.net/images/monitors/guide/monitor_rbac_restricted.56ceba552f21694f6241dfcb82677f13.jpg?auto=format" alt="RBAC Restricted Monitor" /%} For more information, see [Monitors Permissions](https://docs.datadoghq.com/monitors/configuration/#permissions). {% /tab %} {% tab title="API" %} Use the [List Roles API endpoint](https://docs.datadoghq.com/api/latest/roles/#list-roles) to get the list of roles and their ids. ```bash curl --request GET 'https://api.datadoghq.com/api/v2/roles' \ --header 'DD-API-KEY: ' \ --header 'DD-APPLICATION-KEY: ' ``` ```bash { "meta": { "page": { "total_filtered_count": 4, "total_count": 4 } }, "data": [ { "type": "roles", "id": "89f5dh86-e470-11f8-e26f-4h656a27d9cc", "attributes": { "name": "Corp IT Eng - User Onboarding", "created_at": "2018-11-05T21:19:54.105604+00:00", "modified_at": "2018-11-05T21:19:54.105604+00:00", "user_count": 4 }, "relationships": { "permissions": { "data": [ { "type": "permissions", "id": "984d2rt4-d5b4-13e8-a5yf-a7f560d33029" }, ... ] } } }, ... ] } ``` Use the [Create](https://docs.datadoghq.com/api/latest/monitors/#create-a-monitor) or [Edit a monitor](https://docs.datadoghq.com/api/latest/monitors/#edit-a-monitor) API endpoint and the `restricted_roles` parameter to restrict monitor editing to a specific set of roles and to the monitor's creator. **Note:** You can specify one or multiple role UUIDs. Setting `restricted_roles` to `null` allows monitor editing for all users with [Monitor Write permissions](https://docs.datadoghq.com/account_management/rbac/permissions/#monitors). ```bash curl --location --request POST 'https://api.datadoghq.com/api/v1/monitor' \ --header 'Content-Type: application/json' \ --header 'DD-API-KEY: ' \ --header 'DD-APPLICATION-KEY: ' \ --data-raw '{ "message": "You may need to add web hosts if this is consistently high.", "name": "Bytes received on host0", "options": { "no_data_timeframe": 20, "notify_no_data": true }, "query": "avg(last_5m):sum:system.net.bytes_rcvd{host:host0} \u003e 100", "tags": [ "app:webserver", "frontend" ], "type": "query alert", "restricted_roles": ["89f5dh86-e470-11f8-e26f-4h656a27d9cc"] }' ``` For more information, see [Roles](https://docs.datadoghq.com/api/latest/roles/) and [Monitors API Reference](https://docs.datadoghq.com/api/latest/monitors/) . {% /tab %} ## Restricted roles{% #restricted-roles %} Datadog allows restriction of monitor editing to specific roles through the role restriction option. This gives you the flexibility to define which users are allowed to edit monitors. ### API{% #api %} You can update the definition of monitors that are managed through API or Terraform by using the `restricted_roles` parameter. You can also use the [Restriction Policies](https://docs.datadoghq.com/api/latest/restriction-policies/) endpoint to define the access control rules for a monitor, mapping a set of relations (such as editor and viewer) to a set of allowed principals (such as roles, teams, or users). The restriction policy determines who is authorized to perform what actions on the monitor. For more information, see [Edit a monitor API endpoint](https://docs.datadoghq.com/api/latest/monitors/#edit-a-monitor) and [Restriction Policies API](https://docs.datadoghq.com/api/latest/restriction-policies/). ### UI{% #ui %} All new monitors created from the UI use the `restricted_roles` parameter. All monitors also display the role restriction option regardless of the underlying mechanism: {% image source="https://datadog-docs.imgix.net/images/monitors/guide/monitor_rbac_non_restricted.72dbbf62481a657393f242c0a9653250.jpg?auto=format" alt="RBAC Non Restricted Monitor" /%} ## Further reading{% #further-reading %} - [Learn more about RBAC permissions for Monitors](https://docs.datadoghq.com/account_management/rbac/permissions/#monitors) - [Learn more about creating restricted monitors via API](https://docs.datadoghq.com/api/latest/monitors/#create-a-monitor) - [Learn more about creating restricted monitors via the UI](https://docs.datadoghq.com/monitors/configuration/#permissions)