Datadog 역할 권한 허용

개요

권한은 사용자가 특정 리소스에 대해 갖는 액세스 유형을 정의합니다. 일반적으로 권한은 사용자에게 개체를 읽고, 편집하고, 삭제할 수 있는 권한을 부여합니다. 권한은 세 가지 기본 역할과 커스텀 역할을 포함하여 모든 역할의 액세스 권한의 기초가 됩니다.

기본 역할

기본적으로 기존 사용자는 세 가지 기본 제공 역할 중 하나에 연결됩니다:

Datadog 관리자
Datadog 표준
Datadog 읽기 전용

이러한 역할 중 하나를 가진 모든 사용자는 개별적으로 읽기 제한 리소스를 제외한 모든 데이터 유형을 읽을 수 있습니다. 관리자 및 표준 사용자는 애셋에 대한 쓰기 권한이 있습니다. 관리자 사용자는 사용자 관리, 조직 관리, 청구 및 사용량과 관련된 중요한 애셋에 대해 추가적인 읽기 및 쓰기 권한을 가집니다.

커스텀 역할

커스텀 역할을 만들어 권한을 새 역할에 결합합니다. 커스텀 역할을 사용하면 청구 관리자와 같은 페르소나를 정의한 다음 해당 역할에 적절한 권한을 할당할 수 있습니다. 역할을 생성한 후, Datadog에서 역할 업데이트를 통해 직접 또는 Datadog 권한 API를 통해 이 역할에 권한을 할당하거나 제거합니다.

참고: 사용자에게 새 커스텀 역할을 추가할 때, 새 역할 권한을 적용하려면 해당 사용자와 연결된 기본 제공 Datadog 역할을 제거해야 합니다.

권한 목록

다음 표에는 Datadog에서 사용 가능한 모든 권한의 이름, 설명 및 기본 역할이 나와 있습니다. 각 애셋 유형에는 해당 읽기 및 쓰기 권한이 있습니다.

각 기본 제공 역할은 덜 강력한 역할로부터 모든 권한을 상속받습니다. 따라서 Datadog 표준 역할은 기본 역할로 Datadog 읽기 전용과 함께 표에 나열된 모든 권한을 갖습니다. 또한 Datadog 관리자 역할에는 Datadog 표준 역할과 Datadog 읽기 전용 역할의 모든 권한이 포함됩니다.

API and Application Keys

Find below the list of permissions for the api and application keys assets:

Name	Description	Default Role
`user_app_keys`	View and manage Application Keys owned by the user.	Datadog Standard Role
`org_app_keys_read`	View Application Keys owned by all users in the organization.	Datadog Standard Role
`org_app_keys_write`	Manage Application Keys owned by all users in the organization.	Datadog Admin Role
`api_keys_read`	List and retrieve the key values of all API Keys in your organization.	Datadog Standard Role
`api_keys_write`	Create and rename API Keys for your organization.	Datadog Admin Role
`client_tokens_read`	Read Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog.	Datadog Read Only Role
`client_tokens_write`	Create and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog.	Datadog Standard Role
`api_keys_delete`	Delete API Keys for your organization.	Datadog Admin Role

APM

Find below the list of permissions for the apm assets:

Name	Description	Default Role
`apm_read`	Read and query APM and Trace Analytics.	Datadog Read Only Role
`apm_retention_filter_read`	Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info.	Datadog Read Only Role
`apm_retention_filter_write`	Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete to existing retention filters.	Datadog Admin Role
`apm_service_ingest_read`	Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info.	Datadog Read Only Role
`apm_service_ingest_write`	Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service.	Datadog Admin Role
`apm_apdex_manage_write`	Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page.	Datadog Admin Role
`apm_tag_management_write`	Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page.	Datadog Admin Role
`apm_primary_operation_write`	Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page.	Datadog Standard Role
`debugger_write`	Edit Dynamic Instrumentation configuration. Create or modify Dynamic Instrumentation probes that do not capture function state.	Datadog Admin Role
`debugger_read`	View Dynamic Instrumentation configuration.	Datadog Read Only Role
`apm_generate_metrics`	Create custom metrics from spans.	Datadog Standard Role
`apm_pipelines_write`	Add and change APM pipeline configurations.	Datadog Admin Role
`apm_pipelines_read`	View APM pipeline configurations.	Datadog Read Only Role
`apm_service_catalog_write`	Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog.	Datadog Standard Role
`apm_service_catalog_read`	View service catalog and service definitions.	Datadog Read Only Role
`apm_remote_configuration_write`	Edit APM Remote Configuration.	Datadog Admin Role
`apm_remote_configuration_read`	View APM Remote Configuration.	Datadog Standard Role
`continuous_profiler_read`	View data in Continuous Profiler.	Datadog Read Only Role
`debugger_capture_variables`	Create or modify Dynamic Instrumentation probes that capture function state: local variables, method arguments, fields, and return value or thrown exception.	Datadog Admin Role
`apm_api_catalog_write`	Add, modify, and delete API catalog definitions.	Datadog Standard Role
`apm_api_catalog_read`	View API catalog and API definitions.	Datadog Read Only Role
`continuous_profiler_pgo_read`	Read and query Continuous Profiler data for Profile-Guided Optimization (PGO).	Datadog Read Only Role

Access Management

Find below the list of permissions for the access management assets:

Name	Description	Default Role
`user_access_invite`	Invite other users to your organization.	Datadog Standard Role
`user_access_manage`	Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries.	Datadog Admin Role
`service_account_write`	Create, disable, and use Service Accounts in your organization.	Datadog Admin Role
`org_management`	Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.	Datadog Admin Role
`org_connections_write`	Control which organizations can query your organization's data.	Datadog Admin Role
`org_connections_read`	View which organizations can query data from your organization. Query data from other organizations.	Datadog Read Only Role

App Builder & Workflow Automation

Find below the list of permissions for the app builder & workflow automation assets:

Name	Description	Default Role
`workflows_read`	View workflows.	Datadog Read Only Role
`workflows_write`	Create, edit, and delete workflows.	Datadog Standard Role
`workflows_run`	Run workflows.	Datadog Standard Role
`connections_read`	List and view available connections. Connections contain secrets that cannot be revealed.	Datadog Read Only Role
`connections_write`	Create and delete connections.	Datadog Standard Role
`connections_resolve`	Resolve connections.	Datadog Standard Role
`apps_run`	View and run Apps in App Builder.	Datadog Standard Role
`apps_write`	Create, edit, and delete Apps in App Builder.	Datadog Standard Role
`on_prem_runner_read`	View and search Private Action Runners for Workflow Automation and App Builder.	Datadog Read Only Role
`on_prem_runner_use`	Attach a Private Action Runner to a connection.	Datadog Standard Role
`on_prem_runner_write`	Create and edit Private Action Runners for Workflow Automation and App Builder.	Datadog Admin Role

Billing and Usage

Find below the list of permissions for the billing and usage assets:

Name	Description	Default Role
`billing_read`	View your organization's subscription and payment method but not make edits.	Datadog Admin Role
`billing_edit`	Manage your organization's subscription and payment method.	Datadog Admin Role
`usage_read`	View your organization's usage and usage attribution.	Datadog Admin Role
`usage_edit`	Manage your organization's usage attribution set-up.	Datadog Admin Role
`usage_notifications_read`	Receive notifications and view currently configured notification settings.	Datadog Admin Role
`usage_notifications_write`	Receive notifications and configure notification settings.	Datadog Admin Role

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

Name	Description	Default Role
`incident_read`	View incidents in Datadog.	Datadog Read Only Role
`incident_write`	Create, view, and manage incidents in Datadog.	Datadog Standard Role
`incident_settings_read`	View Incident Settings.	Datadog Standard Role
`incident_settings_write`	Configure Incident Settings.	Datadog Standard Role
`incidents_private_global_access`	Access all private incidents in Datadog, even when not added as a responder.	None
`cases_read`	View Cases.	Datadog Read Only Role
`cases_write`	Create and update cases.	Datadog Standard Role
`incident_notification_settings_read`	View Incidents Notification settings.	Datadog Standard Role
`incident_notification_settings_write`	Configure Incidents Notification settings.	Datadog Standard Role

Cloud Cost Management

Find below the list of permissions for the cloud cost management assets:

Name	Description	Default Role
`cloud_cost_management_read`	View Cloud Cost pages. This does not restrict access to the cloud cost data source in dashboards and notebooks.	Datadog Read Only Role
`cloud_cost_management_write`	Configure cloud cost accounts and global customizations.	Datadog Standard Role

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

Name	Description	Default Role
`security_monitoring_rules_read`	Read Detection Rules.	Datadog Read Only Role
`security_monitoring_rules_write`	Create and edit Detection Rules.	Datadog Standard Role
`security_monitoring_signals_read`	View Security Signals.	Datadog Read Only Role
`security_monitoring_signals_write`	Modify Security Signals.	Datadog Standard Role
`security_monitoring_filters_read`	Read Security Filters.	Datadog Read Only Role
`security_monitoring_filters_write`	Create, edit, and delete Security Filters.	Datadog Admin Role
`appsec_event_rule_read`	View Application Security Management Event Rules.	Datadog Read Only Role
`appsec_event_rule_write`	Edit Application Security Management Event Rules.	Datadog Standard Role
`security_monitoring_notification_profiles_read`	Read Notification Rules.	Datadog Read Only Role
`security_monitoring_notification_profiles_write`	Create, edit, and delete Notification Rules.	Datadog Standard Role
`security_monitoring_cws_agent_rules_read`	Read Cloud Workload Security Agent Rules.	Datadog Read Only Role
`security_monitoring_cws_agent_rules_write`	Create, edit, and delete Cloud Workload Security Agent Rules.	Datadog Standard Role
`appsec_protect_read`	View blocked attackers.	Datadog Read Only Role
`appsec_protect_write`	Manage blocked attackers.	Datadog Standard Role
`appsec_activation_read`	View whether Application Security Management has been enabled or disabled on services via 1-click enablement with Remote Configuration.	Datadog Read Only Role
`appsec_activation_write`	Enable or disable Application Security Management on services via 1-click enablement.	Datadog Standard Role
`security_monitoring_findings_read`	View CSPM Findings.	Datadog Standard Role
`security_monitoring_findings_write`	Mute CSPM Findings.	Datadog Standard Role
`appsec_vm_write`	Update status or assignee of vulnerabilities.	Datadog Standard Role
`security_monitoring_suppressions_read`	Read Rule Suppressions.	Datadog Read Only Role
`security_monitoring_suppressions_write`	Write Rule Suppressions.	Datadog Standard Role
`appsec_vm_read`	View vulnerabilities. This does not restrict access to the vulnerability data source through the API or inventory SQL.	Datadog Read Only Role

Compliance

Find below the list of permissions for the compliance assets:

Name	Description	Default Role
`audit_logs_read`	View Audit Trail in your organization.	Datadog Admin Role
`audit_logs_write`	Configure Audit Trail in your organization.	Datadog Admin Role
`data_scanner_read`	View Sensitive Data Scanner configurations and scanning results.	Datadog Admin Role
`data_scanner_write`	Edit Sensitive Data Scanner configurations.	Datadog Admin Role

Containers

Find below the list of permissions for the containers assets:

Name	Description	Default Role
`containers_generate_image_metrics`	Create or edit trend metrics from container images.	Datadog Standard Role

Cross-Product Features

Find below the list of permissions for the cross-product features assets:

Name	Description	Default Role
`saved_views_write`	Modify Saved Views across all Datadog products.	Datadog Standard Role
`facets_write`	Manage facets for products other than Log Management, such as APM Traces. To modify Log Facets, use Logs Write Facets.	Datadog Standard Role

Dashboards

Find below the list of permissions for the dashboards assets:

Name	Description	Default Role
`dashboards_read`	View dashboards.	Datadog Read Only Role
`dashboards_write`	Create and change dashboards.	Datadog Standard Role
`dashboards_public_share`	Generate public and authenticated links to share dashboards or embeddable graphs externally.	Datadog Standard Role
`generate_dashboard_reports`	Schedule PDF reports from a dashboard.	Datadog Standard Role

Error Tracking

Find below the list of permissions for the error tracking assets:

Name	Description	Default Role
`error_tracking_write`	Edit Error Tracking issues.	Datadog Standard Role
`error_tracking_settings_write`	Disable Error Tracking, edit inclusion filters, and edit rate limit.	Datadog Admin Role
`error_tracking_exclusion_filters_write`	Add or change Error Tracking exclusion filters.	Datadog Admin Role

Events

Find below the list of permissions for the events assets:

Name	Description	Default Role
`event_correlation_config_read`	Read Event Correlation Configuration data such as Correlation Rules and Settings.	Datadog Standard Role
`event_correlation_config_write`	Manage Event Correlation Configuration such as Correlation Rules and Settings.	Datadog Standard Role
`event_config_write`	Manage general event configuration such as API Emails.	Datadog Standard Role

Fleet Automation

Find below the list of permissions for the fleet automation assets:

Name	Description	Default Role
`agent_flare_collection`	Collect an Agent flare with Fleet Automation.	Datadog Standard Role
`agent_upgrade_write`	Upgrade Datadog Agents with Fleet Automation.	Datadog Admin Role
`fleet_policies_write`	Create Fleet Automation Policies.	Datadog Admin Role

Integrations

Find below the list of permissions for the integrations assets:

Name	Description	Default Role
`manage_integrations`	Install, uninstall, and configure integrations.	Datadog Standard Role
`integrations_read`	View integrations and their configurations.	Datadog Standard Role

LLM Observability

Find below the list of permissions for the llm observability assets:

Name	Description	Default Role
`llm_observability_read`	View LLM Observability.	Datadog Read Only Role

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

Name	Description	Default Role
`logs_modify_indexes`	Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes.	Datadog Standard Role
`logs_write_exclusion_filters`	Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope.	Datadog Standard Role
`logs_write_pipelines`	Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines.	Datadog Standard Role
`logs_write_processors`	Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope.	Datadog Standard Role
`logs_write_archives`	Add and edit Log Archives.	Datadog Admin Role
`logs_generate_metrics`	Create custom metrics from logs.	Datadog Standard Role
`logs_read_data`	Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product.	Datadog Read Only Role
`logs_read_archives`	Read Log Archives location and use it for rehydration.	Datadog Read Only Role
`logs_write_historical_view`	Rehydrate logs from Archives.	Datadog Standard Role
`logs_write_facets`	Create or edit Log Facets.	Datadog Standard Role
`logs_delete_data`	Delete data from your Logs, including entire indexes.	Datadog Admin Role
`logs_write_forwarding_rules`	Add and edit forwarding destinations and rules for logs.	Datadog Admin Role
`flex_logs_config_write`	Manage your organization's flex logs configuration.	Datadog Admin Role

Log Management RBAC also includes two legacy permissions, superseded by finer-grained and more extensive logs_read_data permission:

Name	Description	Default Role
`logs_live_tail`	Access the live tail feature	Datadog Read Only Role
`logs_read_index_data`	Read a subset log data (index based)	Datadog Read Only Role

Metrics

Find below the list of permissions for the metrics assets:

Name	Description	Default Role
`metric_tags_write`	Edit and save tag configurations for custom metrics.	Datadog Standard Role
`host_tags_write`	Add and change tags on hosts.	Datadog Standard Role
`metrics_metadata_write`	Edit metadata on metrics.	Datadog Standard Role

Monitors

Find below the list of permissions for the monitors assets:

Name	Description	Default Role
`monitors_read`	View monitors.	Datadog Read Only Role
`monitors_write`	Edit and delete individual monitors.	Datadog Standard Role
`monitors_downtime`	Set downtimes to suppress alerts from any monitor in an organization. Mute and unmute monitors. The ability to write monitors is not required to set downtimes.	Datadog Standard Role
`monitor_config_policy_write`	Create, update, and delete monitor configuration policies.	Datadog Admin Role

Network Device Monitoring

Find below the list of permissions for the network device monitoring assets:

Name	Description	Default Role
`ndm_netflow_port_mappings_write`	Write NDM Netflow port mappings.	Datadog Standard Role

Notebooks

Find below the list of permissions for the notebooks assets:

Name	Description	Default Role
`notebooks_read`	View notebooks.	Datadog Read Only Role
`notebooks_write`	Create and change notebooks.	Datadog Standard Role

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

Name	Description	Default Role
`observability_pipelines_read`	View pipelines in your organization.	Datadog Read Only Role
`observability_pipelines_write`	Edit pipelines in your organization.	Datadog Standard Role
`observability_pipelines_delete`	Delete pipelines from your organization.	Datadog Admin Role
`observability_pipelines_deploy`	Deploy pipelines in your organization.	Datadog Admin Role

Orchestration

Find below the list of permissions for the orchestration assets:

Name	Description	Default Role
`orchestration_custom_resource_definitions_write`	Enable, disable and update custom resource indexing.	Datadog Standard Role
`orchestration_workload_scaling_write`	Enable, disable, and configure workload autoscaling. Apply workload scaling recommendations.	Datadog Admin Role

Processes

Find below the list of permissions for the processes assets:

Name	Description	Default Role
`processes_generate_metrics`	Create custom metrics from processes.	Datadog Standard Role

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

Name	Description	Default Role
`rum_apps_write`	Create, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission.	Datadog Standard Role
`rum_apps_read`	View RUM Applications data.	Datadog Read Only Role
`rum_session_replay_read`	View Session Replays.	Datadog Read Only Role
`rum_generate_metrics`	Create custom metrics from RUM events.	Datadog Standard Role
`rum_delete_data`	Delete data from RUM.	Datadog Admin Role
`rum_playlist_write`	Create, update, and delete RUM playlists. Add and remove sessions from RUM playlists.	Datadog Standard Role
`rum_extend_retention`	Extend the retention of Session Replays.	Datadog Admin Role

Reference Tables

Find below the list of permissions for the reference tables assets:

Name	Description	Default Role
`reference_tables_write`	Create or modify Reference Tables.	Datadog Standard Role
`reference_tables_read`	View Reference Tables.	Datadog Read Only Role

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

Name	Description	Default Role
`slos_read`	View SLOs and status corrections.	Datadog Read Only Role
`slos_write`	Create, edit, and delete SLOs.	Datadog Standard Role
`slos_corrections`	Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs.	Datadog Standard Role

Software Delivery

Find below the list of permissions for the software delivery assets:

Name	Description	Default Role
`ci_visibility_read`	View CI Visibility.	Datadog Read Only Role
`ci_visibility_write`	Edit flaky tests and delete Test Services.	Datadog Standard Role
`ci_provider_settings_write`	Edit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection.	Datadog Admin Role
`ci_visibility_settings_write`	Configure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services.	Datadog Standard Role
`intelligent_test_runner_activation_write`	Enable or disable Intelligent Test Runner.	Datadog Admin Role
`intelligent_test_runner_settings_write`	Edit Intelligent Test Runner settings, such as modifying ITR excluded branch list.	Datadog Standard Role
`ci_ingestion_control_write`	Edit CI Ingestion Control exclusion filters.	Datadog Admin Role
`ci_visibility_pipelines_write`	Create CI Visibility pipeline spans using the API.	Datadog Standard Role
`quality_gate_rules_read`	View Quality Gate Rules.	Datadog Read Only Role
`quality_gate_rules_write`	Edit Quality Gate Rules.	Datadog Admin Role
`static_analysis_settings_write`	Edit Static Analysis settings.	Datadog Admin Role
`cd_visibility_read`	View CD Visibility.	Datadog Read Only Role
`dora_settings_write`	Edit the settings for DORA.	Datadog Standard Role
`code_analysis_read`	View Code Analysis.	Datadog Read Only Role

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

Name	Description	Default Role
`synthetics_private_location_read`	View, search, and use Synthetics private locations.	Datadog Standard Role
`synthetics_private_location_write`	Create and delete private locations in addition to having access to the associated installation guidelines.	Datadog Admin Role
`synthetics_global_variable_read`	View, search, and use Synthetics global variables.	Datadog Standard Role
`synthetics_global_variable_write`	Create, edit, and delete global variables for Synthetics.	Datadog Standard Role
`synthetics_read`	List and view configured Synthetic tests and test results.	Datadog Read Only Role
`synthetics_write`	Create, edit, and delete Synthetic tests.	Datadog Standard Role
`synthetics_default_settings_read`	View the default settings for Synthetic Monitoring.	Datadog Standard Role
`synthetics_default_settings_write`	Edit the default settings for Synthetic Monitoring.	Datadog Standard Role

Teams

Find below the list of permissions for the teams assets:

Name	Description	Default Role
`teams_manage`	Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission.	Datadog Standard Role