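Datadog Role Permissions

Overview

Permissions define the type of access a user has to a given resource. Typically, permissions give a user the right to read, edit, or delete an object. Permissions underlie the access rights of all roles, including the three out-of-the-box roles and custom roles.

Out-of-the-box roles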

By default, existing users are associated with one of the three managed roles:

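  • Datadog Admin
  • Datadog Standard
  • Datadog Read Only

Users with one of these roles can read all data types, except for resources that are individually read-restricted. Admin and Standard users have write permissions on assets. Admin users have additional read and write permissions for sensitive assets relating to user management, organization management, billing, and usage.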

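Custom roles

Create a custom role to combine permissions into a new role. A custom role lets you define a persona, for example a billing administrator, and assign the appropriate permissions to that role. After creating a role, assign or remove permissions on it directly by updating the role in Datadog or by using the Datadog Permission API.

Note: When adding a new custom role to a user, remove the out-of-the-box Datadog role associated with that user so that the permissions of the new role are enforced.

Permissions list

The following tables list the name, description, and default role for all permissions available in Datadog. Each asset type has corresponding read and write permissions.

Each out-of-the-box role inherits all of the permissions from the less privileged roles. Therefore, the Datadog Standard role has all the permissions listed in the tables with Datadog Read Only as the default role. In addition, the Datadog Admin role contains the permissions of both Datadog Standard and Datadog Read Only.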
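The inheritance rule and the note about removing the out-of-the-box role can be checked together. The following is an added example, not Datadog code: the permission rows are a subset copied from the tables on this page, the "Billing Admin" role and the function names are hypothetical, and it assumes a user's effective permissions are the union of all roles they hold.

```python
# Added example (not Datadog code). Assumption: a user's effective
# permissions are the union of every role assigned to them.
TIERS = ["Datadog Read Only Role", "Datadog Standard Role", "Datadog Admin Role"]

# permission name -> default role, a subset of the tables on this page.
DEFAULT_ROLE = {
    "dashboards_read": "Datadog Read Only Role",
    "monitors_read": "Datadog Read Only Role",
    "dashboards_write": "Datadog Standard Role",
    "api_keys_read": "Datadog Standard Role",
    "user_access_invite": "Datadog Standard Role",
    "billing_read": "Datadog Admin Role",
    "billing_edit": "Datadog Admin Role",
    "usage_read": "Datadog Admin Role",
    "user_access_manage": "Datadog Admin Role",
    "audit_logs_read": "Datadog Admin Role",
    # Default role "None" in the table: held by no managed role.
    "incidents_private_global_access": None,
}


def managed_role_permissions(role):
    """Permissions of a managed role: its own plus those of every lower tier."""
    rank = TIERS.index(role)
    return {
        perm
        for perm, default in DEFAULT_ROLE.items()
        if default is not None and TIERS.index(default) <= rank
    }


def effective_permissions(managed_roles, custom_roles):
    """Union of everything granted by the user's managed and custom roles."""
    perms = set()
    for role in managed_roles:
        perms |= managed_role_permissions(role)
    for granted in custom_roles.values():
        unknown = set(granted) - set(DEFAULT_ROLE)
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")
        perms |= set(granted)
    return perms


def excess_over(intended, managed_roles, custom_roles):
    """Permissions the user holds beyond what the custom role was meant to grant."""
    held = effective_permissions(managed_roles, custom_roles)
    return sorted(held - set(intended))


# Hypothetical custom role for the billing administrator persona.
BILLING_ADMIN = {"billing_read", "billing_edit", "usage_read", "dashboards_read"}

if __name__ == "__main__":
    custom = {"Billing Admin": BILLING_ADMIN}
    # First with the Standard role left in place, then with it removed.
    for kept in (["Datadog Standard Role"], []):
        extra = excess_over(BILLING_ADMIN, kept, custom)
        print(f"managed roles kept: {kept or 'none'} -> excess: {extra}")
```

With the Standard role left on the user, the review reports the Standard and Read Only permissions that the custom role was never meant to grant; with it removed, the excess list is empty.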

API and Application Keys

Find below the list of permissions for the API and application keys assets:

| Name | Description | Default Role |
| --- | --- | --- |
| user_app_keys | View and manage Application Keys owned by the user. | Datadog Standard Role |
| org_app_keys_read | View Application Keys owned by all users in the organization. | Datadog Standard Role |
| org_app_keys_write | Manage Application Keys owned by all users in the organization. | Datadog Admin Role |
| api_keys_read | List and retrieve the key values of all API Keys in your organization. | Datadog Standard Role |
| api_keys_write | Create and rename API Keys for your organization. | Datadog Admin Role |
| client_tokens_read | Read Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. | Datadog Read Only Role |
| client_tokens_write | Create and edit Client Tokens. Unlike API keys, client tokens may be exposed client-side in JavaScript code for web browsers and other clients to send data to Datadog. | Datadog Standard Role |
| api_keys_delete | Delete API Keys for your organization. | Datadog Admin Role |

APM

Find below the list of permissions for the APM assets:

| Name | Description | Default Role |
| --- | --- | --- |
| apm_read | Read and query APM and Trace Analytics. | Datadog Read Only Role |
| apm_retention_filter_read | Read trace retention filters. A user with this permission can view the retention filters page, list of filters, their statistics, and creation info. | Datadog Read Only Role |
| apm_retention_filter_write | Create, edit, and delete trace retention filters. A user with this permission can create new retention filters, and update or delete existing retention filters. | Datadog Admin Role |
| apm_service_ingest_read | Access service ingestion pages. A user with this permission can view the service ingestion page, list of root services, their statistics, and creation info. | Datadog Read Only Role |
| apm_service_ingest_write | Edit service ingestion pages' root services. A user with this permission can edit the root service ingestion and generate a code snippet to increase ingestion per service. | Datadog Admin Role |
| apm_apdex_manage_write | Set Apdex T value on any service. A user with this permission can set the T value from the Apdex graph on the service page. | Datadog Admin Role |
| apm_tag_management_write | Edit second primary tag selection. A user with this permission can modify the second primary tag dropdown in the APM settings page. | Datadog Admin Role |
| apm_primary_operation_write | Edit the operation name value selection. A user with this permission can modify the operation name list in the APM settings page and the operation name controller on the service page. | Datadog Standard Role |
| debugger_write | Edit Dynamic Instrumentation configuration. Create or modify Dynamic Instrumentation probes that do not capture function state. | Datadog Admin Role |
| debugger_read | View Dynamic Instrumentation configuration. | Datadog Read Only Role |
| apm_generate_metrics | Create custom metrics from spans. | Datadog Standard Role |
| apm_pipelines_write | Add and change APM pipeline configurations. | Datadog Admin Role |
| apm_pipelines_read | View APM pipeline configurations. | Datadog Read Only Role |
| apm_service_catalog_write | Add, modify, and delete service catalog definitions when those definitions are maintained by Datadog. | Datadog Standard Role |
| apm_service_catalog_read | View service catalog and service definitions. | Datadog Read Only Role |
| apm_remote_configuration_write | Edit APM Remote Configuration. | Datadog Admin Role |
| apm_remote_configuration_read | View APM Remote Configuration. | Datadog Standard Role |
| continuous_profiler_read | View data in Continuous Profiler. | Datadog Read Only Role |
| debugger_capture_variables | Create or modify Dynamic Instrumentation probes that capture function state: local variables, method arguments, fields, and return value or thrown exception. | Datadog Admin Role |
| apm_api_catalog_write | Add, modify, and delete API catalog definitions. | Datadog Standard Role |
| apm_api_catalog_read | View API catalog and API definitions. | Datadog Read Only Role |
| continuous_profiler_pgo_read | Read and query Continuous Profiler data for Profile-Guided Optimization (PGO). | Datadog Read Only Role |

Access Management

Find below the list of permissions for the access management assets:

| Name | Description | Default Role |
| --- | --- | --- |
| user_access_invite | Invite other users to your organization. | Datadog Standard Role |
| user_access_manage | Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries. | Datadog Admin Role |
| service_account_write | Create, disable, and use Service Accounts in your organization. | Datadog Admin Role |
| org_management | Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization. | Datadog Admin Role |
| org_connections_write | Control which organizations can query your organization's data. | Datadog Admin Role |
| org_connections_read | View which organizations can query data from your organization. Query data from other organizations. | Datadog Read Only Role |

App Builder & Workflow Automation

Find below the list of permissions for the app builder & workflow automation assets:

| Name | Description | Default Role |
| --- | --- | --- |
| workflows_read | View workflows. | Datadog Read Only Role |
| workflows_write | Create, edit, and delete workflows. | Datadog Standard Role |
| workflows_run | Run workflows. | Datadog Standard Role |
| connections_read | List and view available connections. Connections contain secrets that cannot be revealed. | Datadog Read Only Role |
| connections_write | Create and delete connections. | Datadog Standard Role |
| connections_resolve | Resolve connections. | Datadog Standard Role |
| apps_run | View and run Apps in App Builder. | Datadog Standard Role |
| apps_write | Create, edit, and delete Apps in App Builder. | Datadog Standard Role |
| on_prem_runner_read | View and search Private Action Runners for Workflow Automation and App Builder. | Datadog Read Only Role |
| on_prem_runner_use | Attach a Private Action Runner to a connection. | Datadog Standard Role |
| on_prem_runner_write | Create and edit Private Action Runners for Workflow Automation and App Builder. | Datadog Admin Role |
| apps_datastore_read | Allows read access to the data within the Apps Datastore. | Datadog Read Only Role |
| apps_datastore_write | Allows modification of data within the Apps Datastore, including adding, editing, and deleting records. | Datadog Standard Role |
| apps_datastore_manage | Allows management of the Apps Datastore, including creating, updating, and deleting the datastore itself. | Datadog Standard Role |
| connection_groups_write | Create, delete and update connection groups. | Datadog Standard Role |
| connection_groups_read | Read and use connection groups. | Datadog Read Only Role |

Billing and Usage

Find below the list of permissions for the billing and usage assets:

| Name | Description | Default Role |
| --- | --- | --- |
| billing_read | View your organization's subscription and payment method but not make edits. | Datadog Admin Role |
| billing_edit | Manage your organization's subscription and payment method. | Datadog Admin Role |
| usage_read | View your organization's usage and usage attribution. | Datadog Admin Role |
| usage_edit | Manage your organization's usage attribution set-up. | Datadog Admin Role |
| usage_notifications_read | Receive notifications and view currently configured notification settings. | Datadog Admin Role |
| usage_notifications_write | Receive notifications and configure notification settings. | Datadog Admin Role |

Case and Incident Management

Find below the list of permissions for the case and incident management assets:

| Name | Description | Default Role |
| --- | --- | --- |
| incident_read | View incidents in Datadog. | Datadog Read Only Role |
| incident_write | Create, view, and manage incidents in Datadog. | Datadog Standard Role |
| incident_settings_read | View Incident Settings. | Datadog Standard Role |
| incident_settings_write | Configure Incident Settings. | Datadog Standard Role |
| incidents_private_global_access | Access all private incidents in Datadog, even when not added as a responder. | None |
| cases_read | View Cases. | Datadog Read Only Role |
| cases_write | Create and update cases. | Datadog Standard Role |
| incident_notification_settings_read | View Incidents Notification settings. | Datadog Standard Role |
| incident_notification_settings_write | Configure Incidents Notification settings. | Datadog Standard Role |

Cloud Cost Management

Find below the list of permissions for the cloud cost management assets:

| Name | Description | Default Role |
| --- | --- | --- |
| cloud_cost_management_read | View Cloud Cost pages. This does not restrict access to the cloud cost data source in dashboards and notebooks. | Datadog Read Only Role |
| cloud_cost_management_write | Configure cloud cost accounts and global customizations. | Datadog Standard Role |

Cloud Security Platform

Find below the list of permissions for the cloud security platform assets:

| Name | Description | Default Role |
| --- | --- | --- |
| security_monitoring_rules_read | Read Detection Rules. | Datadog Read Only Role |
| security_monitoring_rules_write | Create and edit Detection Rules. | Datadog Standard Role |
| security_monitoring_signals_read | View Security Signals. | Datadog Read Only Role |
| security_monitoring_signals_write | Modify Security Signals. | Datadog Standard Role |
| security_monitoring_filters_read | Read Security Filters. | Datadog Read Only Role |
| security_monitoring_filters_write | Create, edit, and delete Security Filters. | Datadog Admin Role |
| appsec_event_rule_read | View Application Security Management Event Rules. | Datadog Read Only Role |
| appsec_event_rule_write | Edit Application Security Management Event Rules. | Datadog Standard Role |
| security_monitoring_notification_profiles_read | Read Notification Rules. | Datadog Read Only Role |
| security_monitoring_notification_profiles_write | Create, edit, and delete Notification Rules. | Datadog Standard Role |
| security_monitoring_cws_agent_rules_read | Read Cloud Workload Security Agent Rules. | Datadog Read Only Role |
| security_monitoring_cws_agent_rules_write | Create, edit, and delete Cloud Workload Security Agent Rules. | Datadog Standard Role |
| appsec_protect_read | View blocked attackers. | Datadog Read Only Role |
| appsec_protect_write | Manage blocked attackers. | Datadog Standard Role |
| appsec_activation_read | View whether Application Security Management has been enabled or disabled on services via 1-click enablement with Remote Configuration. | Datadog Read Only Role |
| appsec_activation_write | Enable or disable Application Security Management on services via 1-click enablement. | Datadog Standard Role |
| security_monitoring_findings_read | View CSPM Findings. | Datadog Standard Role |
| security_monitoring_findings_write | Mute CSPM Findings. | Datadog Standard Role |
| appsec_vm_write | Update status or assignee of vulnerabilities. | Datadog Standard Role |
| security_monitoring_suppressions_read | Read Rule Suppressions. | Datadog Read Only Role |
| security_monitoring_suppressions_write | Write Rule Suppressions. | Datadog Standard Role |
| appsec_vm_read | View vulnerabilities. This does not restrict access to the vulnerability data source through the API or inventory SQL. | Datadog Read Only Role |
| security_pipelines_read | View Security Pipelines. | Datadog Read Only Role |
| security_pipelines_write | Create, edit, and delete Security Pipelines. | Datadog Standard Role |
| security_monitoring_cws_agent_rules_actions | Managing actions on Cloud Workload Security Agent Rules. | Datadog Admin Role |

Compliance

Find below the list of permissions for the compliance assets:

| Name | Description | Default Role |
| --- | --- | --- |
| audit_logs_read | View Audit Trail in your organization. | Datadog Admin Role |
| audit_logs_write | Configure Audit Trail in your organization. | Datadog Admin Role |
| data_scanner_read | View Sensitive Data Scanner configurations and scanning results. | Datadog Admin Role |
| data_scanner_write | Edit Sensitive Data Scanner configurations. | Datadog Admin Role |

Containers

Find below the list of permissions for the containers assets:

| Name | Description | Default Role |
| --- | --- | --- |
| containers_generate_image_metrics | Create or edit trend metrics from container images. | Datadog Standard Role |

Cross-Product Features

Find below the list of permissions for the cross-product features assets:

| Name | Description | Default Role |
| --- | --- | --- |
| saved_views_write | Modify Saved Views across all Datadog products. | Datadog Standard Role |
| facets_write | Manage facets for products other than Log Management, such as APM Traces. To modify Log Facets, use Logs Write Facets. | Datadog Standard Role |

Dashboards

Find below the list of permissions for the dashboards assets:

| Name | Description | Default Role |
| --- | --- | --- |
| dashboards_read | View dashboards. | Datadog Read Only Role |
| dashboards_write | Create and change dashboards. | Datadog Standard Role |
| dashboards_public_share | Generate public and authenticated links to share dashboards or embeddable graphs externally. | Datadog Standard Role |
| generate_dashboard_reports | Schedule PDF reports from a dashboard. | Datadog Standard Role |

Error Tracking

Find below the list of permissions for the error tracking assets:

| Name | Description | Default Role |
| --- | --- | --- |
| error_tracking_write | Edit Error Tracking issues. | Datadog Standard Role |
| error_tracking_settings_write | Disable Error Tracking, edit inclusion filters, and edit rate limit. | Datadog Admin Role |
| error_tracking_exclusion_filters_write | Add or change Error Tracking exclusion filters. | Datadog Admin Role |

Events

Find below the list of permissions for the events assets:

| Name | Description | Default Role |
| --- | --- | --- |
| event_correlation_config_read | Read Event Correlation Configuration data such as Correlation Rules and Settings. | Datadog Standard Role |
| event_correlation_config_write | Manage Event Correlation Configuration such as Correlation Rules and Settings. | Datadog Standard Role |
| event_config_write | Manage general event configuration such as API Emails. | Datadog Standard Role |

Fleet Automation

Find below the list of permissions for the fleet automation assets:

| Name | Description | Default Role |
| --- | --- | --- |
| agent_flare_collection | Collect an Agent flare with Fleet Automation. | Datadog Standard Role |
| agent_upgrade_write | Upgrade Datadog Agents with Fleet Automation. | Datadog Admin Role |
| fleet_policies_write | Create Fleet Automation Policies. | Datadog Admin Role |

Integrations

Find below the list of permissions for the integrations assets:

| Name | Description | Default Role |
| --- | --- | --- |
| aws_configurations_manage | Add or remove but not edit AWS integration configurations. | Datadog Standard Role |
| azure_configurations_manage | Add or remove but not edit Azure integration configurations. | Datadog Standard Role |
| gcp_configurations_manage | Add or remove but not edit GCP integration configurations. | Datadog Standard Role |
| manage_integrations | Install, uninstall, and configure integrations. | Datadog Standard Role |
| integrations_read | View integrations and their configurations. | Datadog Standard Role |
| oci_configurations_manage | Add or remove but not edit Oracle Cloud integration configurations. | Datadog Standard Role |
| aws_configuration_read | View but not add, remove, or edit AWS integration configurations. | Datadog Standard Role |
| azure_configuration_read | View but not add, remove, or edit Azure integration configurations. | Datadog Standard Role |
| gcp_configuration_read | View but not add, remove, or edit GCP integration configurations. | Datadog Standard Role |
| oci_configuration_read | View but not add, remove, or edit Oracle Cloud integration configurations. | Datadog Standard Role |
| aws_configuration_edit | Edit but not add or remove AWS integration configurations. | Datadog Standard Role |
| azure_configuration_edit | Edit but not add or remove Azure integration configurations. | Datadog Standard Role |
| gcp_configuration_edit | Edit but not add or remove GCP integration configurations. | Datadog Standard Role |
| oci_configuration_edit | Edit but not add or remove Oracle Cloud integration configurations. | Datadog Standard Role |

LLM Observability

Find below the list of permissions for the LLM Observability assets:

| Name | Description | Default Role |
| --- | --- | --- |
| llm_observability_read | View LLM Observability. | Datadog Read Only Role |
| llm_observability_write | Create, Update, and Delete LLM Observability resources including User Defined Evaluations, OOTB Evaluations, and User Defined Topics. | Datadog Admin Role |

Log Management

Find below the list of permissions for the log configuration assets and log data, along with the typical category of user you’d assign this permission to. See the recommendations on how to assign permissions to team members in the Logs RBAC guide.

| Name | Description | Default Role |
| --- | --- | --- |
| logs_modify_indexes | Read and modify all indexes in your account. This includes the ability to grant the Logs Read Index Data and Logs Write Exclusion Filters permission to other roles, for some or all indexes. | Datadog Standard Role |
| logs_write_exclusion_filters | Add and change exclusion filters for all or some log indexes. Can be granted in a limited capacity per index to specific roles via the Logs interface or API. If granted from the Roles interface or API, the permission has global scope. | Datadog Standard Role |
| logs_write_pipelines | Add and change log pipeline configurations, including the ability to grant the Logs Write Processors permission to other roles, for some or all pipelines. | Datadog Standard Role |
| logs_write_processors | Add and change some or all log processor configurations. Can be granted in a limited capacity per pipeline to specific roles via the Logs interface or API. If granted via the Roles interface or API the permission has global scope. | Datadog Standard Role |
| logs_write_archives | Add and edit Log Archives. | Datadog Admin Role |
| logs_generate_metrics | Create custom metrics from logs. | Datadog Standard Role |
| logs_read_data | Read log data. In order to read log data, a user must have both this permission and Logs Read Index Data. This permission can be restricted with restriction queries. Restrictions are limited to the Log Management product. | Datadog Read Only Role |
| logs_read_archives | Read Log Archives location and use it for rehydration. | Datadog Read Only Role |
| logs_write_historical_view | Rehydrate logs from Archives. | Datadog Standard Role |
| logs_write_facets | Create or edit Log Facets. | Datadog Standard Role |
| logs_delete_data | Delete data from your Logs, including entire indexes. | Datadog Admin Role |
| logs_write_forwarding_rules | Add and edit forwarding destinations and rules for logs. | Datadog Admin Role |
| flex_logs_config_write | Manage your organization's flex logs configuration. | Datadog Admin Role |

Log Management RBAC also includes two legacy permissions, superseded by the finer-grained and more extensive logs_read_data permission:

| Name | Description | Default Role |
| --- | --- | --- |
| logs_live_tail | Access the live tail feature | Datadog Read Only Role |
| logs_read_index_data | Read a subset of log data (index based) | Datadog Read Only Role |

Metrics

Find below the list of permissions for the metrics assets:

| Name | Description | Default Role |
| --- | --- | --- |
| metric_tags_write | Edit and save tag configurations for custom metrics. | Datadog Standard Role |
| host_tags_write | Add and change tags on hosts. | Datadog Standard Role |
| metrics_metadata_write | Edit metadata on metrics. | Datadog Standard Role |

Monitors

Find below the list of permissions for the monitors assets:

| Name | Description | Default Role |
| --- | --- | --- |
| monitors_read | View monitors. | Datadog Read Only Role |
| monitors_write | Edit and delete individual monitors. | Datadog Standard Role |
| monitors_downtime | Set downtimes to suppress alerts from any monitor in an organization. Mute and unmute monitors. The ability to write monitors is not required to set downtimes. | Datadog Standard Role |
| monitor_config_policy_write | Create, update, and delete monitor configuration policies. | Datadog Admin Role |

Network Device Monitoring

Find below the list of permissions for the network device monitoring assets:

| Name | Description | Default Role |
| --- | --- | --- |
| ndm_netflow_port_mappings_write | Write NDM Netflow port mappings. | Datadog Standard Role |

Notebooks

Find below the list of permissions for the notebooks assets:

| Name | Description | Default Role |
| --- | --- | --- |
| notebooks_read | View notebooks. | Datadog Read Only Role |
| notebooks_write | Create and change notebooks. | Datadog Standard Role |

Observability Pipelines

Find below the list of permissions for the observability pipelines assets:

| Name | Description | Default Role |
| --- | --- | --- |
| observability_pipelines_read | View pipelines in your organization. | Datadog Read Only Role |
| observability_pipelines_write | Edit pipelines in your organization. | Datadog Standard Role |
| observability_pipelines_delete | Delete pipelines from your organization. | Datadog Admin Role |
| observability_pipelines_deploy | Deploy pipelines in your organization. | Datadog Admin Role |

Orchestration

Find below the list of permissions for the orchestration assets:

| Name | Description | Default Role |
| --- | --- | --- |
| orchestration_custom_resource_definitions_write | Enable, disable and update custom resource indexing. | Datadog Standard Role |
| orchestration_workload_scaling_write | Enable, disable, and configure workload autoscaling. Apply workload scaling recommendations. | Datadog Admin Role |

Processes

Find below the list of permissions for the processes assets:

| Name | Description | Default Role |
| --- | --- | --- |
| processes_generate_metrics | Create custom metrics from processes. | Datadog Standard Role |

Real User Monitoring

Find below the list of permissions for the real user monitoring assets:

| Name | Description | Default Role |
| --- | --- | --- |
| rum_apps_write | Create, edit, and delete RUM applications. Creating a RUM application automatically generates a Client Token. In order to create Client Tokens directly, a user needs the Client Tokens Write permission. | Datadog Standard Role |
| rum_apps_read | View RUM Applications data. | Datadog Read Only Role |
| rum_session_replay_read | View Session Replays. | Datadog Read Only Role |
| rum_generate_metrics | Create custom metrics from RUM events. | Datadog Standard Role |
| rum_delete_data | Delete data from RUM. | Datadog Admin Role |
| rum_playlist_write | Create, update, and delete RUM playlists. Add and remove sessions from RUM playlists. | Datadog Standard Role |
| rum_extend_retention | Extend the retention of Session Replays. | Datadog Admin Role |
| rum_retention_filters_read | View RUM Retention filters data. | Datadog Read Only Role |
| rum_retention_filters_write | Write RUM Retention filters. | Datadog Standard Role |

Reference Tables

Find below the list of permissions for the reference tables assets:

| Name | Description | Default Role |
| --- | --- | --- |
| reference_tables_write | Create or modify Reference Tables. | Datadog Standard Role |
| reference_tables_read | View Reference Tables. | Datadog Read Only Role |

Service Level Objectives

Find below the list of permissions for the service level objectives assets:

| Name | Description | Default Role |
| --- | --- | --- |
| slos_read | View SLOs and status corrections. | Datadog Read Only Role |
| slos_write | Create, edit, and delete SLOs. | Datadog Standard Role |
| slos_corrections | Apply, edit, and delete SLO status corrections. A user with this permission can make status corrections, even if they do not have permission to edit those SLOs. | Datadog Standard Role |

Software Delivery

Find below the list of permissions for the software delivery assets:

| Name | Description | Default Role |
| --- | --- | --- |
| ci_visibility_read | View CI Visibility. | Datadog Read Only Role |
| ci_visibility_write | Edit flaky tests and delete Test Services. | Datadog Standard Role |
| ci_provider_settings_write | Edit CI Provider settings. Manage GitHub accounts and repositories for enabling CI Visibility and job logs collection. | Datadog Admin Role |
| ci_visibility_settings_write | Configure CI Visibility settings. Set a repository default branch, enable GitHub comments, and delete test services. | Datadog Standard Role |
| intelligent_test_runner_activation_write | Enable or disable Intelligent Test Runner. | Datadog Admin Role |
| intelligent_test_runner_settings_write | Edit Intelligent Test Runner settings, such as modifying ITR excluded branch list. | Datadog Standard Role |
| ci_ingestion_control_write | Edit CI Ingestion Control exclusion filters. | Datadog Admin Role |
| ci_visibility_pipelines_write | Create CI Visibility pipeline spans using the API. | Datadog Standard Role |
| quality_gate_rules_read | View Quality Gate Rules. | Datadog Read Only Role |
| quality_gate_rules_write | Edit Quality Gate Rules. | Datadog Admin Role |
| static_analysis_settings_write | Edit Static Analysis settings. | Datadog Admin Role |
| cd_visibility_read | View CD Visibility. | Datadog Read Only Role |
| dora_settings_write | Edit the settings for DORA. | Datadog Standard Role |
| code_analysis_read | View Code Analysis. | Datadog Read Only Role |
| quality_gates_evaluations_read | Allow quality gates evaluations. | Datadog Read Only Role |

Synthetic Monitoring

Find below the list of permissions for the synthetic monitoring assets:

| Name | Description | Default Role |
| --- | --- | --- |
| synthetics_private_location_read | View, search, and use Synthetics private locations. | Datadog Standard Role |
| synthetics_private_location_write | Create and delete private locations in addition to having access to the associated installation guidelines. | Datadog Admin Role |
| synthetics_global_variable_read | View, search, and use Synthetics global variables. | Datadog Standard Role |
| synthetics_global_variable_write | Create, edit, and delete global variables for Synthetics. | Datadog Standard Role |
| synthetics_read | List and view configured Synthetic tests and test results. | Datadog Read Only Role |
| synthetics_write | Create, edit, and delete Synthetic tests. | Datadog Standard Role |
| synthetics_default_settings_read | View the default settings for Synthetic Monitoring. | Datadog Standard Role |
| synthetics_default_settings_write | Edit the default settings for Synthetic Monitoring. | Datadog Standard Role |

Teams

Find below the list of permissions for the teams assets:

| Name | Description | Default Role |
| --- | --- | --- |
| teams_manage | Manage Teams. Create, delete, rename, and edit metadata of all Teams. To control Team membership across all Teams, use the User Access Manage permission. | Datadog Standard Role |

Watchdog

Find below the list of permissions for the watchdog assets:

| Name | Description | Default Role |
| --- | --- | --- |
| watchdog_alerts_write | Manage Watchdog Alerts. | Datadog Standard Role |

*Log Rehydration is a trademark of Datadog, Inc.