Skip to main content

Decide on How to Restrict Access to Metrics and Logs in Datadog

Problem

Restricting access to metrics and logs concerns organizations subject to benchmark compliance. There are a few ways this can be done with various tradeoffs.

Solution

Option 1: RBAC

With RBAC, Roles can be used to categorize users and define what account permissions those users have (read, modify) on resources. Any user who is associated with one or more roles receives all permissions granted by their associated roles. The more roles a user is associated with, the more access they have within a Datadog account.

https://docs.datadoghq.com/account_management/rbac/permissions/

By default, Datadog offers three roles,

  • Datadog Admin

  • Datadog Standard

  • Datadog Read-Only

Custom Roles

You can create custom roles to define a better mapping between your users and their permissions.

note

If you use a SAML identity provider, you can integrate it with Datadog for authentication, and you can map identity attributes to Datadog default and custom roles. For more information, see Single Sign On With SAML.

caution

Creating and modifying custom roles is an opt-in Enterprise feature. Contact Datadog support to get it enabled for your account.

https://docs.datadoghq.com/account_management/rbac/?tab=datadogapplication

Option 2: Datadog Child Organizations

danger

We do not recommend this approach because you cannot do cross-account tracing. Datadog alert email notifications do not include the account information which is problematic when using multiple accounts.

See Decide on Datadog Account Strategy

References