Decide on How to Restrict Access to Metrics and Logs in Datadog/New Relic
Problem
Restricting access to metrics and logs is a concern for organizations subject to benchmark compliance. There are a few ways to do this, each with its own tradeoffs.
Solution
Option 1: RBAC
With RBAC, Roles can be used to categorize users and define what account permissions those users have (read, modify) on resources. Any user who is associated with one or more roles receives all permissions granted by their associated roles. The more roles a user is associated with, the more access they have within a Datadog/New Relic account.
https://docs.datadoghq.com/account_management/rbac/permissions/
Built-in Roles (Recommended)
By default, Datadog/New Relic offers three roles:
- Datadog/New Relic Admin
- Datadog/New Relic Standard
- Datadog/New Relic Read-Only
Custom Roles
You can create custom roles to define a better mapping between your users and their permissions.
If you use a SAML identity provider, you can integrate it with Datadog/New Relic for authentication, and you can map identity attributes to Datadog/New Relic default and custom roles. For more information, see Single Sign On With SAML.
Creating and modifying custom roles is an opt-in Enterprise feature. Contact Datadog/New Relic support to get it enabled for your account.
https://docs.datadoghq.com/account_management/rbac/?tab=datadogapplication
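Because permissions are additive across roles, and SAML attributes can map a single user to several roles, it helps to review each user's effective permissions before settling on a role design. The sketch below is an added example, not Datadog/New Relic code or API output. The role names, permission strings, SAML attributes and users are all constructed placeholders.

```python
# Constructed role definitions. Permission strings are illustrative placeholders,
# not an authoritative list of Datadog or New Relic permissions.
ROLE_PERMISSIONS = {
    "read-only": {"metrics:read", "logs:read"},
    "standard": {"metrics:read", "logs:read", "dashboards:write", "monitors:write"},
    "admin": {"metrics:read", "logs:read", "dashboards:write", "monitors:write",
              "logs:modify", "users:manage"},
    "payments-logs": {"logs:read", "logs:read:payments"},  # hypothetical custom role
}

# Constructed SAML attribute-to-role mappings: (attribute, value) -> role.
SAML_MAPPINGS = {
    ("team", "sre"): "standard",
    ("team", "payments"): "payments-logs",
    ("group", "auditors"): "read-only",
    ("group", "platform-admins"): "admin",
}
SENSITIVE = {"logs:modify", "users:manage", "logs:read:payments"}

# Constructed users with the SAML attributes their identity provider would assert.
SAMPLE_USERS = {
    "alice": {"group": ["auditors"]},
    "bob": {"team": ["sre", "payments"], "group": ["auditors"]},
    "carol": {"group": ["platform-admins", "contractors"]},
}
# Sensitive permissions each user is expected to hold (assumed access policy).
EXPECTED_SENSITIVE = {"carol": {"logs:modify", "users:manage"}}


def roles_for(assertion):
    """Resolve roles from SAML attributes; unmapped values grant no role."""
    pairs = ((a, v) for a, values in assertion.items() for v in values)
    return {SAML_MAPPINGS[p] for p in pairs if p in SAML_MAPPINGS}


def effective_permissions(roles):
    """Permissions are additive: the union over every assigned role."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def audit(users, expected):
    """Return {user: sensitive permissions held beyond what is expected}."""
    findings = {}
    for user, assertion in users.items():
        held = effective_permissions(roles_for(assertion)) & SENSITIVE
        excess = held - expected.get(user, set())
        if excess:
            findings[user] = sorted(excess)
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_USERS, EXPECTED_SENSITIVE))
```

In the sample data, bob is mapped to three roles through his team and group attributes and ends up with access to the payments logs that none of his individual role assignments was reviewed for in combination.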
Option 2: Datadog/New Relic Child Organizations
We do not recommend this approach because you cannot do cross-account tracing. In addition, Datadog/New Relic alert email notifications do not include the account information, which is problematic when using multiple accounts.
See Decide on Datadog/New Relic Account Strategy