diff --git a/content/en/account_management/rbac/permissions.md b/content/en/account_management/rbac/permissions.md index 89a0da6c0ed62..48f526980eeec 100644 --- a/content/en/account_management/rbac/permissions.md +++ b/content/en/account_management/rbac/permissions.md @@ -48,11 +48,11 @@ Preview mode gives your organization's administrators the ability to opt into ce By default, existing users are associated with one of the three managed roles: -- Datadog Admin -- Datadog Standard -- Datadog Read Only +- Datadog Admin Role +- Datadog Standard Role +- Datadog Read Only Role -All users with one of these roles can read all data types, except for [individually read-restricted][1] resources. Admin and Standard users have write permissions on assets. Admin users have additional read and write permissions for sensitive assets relating to user management, org management, billing, and usage. +All users with one of these roles can read data, except for [individually read-restricted][1] resources. Admin and Standard users have write permissions on assets. Admin users have additional read and write permissions for sensitive assets relating to user management, org management, billing, and usage. Managed roles are created and maintained by Datadog. Their permissions may be automatically updated by Datadog as new features are added or permissions change. Users cannot modify managed roles directly, but they can clone them to create [custom roles](#custom-roles) with specific permissions. If necessary, users can delete managed roles from their account. @@ -60,6 +60,8 @@ Managed roles are created and maintained by Datadog. Their permissions may be au Create a custom role to combine permissions into new roles. A custom role gives you the ability to define a persona, for example, a billing administrator, and then assign the appropriate permissions for that role. After creating a role, assign or remove permissions to this role directly by [updating the role in Datadog][2], or through the [Datadog Permission API][3]. +Unlike Managed Roles, custom roles do not receive new permissions when Datadog releases new products and features. Custom roles only receive new permissions to maintain compatibility when Datadog releases a new permission gating existing functionality. + **Note**: When adding a new custom role to a user, make sure to remove the managed Datadog role associated with that user to enforce the new role permissions. ## Permissions list @@ -79,4 +81,4 @@ Each managed role inherits all of the permissions from the less powerful roles. [1]: /account_management/rbac/granular_access [2]: /account_management/users/#edit-a-user-s-roles -[3]: /api/latest/roles/#list-permissions \ No newline at end of file +[3]: /api/latest/roles/#list-permissions