Add receives_permissions_from field to Roles API (#3179)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit bc0c1034cfc9 · 2026-02-19T17:26:45.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -49931,6 +49931,18 @@ components:
           description: The name of the role. The name is neither unique nor a stable
             identifier of the role.
           type: string
+        receives_permissions_from:
+          description: 'The managed role from which this role automatically inherits
+            new permissions.
+
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard
+            Role", or "Datadog Read Only Role".
+
+            If empty or not specified, the role does not automatically inherit permissions
+            from any managed role.'
+          items:
+            type: string
+          type: array
         user_count:
           description: Number of users with that role.
           format: int64
@@ -49956,6 +49968,18 @@ components:
           description: Name of the new role that is cloned.
           example: cloned-role
           type: string
+        receives_permissions_from:
+          description: 'The managed role from which this role automatically inherits
+            new permissions.
+
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard
+            Role", or "Datadog Read Only Role".
+
+            If empty or not specified, the role does not automatically inherit permissions
+            from any managed role.'
+          items:
+            type: string
+          type: array
       required:
       - name
       type: object
@@ -49984,6 +50008,18 @@ components:
           description: Name of the role.
           example: developers
           type: string
+        receives_permissions_from:
+          description: 'The managed role from which this role automatically inherits
+            new permissions.
+
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard
+            Role", or "Datadog Read Only Role".
+
+            If empty or not specified, the role does not automatically inherit permissions
+            from any managed role.'
+          items:
+            type: string
+          type: array
       required:
       - name
       type: object
@@ -50105,6 +50141,18 @@ components:
         name:
           description: Name of the role.
           type: string
+        receives_permissions_from:
+          description: 'The managed role from which this role automatically inherits
+            new permissions.
+
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard
+            Role", or "Datadog Read Only Role".
+
+            If empty or not specified, the role does not automatically inherit permissions
+            from any managed role.'
+          items:
+            type: string
+          type: array
         user_count:
           description: The user count.
           format: int32
@@ -105571,7 +105619,12 @@ tags:
 
     read access on a specific log index to a role can be done in Datadog from the
 
-    [Pipelines page](https://app.datadoghq.com/logs/pipelines).'
+    [Pipelines page](https://app.datadoghq.com/logs/pipelines).
+
+
+    Roles can also be managed in bulk through the Datadog UI, which provides
+
+    the capability to assign a single permission to multiple roles simultaneously.'
   name: Roles
 - description: Auto-generated tag Rum Audience Management
   name: Rum Audience Management
diff --git a/examples/v2/roles/CreateRole.py b/examples/v2/roles/CreateRole.py
@@ -17,6 +17,7 @@
     data=RoleCreateData(
         attributes=RoleCreateAttributes(
             name="developers",
+            receives_permissions_from=[],
         ),
         relationships=RoleRelationships(
             permissions=RelationshipToPermissions(
diff --git a/src/datadog_api_client/v2/api/roles_api.py b/src/datadog_api_client/v2/api/roles_api.py
@@ -36,6 +36,9 @@ class RolesApi:
     in the Datadog application without using this API. For example, granting
     read access on a specific log index to a role can be done in Datadog from the
     `Pipelines page <https://app.datadoghq.com/logs/pipelines>`_.
+
+    Roles can also be managed in bulk through the Datadog UI, which provides
+    the capability to assign a single permission to multiple roles simultaneously.
     """
 
     def __init__(self, api_client=None):
diff --git a/src/datadog_api_client/v2/model/role_attributes.py b/src/datadog_api_client/v2/model/role_attributes.py
@@ -3,7 +3,7 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import Union
+from typing import List, Union
 
 from datadog_api_client.model_utils import (
     ModelNormal,
@@ -21,13 +21,15 @@ def openapi_types(_):
             "created_at": (datetime,),
             "modified_at": (datetime,),
             "name": (str,),
+            "receives_permissions_from": ([str],),
             "user_count": (int,),
         }
 
     attribute_map = {
         "created_at": "created_at",
         "modified_at": "modified_at",
         "name": "name",
+        "receives_permissions_from": "receives_permissions_from",
         "user_count": "user_count",
     }
     read_only_vars = {
@@ -41,6 +43,7 @@ def __init__(
         created_at: Union[datetime, UnsetType] = unset,
         modified_at: Union[datetime, UnsetType] = unset,
         name: Union[str, UnsetType] = unset,
+        receives_permissions_from: Union[List[str], UnsetType] = unset,
         user_count: Union[int, UnsetType] = unset,
         **kwargs,
     ):
@@ -56,6 +59,11 @@ def __init__(
         :param name: The name of the role. The name is neither unique nor a stable identifier of the role.
         :type name: str, optional
 
+        :param receives_permissions_from: The managed role from which this role automatically inherits new permissions.
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard Role", or "Datadog Read Only Role".
+            If empty or not specified, the role does not automatically inherit permissions from any managed role.
+        :type receives_permissions_from: [str], optional
+
         :param user_count: Number of users with that role.
         :type user_count: int, optional
         """
@@ -65,6 +73,8 @@ def __init__(
             kwargs["modified_at"] = modified_at
         if name is not unset:
             kwargs["name"] = name
+        if receives_permissions_from is not unset:
+            kwargs["receives_permissions_from"] = receives_permissions_from
         if user_count is not unset:
             kwargs["user_count"] = user_count
         super().__init__(kwargs)
diff --git a/src/datadog_api_client/v2/model/role_clone_attributes.py b/src/datadog_api_client/v2/model/role_clone_attributes.py
@@ -3,10 +3,13 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
+from typing import List, Union
 
 from datadog_api_client.model_utils import (
     ModelNormal,
     cached_property,
+    unset,
+    UnsetType,
 )
 
 
@@ -15,19 +18,28 @@ class RoleCloneAttributes(ModelNormal):
     def openapi_types(_):
         return {
             "name": (str,),
+            "receives_permissions_from": ([str],),
         }
 
     attribute_map = {
         "name": "name",
+        "receives_permissions_from": "receives_permissions_from",
     }
 
-    def __init__(self_, name: str, **kwargs):
+    def __init__(self_, name: str, receives_permissions_from: Union[List[str], UnsetType] = unset, **kwargs):
         """
         Attributes required to create a new role by cloning an existing one.
 
         :param name: Name of the new role that is cloned.
         :type name: str
+
+        :param receives_permissions_from: The managed role from which this role automatically inherits new permissions.
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard Role", or "Datadog Read Only Role".
+            If empty or not specified, the role does not automatically inherit permissions from any managed role.
+        :type receives_permissions_from: [str], optional
         """
+        if receives_permissions_from is not unset:
+            kwargs["receives_permissions_from"] = receives_permissions_from
         super().__init__(kwargs)
 
         self_.name = name
diff --git a/src/datadog_api_client/v2/model/role_create_attributes.py b/src/datadog_api_client/v2/model/role_create_attributes.py
@@ -3,7 +3,7 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import Union
+from typing import List, Union
 
 from datadog_api_client.model_utils import (
     ModelNormal,
@@ -21,12 +21,14 @@ def openapi_types(_):
             "created_at": (datetime,),
             "modified_at": (datetime,),
             "name": (str,),
+            "receives_permissions_from": ([str],),
         }
 
     attribute_map = {
         "created_at": "created_at",
         "modified_at": "modified_at",
         "name": "name",
+        "receives_permissions_from": "receives_permissions_from",
     }
     read_only_vars = {
         "created_at",
@@ -38,6 +40,7 @@ def __init__(
         name: str,
         created_at: Union[datetime, UnsetType] = unset,
         modified_at: Union[datetime, UnsetType] = unset,
+        receives_permissions_from: Union[List[str], UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -51,11 +54,18 @@ def __init__(
 
         :param name: Name of the role.
         :type name: str
+
+        :param receives_permissions_from: The managed role from which this role automatically inherits new permissions.
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard Role", or "Datadog Read Only Role".
+            If empty or not specified, the role does not automatically inherit permissions from any managed role.
+        :type receives_permissions_from: [str], optional
         """
         if created_at is not unset:
             kwargs["created_at"] = created_at
         if modified_at is not unset:
             kwargs["modified_at"] = modified_at
+        if receives_permissions_from is not unset:
+            kwargs["receives_permissions_from"] = receives_permissions_from
         super().__init__(kwargs)
 
         self_.name = name
diff --git a/src/datadog_api_client/v2/model/role_update_attributes.py b/src/datadog_api_client/v2/model/role_update_attributes.py
@@ -3,7 +3,7 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import Union
+from typing import List, Union
 
 from datadog_api_client.model_utils import (
     ModelNormal,
@@ -27,13 +27,15 @@ def openapi_types(_):
             "created_at": (datetime,),
             "modified_at": (datetime,),
             "name": (str,),
+            "receives_permissions_from": ([str],),
             "user_count": (int,),
         }
 
     attribute_map = {
         "created_at": "created_at",
         "modified_at": "modified_at",
         "name": "name",
+        "receives_permissions_from": "receives_permissions_from",
         "user_count": "user_count",
     }
     read_only_vars = {
@@ -46,6 +48,7 @@ def __init__(
         created_at: Union[datetime, UnsetType] = unset,
         modified_at: Union[datetime, UnsetType] = unset,
         name: Union[str, UnsetType] = unset,
+        receives_permissions_from: Union[List[str], UnsetType] = unset,
         user_count: Union[int, UnsetType] = unset,
         **kwargs,
     ):
@@ -61,6 +64,11 @@ def __init__(
         :param name: Name of the role.
         :type name: str, optional
 
+        :param receives_permissions_from: The managed role from which this role automatically inherits new permissions.
+            Specify one of the following: "Datadog Admin Role", "Datadog Standard Role", or "Datadog Read Only Role".
+            If empty or not specified, the role does not automatically inherit permissions from any managed role.
+        :type receives_permissions_from: [str], optional
+
         :param user_count: The user count.
         :type user_count: int, optional
         """
@@ -70,6 +78,8 @@ def __init__(
             kwargs["modified_at"] = modified_at
         if name is not unset:
             kwargs["name"] = name
+        if receives_permissions_from is not unset:
+            kwargs["receives_permissions_from"] = receives_permissions_from
         if user_count is not unset:
             kwargs["user_count"] = user_count
         super().__init__(kwargs)
diff --git a/tests/v2/features/roles.feature b/tests/v2/features/roles.feature
@@ -6,7 +6,9 @@ Feature: Roles
   account assets can be granted to roles in the Datadog application without
   using this API. For example, granting read access on a specific log index
   to a role can be done in Datadog from the [Pipelines
-  page](https://app.datadoghq.com/logs/pipelines).
+  page](https://app.datadoghq.com/logs/pipelines).  Roles can also be
+  managed in bulk through the Datadog UI, which provides the capability to
+  assign a single permission to multiple roles simultaneously.
 
   Background:
     Given a valid "apiKeyAuth" key in the system
@@ -64,7 +66,7 @@ Feature: Roles
   Scenario: Create a new role by cloning an existing role returns "Not found" response
     Given new "CloneRole" request
     And request contains "role_id" parameter from "REPLACE.ME"
-    And body with value {"data": {"attributes": {"name": "cloned-role"}, "type": "roles"}}
+    And body with value {"data": {"attributes": {"name": "cloned-role", "receives_permissions_from": []}, "type": "roles"}}
     When the request is sent
     Then the response status is 404 Not found
 
@@ -81,14 +83,14 @@ Feature: Roles
   @generated @skip @team:DataDog/aaa-core-access
   Scenario: Create role returns "Bad Request" response
     Given new "CreateRole" request
-    And body with value {"data": {"attributes": {"name": "developers"}, "relationships": {"permissions": {"data": [{"type": "permissions"}]}}, "type": "roles"}}
+    And body with value {"data": {"attributes": {"name": "developers", "receives_permissions_from": []}, "relationships": {"permissions": {"data": [{"type": "permissions"}]}}, "type": "roles"}}
     When the request is sent
     Then the response status is 400 Bad Request
 
   @generated @skip @team:DataDog/aaa-core-access
   Scenario: Create role returns "OK" response
     Given new "CreateRole" request
-    And body with value {"data": {"attributes": {"name": "developers"}, "relationships": {"permissions": {"data": [{"type": "permissions"}]}}, "type": "roles"}}
+    And body with value {"data": {"attributes": {"name": "developers", "receives_permissions_from": []}, "relationships": {"permissions": {"data": [{"type": "permissions"}]}}, "type": "roles"}}
     When the request is sent
     Then the response status is 200 OK
 
@@ -335,6 +337,6 @@ Feature: Roles
   Scenario: Update a role returns "Unprocessable Entity" response
     Given new "UpdateRole" request
     And request contains "role_id" parameter from "REPLACE.ME"
-    And body with value {"data": {"attributes": {}, "id": "00000000-0000-1111-0000-000000000000", "relationships": {"permissions": {"data": [{"type": "permissions"}]}}, "type": "roles"}}
+    And body with value {"data": {"attributes": {"receives_permissions_from": []}, "id": "00000000-0000-1111-0000-000000000000", "relationships": {"permissions": {"data": [{"type": "permissions"}]}}, "type": "roles"}}
     When the request is sent
     Then the response status is 422 Unprocessable Entity
