DataDog · api-clients-generation-pipeline · May 8, 2026
@@ -21475,6 +21475,162 @@ components:
         data:
           $ref: "#/components/schemas/DatasetResponse"
       type: object
+    DatasetRestrictionOwnershipMode:
+      description: |-
+        Controls how dataset ownership is determined. `disabled` turns off ownership-based access
+        entirely. `team_tag_based` assigns dataset ownership based on the team tags applied to the
+        data, allowing team members to see their own team's datasets.
+      enum:
+        - disabled
+        - team_tag_based
+      example: "team_tag_based"
+      type: string
+      x-enum-varnames:
+        - DISABLED
+        - TEAM_TAG_BASED
+    DatasetRestrictionPrincipal:
+      description: |-
+        A user or role that is exempt from dataset restrictions and retains unrestricted
+        access to all datasets for the product type.
+      properties:
+        id:
+          description: The unique identifier of the principal (a user UUID or role ID).
+          example: "abc123"
+          type: string
+        name:
+          description: The human-readable display name of the principal as shown in the Datadog UI.
+          example: "Datadog Admin Role"
+          type: string
+        type:
+          description: |-
+            The kind of principal, such as `user` for an individual user account or `role`
+            for a Datadog role.
+          example: "role"
+          type: string
+      required:
+        - type
+        - id
+        - name
+      type: object
+    DatasetRestrictionResponse:
+      description: Response containing the updated dataset restriction.
+      properties:
+        data:
+          $ref: "#/components/schemas/DatasetRestrictionResponseData"
+      required:
+        - data
+      type: object
+    DatasetRestrictionResponseAttributes:
+      description: |-
+        The current configuration of a dataset restriction, including restriction mode,
+        ownership mode, and exempt principals.
+      properties:
+        ownership_mode:
+          $ref: "#/components/schemas/DatasetRestrictionOwnershipMode"
+        restriction_key:
+          description: Internal key used by the restriction enforcement system to identify this restriction rule.
+          type: string
+        restriction_mode:
+          $ref: "#/components/schemas/DatasetRestrictionRestrictionMode"
+        unrestricted_principals:
+          description: |-
+            Principals (users or roles) that are exempt from this restriction and retain
+            full data access regardless of the restriction mode.
+          items:
+            $ref: "#/components/schemas/DatasetRestrictionPrincipal"
+          type: array
+      required:
+        - restriction_mode
+      type: object
+    DatasetRestrictionResponseData:
+      description: A single dataset restriction configuration for one product type.
+      properties:
+        attributes:
+          $ref: "#/components/schemas/DatasetRestrictionResponseAttributes"
+        id:
+          description: The Datadog product type this restriction applies to (for example, `rum`, `apm`, or `logs`).
+          example: "rum"
+          type: string
+        type:
+          $ref: "#/components/schemas/DatasetRestrictionsType"
+      required:
+        - type
+        - id
+        - attributes
+      type: object
+    DatasetRestrictionRestrictionMode:
+      description: |-
+        Controls the default data visibility for the product type. `standard` makes data visible
+        to all users with appropriate product access. `default_hide` hides data by default and
+        requires explicit grants for each dataset.
+      enum:
+        - standard
+        - default_hide
+      example: "default_hide"
+      type: string
+      x-enum-varnames:
+        - STANDARD
+        - DEFAULT_HIDE
+    DatasetRestrictionUpdateRequest:
+      description: Payload for updating a dataset restriction configuration.
+      properties:
+        data:
+          $ref: "#/components/schemas/DatasetRestrictionUpdateRequestData"
+      required:
+        - data
+      type: object
+    DatasetRestrictionUpdateRequestAttributes:
+      description: |-
+        Editable attributes of a dataset restriction. Only `restriction_mode` is required;
+        omitted optional fields retain their current values.
+      properties:
+        ownership_mode:
+          $ref: "#/components/schemas/DatasetRestrictionOwnershipMode"
+        restriction_mode:
+          $ref: "#/components/schemas/DatasetRestrictionRestrictionMode"
+        unrestricted_principals:
+          description: |-
+            Principal identifiers (users or roles) that are exempt from the restriction and
+            can always access all datasets for this product type.
+          items:
+            description: A unique identifier of a user or role principal.
+            type: string
+          type: array
+      required:
+        - restriction_mode
+      type: object
+    DatasetRestrictionUpdateRequestData:
+      description: Data object for a dataset restriction update.
+      properties:
+        attributes:
+          $ref: "#/components/schemas/DatasetRestrictionUpdateRequestAttributes"
+        type:
+          $ref: "#/components/schemas/DatasetRestrictionsType"
+      required:
+        - type
+        - attributes
+      type: object
+    DatasetRestrictionsListResponse:
+      description: |-
+        Response containing the list of all dataset restriction configurations for the
+        organization, one per product type.
+      properties:
+        data:
+          description: An array of dataset restriction objects, one for each configured product type.
+          items:
+            $ref: "#/components/schemas/DatasetRestrictionResponseData"
+          type: array
+      required:
+        - data
+      type: object
+    DatasetRestrictionsType:
+      description: JSON:API resource type for dataset restrictions.
+      enum:
+        - dataset_restrictions
+      example: "dataset_restrictions"
+      type: string
+      x-enum-varnames:
+        - DATASET_RESTRICTIONS
     DatasetType:
       default: dataset
       description: Resource type, always set to `dataset`.
@@ -97608,6 +97764,126 @@ paths:
       x-unstable: |-
         **Note**: This endpoint is in preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
+  /api/v2/dataset_restrictions:
+    get:
+      description: |-
+        Retrieve all dataset restriction configurations for the organization.
+        Returns one restriction object per configured product type (for example, RUM, APM, or Logs),
+        including the current restriction mode, ownership mode, and any unrestricted principals.
+        Requires the `user_access_read` permission.
+      operationId: ListDatasetRestrictions
+      responses:
+        "200":
+          content:
+            application/json:
+              examples:
+                default:
+                  value:
+                    data:
+                      - attributes:
+                          restriction_mode: "standard"
+                        id: "rum"
+                        type: "dataset_restrictions"
+                      - attributes:
+                          ownership_mode: "team_tag_based"
+                          restriction_mode: "default_hide"
+                        id: "apm"
+                        type: "dataset_restrictions"
+              schema:
+                $ref: "#/components/schemas/DatasetRestrictionsListResponse"
+          description: OK
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Not Found
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      summary: List dataset restrictions
+      tags:
+        - Dataset Restrictions
+      x-unstable: |-
+        **Note**: This endpoint is in preview and is subject to change.
+        If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
+  /api/v2/dataset_restrictions/{product_type}:
+    post:
+      description: |-
+        Update the dataset restriction configuration for a specific product type.
+        Sets the restriction mode, optional ownership mode, and the list of principals
+        that are exempt from restrictions. Requires the `user_access_manage` permission.
+        Changes are audited and take effect immediately.
+      operationId: UpdateDatasetRestriction
+      parameters:
+        - description: The Datadog product type to configure restrictions for (for example, `rum`, `apm`, or `logs`).
+          example: "rum"
+          in: path
+          name: product_type
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            examples:
+              default:
+                value:
+                  data:
+                    attributes:
+                      ownership_mode: "team_tag_based"
+                      restriction_mode: "default_hide"
+                    type: "dataset_restrictions"
+            schema:
+              $ref: "#/components/schemas/DatasetRestrictionUpdateRequest"
+        required: true
+      responses:
+        "200":
+          content:
+            application/json:
+              examples:
+                default:
+                  value:
+                    data:
+                      attributes:
+                        ownership_mode: "team_tag_based"
+                        restriction_mode: "default_hide"
+                      id: "rum"
+                      type: "dataset_restrictions"
+              schema:
+                $ref: "#/components/schemas/DatasetRestrictionResponse"
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Bad Request
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Not Found
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      summary: Update a dataset restriction
+      tags:
+        - Dataset Restrictions
+      x-unstable: |-
+        **Note**: This endpoint is in preview and is subject to change.
+        If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
   /api/v2/datasets:
     get:
       description: Get all datasets that have been configured for an organization.
@@ -146011,6 +146287,11 @@ tags:
   - description: |-
       The Data Deletion API allows the user to target and delete data from the allowed products. It's currently enabled for Logs and RUM and depends on `logs_delete_data` and `rum_delete_data` permissions respectively.
     name: Data Deletion
+  - description: |-
+      Configure dataset-level access restrictions per Datadog product type. Dataset restrictions
+      control whether data is visible by default or hidden until explicitly granted, and how
+      ownership-based access is determined.
+    name: Dataset Restrictions
   - description: |-
       Data Access Controls in Datadog is a feature that allows administrators and access managers to regulate
       access to sensitive data. By defining Restricted Datasets, you can ensure that only specific teams or roles can

@@ -0,0 +1,8 @@
+# List dataset restrictions returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.list_dataset_restrictions".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::DatasetRestrictionsAPI.new
+p api_instance.list_dataset_restrictions()
@@ -0,0 +1,19 @@
+# Update a dataset restriction returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.update_dataset_restriction".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::DatasetRestrictionsAPI.new
+
+body = DatadogAPIClient::V2::DatasetRestrictionUpdateRequest.new({
+  data: DatadogAPIClient::V2::DatasetRestrictionUpdateRequestData.new({
+    attributes: DatadogAPIClient::V2::DatasetRestrictionUpdateRequestAttributes.new({
+      ownership_mode: DatadogAPIClient::V2::DatasetRestrictionOwnershipMode::TEAM_TAG_BASED,
+      restriction_mode: DatadogAPIClient::V2::DatasetRestrictionRestrictionMode::DEFAULT_HIDE,
+      unrestricted_principals: [],
+    }),
+    type: DatadogAPIClient::V2::DatasetRestrictionsType::DATASET_RESTRICTIONS,
+  }),
+})
+p api_instance.update_dataset_restriction("product_type", body)
@@ -2305,6 +2305,10 @@
             "token" => "String",
             "body" => "SecureEmbedUpdateRequest",
     },
+    "v2.UpdateDatasetRestriction" => {
+            "product_type" => "String",
+            "body" => "DatasetRestrictionUpdateRequest",
+    },
     "v2.CreateDataset" => {
             "body" => "DatasetCreateRequest",
     },

@@ -0,0 +1,51 @@
+@endpoint(dataset-restrictions) @endpoint(dataset-restrictions-v2)
+Feature: Dataset Restrictions
+  Configure dataset-level access restrictions per Datadog product type.
+  Dataset restrictions control whether data is visible by default or hidden
+  until explicitly granted, and how ownership-based access is determined.
+
+  Background:
+    Given a valid "apiKeyAuth" key in the system
+    And a valid "appKeyAuth" key in the system
+    And an instance of "DatasetRestrictions" API
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: List dataset restrictions returns "Not Found" response
+    Given operation "ListDatasetRestrictions" enabled
+    And new "ListDatasetRestrictions" request
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: List dataset restrictions returns "OK" response
+    Given operation "ListDatasetRestrictions" enabled
+    And new "ListDatasetRestrictions" request
+    When the request is sent
+    Then the response status is 200 OK
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: Update a dataset restriction returns "Bad Request" response
+    Given operation "UpdateDatasetRestriction" enabled
+    And new "UpdateDatasetRestriction" request
+    And request contains "product_type" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"ownership_mode": "team_tag_based", "restriction_mode": "default_hide", "unrestricted_principals": []}, "type": "dataset_restrictions"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: Update a dataset restriction returns "Not Found" response
+    Given operation "UpdateDatasetRestriction" enabled
+    And new "UpdateDatasetRestriction" request
+    And request contains "product_type" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"ownership_mode": "team_tag_based", "restriction_mode": "default_hide", "unrestricted_principals": []}, "type": "dataset_restrictions"}}
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: Update a dataset restriction returns "OK" response
+    Given operation "UpdateDatasetRestriction" enabled
+    And new "UpdateDatasetRestriction" request
+    And request contains "product_type" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"ownership_mode": "team_tag_based", "restriction_mode": "default_hide", "unrestricted_principals": []}, "type": "dataset_restrictions"}}
+    When the request is sent
+    Then the response status is 200 OK