DataDog
diff --git a/‎.generator/schemas/v2/openapi.yaml‎
Lines changed: 258 additions & 0 deletions b/‎.generator/schemas/v2/openapi.yaml‎
Lines changed: 258 additions & 0 deletions
diff --git a/‎examples/v2/dataset-restrictions/ListDatasetRestrictions.rb‎
Lines changed: 8 additions & 0 deletions b/‎examples/v2/dataset-restrictions/ListDatasetRestrictions.rb‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎examples/v2/dataset-restrictions/UpdateDatasetRestriction.rb‎
Lines changed: 19 additions & 0 deletions b/‎examples/v2/dataset-restrictions/UpdateDatasetRestriction.rb‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎features/scenarios_model_mapping.rb‎
Lines changed: 4 additions & 0 deletions b/‎features/scenarios_model_mapping.rb‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎features/v2/dataset_restrictions.feature‎
Lines changed: 51 additions & 0 deletions b/‎features/v2/dataset_restrictions.feature‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎features/v2/undo.json‎
Lines changed: 13 additions & 0 deletions b/‎features/v2/undo.json‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎lib/datadog_api_client/configuration.rb‎
Lines changed: 2 additions & 0 deletions b/‎lib/datadog_api_client/configuration.rb‎
Lines changed: 2 additions & 0 deletions
@@ -21475,6 +21475,142 @@ components:
         data:
           $ref: "#/components/schemas/DatasetResponse"
       type: object
+    DatasetRestrictionOwnershipMode:
+      description: Controls how dataset ownership is determined. `disabled` turns off ownership-based access entirely. `team_tag_based` assigns dataset ownership based on the team tags applied to the data, allowing team members to see their own team's datasets.
+      enum:
+        - disabled
+        - team_tag_based
+      example: "team_tag_based"
+      type: string
+      x-enum-varnames:
+        - DISABLED
+        - TEAM_TAG_BASED
+    DatasetRestrictionPrincipal:
+      description: A user or role that is exempt from dataset restrictions and retains unrestricted access to all datasets for the product type.
+      properties:
+        id:
+          description: The unique identifier of the principal (a user UUID or role ID).
+          example: "abc123"
+          type: string
+        name:
+          description: The human-readable display name of the principal as shown in the Datadog UI.
+          example: "Datadog Admin Role"
+          type: string
+        type:
+          description: The kind of principal, such as `user` for an individual user account or `role` for a Datadog role.
+          example: "role"
+          type: string
+      required:
+        - type
+        - id
+        - name
+      type: object
+    DatasetRestrictionResponse:
+      description: Response containing the updated dataset restriction.
+      properties:
+        data:
+          $ref: "#/components/schemas/DatasetRestrictionResponseData"
+      required:
+        - data
+      type: object
+    DatasetRestrictionResponseAttributes:
+      description: The current configuration of a dataset restriction, including restriction mode, ownership mode, and exempt principals.
+      properties:
+        ownership_mode:
+          $ref: "#/components/schemas/DatasetRestrictionOwnershipMode"
+        restriction_key:
+          description: Internal key used by the restriction enforcement system to identify this restriction rule.
+          type: string
+        restriction_mode:
+          $ref: "#/components/schemas/DatasetRestrictionRestrictionMode"
+        unrestricted_principals:
+          description: Principals (users or roles) that are exempt from this restriction and retain full data access regardless of the restriction mode.
+          items:
+            $ref: "#/components/schemas/DatasetRestrictionPrincipal"
+          type: array
+      required:
+        - restriction_mode
+      type: object
+    DatasetRestrictionResponseData:
+      description: A single dataset restriction configuration for one product type.
+      properties:
+        attributes:
+          $ref: "#/components/schemas/DatasetRestrictionResponseAttributes"
+        id:
+          description: The Datadog product type this restriction applies to (for example, `rum`, `apm`, or `logs`).
+          example: "rum"
+          type: string
+        type:
+          $ref: "#/components/schemas/DatasetRestrictionsType"
+      required:
+        - type
+        - id
+        - attributes
+      type: object
+    DatasetRestrictionRestrictionMode:
+      description: Controls the default data visibility for the product type. `standard` makes data visible to all users with appropriate product access. `default_hide` hides data by default and requires explicit grants for each dataset.
+      enum:
+        - standard
+        - default_hide
+      example: "default_hide"
+      type: string
+      x-enum-varnames:
+        - STANDARD
+        - DEFAULT_HIDE
+    DatasetRestrictionUpdateRequest:
+      description: Payload for updating a dataset restriction configuration.
+      properties:
+        data:
+          $ref: "#/components/schemas/DatasetRestrictionUpdateRequestData"
+      required:
+        - data
+      type: object
+    DatasetRestrictionUpdateRequestAttributes:
+      description: Editable attributes of a dataset restriction. Only `restriction_mode` is required; omitted optional fields retain their current values.
+      properties:
+        ownership_mode:
+          $ref: "#/components/schemas/DatasetRestrictionOwnershipMode"
+        restriction_mode:
+          $ref: "#/components/schemas/DatasetRestrictionRestrictionMode"
+        unrestricted_principals:
+          description: Principal identifiers (users or roles) that are exempt from the restriction and can always access all datasets for this product type.
+          items:
+            description: A unique identifier of a user or role principal.
+            type: string
+          type: array
+      required:
+        - restriction_mode
+      type: object
+    DatasetRestrictionUpdateRequestData:
+      description: Data object for a dataset restriction update.
+      properties:
+        attributes:
+          $ref: "#/components/schemas/DatasetRestrictionUpdateRequestAttributes"
+        type:
+          $ref: "#/components/schemas/DatasetRestrictionsType"
+      required:
+        - type
+        - attributes
+      type: object
+    DatasetRestrictionsListResponse:
+      description: Response containing the list of all dataset restriction configurations for the organization, one per product type.
+      properties:
+        data:
+          description: An array of dataset restriction objects, one for each configured product type.
+          items:
+            $ref: "#/components/schemas/DatasetRestrictionResponseData"
+          type: array
+      required:
+        - data
+      type: object
+    DatasetRestrictionsType:
+      description: JSON:API resource type for dataset restrictions.
+      enum:
+        - dataset_restrictions
+      example: "dataset_restrictions"
+      type: string
+      x-enum-varnames:
+        - DATASET_RESTRICTIONS
     DatasetType:
       default: dataset
       description: Resource type, always set to `dataset`.
@@ -97293,6 +97429,126 @@ paths:
       x-unstable: |-
         **Note**: This endpoint is in preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
+  /api/v2/dataset_restrictions:
+    get:
+      description: |-
+        Retrieve all dataset restriction configurations for the organization.
+        Returns one restriction object per configured product type (for example, RUM, APM, or Logs),
+        including the current restriction mode, ownership mode, and any unrestricted principals.
+        Requires the `user_access_read` permission.
+      operationId: ListDatasetRestrictions
+      responses:
+        "200":
+          content:
+            application/json:
+              examples:
+                default:
+                  value:
+                    data:
+                      - attributes:
+                          restriction_mode: "standard"
+                        id: "rum"
+                        type: "dataset_restrictions"
+                      - attributes:
+                          ownership_mode: "team_tag_based"
+                          restriction_mode: "default_hide"
+                        id: "apm"
+                        type: "dataset_restrictions"
+              schema:
+                $ref: "#/components/schemas/DatasetRestrictionsListResponse"
+          description: OK
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Not Found
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      summary: List dataset restrictions
+      tags:
+        - Dataset Restrictions
+      x-unstable: |-
+        **Note**: This endpoint is in preview and is subject to change.
+        If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
+  /api/v2/dataset_restrictions/{product_type}:
+    post:
+      description: |-
+        Update the dataset restriction configuration for a specific product type.
+        Sets the restriction mode, optional ownership mode, and the list of principals
+        that are exempt from restrictions. Requires the `user_access_manage` permission.
+        Changes are audited and take effect immediately.
+      operationId: UpdateDatasetRestriction
+      parameters:
+        - description: The Datadog product type to configure restrictions for (for example, `rum`, `apm`, or `logs`).
+          example: "rum"
+          in: path
+          name: product_type
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            examples:
+              default:
+                value:
+                  data:
+                    attributes:
+                      ownership_mode: "team_tag_based"
+                      restriction_mode: "default_hide"
+                    type: "dataset_restrictions"
+            schema:
+              $ref: "#/components/schemas/DatasetRestrictionUpdateRequest"
+        required: true
+      responses:
+        "200":
+          content:
+            application/json:
+              examples:
+                default:
+                  value:
+                    data:
+                      attributes:
+                        ownership_mode: "team_tag_based"
+                        restriction_mode: "default_hide"
+                      id: "rum"
+                      type: "dataset_restrictions"
+              schema:
+                $ref: "#/components/schemas/DatasetRestrictionResponse"
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Bad Request
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/JSONAPIErrorResponse"
+          description: Not Found
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      summary: Update a dataset restriction
+      tags:
+        - Dataset Restrictions
+      x-unstable: |-
+        **Note**: This endpoint is in preview and is subject to change.
+        If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
   /api/v2/datasets:
     get:
       description: Get all datasets that have been configured for an organization.
@@ -145632,6 +145888,8 @@ tags:
   - description: |-
       The Data Deletion API allows the user to target and delete data from the allowed products. It's currently enabled for Logs and RUM and depends on `logs_delete_data` and `rum_delete_data` permissions respectively.
     name: Data Deletion
+  - description: Configure dataset-level access restrictions per Datadog product type. Dataset restrictions control whether data is visible by default or hidden until explicitly granted, and how ownership-based access is determined.
+    name: Dataset Restrictions
   - description: |-
       Data Access Controls in Datadog is a feature that allows administrators and access managers to regulate
       access to sensitive data. By defining Restricted Datasets, you can ensure that only specific teams or roles can
 
@@ -0,0 +1,8 @@
+# List dataset restrictions returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.list_dataset_restrictions".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::DatasetRestrictionsAPI.new
+p api_instance.list_dataset_restrictions()
@@ -0,0 +1,19 @@
+# Update a dataset restriction returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.update_dataset_restriction".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::DatasetRestrictionsAPI.new
+
+body = DatadogAPIClient::V2::DatasetRestrictionUpdateRequest.new({
+  data: DatadogAPIClient::V2::DatasetRestrictionUpdateRequestData.new({
+    attributes: DatadogAPIClient::V2::DatasetRestrictionUpdateRequestAttributes.new({
+      ownership_mode: DatadogAPIClient::V2::DatasetRestrictionOwnershipMode::TEAM_TAG_BASED,
+      restriction_mode: DatadogAPIClient::V2::DatasetRestrictionRestrictionMode::DEFAULT_HIDE,
+      unrestricted_principals: [],
+    }),
+    type: DatadogAPIClient::V2::DatasetRestrictionsType::DATASET_RESTRICTIONS,
+  }),
+})
+p api_instance.update_dataset_restriction("product_type", body)
@@ -2305,6 +2305,10 @@
             "token" => "String",
             "body" => "SecureEmbedUpdateRequest",
     },
+    "v2.UpdateDatasetRestriction" => {
+            "product_type" => "String",
+            "body" => "DatasetRestrictionUpdateRequest",
+    },
     "v2.CreateDataset" => {
             "body" => "DatasetCreateRequest",
     },
 
@@ -0,0 +1,51 @@
+@endpoint(dataset-restrictions) @endpoint(dataset-restrictions-v2)
+Feature: Dataset Restrictions
+  Configure dataset-level access restrictions per Datadog product type.
+  Dataset restrictions control whether data is visible by default or hidden
+  until explicitly granted, and how ownership-based access is determined.
+
+  Background:
+    Given a valid "apiKeyAuth" key in the system
+    And a valid "appKeyAuth" key in the system
+    And an instance of "DatasetRestrictions" API
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: List dataset restrictions returns "Not Found" response
+    Given operation "ListDatasetRestrictions" enabled
+    And new "ListDatasetRestrictions" request
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: List dataset restrictions returns "OK" response
+    Given operation "ListDatasetRestrictions" enabled
+    And new "ListDatasetRestrictions" request
+    When the request is sent
+    Then the response status is 200 OK
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: Update a dataset restriction returns "Bad Request" response
+    Given operation "UpdateDatasetRestriction" enabled
+    And new "UpdateDatasetRestriction" request
+    And request contains "product_type" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"ownership_mode": "team_tag_based", "restriction_mode": "default_hide", "unrestricted_principals": []}, "type": "dataset_restrictions"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: Update a dataset restriction returns "Not Found" response
+    Given operation "UpdateDatasetRestriction" enabled
+    And new "UpdateDatasetRestriction" request
+    And request contains "product_type" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"ownership_mode": "team_tag_based", "restriction_mode": "default_hide", "unrestricted_principals": []}, "type": "dataset_restrictions"}}
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/access-policies-lifecycle
+  Scenario: Update a dataset restriction returns "OK" response
+    Given operation "UpdateDatasetRestriction" enabled
+    And new "UpdateDatasetRestriction" request
+    And request contains "product_type" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"ownership_mode": "team_tag_based", "restriction_mode": "default_hide", "unrestricted_principals": []}, "type": "dataset_restrictions"}}
+    When the request is sent
+    Then the response status is 200 OK
@@ -1602,6 +1602,19 @@
       "type": "idempotent"
     }
   },
+  "ListDatasetRestrictions": {
+    "tag": "Dataset Restrictions",
+    "undo": {
+      "type": "safe"
+    }
+  },
+  "UpdateDatasetRestriction": {
+    "tag": "Dataset Restrictions",
+    "undo": {
+      "operationId": "UpdateDatasetRestriction",
+      "type": "idempotent"
+    }
+  },
   "GetAllDatasets": {
     "tag": "Datasets",
     "undo": {
 
@@ -297,6 +297,8 @@ def initialize
             "v2.delete_dashboard_secure_embed": false,
             "v2.get_dashboard_secure_embed": false,
             "v2.update_dashboard_secure_embed": false,
+            "v2.list_dataset_restrictions": false,
+            "v2.update_dataset_restriction": false,
             "v2.create_dataset": false,
             "v2.delete_dataset": false,
             "v2.get_all_datasets": false,