updating custom rules howto with RBAC (DataDog#25125)

michaelcretzman · alai97 · web-flow · commit 52308398e6fa · 2024-09-09T13:59:27.000-07:00
* updating custom rules howto with RBAC

DOCS-8922

* Apply suggestions from code review

Co-authored-by: Austin Lai &lt;76412946+alai97@users.noreply.github.com&gt;

---------

Co-authored-by: Austin Lai &lt;76412946+alai97@users.noreply.github.com&gt;
diff --git a/content/en/security/threats/workload_security_rules/custom_rules.md b/content/en/security/threats/workload_security_rules/custom_rules.md
@@ -19,6 +19,14 @@ This topic explains how to create custom Datadog Agent and detection rules for [
 
 In addition to the out of the box (OOTB) [default Agent and detection rules][7], you can write custom Agent and detection rules. Custom rules help to detect events Datadog is not detecting with its OOTB rules.
 
+## RBAC for custom rule management
+
+To prevent users with the [Datadog Standard out-of-the-box role][11] from creating, updating, disabling, and deploying a changed rule using remote configuration:
+
+1. A user within the Datadog Admin role must create a role containing the `security_monitoring_cws_agent_rules_write` permission. 
+2. Add only those users that manage Agent rules to this role.
+
+
 ## Custom detection rules summary
 
 Custom detection rules depend on Agent rules. They are composed of existing, deployed Agent rules and additional expression parameters. 
@@ -196,3 +204,4 @@ To disable a default Agent rule, navigate to the [**Agent Configuration**][6] pa
 [8]: /security/threats/
 [9]: /security/cloud_siem/log_detection_rules/?tab=threshold#set-a-rule-case
 [10]: https://app.datadoghq.com/notebook/list?type=runbook
+[11]: /account_management/rbac/permissions/
