diff --git a/content/en/bits_ai/mcp_server/_index.md b/content/en/bits_ai/mcp_server/_index.md
index d92651abba8..d50214c5574 100644
--- a/content/en/bits_ai/mcp_server/_index.md
+++ b/content/en/bits_ai/mcp_server/_index.md
@@ -41,13 +41,6 @@ This demo shows the Datadog MCP Server being used in Cursor and Claude Code (unm
 - The Datadog MCP Server is not GovCloud compatible.
 - Datadog collects certain information about your usage of the Remote Datadog MCP Server, including how you interact with it, whether errors occurred while using it, what caused those errors, and user identifiers in accordance with the <a href="https://www.datadoghq.com/legal/privacy/" target="_blank">Datadog Privacy Policy</a> and Datadog's <a href="https://www.datadoghq.com/legal/eula/" target="_blank">EULA</a>. This data is used to help improve the server's performance and features, including transitions to and from the server and the applicable Datadog login page for accessing the Services, and context (for example, user prompts) leading to the use of MCP tools. The data is stored for 120 days.
 
-
-## Requirements
-
-Datadog users must have the `MCP Read` [permission][18] to use the MCP Server for read access, and the `MCP Write` [permission][18] for write access.
-
-For setup instructions, see [Set Up the Datadog MCP Server][27].
-
 ## Monitoring the Datadog MCP Server usage
 
 You can track Datadog MCP Server usage for your organization using Datadog metrics and Audit Trail.
diff --git a/content/en/bits_ai/mcp_server/setup.md b/content/en/bits_ai/mcp_server/setup.md
index 4a4e8ba61ee..0f6702e9f75 100644
--- a/content/en/bits_ai/mcp_server/setup.md
+++ b/content/en/bits_ai/mcp_server/setup.md
@@ -31,6 +31,7 @@ Datadog's [Cursor and VS Code extension][1] includes built-in access to the mana
 1. **Restart the IDE.**
 1. Confirm the Datadog MCP Server is available and the [tools][3] are listed: Go to **Cursor Settings** (`Shift` + `Cmd/Ctrl` + `J`), select the **Tools & MCP** tab, and expand the extension's tools list.
 1. If you previously installed the Datadog MCP Server manually, remove it from the IDE's configuration to avoid conflicts.
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
 
 [2]: /ide_plugins/vscode/?tab=cursor#installation
 [3]: /bits_ai/mcp_server#available-tools
@@ -67,6 +68,10 @@ Selected endpoint ({{< region-param key="dd_site_name" >}}): <code>{{< region-pa
 
    <pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
 
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
+
+<div class="alert alert-info">If remote authentication is not available, use <a href="#local-binary-authentication">local binary authentication</a> instead.</div>
+
 [1]: /getting_started/site/
 [2]: /bits_ai/mcp_server#toolsets
 {{< /site-region >}}
@@ -77,8 +82,6 @@ Selected endpoint ({{< region-param key="dd_site_name" >}}): <code>{{< region-pa
 
 {{< /site-region >}}
 
-<div class="alert alert-info">If remote authentication is not available, use <a href="#local-binary-authentication">local binary authentication</a> instead.</div>
-
 [1]: /getting_started/site/
 {{% /tab %}}
 
@@ -98,6 +101,8 @@ Connect Claude (including Claude Cowork) to the Datadog MCP Server by adding it
 
 1. Complete the OAuth login flow when prompted.
 
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
+
 [1]: https://support.claude.com/en/articles/11175166-get-started-with-custom-connectors-using-remote-mcp
 [2]: /getting_started/site/
 [3]: /bits_ai/mcp_server#toolsets
@@ -126,7 +131,7 @@ Selected endpoint ({{< region-param key="dd_site_name" >}}): <code>{{< region-pa
 
    <pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
 
-2. Log in to the Datadog MCP Server:
+1. Log in to the Datadog MCP Server:
 
    ```shell
    codex mcp login datadog
@@ -134,6 +139,8 @@ Selected endpoint ({{< region-param key="dd_site_name" >}}): <code>{{< region-pa
 
    This opens your browser to complete the OAuth flow. Codex stores the resulting credentials so you don't need to log in again until the token expires.
 
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
+
 [2]: /bits_ai/mcp_server#toolsets
 {{< /site-region >}}
 
@@ -159,6 +166,7 @@ Datadog's [Cursor and VS Code extension][1] includes built-in access to the mana
 1. Confirm the Datadog MCP Server is available and the [tools][3] are listed: Open the chat panel, select agent mode, and click the **Configure Tools** button.
    {{< img src="bits_ai/mcp_server/vscode_configure_tools_button.png" alt="Configure Tools button in VS Code" style="width:70%;" >}}
 1. If you previously installed the Datadog MCP Server manually, remove it from the IDE's configuration to avoid conflicts. Open the command palette (`Shift` + `Cmd/Ctrl` + `P`) and run `MCP: Open User Configuration`.
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
 
 [2]: /ide_plugins/vscode/?tab=vscode#installation
 [3]: /bits_ai/mcp_server#available-tools
@@ -181,48 +189,52 @@ Point your plugin to the MCP Server endpoint for your regional [Datadog site][3]
 Selected endpoint ({{< region-param key="dd_site_name" >}}): <code>{{< region-param key="mcp_server_endpoint" >}}</code>.
 
 {{% collapse-content title="Junie" level="h4" expanded=false id="jetbrains-junie" %}}
-Go to **Tools** > **Junie** > **MCP Settings** and add the following block:
+1. Go to **Tools** > **Junie** > **MCP Settings** and add the following block:
 
-<pre><code>{
-  "mcpServers": {
-    "datadog": {
-      "type": "http",
-      "url": "{{< region-param key="mcp_server_endpoint" >}}"
+    <pre><code>{
+      "mcpServers": {
+        "datadog": {
+          "type": "http",
+          "url": "{{< region-param key="mcp_server_endpoint" >}}"
+        }
+      }
     }
-  }
-}
-</code></pre>
+    </code></pre>
+
+1. To enable [product-specific tools][1], include the `toolsets` query parameter at the end of the endpoint URL. For example, this URL enables _only_ APM and LLM Observability tools: 
 
-To enable [product-specific tools][1], include the `toolsets` query parameter at the end of the endpoint URL. For example, this URL enables _only_ APM and LLM Observability tools: 
+    <pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
 
-<pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
+1. You are prompted to login through OAuth. The status indicator in the settings displays a green tick when the connection is successful.
 
-You are prompted to login through OAuth. The status indicator in the settings displays a green tick when the connection is successful.
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
 
 [1]: /bits_ai/mcp_server#toolsets
 {{% /collapse-content %}}
 
 {{% collapse-content title="JetBrains AI Assistant" level="h4" expanded=false id="jetbrains-ai-assistant" %}}
-Go to **Tools** > **AI Assistant** > **Model Context Protocol (MCP)** and add the following block:
+1. Go to **Tools** > **AI Assistant** > **Model Context Protocol (MCP)** and add the following block:
 
-<pre><code>{
-  "mcpServers": {
-    "datadog": {
-      "url": "{{< region-param key="mcp_server_endpoint" >}}"
-      "headers": {
-        "DD_API_KEY": "&lt;YOUR_API_KEY&gt;",
-        "DD_APPLICATION_KEY": "&lt;YOUR_APP_KEY&gt;"
+    <pre><code>{
+      "mcpServers": {
+        "datadog": {
+          "url": "{{< region-param key="mcp_server_endpoint" >}}"
+          "headers": {
+            "DD_API_KEY": "&lt;YOUR_API_KEY&gt;",
+            "DD_APPLICATION_KEY": "&lt;YOUR_APP_KEY&gt;"
+          }
+        }
       }
     }
-  }
-}
-</code></pre>
+    </code></pre>
+
+1. To enable [product-specific tools][1], include the `toolsets` query parameter at the end of the endpoint URL. For example, this URL enables _only_ APM and LLM Observability tools: 
 
-To enable [product-specific tools][1], include the `toolsets` query parameter at the end of the endpoint URL. For example, this URL enables _only_ APM and LLM Observability tools: 
+    <pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
 
-<pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
+1. The status indicator in the settings displays a green tick when the connection is successful.
 
-The status indicator in the settings displays a green tick when the connection is successful.
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
 
 [1]: /bits_ai/mcp_server#toolsets
 {{% /collapse-content %}}
@@ -273,6 +285,8 @@ Selected endpoint ({{< region-param key="dd_site_name" >}}): <code>{{< region-pa
 
     <pre><code>{{< region-param key="mcp_server_endpoint" >}}?toolsets=apm,llmobs</code></pre>
 
+1. Verify that you have the required [permissions](#required-permissions) for the Datadog resources you want to access.
+
 Example configuration file locations:
 
 | Client | Configuration file |
@@ -306,6 +320,26 @@ Example configuration file locations:
 
 <div class="alert alert-info">The Datadog MCP Server is under significant development, and additional supported clients may become available.</div>
 
+## Required permissions
+
+MCP Server tools require the following [Datadog user role permissions][22]:
+
+| Permission | Required for |
+|------------|-------------|
+| <code style="white-space:nowrap">mcp_read</code> | Tools that read data from Datadog (for example, querying monitors, searching logs, retrieving dashboards) |
+| <code style="white-space:nowrap">mcp_write</code> | Tools that create or modify resources in Datadog (for example, creating monitors, muting hosts) |
+
+In addition to `mcp_read` or `mcp_write`, users need the standard Datadog permissions for the underlying resource. For example, using an MCP tool that reads monitors requires both `mcp_read` and the [Monitors Read][24] permission. See [Datadog Role Permissions][25] for the full list of resource-level permissions.
+
+Users with the **Datadog Standard Role** have both MCP Server permissions by default. If your organization uses [custom roles][23], add the permissions manually:
+1. Go to [**Organization Settings > Roles**][26] as an administrator, and click the role you want to update.
+1. Click **Edit Role** (pencil icon).
+1. Under the permissions list, select the **MCP Read** and **MCP Write** checkboxes.
+1. Select any other resource-level permissions you need for the role.
+1. Click **Save**.
+
+Organization administrators can manage global MCP access and write capabilities from [Organization Settings][27].
+
 ## Authentication
 
 The MCP Server uses OAuth 2.0 for [authentication][14]. If you cannot go through the OAuth flow (for example, on a server), you can provide a Datadog [API key and application key][1] as `DD_API_KEY` and `DD_APPLICATION_KEY` HTTP headers.
@@ -409,3 +443,9 @@ Local authentication is recommended for Cline and when remote authentication is
 [19]: https://claude.ai
 [20]: https://coterm.datadoghq.com/mcp-cli/datadog_mcp_cli.exe
 [21]: /getting_started/site/
+[22]: /account_management/rbac/permissions/#mcp
+[23]: /account_management/rbac/?tab=datadogapplication#custom-roles
+[24]: /account_management/rbac/permissions/#monitors
+[25]: /account_management/rbac/permissions/
+[26]: https://app.datadoghq.com/organization-settings/roles
+[27]: https://app.datadoghq.com/organization-settings/preferences