From 10d706dccff98ff5504bd49094bf5004de88c365 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torkel=20=C3=96degaard?= Date: Thu, 18 Oct 2018 14:34:25 +0200 Subject: [PATCH 01/23] wip: enterprise docs --- docs/sources/enterprise/index.md | 11 +++++++++++ docs/sources/whatsnew/index.md | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 docs/sources/enterprise/index.md diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md new file mode 100644 index 00000000000..a241d84b50e --- /dev/null +++ b/docs/sources/enterprise/index.md @@ -0,0 +1,11 @@ ++++ +title = "Grafana Enterprise" +description = "Grafana Enterprise overview" +type = "docs" +[menu.docs] +name = "Enterprise" +identifier = "enterprise" +weight = 4 ++++ + +### Grafana Enterprise diff --git a/docs/sources/whatsnew/index.md b/docs/sources/whatsnew/index.md index df472f07093..f4159643d72 100644 --- a/docs/sources/whatsnew/index.md +++ b/docs/sources/whatsnew/index.md @@ -3,7 +3,7 @@ title = "What's New in Grafana" [menu.docs] name = "What's New In Grafana" identifier = "whatsnew" -weight = 3 +weight = 5 +++ From a8e2840f15e9957b28cdde280530376f4552fa69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torkel=20=C3=96degaard?= Date: Tue, 30 Oct 2018 15:25:10 +0100 Subject: [PATCH 02/23] minor progress --- docs/sources/enterprise/index.md | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index a241d84b50e..3583064f9c3 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md 
@@ -3,9 +3,30 @@ title = "Grafana Enterprise" description = "Grafana Enterprise overview" type = "docs" [menu.docs] -name = "Enterprise" +name = "Grafana Enterprise" identifier = "enterprise" -weight = 4 +weight = 5 +++ -### Grafana Enterprise +# Grafana Enterprise + +Grafana Enterprise is a commercial edition of Grafana that includes additional features not found in the open source +version. + +## Enterprise features + +Grafana Enterprise includes all of the features found in the open source version. Below we list the additional features +that can only be found in the Enterprise edition. + +### Enhanced LDAP + +With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link). + +### Data source permissions + +Assign and restrict query permissions on Data Sources to specific teams or users. [Learn More](link). + +## Try Grafana Enterprise + +## Licence file mangement + From 621525d10fa636e51c932c364c6f08fcc96e5a32 Mon Sep 17 00:00:00 2001 From: Marcus Efraimsson Date: Tue, 30 Oct 2018 18:43:54 +0100 Subject: [PATCH 03/23] restructure administration/permissions page into a section with sub pages --- docs/sources/administration/permissions.md | 116 ------------------ docs/sources/enterprise/index.md | 4 +- .../dashboard_folder_permissions.md | 67 ++++++++++ .../permissions/datasource_permissions.md | 71 +++++++++++ docs/sources/permissions/index.md | 12 ++ .../sources/permissions/organization_roles.md | 38 ++++++ docs/sources/permissions/overview.md | 42 +++++++ 7 files changed, 232 insertions(+), 118 deletions(-) delete mode 100644 docs/sources/administration/permissions.md create mode 100644 docs/sources/permissions/dashboard_folder_permissions.md create mode 100644 docs/sources/permissions/datasource_permissions.md create mode 100644 docs/sources/permissions/index.md create mode 100644 docs/sources/permissions/organization_roles.md create mode 100644 docs/sources/permissions/overview.md 
diff --git a/docs/sources/administration/permissions.md b/docs/sources/administration/permissions.md
deleted file mode 100644
index 0d374f03647..00000000000
--- a/docs/sources/administration/permissions.md
+++ /dev/null
@@ -1,116 +0,0 @@
-+++
-title = "Permissions"
-description = "Grafana user permissions"
-keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
-type = "docs"
-aliases = ["/reference/admin"]
-[menu.docs]
-name = "Permissions"
-parent = "admin"
-weight = 3
-+++
-
-# Permissions
-
-Grafana users have permissions that are determined by their:
-
-- **Organization Role** (Admin, Editor, Viewer)
-- Via **Team** memberships where the **Team** has been assigned specific permissions.
-- Via permissions assigned directly to user (on folders or dashboards)
-- The Grafana Admin (i.e. Super Admin) user flag.
-
-## Organization Roles
-
-Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
-in that organization.
-
-### Admin Role
-
-Can do everything scoped to the organization. For example:
-
-- Add & Edit data sources.
-- Add & Edit organization users & teams.
-- Configure App plugins & set org settings.
-
-### Editor Role
-
-- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
-- **Cannot** create or edit data sources nor invite new users.
-
-### Viewer Role
-
-- View any dashboard. This can be disabled on specific folders and dashboards.
-- **Cannot** create or edit dashboards nor data sources.
-
-This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
-with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
-Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
-
-## Grafana Admin
-
-This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
-
-### Dashboard & Folder Permissions
-
-{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
-
-For dashboards and dashboard folders there is a **Permissions** page that make it possible to
-remove the default role based permissions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**.
-
-You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**.
-
-Permission levels:
-
-- **Admin**: Can edit & create dashboards and edit permissions.
-- **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
-- **View**: Can only view existing dashboards/folders.
-
-#### Restricting Access
-
-The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
-
-- You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything.
-- A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
-
-#### How Grafana Resolves Multiple Permissions - Examples
-
-##### Example 1 (`user1` has the Editor Role)
-
-Permissions for a dashboard:
-
-- `Everyone with Editor Role Can Edit`
-- `user1 Can View`
-
-Result: `user1` has Edit permission as the highest permission always wins.
-
-##### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
-
-Permissions for a dashboard:
-
-- `Everyone with Viewer Role Can View`
-- `user1 Can Edit`
-- `team1 Can Admin`
-
-Result: `user1` has Admin permission as the highest permission always wins.
-
-##### Example 3
-
-Permissions for a dashboard:
-
-- `user1 Can Admin (inherited from parent folder)`
-- `user1 Can Edit`
-
-Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
-
-- **View**: Can only view existing dashboards/folders.
-- You cannot override permissions for users with **Org Admin Role**
-- A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
-
-### Data source permissions
-
-Permissions on dashboards and folders **do not** include permissions on data sources. A user with `Viewer` role
-can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
-We hope to add permissions on data sources in a future release. Until then **do not** view dashboard permissions as a secure
-way to restrict user data access. Dashboard permissions only limits what dashboards & folders a user can view & edit not which
-data sources a user can access nor what queries a user can issue.
-
diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md
index 3583064f9c3..378de9d6371 100644
--- a/docs/sources/enterprise/index.md
+++ b/docs/sources/enterprise/index.md
@@ -22,9 +22,9 @@ that can only be found in the Enterprise edition. With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link). -### Data source permissions +### Datasource Permissions -Assign and restrict query permissions on Data Sources to specific teams or users. [Learn More](link). +Datasource permissions allows you to restrict access for users to query a datasource. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}). ## Try Grafana Enterprise diff --git a/docs/sources/permissions/dashboard_folder_permissions.md b/docs/sources/permissions/dashboard_folder_permissions.md new file mode 100644 index 00000000000..fb82f00d712 --- /dev/null +++ b/docs/sources/permissions/dashboard_folder_permissions.md 
@@ -0,0 +1,67 @@
++++
+title = "Dashboard & Folder Permissions"
+description = "Grafana Dashboard & Folder Permissions Guide "
+keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
+type = "docs"
+[menu.docs]
+name = "Dashboard & Folder Permissions"
+identifier = "dashboard-folder-permissions"
+parent = "permissions"
+weight = 3
++++
+
+# Dashboard & Folder Permissions
+
+{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
+
+For dashboards and dashboard folders there is a **Permissions** page that make it possible to
+remove the default role based permissions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**.
+
+You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**.
+
+Permission levels:
+
+- **Admin**: Can edit & create dashboards and edit permissions.
+- **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
+- **View**: Can only view existing dashboards/folders.
+
+## Restricting Access
+
+The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
+
+- You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything.
+- A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
+
+### How Grafana Resolves Multiple Permissions - Examples
+
+#### Example 1 (`user1` has the Editor Role)
+
+Permissions for a dashboard:
+
+- `Everyone with Editor Role Can Edit`
+- `user1 Can View`
+
+Result: `user1` has Edit permission as the highest permission always wins.
+
+#### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
+
+Permissions for a dashboard:
+
+- `Everyone with Viewer Role Can View`
+- `user1 Can Edit`
+- `team1 Can Admin`
+
+Result: `user1` has Admin permission as the highest permission always wins.
+
+#### Example 3
+
+Permissions for a dashboard:
+
+- `user1 Can Admin (inherited from parent folder)`
+- `user1 Can Edit`
+
+Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
+
+- **View**: Can only view existing dashboards/folders.
+- You cannot override permissions for users with **Org Admin Role**
+- A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
diff --git a/docs/sources/permissions/datasource_permissions.md b/docs/sources/permissions/datasource_permissions.md
new file mode 100644
index 00000000000..fd5405fd684
--- /dev/null
+++ b/docs/sources/permissions/datasource_permissions.md
@@ -0,0 +1,71 @@
++++
+title = "Datasource Permissions"
+description = "Grafana Datasource Permissions Guide "
+keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams"]
+type = "docs"
+[menu.docs]
+name = "Datasource Permissions"
+identifier = "datasource-permissions"
+parent = "permissions"
+weight = 4
++++
+
+# Datasource Permissions
+
+> Datasource Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
+
+Datasource permissions allows you to restrict access for users to query a datasource. For each datasource there is
+a permission page that makes it possible to enable permissions and add restrict query permissions to specific
+**Users** and **Teams**.
+
+## Restricting Access - Enable Permissions
+
+{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_enable.gif" >}}
+
+By default, permissions are disabled for datasources and a datasource in an organization can be queried by any user in
+that organization. For example a user with `Viewer` role can still issue any possible query to a datasource, not just
+those queries that exist on dashboards he/she has access to.
+
+When permissions are enabled for a datasource in an organization you will restrict admin and query access for that
+datasource to [admin users](/permissions/organization_roles/#admin-role) in that organization.
+
+**To enable permissions for a datasource:**
+
+1. Navigate to Configuration / Data Sources.
+2. Select the datasource you want to enable permissions for.
+3. Select the Permissions tab and click on the `Enable` button.
+
+
+## Allow users and teams to query a datasource
+
+{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_add.gif" >}}
+
+After you have [enabled permissions](#restricting-access-enable-permissions) for a datasource you can assign query
+permissions to users and teams which will allow access to query the datasource.
+
+**Assign query permission to users and teams:**
+
+1. Navigate to Configuration / Data Sources.
+2. Select the datasource you want to assign query permissions for.
+3. Select the Permissions tab.
+4. click on the `Add Permission` button.
+5. Select Team/User and find the team/user you want to allow query access and click on the `Save` button.
+
+
+## Restore Default Access - Disable Permissions
+
+{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}}
+
+If you have enabled permissions for a datasource and want to revoke datasource permissions to the default, i.e.
+datasource can be queried by any user in that organization, you can disable permissions with a click of a button.
+Note that all existing permissions created for datasource will be deleted.
+
+**To disable permissions for a datasource:**
+
+1. Navigate to Configuration / Data Sources.
+2. Select the datasource you want to disable permissions for.
+3. Select the Permissions tab and click on the `Disable Permissions` button.
+
diff --git a/docs/sources/permissions/index.md b/docs/sources/permissions/index.md
new file mode 100644
index 00000000000..42514f76baf
--- /dev/null
+++ b/docs/sources/permissions/index.md
@@ -0,0 +1,12 @@
++++
+title = "Permissions"
+description = "Permissions"
+type = "docs"
+[menu.docs]
+name = "Permissions"
+identifier = "permissions"
+parent = "admin"
+weight = 3
++++
+
+
diff --git a/docs/sources/permissions/organization_roles.md b/docs/sources/permissions/organization_roles.md
new file mode 100644
index 00000000000..626d79fad87
--- /dev/null
+++ b/docs/sources/permissions/organization_roles.md
@@ -0,0 +1,38 @@
++++
+title = "Organization Roles"
+description = "Grafana Organization Roles Guide "
+keywords = ["grafana", "configuration", "documentation", "organization", "roles", "permissions"]
+type = "docs"
+[menu.docs]
+name = "Organization Roles"
+identifier = "organization-roles"
+parent = "permissions"
+weight = 2
++++
+
+# Organization Roles
+
+Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
+in that organization.
+
+## Admin Role
+
+Can do everything scoped to the organization. For example:
+
+- Add & Edit data sources.
+- Add & Edit organization users & teams.
+- Configure App plugins & set org settings.
+
+## Editor Role
+
+- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
+- **Cannot** create or edit data sources nor invite new users.
+
+## Viewer Role
+
+- View any dashboard. This can be disabled on specific folders and dashboards.
+- **Cannot** create or edit dashboards nor data sources.
+
+This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
+with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
+Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
diff --git a/docs/sources/permissions/overview.md b/docs/sources/permissions/overview.md
new file mode 100644
index 00000000000..cd3fc5417b6
--- /dev/null
+++ b/docs/sources/permissions/overview.md
@@ -0,0 +1,42 @@
++++
+title = "Overview"
+description = "Overview for permissions"
+keywords = ["grafana", "configuration", "documentation", "admin", "users", "datasources", "permissions"]
+type = "docs"
+aliases = ["/reference/admin", "/administration/permissions/"]
+[menu.docs]
+name = "Overview"
+identifier = "overview-permissions"
+parent = "permissions"
+weight = 1
++++
+
+# Permissions Overview
+
+Grafana users have permissions that are determined by their:
+
+- **Organization Role** (Admin, Editor, Viewer)
+- Via **Team** memberships where the **Team** has been assigned specific permissions.
+- Via permissions assigned directly to user (on folders, dashboards, datasources)
+- The Grafana Admin (i.e. Super Admin) user flag.
+
+## Grafana Admin
+
+This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
+
+## Organization Roles
+
+Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
+in that organization. Learn more about [Organization Roles]({{< relref "permissions/organization_roles.md" >}}).
+
+
+## Dashboard & Folder Permissions
+
+Dashboard and folder permissions allows you to remove the default role based permissions for Editors and Viewers and assign permissions to specific **Users** and **Teams**. Learn more about [Dashboard & Folder Permissions]({{< relref "permissions/dashboard_folder_permissions.md" >}}).
+
+## Datasource Permissions
+
+Per default, a datasource in an organization can be queried by any user in that organization. For example a user with `Viewer` role can still
+issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
+
+Datasource permissions allows you to change the default permissions for datasources and restrict query permissions to specific **Users** and **Teams**.
Read more about [Datasource Permissions]({{< relref "permissions/datasource_permissions.md" >}}). From fc6d7c9b6b041ffddb07df3cb6b02dc2fd299a0a Mon Sep 17 00:00:00 2001 From: Marcus Efraimsson Date: Tue, 30 Oct 2018 19:02:12 +0100 Subject: [PATCH 04/23] datasource permission http api --- .../http_api/datasource_permissions.md | 249 ++++++++++++++++++ 1 file changed, 249 insertions(+) create mode 100644 docs/sources/http_api/datasource_permissions.md diff --git a/docs/sources/http_api/datasource_permissions.md b/docs/sources/http_api/datasource_permissions.md new file mode 100644 index 00000000000..aa4d498ef85 --- /dev/null +++ b/docs/sources/http_api/datasource_permissions.md 
@@ -0,0 +1,249 @@
++++
+title = "Datasource Permissions HTTP API "
+description = "Grafana Datasource Permissions HTTP API"
+keywords = ["grafana", "http", "documentation", "api", "datasource", "permission", "permissions", "acl"]
+aliases = ["/http_api/datasourcepermissions/"]
+type = "docs"
+[menu.docs]
+name = "Datasource Permissions"
+parent = "http_api"
++++
+
+# Datasource Permissions API
+
+> Datasource Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
+
+This API can be used to enable, disable, list, add and remove permissions for a datasource.
+
+Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything.
+
+The permission levels for the permission field:
+
+- 1 = Query
+
+## Enable permissions for a datasource
+
+`POST /api/datasources/:id/enable-permissions`
+
+Enables permissions for the datasource with the given `id`. No one except Org Admins will be able to query the datasource until a permission have been added which permits certain users or teams to query the datasource.
+
+**Example request**:
+
+```http
+POST /api/datasources/1/enable-permissions
+Accept: application/json
+Content-Type: application/json
+Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
+
+{}
+```
+
+**Example response**:
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+Content-Length: 35
+
+{"message":"Datasource permissions enabled"}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **400** - Permissions cannot be enabled, see response body for details
+- **401** - Unauthorized
+- **403** - Access denied
+- **404** - Datasource not found
+
+## Disable permissions for a datasource
+
+`POST /api/datasources/:id/disable-permissions`
+
+Disables permissions for the datasource with the given `id`. All existing permissions will be removed and anyone will be able to query the datasource.
+
+**Example request**:
+
+```http
+POST /api/datasources/1/disable-permissions
+Accept: application/json
+Content-Type: application/json
+Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
+
+{}
+```
+
+**Example response**:
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+Content-Length: 35
+
+{"message":"Datasource permissions disabled"}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **400** - Permissions cannot be disabled, see response body for details
+- **401** - Unauthorized
+- **403** - Access denied
+- **404** - Datasource not found
+
+## Get permissions for a datasource
+
+`GET /api/datasources/:id/permissions`
+
+Gets all existing permissions for the datasource with the given `id`.
+
+**Example request**:
+
+```http
+GET /api/datasources/1/permissions HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
+```
+
+**Example Response**
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+Content-Length: 551
+
+{
+ "datasourceId": 1,
+ "enabled": true,
+ "permissions":
+ [
+ {
+ "id": 1,
+ "datasourceId": 1,
+ "userId": 1,
+ "userLogin": "user",
+ "userEmail": "user@test.com",
+ "userAvatarUrl": "/avatar/46d229b033af06a191ff2267bca9ae56",
+ "permission": 1,
+ "permissionName": "Query",
+ "created": "2017-06-20T02:00:00+02:00",
+ "updated": "2017-06-20T02:00:00+02:00",
+ },
+ {
+ "id": 2,
+ "datasourceId": 1,
+ "teamId": 1,
+ "team": "A Team",
+ "teamAvatarUrl": "/avatar/46d229b033af06a191ff2267bca9ae56",
+ "permission": 1,
+ "permissionName": "Query",
+ "created": "2017-06-20T02:00:00+02:00",
+ "updated": "2017-06-20T02:00:00+02:00",
+ }
+ ]
+}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **401** - Unauthorized
+- **403** - Access denied
+- **404** - Datasource not found
+
+## Add permission for a datasource
+
+`POST /api/datasources/:id/permissions`
+
+Adds a user permission for the datasource with the given `id`.
+
+**Example request**:
+
+```http
+POST /api/datasources/1/permissions
+Accept: application/json
+Content-Type: application/json
+Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
+
+{
+ "userId": 1,
+ "permission": 1
+}
+```
+
+**Example response**:
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+Content-Length: 35
+
+{"message":"Datasource permission added"}
+```
+
+Adds a team permission for the datasource with the given `id`.
+
+**Example request**:
+
+```http
+POST /api/datasources/1/permissions
+Accept: application/json
+Content-Type: application/json
+Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
+
+{
+ "teamId": 1,
+ "permission": 1
+}
+```
+
+**Example response**:
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+Content-Length: 35
+
+{"message":"Datasource permission added"}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **400** - Permission cannot be added, see response body for details
+- **401** - Unauthorized
+- **403** - Access denied
+- **404** - Datasource not found
+
+## Remove permission for a datasource
+
+`DELETE /api/datasources/:id/permissions/:permissionId`
+
+Removes the permission with the given `permissionId` for the datasource with the given `id`.
+
+**Example request**:
+
+```http
+DELETE /api/datasources/1/permissions/2
+Accept: application/json
+Content-Type: application/json
+Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
+```
+
+**Example response**:
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+Content-Length: 35
+
+{"message":"Datasource permission removed"}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **401** - Unauthorized
+- **403** - Access denied
+- **404** - Datasource not found or permission not found
From 5495072c83ef872bbc3b797efb02d05811547b24 Mon Sep 17 00:00:00 2001
From: Marcus Efraimsson Date: Wed, 31 Oct 2018 17:17:19 +0100 Subject: [PATCH 05/23] docs: fix datasource permissions keywords --- docs/sources/http_api/datasource_permissions.md | 2 +- docs/sources/permissions/datasource_permissions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sources/http_api/datasource_permissions.md b/docs/sources/http_api/datasource_permissions.md index aa4d498ef85..bc193113b43 100644 --- a/docs/sources/http_api/datasource_permissions.md +++ b/docs/sources/http_api/datasource_permissions.md @@ -1,7 +1,7 @@ +++ title = "Datasource Permissions HTTP API " description = "Grafana Datasource Permissions HTTP API" -keywords = ["grafana", "http", "documentation", "api", "datasource", "permission", "permissions", "acl"] +keywords = ["grafana", "http", "documentation", "api", "datasource", "permission", "permissions", "acl", "enterprise"] aliases = ["/http_api/datasourcepermissions/"] type = "docs" [menu.docs] diff --git a/docs/sources/permissions/datasource_permissions.md b/docs/sources/permissions/datasource_permissions.md index fd5405fd684..f1cbd31b85f 100644 --- a/docs/sources/permissions/datasource_permissions.md +++ b/docs/sources/permissions/datasource_permissions.md @@ -1,7 +1,7 @@ +++ title = "Datasource Permissions" description = "Grafana Datasource Permissions Guide " -keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams"] +keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams", "enterprise"] type = "docs" [menu.docs] name = "Datasource Permissions" From 280c8631f924c570fe933c0f7293336732989e28 Mon Sep 17 00:00:00 2001 
From: Marcus Efraimsson Date: Wed, 31 Oct 2018 18:01:30 +0100 Subject: [PATCH 06/23] docs: enhanced ldap --- docs/sources/auth/enhanced_ldap.md | 43 +++++++ docs/sources/enterprise/index.md | 7 +- docs/sources/http_api/external_group_sync.md | 111 +++++++++++++++++++ 3 files changed, 158 insertions(+), 3 deletions(-) create mode 100644 docs/sources/auth/enhanced_ldap.md create mode 100644 docs/sources/http_api/external_group_sync.md diff --git a/docs/sources/auth/enhanced_ldap.md b/docs/sources/auth/enhanced_ldap.md new file mode 100644 index 00000000000..8eec57b1429 --- /dev/null +++ b/docs/sources/auth/enhanced_ldap.md 
@@ -0,0 +1,43 @@
++++
+title = "Enhanced LDAP Integration"
+description = "Grafana Enhanced LDAP Integration Guide "
+keywords = ["grafana", "configuration", "documentation", "ldap", "active directory", "enterprise"]
+type = "docs"
+[menu.docs]
+name = "Enhanced LDAP"
+identifier = "enhanced-ldap"
+parent = "authentication"
+weight = 3
++++
+
+# Enhanced LDAP Integration
+
+> Enhanced LDAP Integration is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
+
+The enhanced LDAP integration adds additional functionality on top of the [existing LDAP integration]({{< relref "auth/ldap.md" >}}).
+
+## LDAP Group Synchronization for Teams
+
+{{< docs-imagebox img="/img/docs/enterprise/team_members_ldap.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
+
+With the enhanced LDAP integration it's possible to setup synchronization between LDAP groups and teams. This enables LDAP users which are members
+of certain LDAP groups to automatically be added/removed as members to certain teams in Grafana. Currently the synchronization will only happen every
+time a user logs in, but an active background synchronization is currently being developed.
+
+Grafana keeps track of all synchronized users in teams and you can see which users have been synchronized from LDAP in the team members list, see `LDAP` label in screenshot.
+This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also enables you to manually add
+a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
+
+
+### Enable LDAP group synchronization for a team
+
+{{< docs-imagebox img="/img/docs/enterprise/team_add_external_group.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
+
+1. Navigate to Configuration / Teams.
+2. Select a team.
+3. Select the External group sync tab and click on the `Add group` button.
+4. Insert LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
+5. Click on `Add group` button to save.
+
diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 378de9d6371..97a06f1ab47 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -1,6 +1,7 @@ +++ title = "Grafana Enterprise" description = "Grafana Enterprise overview" +keywords = ["grafana", "documentation", "datasource", "permissions", "ldap", "licensing", "enterprise"] type = "docs" [menu.docs] name = "Grafana Enterprise" @@ -18,9 +19,9 @@ version. Grafana Enterprise includes all of the features found in the open source version. Below we list the additional features that can only be found in the Enterprise edition. -### Enhanced LDAP +### Enhanced LDAP Integration -With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link). +With Grafana Enterprise you can setup synchronization between LDAP Groups and Teams. [Learn More]({{< relref "auth/enhanced_ldap.md" >}}). ### Datasource Permissions @@ -28,5 +29,5 @@ Datasource permissions allows you to restrict access for users to query a dataso ## Try Grafana Enterprise -## Licence file mangement +## Licence file management diff --git a/docs/sources/http_api/external_group_sync.md b/docs/sources/http_api/external_group_sync.md new file mode 100644 index 00000000000..2ce06c2c94e --- /dev/null +++ b/docs/sources/http_api/external_group_sync.md 
@@ -0,0 +1,111 @@
++++
+title = "External Group Sync HTTP API "
+description = "Grafana External Group Sync HTTP API"
+keywords = ["grafana", "http", "documentation", "api", "team", "teams", "group", "member", "enterprise"]
+aliases = ["/http_api/external_group_sync/"]
+type = "docs"
+[menu.docs]
+name = "External Group Sync"
+parent = "http_api"
++++
+
+# External Group Synchronization API
+
+> External Group Synchronization is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
+
+## Get External Groups
+
+`GET /api/teams/:teamId/groups`
+
+**Example Request**:
+
+```http
+GET /api/teams/1/groups HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+Authorization: Basic YWRtaW46YWRtaW4=
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 200
+Content-Type: application/json
+
+[
+ {
+ "orgId": 1,
+ "teamId": 1,
+ "groupId": "cn=editors,ou=groups,dc=grafana,dc=org"
+ }
+]
+```
+
+Status Codes:
+
+- **200** - Ok
+- **401** - Unauthorized
+- **403** - Permission denied
+
+## Add External Group
+
+`POST /api/teams/:teamId/groups`
+
+**Example Request**:
+
+```http
+POST /api/teams/1/members HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+Authorization: Basic YWRtaW46YWRtaW4=
+
+{
+ "groupId": "cn=editors,ou=groups,dc=grafana,dc=org"
+}
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 200
+Content-Type: application/json
+
+{"message":"Group added to Team"}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **400** - Group is already added to this team
+- **401** - Unauthorized
+- **403** - Permission denied
+- **404** - Team not found
+
+## Remove External Group
+
+`DELETE /api/teams/:teamId/groups/:groupId`
+
+**Example Request**:
+
+```http
+DELETE /api/teams/1/groups/cn=editors,ou=groups,dc=grafana,dc=org HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+Authorization: Basic YWRtaW46YWRtaW4=
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 200
+Content-Type: application/json
+
+{"message":"Team Group removed"}
+```
+
+Status Codes:
+
+- **200** - Ok
+- **401** - Unauthorized
+- **403** - Permission denied
+- **404** - Team not found/Group not found
From a1b4ebc11516046b94b6b1bfed3a9fe4f834ba2b Mon Sep 17 00:00:00 2001
From: Marcus Efraimsson
Date: Thu, 1 Nov 2018 11:00:32 +0100
Subject: [PATCH 07/23] make permission sub items in sidemenu cleaner
---
 docs/sources/permissions/dashboard_folder_permissions.md | 2 +-
 docs/sources/permissions/datasource_permissions.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/sources/permissions/dashboard_folder_permissions.md b/docs/sources/permissions/dashboard_folder_permissions.md
index fb82f00d712..aed0f91ee7c 100644
--- a/docs/sources/permissions/dashboard_folder_permissions.md
+++ b/docs/sources/permissions/dashboard_folder_permissions.md
@@ -4,7 +4,7 @@ description = "Grafana Dashboard & Folder Permissions Guide "
 keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
 type = "docs"
 [menu.docs]
-name = "Dashboard & Folder Permissions"
+name = "Dashboard & Folder"
 identifier = "dashboard-folder-permissions"
 parent = "permissions"
 weight = 3
diff --git a/docs/sources/permissions/datasource_permissions.md b/docs/sources/permissions/datasource_permissions.md
index f1cbd31b85f..f94fc47c4d2 100644
--- a/docs/sources/permissions/datasource_permissions.md
+++ b/docs/sources/permissions/datasource_permissions.md
@@ -4,7 +4,7 @@ description = "Grafana Datasource Permissions Guide "
 keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams", "enterprise"]
 type = "docs"
 [menu.docs]
-name = "Datasource Permissions"
+name = "Datasource"
 identifier = "datasource-permissions"
 parent = "permissions"
 weight = 4
From 5a27df2dc96c76766a178627048a03d0a3b08365 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?= Date: Thu, 1 Nov 2018 12:17:04 +0100 Subject: [PATCH 08/23] updated enterprise page --- docs/sources/enterprise/index.md | 39 +++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 97a06f1ab47..d0e7798d3d8 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -14,7 +14,8 @@ weight = 5 Grafana Enterprise is a commercial edition of Grafana that includes additional features not found in the open source version. -## Enterprise features +Building on everything you already know and love about Grafana, Grafana Enterprise layers on [premium data sources](https://grafana.com/plugins?premium=1), + advanced authentication options, **Data Source** permissions and 24x7x365 support and training from the core Grafana team. Grafana Enterprise includes all of the features found in the open source version. Below we list the additional features that can only be found in the Enterprise edition. 
@@ -25,9 +26,41 @@ With Grafana Enterprise you can setup synchronization between LDAP Groups and Te ### Datasource Permissions -Datasource permissions allows you to restrict access for users to query a datasource. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}). +Datasource permissions allows you to restrict query access to only specific Teams and Users. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}). + +### Premium Plugins + +With a Grafana Enterprise licence you will get access to these premium plugins. + +* [Splunk](https://grafana.com/plugins/grafana-splunk-datasource) +* [AppDynamics](https://grafana.com/plugins/dlopes7-appdynamics-datasource) +* [DataDog](https://grafana.com/plugins/grafana-datadog-datasource) +* [Dynatrace](https://grafana.com/plugins/grafana-dynatrace-datasource) +* [New Relic](https://grafana.com/plugins/grafana-newrelic-datasource) ## Try Grafana Enterprise -## Licence file management +You can learn more about Grafana Enterprise [here](https://grafana.com/enterprise). To purchase or obtain a trial license contact +the Grafana Labs [Sales Team](https://grafana.com/contact?about=support&topic=Grafana%20Enterprise). + +## License file management + +To download your Grafana Enterprise license login to you [Grafana.com](https://grafana.com) account and go to your **Org +Profile**. In the side menu there is a section for Grafana Enterprise licenses. At the bottom of the license +details page there is **Download Token** link that will download the *license.jwt* file containing your license. + +Place the *license.jwt* file in Grafana's data folder. This is usually located at `/var/lib/grafana/data` on linux systems. + +You can also configure a custom location for the license file via the ini setting: + +```bash +[enterprise] +license_path = /company/secrets/license.jwt +``` + +This setting can also be set via ENV variable. 
Which is useful if your running Grafana via docker and have a custom +volume where you have placed the license file. In this case set the ENV variable `GF_ENTERPRISE_LICENSE_PATH` to point +to the location of your license file. + + From 4c070bc781662064e4702c674f6f40d841f88ce2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torkel=20=C3=96degaard?= Date: Thu, 1 Nov 2018 12:35:51 +0100 Subject: [PATCH 09/23] minor doc tweaks --- docs/sources/enterprise/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index d0e7798d3d8..6d5f77ab6c8 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -14,11 +14,11 @@ weight = 5 Grafana Enterprise is a commercial edition of Grafana that includes additional features not found in the open source version. -Building on everything you already know and love about Grafana, Grafana Enterprise layers on [premium data sources](https://grafana.com/plugins?premium=1), - advanced authentication options, **Data Source** permissions and 24x7x365 support and training from the core Grafana team. +Building on everything you already know and love about Grafana, Grafana Enterprise layers on premium data sources. +advanced authentication options, more permissions controls and 24x7x365 support and training from the core Grafana team. -Grafana Enterprise includes all of the features found in the open source version. Below we list the additional features -that can only be found in the Enterprise edition. +Grafana Enterprise includes all of the features found in the open source edition. Below we list the additional features +that can only be found in the Grafana Enterprise. ### Enhanced LDAP Integration From 044505a2130dbe942de68d322871b02b36b7e16a Mon Sep 17 00:00:00 2001 
From: Dan Cech Date: Tue, 6 Nov 2018 15:53:49 +0100 Subject: [PATCH 10/23] minor change Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 6d5f77ab6c8..8d44f731b3c 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -15,7 +15,7 @@ Grafana Enterprise is a commercial edition of Grafana that includes additional f version. Building on everything you already know and love about Grafana, Grafana Enterprise layers on premium data sources. -advanced authentication options, more permissions controls and 24x7x365 support and training from the core Grafana team. +advanced authentication options, more permission controls, 24x7x365 support, and training from the core Grafana team. Grafana Enterprise includes all of the features found in the open source edition. Below we list the additional features that can only be found in the Grafana Enterprise. From 881c73fb9399077805e5541df405277b3aa78b71 Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:54:25 +0100 Subject: [PATCH 11/23] Update docs/sources/enterprise/index.md Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 8d44f731b3c..862c2ddb9a4 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md 
@@ -14,7 +14,7 @@ weight = 5 Grafana Enterprise is a commercial edition of Grafana that includes additional features not found in the open source version. -Building on everything you already know and love about Grafana, Grafana Enterprise layers on premium data sources. +Building on everything you already know and love about Grafana, Grafana Enterprise adds premium data sources, advanced authentication options, more permission controls, 24x7x365 support, and training from the core Grafana team. Grafana Enterprise includes all of the features found in the open source edition. Below we list the additional features From 32e001dba489415be71373f62119e4f9de1e299d Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:54:53 +0100 Subject: [PATCH 12/23] Update docs/sources/enterprise/index.md Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 862c2ddb9a4..f6dc9a02e12 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -22,7 +22,7 @@ that can only be found in the Grafana Enterprise. ### Enhanced LDAP Integration -With Grafana Enterprise you can setup synchronization between LDAP Groups and Teams. [Learn More]({{< relref "auth/enhanced_ldap.md" >}}). +With Grafana Enterprise you can set up synchronization between LDAP Groups and Teams. [Learn More]({{< relref "auth/enhanced_ldap.md" >}}). ### Datasource Permissions From 5cdd53c5e7f9d03d0b50927cbc8eaa7f2038ac58 Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:55:05 +0100 Subject: [PATCH 13/23] Update docs/sources/enterprise/index.md Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index f6dc9a02e12..24b1a8234d7 100644 --- a/docs/sources/enterprise/index.md 
+++ b/docs/sources/enterprise/index.md @@ -26,7 +26,7 @@ With Grafana Enterprise you can set up synchronization between LDAP Groups and T ### Datasource Permissions -Datasource permissions allows you to restrict query access to only specific Teams and Users. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}). +Datasource permissions allow you to restrict query access to only specific Teams and Users. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}). ### Premium Plugins From 803b36a0593921e3d42b51b5a58cddfcf4c34e37 Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:55:28 +0100 Subject: [PATCH 14/23] Update docs/sources/enterprise/index.md Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 24b1a8234d7..402e7253339 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -30,7 +30,7 @@ Datasource permissions allow you to restrict query access to only specific Teams ### Premium Plugins -With a Grafana Enterprise licence you will get access to these premium plugins. +With a Grafana Enterprise licence you will get access to premium plugins, including: * [Splunk](https://grafana.com/plugins/grafana-splunk-datasource) * [AppDynamics](https://grafana.com/plugins/dlopes7-appdynamics-datasource) From d44b8968d26dad33ba082416b4404b8cc1c15bfb Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:55:42 +0100 Subject: [PATCH 15/23] Update docs/sources/enterprise/index.md Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 402e7253339..cdd9ed3817c 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md 
@@ -45,7 +45,7 @@ the Grafana Labs [Sales Team](https://grafana.com/contact?about=support&topic=Gr ## License file management -To download your Grafana Enterprise license login to you [Grafana.com](https://grafana.com) account and go to your **Org +To download your Grafana Enterprise license log in to your [Grafana.com](https://grafana.com) account and go to your **Org Profile**. In the side menu there is a section for Grafana Enterprise licenses. At the bottom of the license details page there is **Download Token** link that will download the *license.jwt* file containing your license. From 8a52cb7714e14ff19ab492fc657282e73e61c2ab Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:55:53 +0100 Subject: [PATCH 16/23] Update docs/sources/enterprise/index.md Co-Authored-By: marefr --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index cdd9ed3817c..fba31641d8b 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -58,7 +58,7 @@ You can also configure a custom location for the license file via the ini settin license_path = /company/secrets/license.jwt ``` -This setting can also be set via ENV variable. Which is useful if your running Grafana via docker and have a custom +This setting can also be set via ENV variable which is useful if you're running Grafana via docker and have a custom volume where you have placed the license file. In this case set the ENV variable `GF_ENTERPRISE_LICENSE_PATH` to point to the location of your license file. From 1bc3f0af07ae2ca7f85f056715d519d0fc40bc73 Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:56:12 +0100 Subject: [PATCH 17/23] Update docs/sources/http_api/datasource_permissions.md Co-Authored-By: marefr --- docs/sources/http_api/datasource_permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/sources/http_api/datasource_permissions.md b/docs/sources/http_api/datasource_permissions.md index bc193113b43..226beac3728 100644 --- a/docs/sources/http_api/datasource_permissions.md +++ b/docs/sources/http_api/datasource_permissions.md @@ -25,7 +25,7 @@ The permission levels for the permission field: `POST /api/datasources/:id/enable-permissions` -Enables permissions for the datasource with the given `id`. No one except Org Admins will be able to query the datasource until a permission have been added which permits certain users or teams to query the datasource. +Enables permissions for the datasource with the given `id`. No one except Org Admins will be able to query the datasource until permissions have been added which permit certain users or teams to query the datasource. **Example request**: From 4ef770fe9881f2b544d383efdb1dd57bfb9be184 Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:56:32 +0100 Subject: [PATCH 18/23] Update docs/sources/permissions/dashboard_folder_permissions.md Co-Authored-By: marefr --- docs/sources/permissions/dashboard_folder_permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/permissions/dashboard_folder_permissions.md b/docs/sources/permissions/dashboard_folder_permissions.md index aed0f91ee7c..b11782b7474 100644 --- a/docs/sources/permissions/dashboard_folder_permissions.md +++ b/docs/sources/permissions/dashboard_folder_permissions.md 
@@ -15,7 +15,7 @@ weight = 3 {{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}} For dashboards and dashboard folders there is a **Permissions** page that make it possible to -remove the default role based permissions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**. +remove the default role based permissions for Editors and Viewers. On this page you can add and assign permissions to specific **Users** and **Teams**. You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**. From 850c0e7111c5fb97fb80e6e7bf0eac32f69a24be Mon Sep 17 00:00:00 2001 From: Dan Cech Date: Tue, 6 Nov 2018 15:56:53 +0100 Subject: [PATCH 19/23] Update docs/sources/permissions/datasource_permissions.md Co-Authored-By: marefr --- docs/sources/permissions/datasource_permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/permissions/datasource_permissions.md b/docs/sources/permissions/datasource_permissions.md index f94fc47c4d2..6c5a98bdda5 100644 --- a/docs/sources/permissions/datasource_permissions.md +++ b/docs/sources/permissions/datasource_permissions.md @@ -15,7 +15,7 @@ weight = 4 > Datasource Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}). Datasource permissions allows you to restrict access for users to query a datasource. For each datasource there is -a permission page that makes it possible to enable permissions and add restrict query permissions to specific +a permission page that makes it possible to enable permissions and restrict query permissions to specific **Users** and **Teams**. ## Restricting Access - Enable Permissions From 1347ce5f756f403c24aec8cb21549d8a9e454a42 Mon Sep 17 00:00:00 2001 
From: Dan Cech Date: Tue, 6 Nov 2018 15:57:14 +0100 Subject: [PATCH 20/23] Update docs/sources/permissions/datasource_permissions.md Co-Authored-By: marefr --- docs/sources/permissions/datasource_permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/permissions/datasource_permissions.md b/docs/sources/permissions/datasource_permissions.md index 6c5a98bdda5..ec54c1fbccd 100644 --- a/docs/sources/permissions/datasource_permissions.md +++ b/docs/sources/permissions/datasource_permissions.md @@ -58,7 +58,7 @@ permissions to users and teams which will allow access to query the datasource. {{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}} -If you have enabled permissions for a datasource and want to revoke datasource permissions to the default, i.e. +If you have enabled permissions for a datasource and want to return datasource permissions to the default, i.e. datasource can be queried by any user in that organization, you can disable permissions with a click of a button. Note that all existing permissions created for datasource will be deleted. From f294dbdb86c9abca662fd71d99c6adf01791ede5 Mon Sep 17 00:00:00 2001 From: Marcus Efraimsson Date: Tue, 6 Nov 2018 17:39:35 +0100 Subject: [PATCH 21/23] move enterprise down in menu --- docs/sources/enterprise/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index fba31641d8b..43ec2cd65c2 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -6,7 +6,7 @@ type = "docs" [menu.docs] name = "Grafana Enterprise" identifier = "enterprise" -weight = 5 +weight = 30 +++ # Grafana Enterprise From d0794dbce1d353d0c9339d45b9a757e2364cf10e Mon Sep 17 00:00:00 2001 
From: Alexandre de Verteuil Date: Wed, 7 Nov 2018 09:17:36 +0100 Subject: [PATCH 22/23] Update docs/sources/permissions/dashboard_folder_permissions.md Co-Authored-By: marefr --- docs/sources/permissions/dashboard_folder_permissions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/sources/permissions/dashboard_folder_permissions.md b/docs/sources/permissions/dashboard_folder_permissions.md index b11782b7474..83cb0ee86a3 100644 --- a/docs/sources/permissions/dashboard_folder_permissions.md +++ b/docs/sources/permissions/dashboard_folder_permissions.md @@ -62,6 +62,12 @@ Permissions for a dashboard: Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins. +## Summary + - **View**: Can only view existing dashboards/folders. - You cannot override permissions for users with **Org Admin Role** +- A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. + +For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule. +- You cannot override permissions for users with **Org Admin Role** - A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule. From d7edc5988241d176ea7adf0e1df2640ea517b076 Mon Sep 17 00:00:00 2001 
From: Marcus Efraimsson Date: Wed, 7 Nov 2018 13:52:11 +0100 Subject: [PATCH 23/23] minor fix --- docs/sources/enterprise/index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/sources/enterprise/index.md b/docs/sources/enterprise/index.md index 43ec2cd65c2..f65fa55f02b 100644 --- a/docs/sources/enterprise/index.md +++ b/docs/sources/enterprise/index.md @@ -17,8 +17,9 @@ version. Building on everything you already know and love about Grafana, Grafana Enterprise adds premium data sources, advanced authentication options, more permission controls, 24x7x365 support, and training from the core Grafana team. -Grafana Enterprise includes all of the features found in the open source edition. Below we list the additional features -that can only be found in the Grafana Enterprise. +Grafana Enterprise includes all of the features found in the open source edition and more. + +___ ### Enhanced LDAP Integration