apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Teams: Display teams page to team reader if they also have the access to list team permissions (#84650)

Browse Source 
* display teams to team reader if they also have the access to list team permissions

* fix a typo in the docs
pull/84660/head
Ieva 2 years ago committed by GitHub
parent 4ca68925a1
commit 7aa0ba8c59
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 135 additions and 134 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 268
      docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md
  2. 1
      pkg/services/accesscontrol/models.go

268
docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md
Unescape View File

@ -29,140 +29,140 @@ To learn more about the Grafana resources to which you can apply RBAC, refer to
The following list contains role-based access control actions.
| Action | Applicable scope | Description |
| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | n/a | Create silences in the current organization. |
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
| `alert.instances:write` | n/a | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `annotations:create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
| `annotations:delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
| `annotations:read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
| `annotations:write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
| `apikeys:create` | n/a | Create API keys. |
| `apikeys:read` | `apikeys:*`<br>`apikeys:id:*` | Read API keys. |
| `apikeys:delete` | `apikeys:*`<br>`apikeys:id:*` | Delete API keys. |
| `dashboards:create` | `folders:*`<br>`folders:uid:*` | Create dashboards in one or more folders and their subfolders. |
| `dashboards:delete` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Delete one or more dashboards. |
| `dashboards.insights:read` | n/a | Read dashboard insights data and see presence indicators. |
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update permissions for one or more dashboards. |
| `dashboards:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update one or more dashboards. |
| `dashboards.public:write` | `dashboards:*`<br>`dashboards:uid:*` | Write public dashboard configuration. |
| `datasources.caching:read` | `datasources:*`<br>`datasources:uid:*` | Read data source query caching settings. |
| `datasources.caching:write` | `datasources:*`<br>`datasources:uid:*` | Update data source query caching settings. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:delete` | `datasources:*`<br>`datasources:uid:*` | Delete data sources. |
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources.id:read` | `datasources:*`<br>`datasources:uid:*` | Read data source IDs. |
| `datasources.insights:read` | n/a | Read data sources insights data. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:uid:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*`<br>`datasources:uid:*` | Update data source permissions. |
| `datasources:query` | `datasources:*`<br>`datasources:uid:*` | Query data sources. |
| `datasources:read` | `datasources:*`<br>`datasources:uid:*` | List data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:uid:*` | Update data sources. |
| `featuremgmt.read` | n/a | Read feature toggles. |
| `featuremgmt.write` | n/a | Write feature toggles. |
| `folders.permissions:read` | `folders:*`<br>`folders:uid:*` | Read permissions for one or more folders and their subfolders. |
| `folders.permissions:write` | `folders:*`<br>`folders:uid:*` | Update permissions for one or more folders and their subfolders. |
| `folders:create` | n/a | Create folders in the root level. If granted together with `folders:write`, also allows creating subfolders under all folders that the user can update. |
| `folders:delete` | `folders:*`<br>`folders:uid:*` | Delete one or more folders and their subfolders. |
| `folders:read` | `folders:*`<br>`folders:uid:*` | Read one or more folders and their subfolders. |
| `folders:write` | `folders:*`<br>`folders:uid:*` | Update one or more folders and their subfolders. If granted together with `folders:create` permission, also allows creating subfolders under these folders. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.user:read` | n/a | Read users via LDAP. |
| `ldap.user:sync` | n/a | Sync users via LDAP. |
| `library.panels:create` | `folders:*` <br> `folders:uid:*` | Create a library panel in one or more folders and their subfolders. |
| `library.panels:read` | `folders:*` <br> `folders:uid:*` <br> `library.panels:*` <br> `library.panels:uid:*` | Read one or more library panels. |
| `library.panels:write` | `folders:*` <br> `folders:uid:*` <br> `library.panels:*` <br> `library.panels:uid:*` | Update one or more library panels. |
| `library.panels:delete` | `folders:*` <br> `folders:uid:*` <br> `library.panels:*` <br> `library.panels:uid:*` | Delete one or more library panels. |
| `licensing.reports:read` | n/a | Get custom permission reports. |
| `licensing:delete` | n/a | Delete the license token. |
| `licensing:read` | n/a | Read licensing information. |
| `licensing:write` | n/a | Update the license token. |
| `org.users:write` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. |
| `org.users:add` | `users:*` <br> `users:id:*` | Add a user to an organization or invite a new user to an organization. |
| `org.users:read` | `users:*` <br> `users:id:*` | Get user profiles within an organization. |
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
| `orgs.preferences:read` | n/a | Read organization preferences. |
| `orgs.preferences:write` | n/a | Update organization preferences. |
| `orgs.quotas:read` | n/a | Read organization quotas. |
| `orgs.quotas:write` | n/a | Update organization quotas. |
| `orgs:create` | n/a | Create an organization. |
| `orgs:delete` | n/a | Delete one or more organizations. |
| `orgs:read` | n/a | Read one or more organizations. |
| `orgs:write` | n/a | Update one or more organizations. |
| `plugins.app:access` | `plugins:*` <br> `plugins:id:*` | Access one or more application plugins (still enforcing the organization role) |
| `plugins:install` | n/a | Install and uninstall plugins. |
| `plugins:write` | `plugins:*` <br> `plugins:id:*` | Edit settings for one or more plugins. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). |
| `reports:create` | n/a | Create reports. |
| `reports:write` | `reports:*` <br> `reports:id:*` | Update reports. |
| `reports.settings:read` | n/a | Read report settings. |
| `reports.settings:write` | n/a | Update report settings. |
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
| `reports:read` | `reports:*` <br> `reports:id:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` <br> `reports:id:*` | Send a report email. |
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
| `roles:read` | `roles:*` <br> `roles:uid:*` | List roles and read a specific with its permissions. |
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. |
| `server.stats:read` | n/a | Read Grafana instance statistics. |
| `server.usagestats.report:read` | n/a | View usage statistics report. |
| `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. |
| `serviceaccounts:create` | n/a | Update Grafana service accounts. |
| `serviceaccounts:delete` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Delete Grafana service accounts. |
| `serviceaccounts:read` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Read Grafana service accounts. |
| `serviceaccounts.permissions:write` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Update Grafana service account permissions to control who can do what with the service account. |
| `serviceaccounts.permissions:read` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Read Grafana service account permissions to see who can do what with the service account. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}). |
| `support.bundles:create` | n/a | Create support bundles. |
| `support.bundles:delete` | n/a | Delete support bundles. |
| `support.bundles:read` | n/a | List and download support bundles. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and Team Sync setup for teams. |
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage Team Sync setup for teams. |
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
| `teams.roles:read` | `teams:*`<br>`teams:id:*` | List roles assigned directly to a team. |
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
| `teams:create` | n/a | Create teams. |
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. |
| `teams:write` | `teams:*`<br>`teams:id:*` | Update one or more teams and team preferences. |
| `users.authtoken:read` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:write` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s password. |
| `users.permissions:read` | `users:*` | List permissions of a user. |
| `users.permissions:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s organization-level permissions. |
| `users.quotas:read` | `global.users:*` <br> `global.users:id:*` | List a user’s quotas. |
| `users.quotas:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s quotas. |
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. |
| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. |
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. |
| `users:create` | n/a | Create a user. |
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
| `users:enable` | `global.users:*` <br> `global.users:id:*` | Enable a user. |
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
| `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s profile. |
| Action | Applicable scope | Description |
| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | n/a | Create silences in the current organization. |
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
| `alert.instances:write` | n/a | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `annotations:create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
| `annotations:delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
| `annotations:read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
| `annotations:write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
| `apikeys:create` | n/a | Create API keys. |
| `apikeys:read` | `apikeys:*`<br>`apikeys:id:*` | Read API keys. |
| `apikeys:delete` | `apikeys:*`<br>`apikeys:id:*` | Delete API keys. |
| `dashboards:create` | `folders:*`<br>`folders:uid:*` | Create dashboards in one or more folders and their subfolders. |
| `dashboards:delete` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Delete one or more dashboards. |
| `dashboards.insights:read` | n/a | Read dashboard insights data and see presence indicators. |
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update permissions for one or more dashboards. |
| `dashboards:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update one or more dashboards. |
| `dashboards.public:write` | `dashboards:*`<br>`dashboards:uid:*` | Write public dashboard configuration. |
| `datasources.caching:read` | `datasources:*`<br>`datasources:uid:*` | Read data source query caching settings. |
| `datasources.caching:write` | `datasources:*`<br>`datasources:uid:*` | Update data source query caching settings. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:delete` | `datasources:*`<br>`datasources:uid:*` | Delete data sources. |
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources.id:read` | `datasources:*`<br>`datasources:uid:*` | Read data source IDs. |
| `datasources.insights:read` | n/a | Read data sources insights data. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:uid:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*`<br>`datasources:uid:*` | Update data source permissions. |
| `datasources:query` | `datasources:*`<br>`datasources:uid:*` | Query data sources. |
| `datasources:read` | `datasources:*`<br>`datasources:uid:*` | List data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:uid:*` | Update data sources. |
| `featuremgmt.read` | n/a | Read feature toggles. |
| `featuremgmt.write` | n/a | Write feature toggles. |
| `folders.permissions:read` | `folders:*`<br>`folders:uid:*` | Read permissions for one or more folders and their subfolders. |
| `folders.permissions:write` | `folders:*`<br>`folders:uid:*` | Update permissions for one or more folders and their subfolders. |
| `folders:create` | n/a | Create folders in the root level. If granted together with `folders:write`, also allows creating subfolders under all folders that the user can update. |
| `folders:delete` | `folders:*`<br>`folders:uid:*` | Delete one or more folders and their subfolders. |
| `folders:read` | `folders:*`<br>`folders:uid:*` | Read one or more folders and their subfolders. |
| `folders:write` | `folders:*`<br>`folders:uid:*` | Update one or more folders and their subfolders. If granted together with `folders:create` permission, also allows creating subfolders under these folders. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.user:read` | n/a | Read users via LDAP. |
| `ldap.user:sync` | n/a | Sync users via LDAP. |
| `library.panels:create` | `folders:*` <br> `folders:uid:*` | Create a library panel in one or more folders and their subfolders. |
| `library.panels:read` | `folders:*` <br> `folders:uid:*` <br> `library.panels:*` <br> `library.panels:uid:*` | Read one or more library panels. |
| `library.panels:write` | `folders:*` <br> `folders:uid:*` <br> `library.panels:*` <br> `library.panels:uid:*` | Update one or more library panels. |
| `library.panels:delete` | `folders:*` <br> `folders:uid:*` <br> `library.panels:*` <br> `library.panels:uid:*` | Delete one or more library panels. |
| `licensing.reports:read` | n/a | Get custom permission reports. |
| `licensing:delete` | n/a | Delete the license token. |
| `licensing:read` | n/a | Read licensing information. |
| `licensing:write` | n/a | Update the license token. |
| `org.users:write` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. |
| `org.users:add` | `users:*` <br> `users:id:*` | Add a user to an organization or invite a new user to an organization. |
| `org.users:read` | `users:*` <br> `users:id:*` | Get user profiles within an organization. |
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
| `orgs.preferences:read` | n/a | Read organization preferences. |
| `orgs.preferences:write` | n/a | Update organization preferences. |
| `orgs.quotas:read` | n/a | Read organization quotas. |
| `orgs.quotas:write` | n/a | Update organization quotas. |
| `orgs:create` | n/a | Create an organization. |
| `orgs:delete` | n/a | Delete one or more organizations. |
| `orgs:read` | n/a | Read one or more organizations. |
| `orgs:write` | n/a | Update one or more organizations. |
| `plugins.app:access` | `plugins:*` <br> `plugins:id:*` | Access one or more application plugins (still enforcing the organization role) |
| `plugins:install` | n/a | Install and uninstall plugins. |
| `plugins:write` | `plugins:*` <br> `plugins:id:*` | Edit settings for one or more plugins. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). |
| `reports:create` | n/a | Create reports. |
| `reports:write` | `reports:*` <br> `reports:id:*` | Update reports. |
| `reports.settings:read` | n/a | Read report settings. |
| `reports.settings:write` | n/a | Update report settings. |
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
| `reports:read` | `reports:*` <br> `reports:id:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` <br> `reports:id:*` | Send a report email. |
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
| `roles:read` | `roles:*` <br> `roles:uid:*` | List roles and read a specific role with its permissions. |
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. |
| `server.stats:read` | n/a | Read Grafana instance statistics. |
| `server.usagestats.report:read` | n/a | View usage statistics report. |
| `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. |
| `serviceaccounts:create` | n/a | Update Grafana service accounts. |
| `serviceaccounts:delete` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Delete Grafana service accounts. |
| `serviceaccounts:read` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Read Grafana service accounts. |
| `serviceaccounts.permissions:write` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Update Grafana service account permissions to control who can do what with the service account. |
| `serviceaccounts.permissions:read` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Read Grafana service account permissions to see who can do what with the service account. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}). |
| `support.bundles:create` | n/a | Create support bundles. |
| `support.bundles:delete` | n/a | Delete support bundles. |
| `support.bundles:read` | n/a | List and download support bundles. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and Team Sync setup for teams. |
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage Team Sync setup for teams. |
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
| `teams.roles:read` | `teams:*`<br>`teams:id:*` | List roles assigned directly to a team. |
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
| `teams:create` | n/a | Create teams. |
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. To list teams through the UI one of the following permissions is required in addition to `teams:read`: `teams:write`, `teams.permissions:read` or `teams.permissions:write`. |
| `teams:write` | `teams:*`<br>`teams:id:*` | Update one or more teams and team preferences. |
| `users.authtoken:read` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:write` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s password. |
| `users.permissions:read` | `users:*` | List permissions of a user. |
| `users.permissions:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s organization-level permissions. |
| `users.quotas:read` | `global.users:*` <br> `global.users:id:*` | List a user’s quotas. |
| `users.quotas:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s quotas. |
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. |
| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. |
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. |
| `users:create` | n/a | Create a user. |
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
| `users:enable` | `global.users:*` <br> `global.users:id:*` | Enable a user. |
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
| `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s profile. |
### Grafana OnCall action definitions (beta)

1
pkg/services/accesscontrol/models.go
Unescape View File

@ -524,6 +524,7 @@ var TeamsAccessEvaluator = EvalAny(
EvalAny(
EvalPermission(ActionTeamsWrite),
EvalPermission(ActionTeamsPermissionsWrite),
EvalPermission(ActionTeamsPermissionsRead),
),
),
)

Write Preview
Loading…
Cancel
Save