Docs: Permissions updates (#31843)

* moved restricting access content to a separate topic * changed topic name * Update organization_roles.md * update link * content updates
4 years ago · 93ead2a50c
parent a7e243db8a
commit 93ead2a50c
10 changed files with 118 additions and 92 deletions
--- a/docs/sources/dashboards/dashboard_folders.md
+++ b/docs/sources/dashboards/dashboard_folders.md
@ -46,6 +46,6 @@ The Dashboard Folder Page is similar to the Manage Dashboards page and is where
 Permissions can be assigned to a folder and inherited by the containing dashboards. An Access Control List (ACL) is used where
 **Organization Role**, **Team** and Individual **User** can be assigned permissions. Read the
- [Dashboard and Folder Permissions]({{< relref "../permissions/dashboard_folder_permissions.md" >}}) docs for more detail
+ [Dashboard and Folder Permissions]({{< relref "../permissions/dashboard-folder-permissions.md" >}}) docs for more detail
 on the permission system.
--- a/docs/sources/enterprise/license-restrictions.md
+++ b/docs/sources/enterprise/license-restrictions.md
@ -22,7 +22,7 @@ In the context of licensing, each user is classified as either a viewer or an ed
 - An editor is a user who has permission to edit and save a dashboard. Examples of editors are as follows:
    - Grafana server administrators.
    - Users who are assigned an organizational role of Editor or Admin.
-    - Users that have been granted Admin or Edit permissions at the dashboard or folder level. Refer to [Dashboard and folder permissions](https://grafana.com/docs/grafana/latest/permissions/dashboard_folder_permissions/).     
+    - Users that have been granted Admin or Edit permissions at the dashboard or folder level. Refer to [Dashboard and folder permissions](https://grafana.com/docs/grafana/latest/permissions/dashboard-folder-permissions/).     
 - A viewer is a user with the Viewer role, which does not permit the user to save a dashboard.
 Restrictions are applied separately for viewers and editors.
--- a/docs/sources/manage-users/_index.md
+++ b/docs/sources/manage-users/_index.md
@ -36,7 +36,7 @@ Organization Admins can:
 ## Teams
-Teams are groups of users within the same organization. Teams allow you to grant permissions for a group of users. They are most often used to manage [permissions for folders and dashboards]({{< relref "../permissions/dashboard_folder_permissions.md" >}}). Enterprise users can use them to apply [data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}).
+Teams are groups of users within the same organization. Teams allow you to grant permissions for a group of users. They are most often used to manage [permissions for folders and dashboards]({{< relref "../permissions/dashboard-folder-permissions.md" >}}). Enterprise users can use them to apply [data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}).
 Teams are mostly managed by Organization Admins. However, if the Grafana server setting [editors_can_admin]({{< relref "../administration/configuration.md#editors_can_admin" >}}) is applied, then users who are assigned the Team Admin role can also manage teams in their organization and users assigned to their teams.
--- a/docs/sources/manage-users/server-admin/server-admin-manage-users.md
+++ b/docs/sources/manage-users/server-admin/server-admin-manage-users.md
@ -8,7 +8,7 @@ aliases =["/docs/grafana/latest/manage-users/add-or-remove-user/","/docs/grafana
 This topic explains user management tasks performed by Grafana Server Admins.
-In order to perform any of these tasks, you must be logged in to Grafana on an account with Grafana Server Admin permissions. For more information about Grafana Admin permissions, refer to [Grafana Server Admin role]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}})
+In order to perform any of these tasks, you must be logged in to Grafana on an account with Grafana Server Admin permissions. For more information about Grafana Admin permissions, refer to [Grafana Server Admin role]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}).
 > **Note:** The Grafana Server Admin role does not exist in Grafana Cloud. Grafana Cloud users cannot perform tasks listed in this section.
@ -27,7 +27,7 @@ Grafana displays all user accounts on the server, listed in alphabetical order b
 - **Server Admin status -** If the user account has **Grafana Admin** option set, then a shield icon is displayed.
 - **Account status -** If the account is disabled, then the **Disabled** label is displayed.
-![Server Admin user list](/img/docs/manage-users/server-user-list-7-3.png "title")
+![Server Admin user list](/img/docs/manage-users/server-user-list-7-3.png)
 ## View user account details
--- a/docs/sources/permissions/_index.md
+++ b/docs/sources/permissions/_index.md
@ -41,7 +41,7 @@ Users can belong to one or more organizations. A user's organization membership
 ## Dashboard and folder permissions
-Dashboard and folder permissions allow you to remove the default role based permissions for Editors and Viewers and assign permissions to specific users and teams. Learn more about [Dashboard and folder permissions]({{< relref "dashboard_folder_permissions.md" >}}).
+Dashboard and folder permissions allow you to remove the default role based permissions for Editors and Viewers and assign permissions to specific users and teams. Learn more about [Dashboard and folder permissions]({{< relref "dashboard-folder-permissions.md" >}}).
 ## Data source permissions
--- a/docs/sources/permissions/dashboard-folder-permissions.md
+++ b/docs/sources/permissions/dashboard-folder-permissions.md
@ -0,0 +1,50 @@
 +++
 title = "Dashboard and folder permissions"
 description = "Grafana Dashboard and Folder Permissions Guide "
 keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
 aliases = ["/docs/grafana/latest/permissions/dashboard_folder_permissions/"]
 weight = 200
 +++
 # Grant dashboard and folder permissions
 You can assign and remove permissions for organization roles, users, and teams for specific dashboards and dashboard folders.
 This page explains how to grant permissions to specific folders and dashboards.
 To learn more about denying access to certain Grafana users, refer to [Restricting access]({{< relref "restricting-access.md">}}).
 ![Folder permissions](/img/docs/permissions/folder-permissions-7-5.png)
 ## Permission levels
 Grafana has three permission levels that can be assigned regardless of organization role.
 - **Admin -** Can edit and create dashboards and edit permissions. Can also add, edit, and delete folders.
 - **Edit -** Can edit and create dashboards. _Cannot_ edit folder/dashboard permissions, or add, edit, or delete folders.
 - **View -** Can only view existing dashboards/folders.
 ## Grant folder permissions
 Folder permissions apply to the folder and all dashboards contained within it.
 1. In the sidebar, hover your mouse over the **Dashboards** (squares) icon and then click **Manage**.
 1. Hover your mouse cursor over a folder and then click **Go to folder**.
 1. Go to the **Permissions** tab, and then click **Add Permission**.
 1. In **Add Permission For**, select **User**, **Team**, or one of the role options.
 1. In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
 1. In the third box, select the permission you want to add.
 1. Click **Save**.
 ## Grant dashboard permissions
 1. In the top right corner of your dashboard, click the cog icon to go to **Dashboard settings**.
 1. Go to the **Permissions** tab, and then click **Add Permission**.
 1. In **Add Permission For**, select **User**, **Team**, or one of the role options.
 1. In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
 1. In the third box, select the permission you want to add.
 1. Click **Save**.
 ## Edit permissions
 To change existing permissions, navigate to the permissions page as described above. Instead of clicking **Add permission**, change or delete permissions already assigned. Changes take effect immediately.
--- a/docs/sources/permissions/dashboard_folder_permissions.md
+++ b/docs/sources/permissions/dashboard_folder_permissions.md
@ -1,84 +0,0 @@
 +++
 title = "Dashboard and Folder Permissions"
 description = "Grafana Dashboard and Folder Permissions Guide "
 keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
 weight = 200
 +++
 # Dashboard and Folder Permissions
 {{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
 For dashboards and dashboard folders there is a **Permissions** page that makes it possible to
 remove the default role based permissions for Editors and Viewers. On this page you can add and assign permissions to specific **Users** and **Teams**.
 You can assign and remove permissions for **Organization Roles**, **Users** and **Teams**.
 Permission levels:
 - **Admin**: Can edit and create dashboards and edit permissions. Can also add, edit, and delete folders.
 - **Edit**: Can edit and create dashboards. **Cannot** edit folder/dashboard permissions, or add, edit, or delete folders.
 - **View**: Can only view existing dashboards/folders.
 ## Grant folder permissions
 1. In the sidebar, hover your mouse over the **Dashboards** (squares) icon and then click **Manage**.
 1. Hover your mouse cursor over a folder and then click **Go to folder**.
 1. Go to the **Permissions** tab, and then click **Add Permission**.
 1. In the **Add Permission For** dialog, select **User**, **Team**, or one of the role options.
 1. In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
 1. In the third box, select the permission you want to add.
 1. Click **Save**.
 ## Grant dashboard permissions
 1. In the top right corner of your dashboard, click the cog icon to go to **Dashboard settings**.
 1. Go to the **Permissions** tab, and then click **Add Permission**.
 1. In the **Add Permission For** dialog, select **User**, **Team**, or one of the role options.
 1. In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
 1. In the third box, select the permission you want to add.
 1. Click **Save**.
 ## Restricting Access
 The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
 - You cannot override permissions for users with the Organization Admin role. Admins always have access to everything.
 - A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
 ### How Grafana Resolves Multiple Permissions - Examples
 #### Example 1 (`user1` has the Editor Role)
 Permissions for a dashboard:
 - Everyone with Editor role can edit
 - user1 can view
 Result: `user1` has Edit permission as the highest permission always wins.
 #### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
 Permissions for a dashboard:
 - `Everyone with Viewer Role Can View`
 - `user1 Can Edit`
 - `team1 Can Admin`
 Result: `user1` has Admin permission as the highest permission always wins.
 #### Example 3
 Permissions for a dashboard:
 - `user1 Can Admin (inherited from parent folder)`
 - `user1 Can Edit`
 Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
 ### Summary
 - **View**: Can only view existing dashboards/folders.
 - A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level.
 For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
--- a/docs/sources/permissions/organization_roles.md
+++ b/docs/sources/permissions/organization_roles.md
@ -15,7 +15,26 @@ Each organization can have one or more data sources.
 All dashboards are owned by a particular organization.
- > **Note:** Most metric databases do not provide per-user series authentication. This means that organization data sources and dashboards are available to all users in a particular organization.
+> **Note:** Most metric databases do not provide per-user series authentication. This means that organization data sources and dashboards are available to all users in a particular organization.
 ## Compare roles
 The table below compares what each role can do. Read the sections below for more detailed explanations.
 |    | Admin   | Editor   | Viewer   |
 |:---|:--:|:--:|:--:|
 | View dashboards   |  x  |  x  |  x  |
 | Add, edit, delete dashboards   |  x  |  x  |    |
 | Add, edit, delete folders   |  x  |  x  |    |
 | View playlists   |  x  |  x  |  x  |
 | Create, update, delete playlists   |  x  |  x  |    |
 | Access Explore   |  x  |  x  |    |
 | Add, edit, delete data sources   |  x  |    |    |
 | Add and edit users   |  x  |    |    |
 | Add and edit teams   |  x  |    |    |
 | Change organizations settings   |  x  |    |    |
 | Change team settings   |  x  |    |    |
 | Configure app plugins   |  x  |    |    |
 ## Organization admin role
--- a/docs/sources/permissions/restricting-access.md
+++ b/docs/sources/permissions/restricting-access.md
@ -0,0 +1,41 @@
 +++
 title = "Restricting access"
 weight = 500
 +++
 # Restricting access
 The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
 - You cannot override permissions for users with the Organization Admin role. Admins always have access to everything.
 - A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
 Here are some examples of how Grafana resolves multiple permissions.
 ## Example 1 (user1 has the Editor Role)
 Permissions for a dashboard:
 - Everyone with Editor role can edit
 - user1 can view
 Result: `user1` has Edit permission as the highest permission always wins.
 ## Example 2 (user1 has the Viewer Role and is a member of team1)
 Permissions for a dashboard:
 - Everyone with Viewer role can view
 - user1 Can Edit
 - team1 Can Admin
 Result: `user1` has Admin permission as the highest permission always wins.
 ## Example 3
 Permissions for a dashboard:
 - user1 can admin (inherited from parent folder)
 - user1 can edit
 Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
--- a/docs/sources/whatsnew/whats-new-in-v7-4.md
+++ b/docs/sources/whatsnew/whats-new-in-v7-4.md
@ -186,7 +186,7 @@ These features are included in the Grafana Enterprise edition.
 ### Licensing changes
-When determining a user’s role for billing purposes, a user who has the ability to edit and save dashboards is considered an Editor. This includes any user who is an Editor or Admin at the Org level, and who has granted Admin or Edit permissions via [Dashboard and folder permissions]({{< relref "../permissions/dashboard_folder_permissions.md">}}).
+When determining a user’s role for billing purposes, a user who has the ability to edit and save dashboards is considered an Editor. This includes any user who is an Editor or Admin at the Org level, and who has granted Admin or Edit permissions via [Dashboard and folder permissions]({{< relref "../permissions/dashboard-folder-permissions.md">}}).
 After the number of Viewers or Editors has reached its license limit, only Admins will see a banner in Grafana indicating that the license limit has been reached. Previously, all users saw the banner.