* Alerting docs: adds silence RBAC 11.1
* ran prettier
* Improve docs with new rule-specific silence RBAC information
* Apply suggestions from code review
Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
* Apply suggestions from code review
Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
* prettier
---------
Co-authored-by: Matt Jacobson <matthew.jacobson@grafana.com>
Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
@ -47,7 +47,7 @@ The following list contains role-based access control actions.
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read general and rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
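Review bot: In the `alert.silences:read` row, "Read all general silences and rule-specific silences in a folder and its subfolders" leaves it unclear whether the folder scope also limits general silences. The folder-permission table later in this change says a folder View grant gives "Read access to all general silences", so the row should say so outright, for example "Read all general silences, plus rule-specific silences in a folder and its subfolders". The `alert.silences:create` and `alert.silences:write` rows cover only rule-specific silences, and none of the visible rows names the action that governs creating or expiring general silences. A pointer to it would help anyone scoping a custom role.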
@ -93,6 +93,15 @@ To remove a silence, complete the following steps.
> **Note:** You cannot remove a silence manually. Silences that have ended are retained and listed for five days.
## Rule-specific silences
Rule-specific silences are silences that apply only to a specific alert rule.
They're created when you silence an alert rule directly using the **Silence notifications** action in the UI.
{{<admonitiontype="note">}}
As opposed to general silences, rule-specific silence access is tied directly to the alert rule they act on. They can be created manually by including the specific label matcher: `__alert_rule_uid__=<alert rule UID>`.
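Review bot: The note's last sentence says a rule-specific silence can be created manually with `__alert_rule_uid__=<alert rule UID>`, but not which permission check applies on that path. Because access is described as "tied directly to the alert rule", spell out whether a manually created silence carrying this matcher needs `alert.silences:create` in the rule's folder, and whether the matcher must be an exact equality match on a single UID to be treated as rule-specific. Separately, "rule-specific silence access is tied directly to the alert rule they act on" mixes singular and plural; "access to rule-specific silences is tied directly to the alert rule they act on" reads more cleanly.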
@ -45,7 +45,7 @@ Grafana Alerting has the following permissions.
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read general and rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
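Review bot: This copy of the permissions table disagrees with the earlier one on the rows around the silence change. The `alert.rules:read` row here says only to combine with `folders:read`, while the other copy also requires `datasources:query`, and the `alert.provisioning:read` row says "data source" here but "datasource" there. Since the commit edits both tables, align them in the same change so readers building a custom role get the same permission set from either page.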
You can further customize access for alert rules by assigning permissions to individual folders or data sources, regardless of role assigned.
You can extend the access provided by a role to alert rules and rule-specific silences by assigning permissions to individual folders or data sources.
{{<admonitiontype="note">}}
You can't use folders to customize access to notification resources.
Data source query permissions are required to create or modify an alert rule using that data source.
{{</admonition>}}
Details of how role access can combine with folder permissions for Grafana Alerting are below.
This allows different users, teams, or service accounts to have customized access to modify or silence alert rules in specific folders or using specific data sources.
Details on the additional access provided by folder permissions are below.
| No Basic Role | - | None. No access to alert rules or rule-specific silences in the folder. |
| No Basic Role | View | Read access to all general silences. Read access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| No Basic Role | Edit | Above access and write access to alert rules (given necessary data source query permissions) and their rule-specific silences _only_ in the given folder and subfolders. |
| Viewer | - | Read access to alert rules and silences in all folders. |
| Viewer | Edit | Read access to alert rules and silences in all folders. Write access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| Editor | View | Read and write access to alert rules and silences in all folders. Access can only be extended. |
{{<admonitiontype="note">}}
You can't use folders to customize access to notification resources.
| Admin | - | Write access to alert rules in all folders. |
| Editor | - | Write access to alert rules in all folders. |
| Viewer | Admin | Read access to alert rules in all folders. Write access to alert rules **only** in the folders where the Admin permission is added. |
| Viewer | Editor | Read access to alert rules in all folders. Write access to alert rules **only** in the folders where the Editor permission is added. |
| Viewer | Viewer | Read access to alert rules in all folders. |
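Review bot: The rows that mention silences stop at `| Editor | View |` and have no Admin row, whereas the rows without silences include `| Admin | - | Write access to alert rules in all folders. |`. Add an Admin row, or say that Admin matches Editor, so the table doesn't leave Admin access to silences undefined. In the `| No Basic Role | Edit |` row, "Above access and write access ..." depends on row order; restating the View access explicitly keeps the row correct if the table is reordered. "Access can only be extended" appears only on the Editor row, although the paragraph above the table says folder permissions extend role access in general, so it belongs in that paragraph rather than in one row.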