The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
grafana/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-defin.../index.md


RBAC role definitions

{{% admonition type="note" %}} Available in Grafana Enterprise and Grafana Cloud. {{% /admonition %}}

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

| Basic role | UID | Associated fixed roles | Description |
| --- | --- | --- | --- |
| Grafana Admin | `basic_grafana_admin` | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer`<br>`fixed:datasources.caching:reader`<br>`fixed:datasources.caching:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:plugins:maintainer`<br>`fixed:authentication.config:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:library.panels:writer`<br>`fixed:library.panels:general.writer`<br>`fixed:groupsync:writer`<br>`fixed:migrationassistant:migrator` | Default Grafana server administrator assignments. |
| Admin | `basic_admin` | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:reader`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:reader`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:reader`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:reader`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:apikeys:reader`<br>`fixed:apikeys:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:reader`<br>`fixed:datasources.caching:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:plugins:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:library.panels:writer`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer`<br>`fixed:groupsync:writer` | Default Grafana organization administrator assignments. |
| Editor | `basic_editor` | `fixed:datasources:explorer`<br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled<br>`fixed:alerting:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.reader`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer` | Default Editor assignments. |
| Viewer | `basic_viewer` | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:datasources:explorer` if the `viewers_can_edit` configuration flag is enabled | Default Viewer assignments. |
| No Basic Role | n/a | | Default No Basic Role |

Fixed role definitions

The following table lists the built-in fixed role definitions. Plugins installed in Grafana might add other fixed roles. You can use the UUID shown here as an identifier for Terraform provisioning.

{{< admonition type="caution" >}} These UUIDs won't be available if your instance was created before Grafana v10.2.0.

To learn how to use the roles API to determine the role UUIDs, refer to Manage RBAC roles. {{< /admonition >}}

| Fixed role | UUID | Permissions | Description |
| --- | --- | --- | --- |
| `fixed:alerting:reader` | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader`<br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader` | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.\* |
| `fixed:alerting:writer` | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer`<br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer` | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.\* |
| `fixed:alerting.instances:reader` | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope<br>`alert.instances.external:read` for scope `datasources:*` | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.\* |
| `fixed:alerting.instances:writer` | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br>`alert.instances:create`<br>`alert.instances:write` for organization scope<br>`alert.instances.external:write` for scope `datasources:*` | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.\* |
| `fixed:alerting.notifications:reader` | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Read all Grafana and Alertmanager contact points, templates, and notification policies.\* |
| `fixed:alerting.notifications:writer` | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.\* |
| `fixed:alerting.provisioning:writer` | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write` | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. \* |
| `fixed:alerting.provisioning.secrets:reader` | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read` | Read-only permissions for Provisioning API and let export resources with decrypted secrets \* |
| `fixed:alerting.provisioning.status:writer` | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write` | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. \* |
| `fixed:alerting.rules:reader` | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*`<br>`alert.rules.external:read` for scope `datasources:*`<br>`alert.notifications.time-intervals:read`<br>`alert.notifications.receivers:list` | Read all\* Grafana, Mimir, and Loki alert rules.\* and read rule-specific silences |
| `fixed:alerting.rules:writer` | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and<br>`alert.rule:create`<br>`alert.rule:write`<br>`alert.rule:delete`<br>`alert.silences:create`<br>`alert.silences:write` for scope `folders:*`<br>`alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.\* and manage rule-specific silences |
| `fixed:annotations:reader` | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*` | Read all annotations and annotation tags. |
| `fixed:annotations:writer` | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader`<br>`annotations:write`<br>`annotations.create`<br>`annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
| `fixed:annotations.dashboard:writer` | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write`<br>`annotations.create`<br>`annotations:delete` for scope `annotations:type:dashboard` | Create, update and delete dashboard annotations and annotation tags. |
| `fixed:apikeys:reader` | `fixed_kYZ7UEkwEvGmCCjTrq07cFAVFws` | `apikeys:read` for scope `apikeys:*` | Read all api keys. |
| `fixed:apikeys:writer` | `fixed_anTrcpRkm21NBO1Q2CsX8y0fiCQ` | All permissions from `fixed:apikeys:reader` and<br>`apikeys:create`<br>`apikeys:delete` for scope `apikeys:*` | Read, create, delete all api keys. |
| `fixed:authentication.config:writer` | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*`<br>`settings:write` for scope `settings:auth.saml:*` | Read and update authentication and SAML settings. |
| `fixed:dashboards:creator` | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read` | Create dashboards. |
| `fixed:dashboards:reader` | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read` | Read all dashboards. |
| `fixed:dashboards:writer` | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and<br>`dashboards:write`<br>`dashboards:edit`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write` | Read, create, update, and delete all dashboards. |
| `fixed:dashboards.insights:reader` | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read` | Read dashboard insights data and see presence indicators. |
| `fixed:dashboards.permissions:reader` | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read` | Read all dashboard permissions. |
| `fixed:dashboards.permissions:writer` | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and<br>`dashboards.permissions:write` | Read and update all dashboard permissions. |
| `fixed:dashboards.public:writer` | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write` | Create, update, delete or pause a shared dashboard. |
| `fixed:datasources:creator` | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create` | Create data sources. |
| `fixed:datasources:explorer` | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
| `fixed:datasources:reader` | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and<br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:datasources.caching:reader` | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read` | Read data source query caching settings. |
| `fixed:datasources.caching:writer` | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write` | Enable, disable, or update query caching settings. |
| `fixed:datasources.id:reader` | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources.insights:reader` | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read` | Read data source insights data. |
| `fixed:datasources.permissions:reader` | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and<br>`datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:folders:creator` | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create` | Create folders in the root level. |
| `fixed:folders:reader` | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read` | Read all folders and dashboards. |
| `fixed:folders:writer` | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and<br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write` | Read, update, and delete all folders and dashboards. Create folders and subfolders. |
| `fixed:folders.permissions:reader` | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read` | Read all folder permissions. |
| `fixed:folders.permissions:writer` | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and<br>`folders.permissions:write` | Read and update all folder permissions. |
| `fixed:ldap:reader` | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:groupsync:reader` | `fixed_tLIbDrE6kw93sKqooF8GVS9BF4E` | `groupsync.mappings:read` | List all group attribute sync mappings. To use this role, enable the `groupAttributeSync` feature toggle. |
| `fixed:groupsync:writer` | `fixed_q7XUYx_efzxxsVmWhQgpiYClwBs` | `groupsync.mappings:read`<br>`groupsync.mappings:write` | Create, read, update, and delete all group attribute sync mappings. To use this role, enable the `groupAttributeSync` feature toggle. |
| `fixed:ldap:writer` | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and<br>`ldap.user:sync`<br>`ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:library.panels:creator` | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read` | Create library panel at the root level. |
| `fixed:library.panels:general.reader` | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read` | Read all library panels at the root level. |
| `fixed:library.panels:general.writer` | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write` | Create, read, write or delete all library panels and their permissions at the root level. |
| `fixed:library.panels:reader` | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read` | Read all library panels. |
| `fixed:library.panels:writer` | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write` | Create, read, write or delete all library panels and their permissions. |
| `fixed:licensing:reader` | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:viewer` and<br>`licensing:write`<br>`licensing:delete` | Read licensing information and licensing reports, update and delete the license token. |
| `fixed:migrationassistant:migrator` | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate` | Execute on-prem to cloud migrations through the Migration Assistant. |
| `fixed:org.users:reader` | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and<br>`org.users:add`<br>`org.users:remove`<br>`org.users:write` | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:organization:maintainer` | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and<br>`orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write` | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| `fixed:organization:reader` | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read` | Read an organization and its quotas. |
| `fixed:organization:writer` | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and<br>`orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write` | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| `fixed:plugins:maintainer` | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install` | Install and uninstall plugins. Needs to be assigned globally. |
| `fixed:plugins:writer` | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write` | Enable and disable plugins and edit plugins' settings. |
| `fixed:plugins.app:reader` | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access` | Access application plugins (still enforcing the organization role). |
| `fixed:provisioning:writer` | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload` | Reload provisioning. |
| `fixed:reports:reader` | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Read all reports and shared report settings. |
| `fixed:reports:writer` | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and<br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:roles:reader` | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read` | Read all access control roles, roles and permissions assigned to users, teams. |
| `fixed:roles:resetter` | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate` | Reset basic roles to their default. |
| `fixed:roles:writer` | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and<br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove` | Create, read, update, or delete all roles, assign or unassign roles to users, teams. |
| `fixed:serviceaccounts:creator` | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create` | Create Grafana service accounts. |
| `fixed:serviceaccounts:reader` | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read` | Read Grafana service accounts. |
| `fixed:serviceaccounts:writer` | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write` | Create, update, read and delete all Grafana service accounts and manage service account permissions. |
| `fixed:settings:reader` | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:creator` | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:read` | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read` | List all teams. |
| `fixed:teams:writer` | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |
| `fixed:users:reader` | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |

Alerting roles

You can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

  • Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
  • Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is currently only one exception: the role fixed:alerting.provisioning:writer does not require the user to have any additional permissions and provides access to all aspects of the alerting configuration through the special provisioning API.

For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.
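
The intersection rule above, modeled as a small access check. This is an added example, not Grafana's own evaluator or code from this page. The scope names (folders:uid:ops, datasources:uid:prom, datasources:uid:loki) are constructed, and treating a trailing * as a prefix wildcard is a simplifying assumption.

```python
"""Added example: the alert-rule access rule as a check over (action, scope)
grants. Scopes such as folders:uid:ops are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str
    scope: str = ""  # empty string = action granted without a scope


def scope_matches(granted: str, target: str) -> bool:
    # Assumption: a trailing "*" in a granted scope is a prefix wildcard,
    # so "folders:*" covers "folders:uid:ops".
    if granted == target:
        return True
    return granted.endswith("*") and target.startswith(granted[:-1])


def has(perms, action, target_scope):
    return any(p.action == action and scope_matches(p.scope, target_scope)
               for p in perms)


def alert_rule_access(perms, folder_scope, datasource_scopes):
    """Return (allowed, reason) for reading one Grafana-managed alert rule."""
    # The one exception: the provisioning API path needs nothing else.
    if any(p.action == "alert.provisioning:read" for p in perms):
        return True, "provisioning API: no folder or data source check"
    missing = []
    # The rule itself and the folder that holds it must both be readable.
    for action in ("alert.rule:read", "folders:read"):
        if not has(perms, action, folder_scope):
            missing.append(f"{action} on {folder_scope}")
    # Every data source the rule queries must be queryable by the user.
    for ds in datasource_scopes:
        if not has(perms, "datasources:query", ds):
            missing.append(f"datasources:query on {ds}")
    if missing:
        return False, "missing " + "; ".join(missing)
    return True, "rule, folder and data source permissions all present"


# Constructed sample: a rule stored in folder "ops" that queries two sources.
RULE_FOLDER = "folders:uid:ops"
RULE_DATASOURCES = ["datasources:uid:prom", "datasources:uid:loki"]

ON_CALL = [
    Permission("alert.rule:read", "folders:*"),
    Permission("folders:read", "folders:uid:ops"),
    Permission("datasources:query", "datasources:uid:prom"),
]
ON_CALL_FIXED = ON_CALL + [Permission("datasources:query", "datasources:uid:loki")]
PROVISIONER = [
    Permission("alert.provisioning:read"),
    Permission("alert.provisioning:write"),
]

if __name__ == "__main__":
    for name, perms in [("on-call", ON_CALL),
                        ("on-call (loki added)", ON_CALL_FIXED),
                        ("provisioner", PROVISIONER)]:
        print(name, alert_rule_access(perms, RULE_FOLDER, RULE_DATASOURCES))
```

When reviewing role assignments, the provisioning branch is the one to audit first: a holder of fixed:alerting.provisioning:writer passes the check with no folder or data source grants at all.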

Grafana OnCall roles (beta)

{{% admonition type="note" %}} Available from Grafana 9.4 in early access. {{% /admonition %}}

{{% admonition type="note" %}} This feature is behind the accessControlOnCall feature toggle. You can enable feature toggles through the configuration file or environment variables. See the configuration docs for details. {{% /admonition %}}

If you are using Grafana OnCall, you can try out the integration between Grafana OnCall and RBAC. For a detailed list of the available OnCall RBAC roles, refer to the table in Available Grafana OnCall RBAC roles and granted actions.

The following table lists the default RBAC OnCall role assignments to the basic roles:

| Basic role | Associated fixed roles | Description |
| --- | --- | --- |
| Grafana Admin | `plugins:grafana-oncall-app:admin` | Default Grafana server administrator assignments. |
| Admin | `plugins:grafana-oncall-app:admin` | Default Grafana organization administrator assignments. |
| Editor | `plugins:grafana-oncall-app:editor` | Default Editor assignments. |
| Viewer | `plugins:grafana-oncall-app:reader` | Default Viewer assignments. |