grafana/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-defin.../index.md
---
aliases:
  - ../../../enterprise/access-control/fine-grained-access-control-references/
  - ../../../enterprise/access-control/rbac-fixed-basic-role-definitions/
description: This topic includes a table that lists the permissions associated with Grafana fixed and basic roles.
menuTitle: RBAC role definitions
title: Grafana RBAC role definitions
weight: 70
---

# RBAC role definitions

> **Note:** Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and Grafana Cloud Advanced.

The following tables list permissions associated with basic and fixed roles.

## Basic role assignments

| Basic role | Associated fixed roles | Description |
| --- | --- | --- |
| Grafana Admin | fixed:roles:reader<br>fixed:roles:writer<br>fixed:users:reader<br>fixed:users:writer<br>fixed:org.users:reader<br>fixed:org.users:writer<br>fixed:ldap:reader<br>fixed:ldap:writer<br>fixed:stats:reader<br>fixed:settings:reader<br>fixed:settings:writer<br>fixed:provisioning:writer<br>fixed:organization:reader<br>fixed:organization:maintainer<br>fixed:licensing:reader<br>fixed:licensing:writer<br>fixed:datasources.caching:reader<br>fixed:datasources.caching:writer<br>fixed:dashboards.insights:reader<br>fixed:datasources.insights:reader<br>fixed:plugins:maintainer<br>fixed:authentication.config:writer | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments. |
| Admin | fixed:reports:reader<br>fixed:reports:writer<br>fixed:datasources:reader<br>fixed:datasources:writer<br>fixed:organization:writer<br>fixed:datasources.permissions:reader<br>fixed:datasources.permissions:writer<br>fixed:teams:writer<br>fixed:dashboards:reader<br>fixed:dashboards:writer<br>fixed:dashboards.permissions:reader<br>fixed:dashboards.permissions:writer<br>fixed:dashboards.public:writer<br>fixed:folders:reader<br>fixed:folders:writer<br>fixed:folders.permissions:reader<br>fixed:folders.permissions:writer<br>fixed:alerting:writer<br>fixed:apikeys:reader<br>fixed:apikeys:writer<br>fixed:alerting.provisioning:writer<br>fixed:datasources.caching:reader<br>fixed:datasources.caching:writer<br>fixed:dashboards.insights:reader<br>fixed:datasources.insights:reader<br>fixed:plugins:writer | Default [Grafana organization administrator]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Editor | fixed:datasources:explorer<br>fixed:dashboards:creator<br>fixed:folders:creator<br>fixed:annotations:writer<br>fixed:teams:creator if the `editors_can_admin` configuration flag is enabled<br>fixed:alerting:writer<br>fixed:dashboards.insights:reader<br>fixed:datasources.insights:reader | Default [Editor]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Viewer | fixed:datasources:id:reader<br>fixed:organization:reader<br>fixed:annotations:reader<br>fixed:annotations.dashboard:writer<br>fixed:alerting:reader<br>fixed:plugins.app:reader<br>fixed:dashboards.insights:reader<br>fixed:datasources.insights:reader | Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments. |

## Fixed role definitions

| Fixed role | Permissions | Description |
| --- | --- | --- |
| fixed:alerting.instances:writer | All permissions from fixed:alerting.instances:reader and<br>alert.instances:create<br>alert.instances:write for organization scope<br>alert.instances.external:write for scope datasources:* | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.* |
| fixed:alerting.instances:reader | alert.instances:read for organization scope<br>alert.instances.external:read for scope datasources:* | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.* |
| fixed:alerting.notifications:writer | All permissions from fixed:alerting.notifications:reader and<br>alert.notifications:write for organization scope<br>alert.notifications.external:read for scope datasources:* | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.* |
| fixed:alerting.notifications:reader | alert.notifications:read for organization scope<br>alert.notifications.external:read for scope datasources:* | Read all Grafana and Alertmanager contact points, templates, and notification policies.* |
| fixed:alerting.rules:writer | All permissions from fixed:alerting.rules:reader and<br>alert.rule:create<br>alert.rule:write<br>alert.rule:delete for scope folders:*<br>alert.rules.external:write for scope datasources:* | Create, update, and delete all* Grafana, Mimir, and Loki alert rules.* |
| fixed:alerting.rules:reader | alert.rule:read for scope folders:*<br>alert.rules.external:read for scope datasources:* | Read all* Grafana, Mimir, and Loki alert rules.* |
| fixed:alerting:writer | All permissions from fixed:alerting.rules:writer<br>fixed:alerting.instances:writer<br>fixed:alerting.notifications:writer | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.* |
| fixed:alerting:reader | All permissions from fixed:alerting.rules:reader<br>fixed:alerting.instances:reader<br>fixed:alerting.notifications:reader | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.* |
| fixed:alerting.provisioning:writer | alert.provisioning:read and alert.provisioning:write | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc. via the provisioning API.* |
| fixed:annotations.dashboard:writer | annotations:write<br>annotations:create<br>annotations:delete for scope annotations:type:dashboard | Create, update and delete dashboard annotations and annotation tags. |
| fixed:annotations:reader | annotations:read for scopes annotations:type:* | Read all annotations and annotation tags. |
| fixed:annotations:writer | All permissions from fixed:annotations:reader<br>annotations:write<br>annotations:create<br>annotations:delete for scope annotations:type:* | Read, create, update and delete all annotations and annotation tags. |
| fixed:apikeys:reader | apikeys:read for scope apikeys:* | Read all API keys. |
| fixed:apikeys:writer | All permissions from fixed:apikeys:reader and<br>apikeys:create<br>apikeys:delete for scope apikeys:* | Read, create, and delete all API keys. |
| fixed:authentication.config:writer | settings:read<br>settings:write for scopes settings:auth:* and settings:auth.saml:* | Read and update authentication and SAML settings. |
| fixed:dashboards:creator | dashboards:create<br>folders:read | Create dashboards. |
| fixed:dashboards.insights:reader | dashboards.insights:read | Read dashboard insights data and see presence indicators. |
| fixed:dashboards.permissions:reader | dashboards.permissions:read | Read all dashboard permissions. |
| fixed:dashboards.permissions:writer | All permissions from fixed:dashboards.permissions:reader and<br>dashboards.permissions:write | Read and update all dashboard permissions. |
| fixed:dashboards.public:writer | dashboards.public:write | Create, update, delete or pause a public dashboard. |
| fixed:dashboards:reader | dashboards:read | Read all dashboards. |
| fixed:dashboards:writer | All permissions from fixed:dashboards:reader and<br>dashboards:write<br>dashboards:edit<br>dashboards:delete<br>dashboards:create<br>dashboards.permissions:read<br>dashboards.permissions:write | Read, create, update, and delete all dashboards. |
| fixed:datasources.caching:reader | datasources.caching:read | Read data source query caching settings. |
| fixed:datasources.caching:writer | datasources.caching:read<br>datasources.caching:write | Enable, disable, or update query caching settings. |
| fixed:datasources:explorer | datasources:explore | Enable the Explore feature. Data source permissions still apply: you can only query data sources for which you have query permissions. |
| fixed:datasources:id:reader | datasources.id:read | Read the ID of a data source based on its name. |
| fixed:datasources.insights:reader | datasources.insights:read | Read data source insights data. |
| fixed:datasources.permissions:reader | datasources.permissions:read | Read data source permissions. |
| fixed:datasources.permissions:writer | All permissions from fixed:datasources.permissions:reader and<br>datasources.permissions:write | Create, read, or delete permissions of a data source. |
| fixed:datasources:reader | datasources:read<br>datasources:query | Read and query data sources. |
| fixed:datasources:writer | All permissions from fixed:datasources:reader and<br>datasources:create<br>datasources:write<br>datasources:delete | Read, query, create, delete, or update a data source. |
| fixed:folders.permissions:reader | folders.permissions:read | Read all folder permissions. |
| fixed:folders.permissions:writer | All permissions from fixed:folders.permissions:reader and<br>folders.permissions:write | Read and update all folder permissions. |
| fixed:folders:creator | folders:create | Create folders at the root level. If granted together with the folders:write permission, also allows creating subfolders under all folders. |
| fixed:folders:reader | folders:read<br>dashboards:read | Read all folders and dashboards. |
| fixed:folders:writer | All permissions from fixed:dashboards:writer and<br>folders:read<br>folders:write<br>folders:create<br>folders:delete<br>folders.permissions:read<br>folders.permissions:write | Read, create, update, and delete all folders and dashboards. If granted together with fixed:folders:creator, allows creating subfolders under all folders. |
| fixed:ldap:reader | ldap.user:read<br>ldap.status:read | Read the LDAP configuration and LDAP status information. |
| fixed:ldap:writer | All permissions from fixed:ldap:reader and<br>ldap.user:sync<br>ldap.config:reload | Read and update the LDAP configuration, and read LDAP status information. |
| fixed:licensing:reader | licensing:read<br>licensing.reports:read | Read licensing information and licensing reports. |
| fixed:licensing:writer | All permissions from fixed:licensing:viewer and<br>licensing:write<br>licensing:delete | Read licensing information and licensing reports; update and delete the license token. |
| fixed:org.users:reader | org.users:read | Read users within a single organization. |
| fixed:org.users:writer | All permissions from fixed:org.users:reader and<br>org.users:add<br>org.users:remove<br>org.users:write | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| fixed:organization:maintainer | All permissions from fixed:organization:reader and<br>orgs:write<br>orgs:create<br>orgs:delete<br>orgs.quotas:write | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| fixed:organization:reader | orgs:read<br>orgs.quotas:read | Read an organization and its quotas. |
| fixed:organization:writer | All permissions from fixed:organization:reader and<br>orgs:write<br>orgs.preferences:read<br>orgs.preferences:write | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| fixed:plugins.app:reader | plugins.app:access | Access application plugins (still enforcing the organization role). |
| fixed:plugins:maintainer | plugins:install | Install and uninstall plugins. |
| fixed:plugins:writer | plugins:write | Enable and disable plugins and edit plugins' settings. |
| fixed:provisioning:writer | provisioning:reload | Reload provisioning. |
| fixed:reports:reader | reports:read<br>reports:send<br>reports.settings:read | Read all reports and shared report settings. |
| fixed:reports:writer | All permissions from fixed:reports:reader and<br>reports:create<br>reports:write<br>reports:delete<br>reports.settings:write | Create, read, update, or delete all reports and shared report settings. |
| fixed:roles:reader | roles:read<br>teams.roles:read<br>users.roles:read<br>users.permissions:read | Read all access control roles, and the roles and permissions assigned to users and teams. |
| fixed:roles:writer | All permissions from fixed:roles:reader and<br>roles:write<br>roles:delete<br>teams.roles:add<br>teams.roles:remove<br>users.roles:add<br>users.roles:remove | Create, read, update, or delete all roles; assign or unassign roles to users and teams. |
| fixed:roles:resetter | roles:write with scope permissions:type:escalate | Reset basic roles to their default. |
| fixed:serviceaccounts:reader | serviceaccounts:read | Read Grafana service accounts. |
| fixed:serviceaccounts:creator | serviceaccounts:create | Create Grafana service accounts. |
| fixed:serviceaccounts:writer | serviceaccounts:read<br>serviceaccounts:create<br>serviceaccounts:write<br>serviceaccounts:delete<br>serviceaccounts.permissions:read<br>serviceaccounts.permissions:write | Create, update, read and delete all Grafana service accounts and manage service account permissions. |
| fixed:settings:reader | settings:read | Read Grafana instance settings. |
| fixed:settings:writer | All permissions from fixed:settings:reader and<br>settings:write | Read and update Grafana instance settings. |
| fixed:stats:reader | server.stats:read | Read Grafana instance statistics. |
| fixed:teams:creator | teams:create<br>org.users:read | Create a team and list organization users (required to manage the created team). |
| fixed:teams:writer | teams:create<br>teams:delete<br>teams:read<br>teams:write<br>teams.permissions:read<br>teams.permissions:write | Create, read, update and delete teams and manage team memberships. |
| fixed:users:reader | users:read<br>users.quotas:read<br>users.authtoken:read | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| fixed:users:writer | All permissions from fixed:users:reader and<br>users:write<br>users:create<br>users:delete<br>users:enable<br>users:disable<br>users.password:write<br>users.permissions:write<br>users:logout<br>users.authtoken:write<br>users.quotas:write | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create, enable, or disable a user, make a user a Grafana administrator, sign out a user, update a user's authentication token, or update quotas for all users. |

## Alerting roles

If alerting is [enabled]({{< relref "../../../../alerting/migrating-alerts/opt-out/" >}}), you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings, and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of several permissions:

- Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
- Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is currently only one exception. The role fixed:alerting.provisioning:writer does not require the user to hold any additional permissions; it provides access to all aspects of the alerting configuration via the special provisioning API.

For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "./plan-rbac-rollout-strategy/#create-a-custom-role-to-access-alerts-in-a-folder" >}}).
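The intersection rule above is easier to reason about when the role tables are treated as data. The following is an added example, not Grafana code: it models roles as sets of (action, scope) pairs, treats "All permissions from X" as inheritance, and checks alert-rule visibility as folder read plus query rights on every data source. The role contents and scopes are a constructed subset of this page's tables, and `custom:alerts.folder-abc:reader` is a hypothetical folder-limited custom role.

```python
"""Model of how Grafana RBAC roles combine to grant alert-rule access.

Added example, not Grafana code. Scope matching covers the wildcard form
("folders:*") and the exact form ("folders:uid:abc").
"""
from fnmatch import fnmatchcase

# Constructed subset of the fixed-role table: name -> (inherited roles, permissions).
# Scopes are assumptions: the reader roles get the wildcard so they cover everything.
FIXED_ROLES = {
    "fixed:folders:reader": ([], {("folders:read", "folders:*"),
                                  ("dashboards:read", "folders:*")}),
    "fixed:datasources:reader": ([], {("datasources:read", "datasources:*"),
                                      ("datasources:query", "datasources:*")}),
    "fixed:alerting.rules:reader": ([], {("alert.rule:read", "folders:*"),
                                         ("alert.rules.external:read", "datasources:*")}),
    "fixed:alerting.rules:writer": (["fixed:alerting.rules:reader"],
                                    {("alert.rule:create", "folders:*"),
                                     ("alert.rule:write", "folders:*"),
                                     ("alert.rule:delete", "folders:*")}),
    # Hypothetical custom role: read alert rules in a single folder only.
    "custom:alerts.folder-abc:reader": ([], {("alert.rule:read", "folders:uid:abc"),
                                             ("folders:read", "folders:uid:abc")}),
}


def expand(role, roles=FIXED_ROLES):
    """Full permission set of a role, following every 'All permissions from' link."""
    inherits, perms = roles[role]
    out = set(perms)
    for parent in inherits:
        out |= expand(parent, roles)
    return out


def permissions_for(assigned_roles):
    """Union of the expanded permissions of all roles assigned to a user."""
    perms = set()
    for role in assigned_roles:
        perms |= expand(role)
    return perms


def has(perms, action, scope):
    """True if some granted (action, scope) pair covers the requested scope.

    Grafana scopes are either exact or end in a wildcard ("folders:*");
    fnmatchcase gives the same semantics for the scope forms used on this page.
    """
    return any(a == action and fnmatchcase(scope, s) for a, s in perms)


def can_read_alert_rule(perms, folder_uid, datasource_uids):
    """Intersection rule from the Alerting roles section: the user must be able to
    read the rule and its folder, and query every data source the rule uses."""
    folder = f"folders:uid:{folder_uid}"
    if not (has(perms, "alert.rule:read", folder) and has(perms, "folders:read", folder)):
        return False
    return all(has(perms, "datasources:query", f"datasources:uid:{uid}")
               for uid in datasource_uids)
```

A user holding only fixed:alerting.rules:reader and fixed:folders:reader fails the check for any rule that queries a data source, which is the behaviour the second bullet above describes.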

## Grafana OnCall roles (beta)

> **Note:** Available from Grafana 9.4 in early access.

> **Note:** This feature is behind the `accessControlOnCall` feature toggle. You can enable feature toggles through the configuration file or environment variables. See the configuration [docs]({{< relref "../../../../setup-grafana/configure-grafana/#feature_toggles" >}}) for details.

If you are using Grafana OnCall, you can try out the integration between Grafana OnCall and RBAC. It allows you to control access to different OnCall features using the following RBAC roles:

| Fixed role | Permissions | Description |
| --- | --- | --- |
| plugins:grafana-oncall-app:reader | plugins.app:access<br>grafana-oncall-app.alert-groups:read<br>grafana-oncall-app.integrations:read<br>grafana-oncall-app.escalation-chains:read<br>grafana-oncall-app.schedules:read<br>grafana-oncall-app.chatops:read<br>grafana-oncall-app.outgoing-webhooks:read<br>grafana-oncall-app.maintenance:read<br>grafana-oncall-app.notification-settings:read<br>grafana-oncall-app.user-settings:read<br>grafana-oncall-app.other-settings:read | Read everything in OnCall. |
| plugins:grafana-oncall-app:oncaller | All permissions from plugins:grafana-oncall-app:reader and<br>grafana-oncall-app.alert-groups:write<br>grafana-oncall-app.schedules:write | Read everything in OnCall and edit alert groups and schedules. |
| plugins:grafana-oncall-app:editor | All permissions from plugins:grafana-oncall-app:oncaller and<br>grafana-oncall-app.notifications:read<br>grafana-oncall-app.integrations:test<br>grafana-oncall-app.schedules:export<br>grafana-oncall-app.chatops:write<br>grafana-oncall-app.maintenance:write<br>grafana-oncall-app.notification-settings:write<br>grafana-oncall-app.user-settings:write | Read everything in OnCall and edit alert groups, schedules, ChatOps, maintenance, notification settings, and the user's own settings. |
| plugins:grafana-oncall-app:admin | All permissions from plugins:grafana-oncall-app:editor and<br>grafana-oncall-app.integrations:write<br>grafana-oncall-app.escalation-chains:write<br>grafana-oncall-app.chatops:update-settings:write<br>grafana-oncall-app.outgoing-webhooks:write<br>grafana-oncall-app.api-keys:write<br>grafana-oncall-app.user-settings:admin<br>grafana-oncall-app.other-settings:write | Read and edit everything in OnCall. |
| plugins:grafana-oncall-app:alert-groups-reader | plugins.app:access<br>grafana-oncall-app.alert-groups:read | Read OnCall alert groups. |
| plugins:grafana-oncall-app:alert-groups-editor | plugins.app:access<br>grafana-oncall-app.alert-groups:read<br>grafana-oncall-app.alert-groups:write | Create, read, update and delete OnCall alert groups. |
| plugins:grafana-oncall-app:integrations-reader | plugins.app:access<br>grafana-oncall-app.integrations:read | Read OnCall integrations. |
| plugins:grafana-oncall-app:integrations-editor | plugins.app:access<br>grafana-oncall-app.integrations:read<br>grafana-oncall-app.integrations:write<br>grafana-oncall-app.integrations:test | Create, read, update and delete OnCall integrations. |
| plugins:grafana-oncall-app:escalation-chains-reader | plugins.app:access<br>grafana-oncall-app.escalation-chains:read | Read OnCall escalation chains. |
| plugins:grafana-oncall-app:escalation-chains-editor | plugins.app:access<br>grafana-oncall-app.escalation-chains:read<br>grafana-oncall-app.escalation-chains:write | Create, read, update and delete OnCall escalation chains. |
| plugins:grafana-oncall-app:schedules-reader | plugins.app:access<br>grafana-oncall-app.schedules:read | Read OnCall schedules. |
| plugins:grafana-oncall-app:schedules-editor | plugins.app:access<br>grafana-oncall-app.schedules:read<br>grafana-oncall-app.schedules:write<br>grafana-oncall-app.schedules:export | Create, read, update and delete OnCall schedules. |
| plugins:grafana-oncall-app:chatops-reader | plugins.app:access<br>grafana-oncall-app.chatops:read | Read OnCall ChatOps. |
| plugins:grafana-oncall-app:chatops-editor | plugins.app:access<br>grafana-oncall-app.chatops:read<br>grafana-oncall-app.chatops:write<br>grafana-oncall-app.chatops:update-settings | Read and update OnCall ChatOps. |
| plugins:grafana-oncall-app:outgoing-webhooks-reader | plugins.app:access<br>grafana-oncall-app.outgoing-webhooks:read | Read OnCall outgoing webhooks. |
| plugins:grafana-oncall-app:outgoing-webhooks-editor | plugins.app:access<br>grafana-oncall-app.outgoing-webhooks:read<br>grafana-oncall-app.outgoing-webhooks:write | Create, read, update and delete OnCall outgoing webhooks. |
| plugins:grafana-oncall-app:maintenance-reader | plugins.app:access<br>grafana-oncall-app.maintenance:read | Read OnCall maintenance. |
| plugins:grafana-oncall-app:maintenance-editor | plugins.app:access<br>grafana-oncall-app.maintenance:read<br>grafana-oncall-app.maintenance:write | Read and update OnCall maintenance. |
| plugins:grafana-oncall-app:api-keys-reader | plugins.app:access<br>grafana-oncall-app.api-keys:read | Read OnCall API keys. |
| plugins:grafana-oncall-app:api-keys-editor | plugins.app:access<br>grafana-oncall-app.api-keys:read<br>grafana-oncall-app.api-keys:write | Create, read, update and delete OnCall API keys. Also grants the ability to consume the OnCall API. |
| plugins:grafana-oncall-app:notification-settings-reader | plugins.app:access<br>grafana-oncall-app.notification-settings:read | Read OnCall notification settings. |
| plugins:grafana-oncall-app:notification-settings-editor | plugins.app:access<br>grafana-oncall-app.notification-settings:read<br>grafana-oncall-app.notification-settings:write | Read and update OnCall notification settings. |
| plugins:grafana-oncall-app:user-settings-reader | plugins.app:access<br>grafana-oncall-app.user-settings:read | Read the user's own OnCall user settings. |
| plugins:grafana-oncall-app:user-settings-editor | plugins.app:access<br>grafana-oncall-app.user-settings:read<br>grafana-oncall-app.user-settings:write | Read and update the user's own OnCall user settings. |
| plugins:grafana-oncall-app:user-settings-admin | plugins.app:access<br>grafana-oncall-app.user-settings:read<br>grafana-oncall-app.user-settings:write<br>grafana-oncall-app.user-settings:admin | Read and update OnCall user settings for all users. |
| plugins:grafana-oncall-app:settings-reader | plugins.app:access<br>grafana-oncall-app.other-settings:read | Read OnCall settings. |
| plugins:grafana-oncall-app:settings-editor | plugins.app:access<br>grafana-oncall-app.other-settings:read<br>grafana-oncall-app.other-settings:write | Read and update OnCall settings. |

The following table lists the default RBAC OnCall role assignments to the basic roles:

| Basic role | Associated fixed roles | Description |
| --- | --- | --- |
| Grafana Admin | plugins:grafana-oncall-app:admin | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments. |
| Admin | plugins:grafana-oncall-app:admin | Default [Grafana organization administrator]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Editor | plugins:grafana-oncall-app:editor | Default [Editor]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Viewer | plugins:grafana-oncall-app:reader | Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments. |