grafana/docs/sources/enterprise/access-control/fine-grained-access-control-references.md

+++ title = "Fine-grained access control references" description = "Refer to fine-grained access control references" keywords = ["grafana", "fine-grained-access-control", "roles", "fixed-roles", "built-in-role-assignments", "permissions", "enterprise"] weight = 130 +++

Fine-grained access control references

The reference information that follows complements conceptual information about [Roles]({{< relref "./roles.md" >}}).

Fine-grained access fixed roles

Fixed roles	Permissions	Descriptions
fixed:roles:reader	roles:read roles:list roles.builtin:list	Read all access control roles and built-in role assignments.
fixed:roles:writer	All permissions from fixed:roles:reader and roles:write roles:delete roles.builtin:add roles.builtin:remove	Create, read, update, or delete all roles and built-in role assignments.
fixed:reports:reader	reports:read reports:send reports.settings:read	Read all reports and shared report settings.
fixed:reports:writer	All permissions from fixed:reports:reader and reports.admin:write reports:delete reports.settings:write	Create, read, update, or delete all reports and shared report settings.
fixed:users:reader	users:read users.quotas:list users.authtoken:list users.teams:read	Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writer	All permissions from fixed:users:reader and users:write users:create users:delete users:enable users:disable users.password:update users.permissions:update users:logout users.authtoken:update users.quotas:update	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.
fixed:org.users:reader	org.users:read	Read users within a single organization.
fixed:org.users:writer	All permissions from fixed:org.users:reader and org.users:add org.users:remove org.users.role:update	Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:ldap:reader	ldap.user:read ldap.status:read	Read the LDAP configuration and LDAP status information.
fixed:ldap:writer	All permissions from fixed:ldap:reader and ldap.user:sync ldap.config:reload	Read and update the LDAP configuration, and read LDAP status information.
fixed:stats:reader	server.stats:read	Read Grafana instance statistics.
fixed:settings:reader	settings:read	Read Grafana instance settings.
fixed:settings:writer	All permissions from fixed:settings:reader and settings:write	Read and update Grafana instance settings.
fixed:datasources:explorer	datasources:explore	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:reader	datasources:read datasources:query	Read and query data sources.
fixed:datasources:writer	All permissions from fixed:datasources:reader and datasources:create datasources:write datasources:delete	Read, query, create, delete, or update a data source.
fixed:datasources:id:reader	datasources.id:read	Read the ID of a data source based on its name.
fixed:datasources.permissions:reader	datasources.permissions:read	Read data source permissions.
fixed:datasources.permissions:writer	All permissions from fixed:datasources.permissions:reader and datasources.permissions:create datasources.permissions:delete datasources.permissions:toggle	Create, read, or delete permissions of a data source.
fixed:licensing:reader	licensing:read licensing.reports:read	Read licensing information and licensing reports.
fixed:licensing:writer	All permissions from fixed:licensing:viewer and licensing:update licensing:delete	Read licensing information and licensing reports, update and delete the license token.
fixed:provisioning:writer	provisioning:reload	Reload provisioning.
fixed:orgs:reader	orgs:read orgs.quotas:read	Read the organization and its quotas.
fixed:orgs:writer	All permissions from fixed:orgs:reader and orgs:write orgs:delete orgs.quotas:write	Create, read, write, or delete an organization. Read or write its quotas.
fixed:current.org:reader	orgs:read orgs.quotas:read	Read the current organization, such as its ID, name, address, or quotas.
fixed:current.org:writer	All permissions from fixed:current.orgs:reader and orgs:write orgs.quotas:write orgs.preferences:read orgs.preferences:write	Read the current organization, its quotas, or its preferences. Update the current organization properties, or its preferences.

Default built-in role assignments

Built-in role	Associated role	Description
Grafana Admin	fixed:roles:reader fixed:roles:writer fixed:users:reader fixed:users:writer fixed:org.users:reader fixed:org.users:writer fixed:ldap:reader fixed:ldap:writer fixed:stats:reader fixed:settings:reader fixed:settings:writer fixed:provisioning:writer fixed:orgs:reader fixed:orgs:writer fixed:licensing:reader fixed:licensing:writer	Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments.
Admin	fixed:reports:reader fixed:reports:writer fixed:datasources:reader fixed:datasources:writer fixed:current.org:writer fixed:datasources.permissions:reader fixed:datasources.permissions:writer	Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments.
Editor	fixed:datasources:explorer	Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments.
Viewer	fixed:datasources:id:reader	Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments.