grafana/docs/sources/enterprise/access-control/rbac-fixed-basic-role-definitions.md

title	menuTitle	description	aliases	weight
RBAC role definitions	RBAC role definitions	This topic includes a table that lists permission associated with Grafana fixed and basic roles.	[/docs/grafana/latest/enterprise/access-control/fine-grained-access-control-references/]	70

RBAC role definitions

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

Basic role	Associated fixed roles	Description
Grafana Admin	fixed:roles:reader fixed:roles:writer fixed:users:reader fixed:users:writer fixed:org.users:reader fixed:org.users:writer fixed:ldap:reader fixed:ldap:writer fixed:stats:reader fixed:settings:reader fixed:settings:writer fixed:provisioning:writer fixed:organization:reader fixed:organization:maintainer fixed:licensing:reader fixed:licensing:writer	Default [Grafana server administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) assignments.
Admin	fixed:reports:reader fixed:reports:writer fixed:datasources:reader fixed:datasources:writer fixed:organization:writer fixed:datasources.permissions:reader fixed:datasources.permissions:writer fixed:teams:writer fixed:dashboards:reader fixed:dashboards:writer fixed:dashboards.permissions:reader fixed:dashboards.permissions:writer fixed:folders:reader fixes:folders:writer fixed:folders.permissions:reader fixed:folders.permissions:writer fixed:alerting:editor	Default [Grafana organization administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments.
Editor	fixed:datasources:explorer fixed:dashboards:creator fixed:folders:creator fixed:annotations:writer fixed:teams:creator if the editors_can_admin configuration flag is enabled fixed:alerting:editor	Default [Editor]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments.
Viewer	fixed:datasources:id:reader fixed:organization:reader fixed:annotations:reader fixed:annotations.dashboard:writer fixed:alerting:reader	Default [Viewer]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments.

Fixed role definitions

Fixed role	Permissions	Description
fixed:alerting.instances:editor	All permissions from fixed:alerting.instances:reader and alert.instances:create alert.instances:update for organization scope alert.instances.external:write for scope datasources:*	Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.*
fixed:alerting.instances:reader	alert.instances:read for organization scope alert.instances.external:read for scope datasources:*	Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.*
fixed:alerting.notifications:editor	All permissions from fixed:alerting.notifications:reader and alert.notifications:create alert.notifications:update alert.notifications:delete for organization scope alert.notifications.external:read for scope datasources:*	Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.*
fixed:alerting.notifications:reader	alert.notifications:read for organization scope alert.notifications.external:read for scope datasources:*	Read all Grafana and Alertmanager contact points, templates, and notification policies.*
fixed:alerting.rules:editor	All permissions from fixed:alerting.rules:reader and alert.rule:create alert.rule:update alert.rule:delete for scope folders:* alert.rules.external:write for scope datasources:*	Create, update, and delete all* Grafana, Mimir, and Loki alert rules.*
fixed:alerting.rules:reader	alert.rule:read for scope folders:* alert.rules.external:read for scope datasources:*	Read all* Grafana, Mimir, and Loki alert rules.*
fixed:alerting:editor	All permissions from fixed:alerting.rules:editor fixed:alerting.instances:editor fixed:alerting.notifications:editor	Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.*
fixed:alerting:reader	All permissions from fixed:alerting.rules:reader fixed:alerting.instances:reader fixed:alerting.notifications:reader	Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.*
fixed:annotations.dashboard:writer	annotations:write annotations.create annotations:delete for scope annotations:type:dashboard	Create, update and delete dashboard annotations and annotation tags.
fixed:annotations:reader	annotations:read	Read all annotations and annotation tags.
fixed:annotations:writer	annotations:write annotations.create annotations:delete for scope annotations:type:*	Create, update and delete all annotations and annotation tags.
fixed:dashboards.permissions:reader	dashboards.permissions:read	Read all dashboard permissions.
fixed:dashboards.permissions:writer	All permissions from fixed:dashboards.permissions:reader and dashboards.permissions:write	Read and update all dashboard permissions.
fixed:dashboards:creator	dashboards:create folders:read	Create dashboards.
fixed:dashboards:reader	dashboards:read	Read all dashboards.
fixed:dashboards:writer	All permissions from fixed:dashboards:reader and dashboards:write dashboards:edit dashboards:delete dashboards:create dashboards.permissions:read dashboards.permissions:write	Read, create, update, and delete all dashboards.
fixed:datasources.permissions:reader	datasources.permissions:read	Read data source permissions.
fixed:datasources.permissions:writer	All permissions from fixed:datasources.permissions:reader and datasources.permissions:write	Create, read, or delete permissions of a data source.
fixed:datasources:explorer	datasources:explore	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:id:reader	datasources.id:read	Read the ID of a data source based on its name.
fixed:datasources:reader	datasources:read datasources:query	Read and query data sources.
fixed:datasources:writer	All permissions from fixed:datasources:reader and datasources:create datasources:write datasources:delete	Read, query, create, delete, or update a data source.
fixed:folders.permissions:reader	folders.permissions:read	Read all folder permissions.
fixed:folders.permissions:writer	All permissions from fixed:folders.permissions:reader and folders.permissions:write	Read and update all folder permissions.
fixed:folders:creator	folders:create	Create folders.
fixed:folders:reader	folders:read dashboards:read	Read all folders and dashboards.
fixed:folders:writer	All permissions from fixed:dashboards:writer and folders:read folders:write folders:create folders:delete folders.permissions:read folders.permissions:write	Read, create, update, and delete all folders and dashboards.
fixed:ldap:reader	ldap.user:read ldap.status:read	Read the LDAP configuration and LDAP status information.
fixed:ldap:writer	All permissions from fixed:ldap:reader and ldap.user:sync ldap.config:reload	Read and update the LDAP configuration, and read LDAP status information.
fixed:licensing:reader	licensing:read licensing.reports:read	Read licensing information and licensing reports.
fixed:licensing:writer	All permissions from fixed:licensing:viewer and licensing:update licensing:delete	Read licensing information and licensing reports, update and delete the license token.
fixed:org.users:reader	org.users:read	Read users within a single organization.
fixed:org.users:writer	All permissions from fixed:org.users:reader and org.users:add org.users:remove org.users.role:update	Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:organization:maintainer	All permissions from fixed:organization:reader and orgs:write orgs:create orgs:delete orgs.quotas:write	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
fixed:organization:reader	orgs:read orgs.quotas:read	Read an organization and its quotas.
fixed:organization:writer	All permissions from fixed:organization:reader and orgs:write orgs.preferences:read orgs.preferences:write	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
fixed:provisioning:writer	provisioning:reload	Reload provisioning.
fixed:reports:reader	reports:read reports:send reports.settings:read	Read all reports and shared report settings.
fixed:reports:writer	All permissions from fixed:reports:reader and reports.admin:write reports:delete reports.settings:write	Create, read, update, or delete all reports and shared report settings.
fixed:roles:reader	roles:read roles:list teams.roles:list users.roles:list users.permissions:list roles.builtin:list	Read all access control roles, roles and permissions assigned to users, teams and built-in role assignments.
fixed:roles:writer	All permissions from fixed:roles:reader and roles:write roles:delete teams.roles:add teams.roles:remove users.roles:add users.roles:remove roles.builtin:add roles.builtin:remove	Create, read, update, or delete all roles, assign or unassign roles to users, teams and built-in role assignments.
fixed:settings:reader	settings:read	Read Grafana instance settings.
fixed:settings:writer	All permissions from fixed:settings:reader and settings:write	Read and update Grafana instance settings.
fixed:stats:reader	server.stats:read	Read Grafana instance statistics.
fixed:teams:creator	teams:create org.users:read	Create a team and list organization users (required to manage the created team).
fixed:teams:writer	teams:create teams:delete teams:read teams:write teams.permissions:read teams.permissions:write	Create, read, update and delete teams and manage team memberships.
fixed:users:reader	users:read users.quotas:list users.authtoken:list users.teams:read	Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writer	All permissions from fixed:users:reader and users:write users:create users:delete users:enable users:disable users.password:update users.permissions:update users:logout users.authtoken:update users.quotas:update	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.

Alerting roles

If you [enable]({{< relref "../../alerting/unified-alerting/opt-in.md" >}}) Grafana Alerting, you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

• Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
• Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "./plan-rbac-rollout-strategy#create-a-custom-role-to-access-alerts-in-a-folder" >}}).