RBAC role definitions
Note
Available in Grafana Enterprise and Grafana Cloud.
The following tables list permissions associated with basic and fixed roles.
Basic role assignments
Basic role | UID | Associated fixed roles | Description |
---|---|---|---|
Grafana Admin | basic_grafana_admin | fixed:roles:reader fixed:roles:writer fixed:users:reader fixed:users:writer fixed:org.users:reader fixed:org.users:writer fixed:ldap:reader fixed:ldap:writer fixed:stats:reader fixed:settings:reader fixed:settings:writer fixed:provisioning:writer fixed:organization:reader fixed:organization:maintainer fixed:licensing:reader fixed:licensing:writer fixed:datasources.caching:reader fixed:datasources.caching:writer fixed:dashboards.insights:reader fixed:datasources.insights:reader fixed:plugins:maintainer fixed:authentication.config:writer fixed:library.panels:creator fixed:library.panels:reader fixed:library.panels:general.reader fixed:library.panels:writer fixed:library.panels:general.writer | Default Grafana server administrator assignments. |
Admin | basic_admin | fixed:reports:reader fixed:reports:writer fixed:datasources:reader fixed:datasources:writer fixed:organization:writer fixed:datasources.permissions:reader fixed:datasources.permissions:writer fixed:teams:writer fixed:dashboards:reader fixed:dashboards:writer fixed:dashboards.permissions:reader fixed:dashboards.permissions:writer fixed:dashboards.public:writer fixed:folders:reader fixed:folders:writer fixed:folders.permissions:reader fixed:folders.permissions:writer fixed:alerting:writer fixed:apikeys:reader fixed:apikeys:writer fixed:alerting.provisioning.secrets:reader fixed:alerting.provisioning:writer fixed:datasources.caching:reader fixed:datasources.caching:writer fixed:dashboards.insights:reader fixed:datasources.insights:reader fixed:plugins:writer fixed:library.panels:creator fixed:library.panels:reader fixed:library.panels:general.reader fixed:library.panels:writer fixed:library.panels:general.writer fixed:alerting.provisioning.status:writer | Default Grafana organization administrator assignments. |
Editor | basic_editor | fixed:datasources:explorer fixed:dashboards:creator fixed:folders:creator fixed:annotations:writer fixed:teams:creator if the editors_can_admin configuration flag is enabledfixed:alerting:writer fixed:dashboards.insights:reader fixed:datasources.insights:reader fixed:library.panels:creator fixed:library.panels:general.reader fixed:library.panels:general.writer fixed:alerting.provisioning.status:writer | Default Editor assignments. |
Viewer | basic_viewer | fixed:datasources.id:reader fixed:organization:reader fixed:annotations:reader fixed:annotations.dashboard:writer fixed:alerting:reader fixed:plugins.app:reader fixed:dashboards.insights:reader fixed:datasources.insights:reader fixed:library.panels:general.reader fixed:datasources:explorer if the viewers_can_edit configuration flag is enabled | Default Viewer assignments. |
No Basic Role | n/a | Default No Basic Role |
Fixed role definitions
Fixed role | Permissions | Description |
---|---|---|
fixed:alerting.instances:writer | All permissions from fixed:alerting.instances:reader andalert.instances:create alert.instances:write for organization scopealert.instances.external:write for scope datasources:* | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.* |
fixed:alerting.instances:reader | alert.instances:read for organization scopealert.instances.external:read for scope datasources:* | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.* |
fixed:alerting.notifications:writer | All permissions from fixed:alerting.notifications:reader andalert.notifications:write for organization scopealert.notifications.external:read for scope datasources:* | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.* |
fixed:alerting.notifications:reader | alert.notifications:read for organization scopealert.notifications.external:read for scope datasources:* | Read all Grafana and Alertmanager contact points, templates, and notification policies.* |
fixed:alerting.rules:writer | All permissions from fixed:alerting.rules:reader andalert.rule:create alert.rule:write alert.rule:delete alert.silences:create alert.silences:write for scope folders:* alert.rules.external:write for scope datasources:* | Create, update, and delete all* Grafana, Mimir, and Loki alert rules.* and manage rule-specific silences |
fixed:alerting.rules:reader | alert.rule:read , alert.silences:read for scope folders:* alert.rules.external:read for scope datasources:* alert.notifications.time-intervals:read alert.notifications.receivers:list | Read all* Grafana, Mimir, and Loki alert rules.* and read rule-specific silences |
fixed:alerting:writer | All permissions from fixed:alerting.rules:writer fixed:alerting.instances:writer fixed:alerting.notifications:writer | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.* |
fixed:alerting:reader | All permissions from fixed:alerting.rules:reader fixed:alerting.instances:reader fixed:alerting.notifications:reader | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.* |
fixed:alerting.provisioning.secrets:reader | alert.provisioning:read and alert.provisioning.secrets:read | Read-only permissions for Provisioning API and let export resources with decrypted secrets * |
fixed:alerting.provisioning:writer | alert.provisioning:read and alert.provisioning:write | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. * |
fixed:alerting.provisioning.status:writer | alert.provisioning.provenance:write | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. * |
fixed:annotations.dashboard:writer | annotations:write annotations.create annotations:delete for scope annotations:type:dashboard | Create, update and delete dashboard annotations and annotation tags. |
fixed:annotations:reader | annotations:read for scopes annotations:type:* | Read all annotations and annotation tags. |
fixed:annotations:writer | All permissions from fixed:annotations:reader annotations:write annotations.create annotations:delete for scope annotations:type:* | Read, create, update and delete all annotations and annotation tags. |
fixed:apikeys:reader | apikeys:read for scope apikeys:* | Read all api keys. |
fixed:apikeys:writer | All permissions from fixed:apikeys:reader andapikeys:create apikeys:delete for scope apikeys:* | Read, create, delete all api keys. |
fixed:authentication.config:writer | settings:read for scope settings:auth.saml:* settings:write for scope settings:auth.saml:* | Read and update authentication and SAML settings. |
fixed:dashboards:creator | dashboards:create folders:read | Create dashboards. |
fixed:dashboards.insights:reader | dashboards.insights:read | Read dashboard insights data and see presence indicators. |
fixed:dashboards.permissions:reader | dashboards.permissions:read | Read all dashboard permissions. |
fixed:dashboards.permissions:writer | All permissions from fixed:dashboards.permissions:reader anddashboards.permissions:write | Read and update all dashboard permissions. |
fixed:dashboards.public:writer | dashboards.public:write | Create, update, delete or pause a public dashboard. |
fixed:dashboards:reader | dashboards:read | Read all dashboards. |
fixed:dashboards:writer | All permissions from fixed:dashboards:reader anddashboards:write dashboards:edit dashboards:delete dashboards:create dashboards.permissions:read dashboards.permissions:write | Read, create, update, and delete all dashboards. |
fixed:datasources.caching:reader | datasources.caching:read | Read data source query caching settings. |
fixed:datasources.caching:writer | datasources.caching:read datasources.caching:write | Enable, disable, or update query caching settings. |
fixed:datasources:explorer | datasources:explore | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
fixed:datasources.id:reader | datasources.id:read | Read the ID of a data source based on its name. |
fixed:datasources.insights:reader | datasources.insights:read | Read data source insights data. |
fixed:datasources.permissions:reader | datasources.permissions:read | Read data source permissions. |
fixed:datasources.permissions:writer | All permissions from fixed:datasources.permissions:reader anddatasources.permissions:write | Create, read, or delete permissions of a data source. |
fixed:datasources:creator | datasources:create | Create data sources. |
fixed:datasources:reader | datasources:read datasources:query | Read and query data sources. |
fixed:datasources:writer | All permissions from fixed:datasources:reader anddatasources:create datasources:write datasources:delete | Read, query, create, delete, or update a data source. |
fixed:folders.permissions:reader | folders.permissions:read | Read all folder permissions. |
fixed:folders.permissions:writer | All permissions from fixed:folders.permissions:reader andfolders.permissions:write | Read and update all folder permissions. |
fixed:folders:creator | folders:create | Create folders in the root level. If granted together with folders:write permission, also allows creating subfolders under all folders. |
fixed:folders:reader | folders:read dashboards:read | Read all folders and dashboards. |
fixed:folders:writer | All permissions from fixed:dashboards:writer andfolders:read folders:write folders:create folders:delete folders.permissions:read folders.permissions:write | Read, create, update, and delete all folders and dashboards. If granted together with fixed:folders:creator , allows creating subfolders under all folders. |
fixed:ldap:reader | ldap.user:read ldap.status:read | Read the LDAP configuration and LDAP status information. |
fixed:ldap:writer | All permissions from fixed:ldap:reader andldap.user:sync ldap.config:reload | Read and update the LDAP configuration, and read LDAP status information. |
fixed:library.panels:creator | library.panels:create folders:read | Create library panel at the root level. |
fixed:library.panels:reader | library.panels:read | Read all library panels. |
fixed:library.panels:general.reader | library.panels:read | Read all library panels at the root level. |
fixed:library.panels:writer | All permissions from fixed:library.panels:reader pluslibrary.panels:create library.panels:delete library.panels:write | Create, read, write or delete all library panels and their permissions. |
fixed:library.panels:general.writer | All permissions from fixed:library.panels:general.reader pluslibrary.panels:create library.panels:delete library.panels:write | Create, read, write or delete all library panels and their permissions at the root level. |
fixed:licensing:reader | licensing:read licensing.reports:read | Read licensing information and licensing reports. |
fixed:licensing:writer | All permissions from fixed:licensing:viewer andlicensing:write licensing:delete | Read licensing information and licensing reports, update and delete the license token. |
fixed:org.users:reader | org.users:read | Read users within a single organization. |
fixed:org.users:writer | All permissions from fixed:org.users:reader andorg.users:add org.users:remove org.users:write | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
fixed:organization:maintainer | All permissions from fixed:organization:reader andorgs:write orgs:create orgs:delete orgs.quotas:write | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
fixed:organization:reader | orgs:read orgs.quotas:read | Read an organization and its quotas. |
fixed:organization:writer | All permissions from fixed:organization:reader andorgs:write orgs.preferences:read orgs.preferences:write | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
fixed:plugins.app:reader | plugins.app:access | Access application plugins (still enforcing the organization role). |
fixed:plugins:maintainer | plugins:install | Install and uninstall plugins. Needs to be assigned globally. |
fixed:plugins:writer | plugins:write | Enable and disable plugins and edit plugins’ settings. |
fixed:provisioning:writer | provisioning:reload | Reload provisioning. |
fixed:reports:reader | reports:read reports:send reports.settings:read | Read all reports and shared report settings. |
fixed:reports:writer | All permissions from fixed:reports:reader andreports:create reports:write reports:delete reports.settings:write | Create, read, update, or delete all reports and shared report settings. |
fixed:roles:reader | roles:read teams.roles:read users.roles:read users.permissions:read | Read all access control roles, roles and permissions assigned to users, teams. |
fixed:roles:writer | All permissions from fixed:roles:reader androles:write roles:delete teams.roles:add teams.roles:remove users.roles:add users.roles:remove | Create, read, update, or delete all roles, assign or unassign roles to users, teams. |
fixed:roles:resetter | roles:write with scope permissions:type:escalate | Reset basic roles to their default. |
fixed:serviceaccounts:reader | serviceaccounts:read | Read Grafana service accounts. |
fixed:serviceaccounts:creator | serviceaccounts:create | Create Grafana service accounts. |
fixed:serviceaccounts:writer | serviceaccounts:read serviceaccounts:create serviceaccounts:write serviceaccounts:delete serviceaccounts.permissions:read serviceaccounts.permissions:write | Create, update, read and delete all Grafana service accounts and manage service account permissions. |
fixed:settings:reader | settings:read | Read Grafana instance settings. |
fixed:settings:writer | All permissions from fixed:settings:reader andsettings:write | Read and update Grafana instance settings. |
fixed:stats:reader | server.stats:read | Read Grafana instance statistics. |
fixed:teams:reader | teams:read | List all teams. |
fixed:teams:creator | teams:create org.users:read | Create a team and list organization users (required to manage the created team). |
fixed:teams:writer | teams:create teams:delete teams:read teams:write teams.permissions:read teams.permissions:write | Create, read, update and delete teams and manage team memberships. |
fixed:users:reader | users:read users.quotas:read users.authtoken:read ` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
fixed:users:writer | All permissions from fixed:users:reader andusers:write users:create users:delete users:enable users:disable users.password:write users.permissions:write users:logout users.authtoken:write users.quotas:write | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
Alerting roles
You can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.
Access to Grafana alert rules is an intersection of many permissions:
- Permission to read a folder. For example, the fixed role
fixed:folders:reader
includes the actionfolders:read
and a folder scopefolders:id:
. - Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.
There is only one exclusion at this moment. Role fixed:alerting.provisioning:writer
does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.
Grafana OnCall roles (beta)
Note
Available from Grafana 9.4 in early access.
Note
This feature is behind theaccessControlOnCall
feature toggle. You can enable feature toggles through configuration file or environment variables. See configuration docs for details.
If you are using Grafana OnCall, you can try out the integration between Grafana OnCall and RBAC. For a detailed list of the available OnCall RBAC roles, refer to the table in Available Grafana OnCall RBAC roles and granted actions.
The following table lists the default RBAC OnCall role assignments to the basic roles:
Basic role | Associated fixed roles | Description |
---|---|---|
Grafana Admin | plugins:grafana-oncall-app:admin | Default Grafana server administrator assignments. |
Admin | plugins:grafana-oncall-app:admin | Default Grafana organization administrator assignments. |
Editor | plugins:grafana-oncall-app:editor | Default Editor assignments. |
Viewer | plugins:grafana-oncall-app:reader | Default Viewer assignments. |