2022-04-27 22:51:56 +08:00
---
2022-05-17 23:24:11 +08:00
aliases:
2022-12-10 00:36:04 +08:00
- ../../enterprise/access-control/
- ../../enterprise/access-control/about-rbac/
- ../../enterprise/access-control/roles/
2022-05-17 23:24:11 +08:00
description: Role-based access control (RBAC) provides a standardized way of granting,
changing, and revoking access so that users can view and modify Grafana resources,
such as users and reports.
Explicitly set all front matter labels in the source files (#71548)
* Set every page to have defaults of 'Enterprise' and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration pages to have of 'Cloud', 'Enterprise', and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/enterprise-licensing pages to have 'Enterprise' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/organization-management pages to have 'Enterprise' and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/provisioning pages to have 'Enterprise' and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/recorded-queries pages to have labels cloud,enterprise
* Set administration/roles-and-permissions/access-control pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/stats-and-license pages to have labels cloud,enterprise
* Set alerting pages to have labels cloud,enterprise,oss
* Set breaking-changes pages to have labels cloud,enterprise,oss
* Set dashboards pages to have labels cloud,enterprise,oss
* Set datasources pages to have labels cloud,enterprise,oss
* Set explore pages to have labels cloud,enterprise,oss
* Set fundamentals pages to have labels cloud,enterprise,oss
* Set introduction/grafana-cloud pages to have labels cloud
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Fix introduction pages products
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set panels-visualizations pages to have labels cloud,enterprise,oss
* Set release-notes pages to have labels cloud,enterprise,oss
* Set search pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/audit-grafana pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/configure-authentication pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/configure-authentication/enhanced-ldap pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-authentication/saml pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-request-security pages to have labels cloud,enterprise,oss
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/configure-team-sync pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/export-logs pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set troubleshooting pages to have labels cloud,enterprise,oss
* Set whatsnew pages to have labels cloud,enterprise,oss
* Apply updated labels from review
Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
---------
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
2023-07-18 16:10:12 +08:00
labels:
products:
- cloud
- enterprise
2022-06-17 03:09:16 +08:00
menuTitle: Role-based access control (RBAC)
title: Grafana Role-based access control (RBAC)
weight: 120
2024-09-07 14:02:59 +08:00
refs:
api-rbac:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /developers/http_api/access_control/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/developer-resources/api-reference/http-api/access_control/
rbac-role-definitions:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/access-control/rbac-fixed-basic-role-definitions/
rbac-role-definitions-basic-role-assignments:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/#basic-role-assignments
- pattern: /docs/grafana-cloud/
rbac-manage-rbac-roles:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/roles-and-permissions/access-control/manage-rbac-roles/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/access-control/manage-rbac-roles/
rbac-assign-rbac-roles:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/roles-and-permissions/access-control/assign-rbac-roles/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/access-control/assign-rbac-roles/
rbac-basic-role-uid-mapping:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/roles-and-permissions/access-control/manage-rbac-roles/#list-permissions-associated-with-roles
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/access-control/manage-rbac-roles/#list-permissions-associated-with-roles
service-accounts:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/service-accounts/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/service-accounts/
alerting:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /alerting/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/alerting-and-irm/alerting/
data-sources:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /datasources/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/connect-externally-hosted/data-sources/
roles-and-permissions:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/roles-and-permissions/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/cloud-roles/
dashboards:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /dashboards/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/dashboards/
dashboards-annotate-visualizations:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /dashboards/build-dashboards/annotate-visualizations/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/dashboards/build-dashboards/annotate-visualizations/
dashboards-create-reports:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /dashboards/create-reports/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/dashboards/create-reports/
dashboards-manage-library-panels:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /dashboards/build-dashboards/manage-library-panels/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/dashboards/build-dashboards/manage-library-panels/
dashboards-create-a-dashboard-folder:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /dashboards/manage-dashboards/#create-a-dashboard-folder
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/dashboards/manage-dashboards/#create-a-dashboard-folder
folder-permissions:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /dashboards/manage-dashboards/#folder-permissions
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/dashboards/manage-dashboards/#folder-permissions
2024-09-10 15:33:45 +08:00
migrate-api-keys:
- pattern: /docs/grafana/
destination: /docs/grafana/< GRAFANA_VERSION > /administration/service-accounts/migrate-api-keys/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/account-management/authentication-and-permissions/service-accounts/migrate-api-keys/
2022-04-27 22:51:56 +08:00
---
2022-06-17 03:09:16 +08:00
# Role-based access control (RBAC)
2025-06-20 00:31:13 +08:00
{{< admonition type = "note" > }}
2024-09-07 14:02:59 +08:00
Available in [Grafana Enterprise ](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/ ) and [Grafana Cloud ](/docs/grafana-cloud ).
2025-06-20 00:31:13 +08:00
{{< / admonition > }}
2022-07-28 17:32:11 +08:00
2022-06-17 03:09:16 +08:00
RBAC provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana resources, such as dashboards, reports, and administrative settings.
{{< section > }}
## About RBAC
2022-04-27 22:51:56 +08:00
Role-based access control (RBAC) provides a standardized way of granting, changing, and revoking access so that users can view and modify Grafana resources, such as users and reports.
2024-05-06 15:27:46 +08:00
RBAC extends Grafana basic roles that are included in Grafana OSS, and enables more granular control of users’
2022-04-27 22:51:56 +08:00
By using RBAC you can provide users with permissions that extend the permissions available with basic roles. For example, you can use RBAC to:
- Modify existing basic roles: for example, enable an editor to create reports
- Assign fixed roles to users and teams: for example, grant an engineering team the ability to create data sources
- Create custom roles: for example, a role that allows users to create and edit dashboards, but not delete them
2022-05-17 21:46:43 +08:00
RBAC roles contain multiple permissions, each of which has an action and a scope:
2022-04-27 22:51:56 +08:00
2022-05-17 21:46:43 +08:00
- **Role:** `fixed:datasources:reader`
- **Permission:**
- **Action:** `datasources:read`
- **Scope:** `datasources:*`
2022-04-27 22:51:56 +08:00
2024-09-07 14:02:59 +08:00
For information on the RBAC API refer to [RBAC API ](ref:api-rbac ).
2024-05-06 15:27:46 +08:00
2022-06-17 03:09:16 +08:00
### Basic roles
2022-04-27 22:51:56 +08:00
Basic roles are the standard roles that are available in Grafana OSS. If you have purchased a Grafana Enterprise license, you can still use basic roles.
Grafana includes the following basic roles:
- Grafana administrator
- Organization administrator
- Editor
- Viewer
2023-10-12 19:52:07 +08:00
- None
2022-04-27 22:51:56 +08:00
2022-05-17 21:46:43 +08:00
Each basic role is comprised of a number of _permissions_ . For example, the viewer basic role contains the following permissions among others:
2022-04-27 22:51:56 +08:00
2022-05-17 21:46:43 +08:00
- `Action: datasources.id:read, Scope: datasources:*` : Enables the viewer to see the ID of a data source.
- `Action: orgs:read` : Enables the viewer to see their organization details
- `Action: annotations:read, Scope: annotations:*` : Enables the viewer to see annotations that other users have added to a dashboard.
- `Action: annotations:create, Scope: annotations:type:dashboard` : Enables the viewer to add annotations to a dashboard.
- `Action: annotations:write, Scope: annotations:type:dashboard` : Enables the viewer to modify annotations of a dashboard.
- `Action: annotations:delete, Scope: annotations:type:dashboard` : Enables the viewer to remove annotations from a dashboard.
2022-04-27 22:51:56 +08:00
2025-06-20 00:31:13 +08:00
{{< admonition type = "note" > }}
2023-10-12 19:52:07 +08:00
You can't have a Grafana user without a basic role assigned. The `None` role contains no permissions.
2025-06-20 00:31:13 +08:00
{{< / admonition > }}
2022-05-21 03:48:52 +08:00
2022-06-17 03:09:16 +08:00
#### Basic role modification
2022-05-21 03:48:52 +08:00
You can use RBAC to modify the permissions associated with any basic role, which changes what viewers, editors, or admins can do. You can't delete basic roles.
2022-04-27 22:51:56 +08:00
2022-05-21 03:48:52 +08:00
Note that any modification to any of these basic role is not propagated to the other basic roles.
For example, if you modify Viewer basic role and grant additional permission, Editors or Admins won't have that additional grant.
2022-04-27 22:51:56 +08:00
2024-09-07 14:02:59 +08:00
For more information about the permissions associated with each basic role, refer to [Basic role definitions ](ref:rbac-role-definitions-basic-role-assignments ).
To interact with the API and view or modify basic roles permissions, refer to [the table ](ref:rbac-basic-role-uid-mapping ) that maps basic role names to the associated UID.
2022-05-17 21:46:43 +08:00
2025-06-20 00:31:13 +08:00
{{< admonition type = "note" > }}
2024-05-06 15:27:46 +08:00
You cannot use a service account to modify basic roles via the RBAC API. To update basic roles, you must be a Grafana administrator and use basic authentication with the request.
2025-06-20 00:31:13 +08:00
{{< / admonition > }}
2024-05-06 15:27:46 +08:00
2025-03-21 22:32:49 +08:00
For Cloud customers, contact Support to reset roles.
2022-06-17 03:09:16 +08:00
### Fixed roles
2022-04-27 22:51:56 +08:00
2024-09-07 14:02:59 +08:00
Grafana Enterprise includes the ability for you to assign discrete fixed roles to users, teams, and service accounts. This gives you fine-grained control over user permissions than you would have with basic roles alone. These roles are called "fixed" because you cannot change or delete fixed roles. You can also create _custom_ roles of your own; see more information in the [custom roles section ](#custom-roles ) below.
2022-04-27 22:51:56 +08:00
Assign fixed roles when the basic roles do not meet your permission requirements. For example, you might want a user with the basic viewer role to also edit dashboards. Or, you might want anyone with the editor role to also add and manage users. Fixed roles provide users more granular access to create, view, and update the following Grafana resources:
2024-09-07 14:02:59 +08:00
- [Alerting ](ref:alerting )
- [Annotations ](ref:dashboards-annotate-visualizations )
2024-09-10 15:33:45 +08:00
- [API keys ](ref:migrate-api-keys )
2024-09-07 14:02:59 +08:00
- [Dashboards and folders ](ref:dashboards )
- [Data sources ](ref:data-sources )
- [Explore ](/docs/grafana/<GRAFANA_VERSION>/explore/ )
- [Feature Toggles ](/docs/grafana/<GRAFANA_VERSION>/administration/feature-toggles/ )
- [Folders ](ref:dashboards-create-a-dashboard-folder )
- [LDAP ](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/ldap/ )
- [Library panels ](ref:dashboards-manage-library-panels )
- [Licenses ](/docs/grafana/<GRAFANA_VERSION>/administration/stats-and-license/ )
- [Organizations ](/docs/grafana/<GRAFANA_VERSION>/administration/organization-management/ )
- [Provisioning ](/docs/grafana/<GRAFANA_VERSION>/administration/provisioning/ )
- [Reports ](ref:dashboards-create-reports )
- [Roles ](ref:roles-and-permissions )
- [Service accounts ](ref:service-accounts )
2024-09-16 17:14:52 +08:00
- [Settings ](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/settings-updates-at-runtime/ )
2024-09-07 14:02:59 +08:00
- [Teams ](/docs/grafana/<GRAFANA_VERSION>/administration/team-management/ )
- [Users ](/docs/grafana/<GRAFANA_VERSION>/administration/user-management/ )
To learn more about the permissions you can grant for each resource, refer to [RBAC role definitions ](ref:rbac-role-definitions ).
2022-06-17 03:09:16 +08:00
### Custom roles
2022-04-27 22:51:56 +08:00
If you are a Grafana Enterprise customer, you can create custom roles to manage user permissions in a way that meets your security requirements.
2022-06-02 20:14:48 +08:00
Custom roles contain unique combinations of permissions _actions_ and _scopes_ . An action defines the action a use can perform on a Grafana resource. For example, the `teams.roles:read` action allows a user to see a list of roles associated with each team.
2022-04-27 22:51:56 +08:00
2022-06-02 20:14:48 +08:00
A scope describes where an action can be performed. For example, the `teams:id:1` scope restricts the user's action to the team with ID `1` . When paired with the `teams.roles:read` action, this permission prohibits the user from viewing the roles for teams other than team `1` .
2022-04-27 22:51:56 +08:00
Consider creating a custom role when fixed roles do not meet your permissions requirements.
2022-06-17 03:09:16 +08:00
#### Custom role creation
2022-04-27 22:51:56 +08:00
You can use either of the following methods to create, assign, and manage custom roles:
2024-09-07 14:02:59 +08:00
- Grafana provisioning: You can use a YAML file to configure roles. For more information about using provisioning to create custom roles, refer to [Manage RBAC roles ](ref:rbac-manage-rbac-roles ). For more information about using provisioning to assign RBAC roles to users or teams, refer to [Assign RBAC roles ](ref:rbac-assign-rbac-roles ).
- RBAC API: As an alternative, you can use the Grafana HTTP API to create and manage roles. For more information about the HTTP API, refer to [RBAC API ](ref:api-rbac ).
2022-04-27 22:51:56 +08:00
2022-06-17 03:09:16 +08:00
### Limitation
2022-04-27 22:51:56 +08:00
If you have created a folder with the name `General` or `general` , you cannot manage its permissions with RBAC.
2024-09-07 14:02:59 +08:00
If you set [folder permissions ](ref:folder-permissions ) for a folder named `General` or `general` , the system disregards the folder when RBAC is enabled.
