---
aliases:
description: This topic includes a table that lists the permissions associated with Grafana fixed and basic roles.
menuTitle: RBAC role definitions
title: Grafana RBAC role definitions
weight: 70
---
# RBAC role definitions
The following tables list permissions associated with basic and fixed roles.
## Basic role assignments
| Basic role | Associated fixed roles | Description |
|---|---|---|
| Grafana Admin | `fixed:roles:reader`, `fixed:roles:writer`, `fixed:users:reader`, `fixed:users:writer`, `fixed:org.users:reader`, `fixed:org.users:writer`, `fixed:ldap:reader`, `fixed:ldap:writer`, `fixed:stats:reader`, `fixed:settings:reader`, `fixed:settings:writer`, `fixed:provisioning:writer`, `fixed:organization:reader`, `fixed:organization:maintainer`, `fixed:licensing:reader`, `fixed:licensing:writer` | Default [Grafana server administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions/#grafana-server-administrators" >}}) assignments. |
| Admin | `fixed:reports:reader`, `fixed:reports:writer`, `fixed:datasources:reader`, `fixed:datasources:writer`, `fixed:organization:writer`, `fixed:datasources.permissions:reader`, `fixed:datasources.permissions:writer`, `fixed:teams:writer`, `fixed:dashboards:reader`, `fixed:dashboards:writer`, `fixed:dashboards.permissions:reader`, `fixed:dashboards.permissions:writer`, `fixed:folders:reader`, `fixed:folders:writer`, `fixed:folders.permissions:reader`, `fixed:folders.permissions:writer`, `fixed:alerting:editor`, `fixed:apikeys:reader`, `fixed:apikeys:writer`, `fixed:alerting:provisioning` | Default [Grafana organization administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}) assignments. |
| Editor | `fixed:datasources:explorer`, `fixed:dashboards:creator`, `fixed:folders:creator`, `fixed:annotations:writer`, `fixed:teams:creator` (only if the `editors_can_admin` configuration flag is enabled), `fixed:alerting:editor` | Default [Editor]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}) assignments. |
| Viewer | `fixed:datasources:id:reader`, `fixed:organization:reader`, `fixed:annotations:reader`, `fixed:annotations.dashboard:writer`, `fixed:alerting:reader` | Default [Viewer]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}) assignments. |
## Fixed role definitions
| Fixed role | Permissions | Description |
|---|---|---|
| `fixed:alerting.instances:editor` | All permissions from `fixed:alerting.instances:reader`, plus `alert.instances:create` and `alert.instances:write` for organization scope, and `alert.instances.external:write` for scope `datasources:*` | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.* |
| `fixed:alerting.instances:reader` | `alert.instances:read` for organization scope; `alert.instances.external:read` for scope `datasources:*` | Read all alerts and silences in the organization produced by Grafana, Mimir, and Loki.* |
| `fixed:alerting.notifications:editor` | All permissions from `fixed:alerting.notifications:reader`, plus `alert.notifications:write` for organization scope and `alert.notifications.external:write` for scope `datasources:*` | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanagers.* |
| `fixed:alerting.notifications:reader` | `alert.notifications:read` for organization scope; `alert.notifications.external:read` for scope `datasources:*` | Read all Grafana and Alertmanager contact points, templates, and notification policies.* |
| `fixed:alerting.rules:editor` | All permissions from `fixed:alerting.rules:reader`, plus `alert.rule:create`, `alert.rule:write` and `alert.rule:delete` for scope `folders:*`, and `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all* Grafana, Mimir, and Loki alert rules.* |
| `fixed:alerting.rules:reader` | `alert.rule:read` for scope `folders:*`; `alert.rules.external:read` for scope `datasources:*` | Read all* Grafana, Mimir, and Loki alert rules.* |
| `fixed:alerting:editor` | All permissions from `fixed:alerting.rules:editor`, `fixed:alerting.instances:editor` and `fixed:alerting.notifications:editor` | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.* |
| `fixed:alerting:reader` | All permissions from `fixed:alerting.rules:reader`, `fixed:alerting.instances:reader` and `fixed:alerting.notifications:reader` | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.* |
| `fixed:alerting:provisioning` | `alert.provisioning:read` and `alert.provisioning:write` | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc. via the provisioning API.* |
| `fixed:annotations.dashboard:writer` | `annotations:write`, `annotations:create` and `annotations:delete` for scope `annotations:type:dashboard` | Create, update and delete dashboard annotations and annotation tags. |
| `fixed:annotations:reader` | `annotations:read` for scope `annotations:type:*` | Read all annotations and annotation tags. |
| `fixed:annotations:writer` | All permissions from `fixed:annotations:reader`, plus `annotations:write`, `annotations:create` and `annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
| `fixed:apikeys:reader` | `apikeys:read` for scope `apikeys:*` | Read all API keys. |
| `fixed:apikeys:writer` | All permissions from `fixed:apikeys:reader`, plus `apikeys:create` and `apikeys:delete` for scope `apikeys:*` | Read, create, and delete all API keys. |
| `fixed:dashboards.permissions:reader` | `dashboards.permissions:read` | Read all dashboard permissions. |
| `fixed:dashboards.permissions:writer` | All permissions from `fixed:dashboards.permissions:reader`, plus `dashboards.permissions:write` | Read and update all dashboard permissions. |
| `fixed:dashboards:creator` | `dashboards:create`, `folders:read` | Create dashboards. |
| `fixed:dashboards:reader` | `dashboards:read` | Read all dashboards. |
| `fixed:dashboards:writer` | All permissions from `fixed:dashboards:reader`, plus `dashboards:write`, `dashboards:edit`, `dashboards:delete`, `dashboards:create`, `dashboards.permissions:read` and `dashboards.permissions:write` | Read, create, update, and delete all dashboards. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader`, plus `datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:datasources:explorer` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply: you can only query data sources for which you have query permissions. |
| `fixed:datasources:id:reader` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources:reader` | `datasources:read`, `datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader`, plus `datasources:create`, `datasources:write` and `datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:folders.permissions:reader` | `folders.permissions:read` | Read all folder permissions. |
| `fixed:folders.permissions:writer` | All permissions from `fixed:folders.permissions:reader`, plus `folders.permissions:write` | Read and update all folder permissions. |
| `fixed:folders:creator` | `folders:create` | Create folders. |
| `fixed:folders:reader` | `folders:read`, `dashboards:read` | Read all folders and dashboards. |
| `fixed:folders:writer` | All permissions from `fixed:dashboards:writer`, plus `folders:read`, `folders:write`, `folders:create`, `folders:delete`, `folders.permissions:read` and `folders.permissions:write` | Read, create, update, and delete all folders and dashboards. |
| `fixed:ldap:reader` | `ldap.user:read`, `ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:ldap:writer` | All permissions from `fixed:ldap:reader`, plus `ldap.user:sync` and `ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:licensing:reader` | `licensing:read`, `licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | All permissions from `fixed:licensing:reader`, plus `licensing:write` and `licensing:delete` | Read licensing information and licensing reports; update and delete the license token. |
| `fixed:org.users:reader` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | All permissions from `fixed:org.users:reader`, plus `org.users:add`, `org.users:remove` and `org.users:write` | Within a single organization: add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:organization:maintainer` | All permissions from `fixed:organization:reader`, plus `orgs:write`, `orgs:create`, `orgs:delete` and `orgs.quotas:write` | Create, read, write, or delete an organization, and read or write its quotas. This role needs to be assigned globally. |
| `fixed:organization:reader` | `orgs:read`, `orgs.quotas:read` | Read an organization and its quotas. |
| `fixed:organization:writer` | All permissions from `fixed:organization:reader`, plus `orgs:write`, `orgs.preferences:read` and `orgs.preferences:write` | Read an organization, its quotas, and its preferences; update organization properties or its preferences. |
| `fixed:provisioning:writer` | `provisioning:reload` | Reload provisioning. |
| `fixed:reports:reader` | `reports:read`, `reports:send`, `reports.settings:read` | Read and send all reports, and read shared report settings. |
| `fixed:reports:writer` | All permissions from `fixed:reports:reader`, plus `reports:create`, `reports:write`, `reports:delete` and `reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:roles:reader` | `roles:read`, `teams.roles:read`, `users.roles:read`, `users.permissions:read` | Read all access control roles, and the roles and permissions assigned to users and teams. |
| `fixed:roles:writer` | All permissions from `fixed:roles:reader`, plus `roles:write`, `roles:delete`, `teams.roles:add`, `teams.roles:remove`, `users.roles:add` and `users.roles:remove` | Create, read, update, or delete all roles; assign roles to, or unassign roles from, users and teams. |
| `fixed:roles:resetter` | `roles:write` with scope `permissions:type:escalate` | Reset basic roles to their defaults. |
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader`, plus `settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:creator` | `teams:create`, `org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create`, `teams:delete`, `teams:read`, `teams:write`, `teams.permissions:read`, `teams.permissions:write` | Create, read, update and delete teams, and manage team memberships. |
| `fixed:users:reader` | `users:read`, `users.quotas:read`, `users.authtoken:read` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader`, plus `users:write`, `users:create`, `users:delete`, `users:enable`, `users:disable`, `users.password:write`, `users.permissions:write`, `users:logout`, `users.authtoken:write` and `users.quotas:write` | Read and update all attributes and settings for all users in Grafana: read and update user information, create, enable or disable a user, make a user a Grafana administrator, sign out a user, update a user's authentication token, or update quotas for all users. |
## Alerting roles
If alerting is [enabled]({{< relref "../../alerting/migrating-alerts/opt-out/" >}}), you can use the predefined roles to manage user access to alert rules, alert instances, and alert notification settings, and you can create custom roles to limit user access to the alert rules in a folder.

Access to Grafana alert rules is the intersection of several permissions:

- Permission to read the folder that contains the rule. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
- Permission to query every data source that the alert rule uses. If a user cannot query one of the data sources a rule queries, they cannot see that rule at all.

There is currently one exception to this: the role `fixed:alerting:provisioning` does not require the user to hold any additional permissions, and grants access to every aspect of the alerting configuration through the provisioning API. Neither the folder check nor the data source check above applies to it, so treat that role as a full alerting-configuration administrator when assigning it.
For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "plan-rbac-rollout-strategy/#create-a-custom-role-to-access-alerts-in-a-folder" >}}).
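The following is an added example that is not part of this page or of Grafana's code base: a small Python model of how the role tables above resolve into permissions, and of the intersection rule from the Alerting roles section. It copies a handful of fixed roles from the table, assumes wildcard scopes for `fixed:folders:reader` and `fixed:datasources:reader` (the table does not state them), and defines a hypothetical custom role `custom:alerts:team-a:reader` of the kind the linked rollout guide describes. The folder and data source UIDs (`team-a`, `team-b`, `prom`, `loki`) are constructed sample values.

```python
"""Toy evaluator for Grafana-style RBAC permissions. Added example built
from the tables on this page; it is a model, not Grafana's own code.

A permission is an (action, scope) pair. A scope ending in ":*" is a
wildcard prefix and "*" matches everything. Each role is a tuple of
(included_roles, own_permissions); included roles correspond to the
"All permissions from ..." wording in the table.
"""
from __future__ import annotations

# Subset of the fixed roles from the table above. The table gives no scopes
# for fixed:folders:reader or fixed:datasources:reader; the wildcard scopes
# used for them here are an assumption of this model.
FIXED_ROLES: dict[str, tuple[list[str], list[tuple[str, str]]]] = {
    "fixed:alerting.rules:reader": ([], [
        ("alert.rule:read", "folders:*"), ("alert.rules.external:read", "datasources:*")]),
    "fixed:alerting.instances:reader": ([], [
        ("alert.instances:read", "*"), ("alert.instances.external:read", "datasources:*")]),
    "fixed:alerting.notifications:reader": ([], [
        ("alert.notifications:read", "*"), ("alert.notifications.external:read", "datasources:*")]),
    "fixed:alerting:reader": (["fixed:alerting.rules:reader", "fixed:alerting.instances:reader",
                               "fixed:alerting.notifications:reader"], []),
    "fixed:folders:reader": ([], [("folders:read", "folders:*"), ("dashboards:read", "folders:*")]),
    "fixed:datasources:reader": ([], [
        ("datasources:read", "datasources:*"), ("datasources:query", "datasources:*")]),
    "fixed:alerting:provisioning": ([], [
        ("alert.provisioning:read", "*"), ("alert.provisioning:write", "*")]),
}

# Hypothetical custom role (not from the page): read alert rules in folder
# "team-a" that query only the data source "prom". UIDs are sample values.
CUSTOM_ROLES = {
    "custom:alerts:team-a:reader": ([], [
        ("alert.rule:read", "folders:uid:team-a"), ("folders:read", "folders:uid:team-a"),
        ("datasources:query", "datasources:uid:prom")]),
}


def scope_matches(pattern: str, scope: str) -> bool:
    """'*' matches everything; 'folders:*' matches any scope starting with
    'folders:'; anything else must match exactly."""
    if pattern == "*" or pattern == scope:
        return True
    return pattern.endswith(":*") and scope.startswith(pattern[:-1])


def effective_permissions(roles, catalog=None) -> set[tuple[str, str]]:
    """Flatten roles and every role they include into one permission set.
    The 'seen' set makes the walk terminate even if roles include each other."""
    catalog = catalog if catalog is not None else FIXED_ROLES
    seen, perms, stack = set(), set(), list(roles)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        includes, own = catalog[name]
        perms.update(own)
        stack.extend(includes)
    return perms


def allowed(perms, action: str, scope: str) -> bool:
    return any(a == action and scope_matches(p, scope) for a, p in perms)


def can_read_alert_rule(perms, folder_uid: str, datasource_uids) -> bool:
    """The intersection rule from the Alerting roles section: the user must be
    able to read the rule and its folder, and query every data source the
    rule uses. The page's one exception: fixed:alerting:provisioning
    (alert.provisioning:read) gets access without any of those checks."""
    if allowed(perms, "alert.provisioning:read", "*"):
        return True
    folder = f"folders:uid:{folder_uid}"
    if not (allowed(perms, "alert.rule:read", folder) and allowed(perms, "folders:read", folder)):
        return False
    return all(allowed(perms, "datasources:query", f"datasources:uid:{ds}") for ds in datasource_uids)


def demo() -> dict[str, bool]:
    catalog = {**FIXED_ROLES, **CUSTOM_ROLES}
    team_a = effective_permissions(["custom:alerts:team-a:reader"], catalog)
    full_reader = effective_permissions(
        ["fixed:alerting.rules:reader", "fixed:folders:reader", "fixed:datasources:reader"], catalog)
    provisioner = effective_permissions(["fixed:alerting:provisioning"], catalog)
    return {
        "team_a_own_rule": can_read_alert_rule(team_a, "team-a", ["prom"]),          # True
        "team_a_other_folder": can_read_alert_rule(team_a, "team-b", ["prom"]),      # False
        "team_a_rule_using_loki": can_read_alert_rule(team_a, "team-a", ["prom", "loki"]),  # False
        "full_reader_any_rule": can_read_alert_rule(full_reader, "team-b", ["loki"]),  # True
        "provisioning_any_rule": can_read_alert_rule(provisioner, "team-b", ["loki"]),  # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `team_a_rule_using_loki` case is the one that surprises people: the custom role reads the folder and queries `prom`, but a rule in that folder that also queries `loki` disappears from the user's view because data source permission is required for every data source a rule uses. The `provisioning_any_rule` case shows why `fixed:alerting:provisioning` should be handed out as sparingly as an Admin role.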