New in Grafana Enterprise 8.0: Fine-grained access control for reporting and user management

From early on, Grafana has managed access control with three organizational permission levels (Viewer, Editor, and Admin) and one special global permission level of Grafana Admin. There are also configuration file options that can be globally applied to all users in an organization within an instance, as well as data source permissions and dashboard permissions.

Over the years, we’ve received a number of requests from Grafana Enterprise customers for more specialized access control configurations. Organizations with centralized user management, for example, might want to turn off Grafana’s internal user management APIs for all their administrators. Others might want to let their editors modify reports, add their own data sources and reports, or build team spaces.

We’ve been able to accommodate some of these requests, but sometimes we’ve had to say that it’s an edge case we don’t support. It would be impossible to cover all the different possibilities for customized solutions for every aspect of Grafana, so we had to come up with a generalized solution.

Introducing fine-grained access control

In the Grafana 8 release, we introduced fine-grained access control for Grafana Enterprise. The beta feature gives you the ability to fine-tune what users can access and modify within Grafana. In this blog post, we’ll walk you through what you can now do.

Allow more users to use reporting

Reporting is one of the most useful parts of Grafana Enterprise. That said, it doesn’t play well with dashboard permissions, and it is resource intensive, so up until now it has been a feature available only to organization administrators. With fine-grained access control, we let you decide for yourself if you want to make reporting available to your users.

If you want to make sure reports are available for editors to edit and viewers to view, you can create a set of roles that provide the necessary  permissions to do so. You can set up a provisioning file and save it as reporting.yml in the access control provisioning directory, and it’ll automatically be picked up by Grafana:

yaml Copy

apiVersion: 1

roles:
    - name: "reports:edit"
      description: "Role to grant edit rights for reports"
      version: 1
      permissions:
            - action: "reports.admin:create"
          - action: "reports.admin:write"
            scope: "reports:*"
          - action: "reports:delete"
            scope: "reports:*"
       builtInRoles:
             - name: "Editor"
    - name: "reports:view"
      description: "Role to grant viewing rights for reports"
      version: 1
      permissions:
              - action: "reports:read"
              scope: "reports:*"
            - action: "reports:send"
                scope: "reports:*"
       builtInRoles:
             - name: "Viewer"
             - name: "Editor"

With this new set of permissions, when you log in as an editor, you can create, delete, and edit all reports (but you don’t have access to change instance-wide preferences).

As a viewer, you can view and manually send reports, but you can’t edit anything.

Prevent user management from within Grafana

Many of our customers authenticate their users to Grafana using OAuth, SAML, or LDAP and want to disable the ability to create or modify users from within Grafana.

With the introduction of fine-grained access control, this is done by removing the ways for administrators to manually manage users.

By using access control provisioning, you can remove the default assignments for fixed:users:admin:edit and fixed:users:org:edit.

yaml Copy

apiVersion: 1

removeDefaultAssignments:
    - builtInRole: "Grafana Admin"
      fixedRole: "fixed:users:admin:edit"
  - builtInRole: "Admin"
    fixedRole: "fixed:users:org:edit"

After you add this to the provisioning/access-control directory and restart Grafana, admins who access users administration to try to edit a user will see all the options greyed out. They can no longer modify or create users.

The future

While these first elements of fine-grained access control are useful, we’re nowhere near the end of this journey.

Grafana Enterprise customers come in many sizes and forms, but they’re all working with data in the modern world — and that means that they want to be in control of who can access what.

In the near future, we’re going to extend the scope of fine-grained access control to cover most of Grafana, support customizing access for individual users or teams, and integrate with Grafana’s UI so that you can set, remove, and manage your accesses without using curl or writing a provisioning file.

When all of that is in place, we’ll continue iterating to make the system even better and provide deeper integrations with each service to make sure that Grafana fits your organization’s requirements, whatever they may be.

We’re already seeing that existing and new Grafana Enterprise customers are thrilled about the steps we’ve taken, and that makes us excited to keep working to deliver the level of control they need.

Find out more

If you’re interested in learning more about fine-grained access control in Grafana Enterprise, take a look at the documentation and the demo in the Grafana 8.0 deep dive session from GrafanaCONline 2021. Read more about Grafana Enterprise and contact us if you’d like to try it out!