New in Grafana roles: Manage user permissions better with 'No basic role'
Since we introduced role-based access control (RBAC) in Grafana 9.0, users — and later, service accounts — have been required to have an assigned role that includes a basic set of permissions. This sometimes led organizations to create users and service accounts that had more permissions than necessary. As a result, Grafana administrators had to make additional adjustments to users’ permissions on a case-by-case basis.
As we continue to improve the access control in Grafana, we’re happy to announce that starting with Grafana 10.2, administrators can designate users and service accounts as having No basic role, which is a new permissionless role in Grafana. This feature is being rolled out on Grafana Cloud instances and will be available in Grafana Enterprise 10.2 binaries.
In this blog, we’ll show you how No basic role reduces an administrator’s manual efforts around permissions management, limits users’ access to only the resources they need to fulfill their duties, and improves overall security for your Grafana instance.
No basic role in Grafana: Advantages to permissionless roles
Granting the right permissions and access in an organization can be a challenge. This is something we’ve been working on in Grafana since we introduced team roles, which lets you set permissions for an entire group of users.
Until recently, Grafana users could be assigned one of three roles:
- Organization administrator: Has access to all organization resources, including dashboards, users, and teams.
- Editor: Can view and edit dashboards, folders, and playlists.
- Viewer: Can view dashboards and playlists.
The baseline role for all users and service accounts has always been the Viewer role. But this could potentially grant users the ability to view dashboards, folders, and even data sources that they shouldn’t have access to in the first place.
To solve for that, we’ve added a fourth option — No basic role, which is a role that comes with no permissions. This new option provides an easier user management experience in multiple ways:
- Tighter access controls. Users won’t be able to access other teams’ dashboards. By restricting users to just the dashboards they need, admin’s can reinforce the team’s scope and promotes cohesion.
- Smaller blast radius. A compromised service account token will have much more restricted access to information if it has no permissions, rather than the default Viewer role.
- Simplified access management. Instead of restricting access to each private dashboard by the individual, set restrictions based on entire teams to save time and ensure your security is properly scoped.
Thanks to No basic role, we’re taking permission management a step further by not granting permissions to users outside of a given team. Instead, you grant permissions through a Team Role sync or RBAC.
How to set up No basic role in Grafana
Managing permissions in the Grafana UI is easy, whether you’re starting from scratch or creating a new team or service account. First, let’s look at how to set No basic role for existing teams.
- Open the role picker menu. It can be found in the user’s details page or the organization’s users page.
- Select the No basic role option.
- Click on the Update button.
The baseline for any user should be no permissions at all, and administrators shouldn’t assign roles individually. Instead, permissions should be allocated based on the team the user is assigned to.
You can also use No basic role to reduce the scope of permissions for service accounts, which are important for machine-to-machine interactions. To do so, you’ll follow a similar path as you would for teams.
- Go to the role picker for service accounts, which can be found in the “create service account” menu, the service accounts list page, or in the details of a service account page.
- Open the Role picker menu.
- Select No basic role option.
- Click on the Apply button.
For more information on setting up No basic role, check out our documentation.
With the help of No basic role, your service account can start as a blank slate, which enables you to adhere to the principle of least privilege.
If you’re using RBAC with your users or service accounts, we encourage you to update the baseline role to No basic role and assign any missing permissions through RBAC instead.
Get started with No basic role in Grafana
With the new No basic role feature, we continue to take steps to ensure Grafana is a secure application. To learn more, check out our Roles and permissions documentation.
Keep in mind this feature is intended to restrict access to dashboards or other resources. If your goal is to share your Grafana dashboard with anyone, you might want to take a look at the public dashboards feature.
We should also note that this feature was requested by the community. With that in mind, we would like to hear feedback from you as we continue to shape Grafana to meet the needs of our community. Go to the Grafana Community Slack or reach out to your account representative today to let us know what you think!
If you’re not already using Grafana Cloud — the easiest way to get started with observability — sign up now for a free 14-day trial of Grafana Cloud Pro, with unlimited metrics, logs, traces, and users, long-term retention, and access to all Enterprise plugins.