Managing access in Grafana: a single stack journey with teams, roles, and real-world patterns
When multiple teams use Grafana, it can start to feel a bit messy. Dashboards pile up, permissions become unclear, and teams accidentally overwrite each other’s work.
To help you and your organization stay clear, collaborative, and secure, we recommend putting all users in a single Grafana Cloud stack and managing access with teams, roles, and folders. To illustrate this, I’ll share a hypothetical example of how you can put this into practice across three teams.
Let’s dive in!
Three teams, one stack
Let’s imagine that it’s Monday morning, and I’m sitting down with my coffee ready to start the work day. In this hypothetical, I’m part of the observability team serving an engineering organization of 50 people, and my goal today is to set up Grafana for our various engineering teams.
As part of this process, I want to reduce setup and maintenance work. I also want to make sure teams can access the right dashboards and data, avoid stepping on each other’s work, and still collaborate when needed. I do all of this in a single Grafana Cloud stack—no multi-stack complexity required.
In our setup, we have three teams:
- Team A builds product features and needs autonomy with their own dashboards and data sources.
- Team B handles data engineering and needs autonomy with their own dashboards.
- Team C is our observability team (that’s us), and we act as admins of the Grafana stack.
Note: For the purpose of this blog post, we’ll focus on the steps you’d need to follow in Grafana Cloud. However, the same basic concepts can be followed in Grafana Enterprise.
1. Create the stack
With a single stack, I get unified SSO, centralized configuration, and plugin management. Equally important: Having everything under one stack means teams are not isolated in silos. They can discover each other’s dashboards, share work, and learn from one another.
When everyone works in a single stack, collaboration becomes much easier. A dashboard built by one team can be shared directly with others, without duplicating it across stacks. Teams can choose to open specific folders or dashboards, encouraging re-use and cross-learning while still maintaining ownership of their own work.
Shared spaces, like an “Everyone” folder, make it simple to publish executive dashboards or cross-team metrics that all groups can benefit from. And because everything lives in one environment, users are easily set up to adapt when teams reorganize, collaborate across groups, or swarm together on new projects.
2. Create teams and their folders
I start by adding new users with the Viewer role by default. It’s a safe baseline: they can see everything, but they can’t change anything.
Each team needs to be added to the same stack and to a Grafana Team. To do this, I create a folder for each team that they can manage and grant them the fixed:teams:read fixed role. This means they can share items in their team folder with other teams, to encourage collaboration and learning from each other.
I upgrade Team C to the Admin role so that they can manage all resources in the instance.
To encourage creativity while keeping things tidy, I create a personal folder for each team member that they can manage for drafting content and then moving it into their team folder when ready.
3. Design top-level folder structure
I will limit the number of top-level folders to keep things organized and secure. We will have an “Everyone” folder for shared items that all teams can manage, an “Admins” folder for sensitive content only we can access (Team C’s folder), and one folder per team.
This setup helps users quickly understand where to go, what they can access, and what they can manage.
4. Configure data access
Next, I focus on how teams interact with data. All teams forward metrics to a shared database tenant, but not everyone should see all of the data. I create one shared metrics data source and grant each team query access only to their slice of the data, based on label based access controls (LBAC) per team. This way, we maintain a central observability pipeline but still preserve data separation.
I grant the datasources:explorer fixed role to all teams so they can use the Drilldown app for easily exploring data sources.
Team A, however, needs to build and manage their own data sources for product-specific use cases. For them, I grant the datasources:creator fixed role so they can create and manage their own data sources independently.
5. Consider non-folder resources and stack-wide permissions
Not all Grafana resources live in folders. Service accounts, alert contact points, Fleet Management collectors, and other feature resources are managed at the stack level. For these, I check the role options in the team management UI and assign fixed roles to teams carefully.
For example, I grant teams the Frontend Observability writer fixed role so that they can create and manage services.
6. Scale it with Terraform and SSO
Once the model is working, I codify it.
All new users get added from an Identity Provider through SCIM (I use Okta in this example). As they sync they are automatically assigned to the right team based on their Okta group membership. I use role sync logic to assign the Admin role for our team instead of the default, which I’ve set to the Viewer role.
I use Terraform to provision teams their folders, fixed roles, and shared datasource LBAC rules.
Let’s say I need to add a new team called Team D. Now I’ll only need to push new Okta groups to Grafana and run my Terraform script, and then they’ll automatically be set up and ready to start using Grafana.
Where to go from here
Getting access and permissions right in Grafana is one of the best ways to unlock its full potential. With the right structure in place, teams can collaborate more easily, stay secure without extra overhead, and build on each other’s work instead of starting from scratch. To really get a deeper understanding of these ideas, here are a few resources that can help.
Our least privilege custom role explainer blog walks through how to design roles that keep things simple and safe, so people have just the access they need. My LBAC for metrics data sources demo shows how you can give every team a clear view of their own data while still benefiting from a shared pipeline. And our introducing SCIM blog covers how to connect Grafana to your identity provider, making it easy to bring new users on board and keep permissions in sync as your organization grows.
Taken together, these resources will help you put the single-stack model into practice and set your teams up to get the very most from Grafana.
Grafana Cloud is the easiest way to get started with metrics, logs, traces, dashboards, and more. We have a generous forever-free tier and plans for every use case. Sign up for free now!
