--- title: "Set up a Grafana Enterprise Logs tenant | Grafana Enterprise Logs documentation" description: "Describes how to set up GEL tenants and access policies." --- # Set up a Grafana Enterprise Logs tenant Tenants provide a mechanism for log stream isolation. Access policies may be set on a per-tenant basis. Authorization of requests is based on specified access policies. These instructions assume that you have the [Grafana Enterprise Logs administrative plugin](/docs/enterprise-logs/latest/setup/grafana-plugin/) installed. Use this plugin to create tenants, access policies, and tokens for your GEL cluster. ## Create a tenant Once a cluster is running, you can create new tenants. 1. Navigate to **Grafana Enterprise Logs** > **Tenants**. 2. Click **Create tenant**. 3. Enter a chosen display name and name for this tenant. 4. Choose the cluster for this tenant. 5. Click **Save changes**. ## Create an access policy Access policies are used to authorize actions and operations by specified tenants. Access policies have a realm, which defines the set of tenants they apply to, and a scope which defines the set of actions that they confer permissions to use. 1. Navigate to **Grafana Enterprise Logs** > **Access Policies**. 2. Click **Create access policy**. 3. Enter a chosen display name and name for access policy. 4. To enter the scopes for this access policy, click on either the **Yes** or **No** box, as appropriate to answer the question, under the Scopes heading to bring up a list of clickable scopes. Place check marks next to those scopes that correspond to operations that will be authorized under this access policy. 5. Sequentially select all tenants this access policy will grant access to. 6. Click **Create**. ## Create tokens for the access policies A token will be needed by any entity requesting actions or operations. One or more tokens may be created for each access policy. Tokens can be created with an expiration date, if the administrator wishes access granted to the system for a specific length of time. 1. Navigate to **Grafana Enterprise Logs** > **Access Policies**. 2. Click **Add token** for the access policy. 3. Enter a chosen name for the token and specify the expiration details. 4. Click **Create**. 5. Copy and save the token displayed. ## Create a Grafana data source To allow Grafana to read logs from GEL, you must create a Loki data source with the proper credentials. 1. Create an access policy with scope `logs:read` for the tenant you want to read logs from. Create and save a token for this access policy. 2. In Grafana Enterprise, navigate to **Configuration** > **Data Sources**. 3. Click **Add data source**. 4. Specify a name for this data source. Set the URL to `http://:3100`. 5. Enable **Basic Auth**. 6. The **User** differs based on use case. Set the **User** to one of: - For single tenant access, set the **User** to the name of the tenant you want to read from. - For explicitly-specified, multiple-tenant access, set the **User** to include the names of the each tenant you want to read from; delimit the tenant names with a pipe character (`|`). As an example, for the two tenants named `team-engineering` and `team-finance`, the **User** will be `team-engineering|team-finance`. This data source explicitly limits the tenants. The data source must be modified to add or remove a tenant. - For multiple tenant access by all tenants specified in an access policy, set the **User** to `*`. If the access policy changes, the data source will not need to be modified to honor the modified access policy. 7. Set the **Password** to your saved token for the access policy with `logs:read` access to the tenant(s). 8. Click **Save & Test**. ## Promtail access policy and token Promtail will need an access policy with `logs:write` scope in order to push logs to a GEL cluster. Create an access policy and token to be used by Promtail. Capture the token and specify it in the Promtail configuration.