---
title: "Use label-based access control (LBAC) | Grafana Enterprise Metrics documentation"
description: "Use label-based access control (LBAC) Label-based access control can be used to create access policies that will only allow for data to be queried that meets specific label requirements. The feature allows multiple sets of Prometheus label selectors to be associated with a policy and queries will only return data from series that match at least one of the provided selectors. This correlates to disjunctive normal form which allows any required policy to be expressed."
---


## Use label-based access control (LBAC)

Label-based access control (LBAC) lets you create access policies that only allow querying data that meets specific label requirements. The feature allows multiple sets of [Prometheus label selectors](https://prometheus.io/docs/prometheus/latest/querying/basics/#time-series-selectors) to be associated with a policy, and queries will only return data from series that match at least one of the provided selectors. This corresponds to [disjunctive normal form](https://en.wikipedia.org/wiki/Disjunctive_normal_form), which allows any required policy to be expressed.

## Setting up a label policy

Label policies are set when creating an access policy, on a per-tenant basis. This means each tenant associated with an access policy can have a unique label policy.

![Create LBAC policy](../create-lbac-policy.png)

## Alertmanager and ruler

Label policies are not enforced by the alertmanager and the ruler. This means that the requests they serve contain everything for a particular tenant, without applying label-based access control. For example, listing all rule groups in the ruler will return all rule groups for the tenant, even if a label selector in the access policy excludes some of the labels on the rules.

In the case of the ruler, this only applies to its HTTP endpoints. All metrics that the ruler generates for alerting or recording rules (alerting rules generate the `ALERTS` and `ALERTS_FOR_STATE` metrics) are subject to label-based access control when queried.

## Writing metrics

GEM does not enforce label-based access control on write requests. This means a `metrics:write` scope in the access policy allows clients to push any metrics, without restrictions regarding the labels on the metrics.

* * *

## Examples

### Exclude a label

One common use case for an LBAC policy is to exclude metrics with a specific label. For instance, a label policy that excludes all series with the label `secret=true` is created by adding a single selector with `secret!="true"` when creating an access policy. This can be seen in the image below:

![Create exclude label](../label-exclude.png)

### Exclude a metric

Expanding upon the previous example, let's say we wanted to create an access policy that only excludes metrics with the label `secret=true` on the metric named `sensitive_requests_total`. Since the name of a metric is actually just a label with the key `__name__`, we can leverage the existing LBAC label selector syntax to enforce this:

![Create exclude metric](../metric-exclude.png)

You may notice above that two different selectors were added to enforce the policy. Specifically:


```none
{secret!="true", __name__="sensitive_requests_total"}
```

and


```none
{__name__!="sensitive_requests_total"}
```

The first selector will match when returning a series from the metric `sensitive_requests_total` and will ensure that none of the returned series have the `secret="true"` label. However, when requesting a metric other than `sensitive_requests_total`, the second selector will match and return any data, even if it has the `secret="true"` label. Because the policy is a disjunction, a series is returned as long as it matches at least one selector, so every selector you add must be safe on its own.
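To make the disjunctive semantics concrete, here is a small Python model of how a policy made of label selectors is evaluated against one series' label set. This is example code added for this page, not GEM's own implementation; the selector grammar it parses is limited to the `=`, `!=`, `=~` and `!~` matchers shown in the Prometheus docs, and the sample series are constructed.

```python
import re

# One matcher: label name, operator, double-quoted value, optional trailing comma.
# Escape sequences inside the quoted value are not unescaped (simplification).
MATCHER_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"([^"]*)"\s*(?:,|$)'
)

def parse_selector(selector):
    """Parse '{a="x", b!~"y.*"}' into a list of (label, op, value) triples."""
    body = selector.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"selector must be wrapped in braces: {selector!r}")
    body = body[1:-1].strip()
    if not body:
        # An empty selector would match every series, which is never what a
        # restrictive policy intends, so reject it instead of silently allowing all.
        raise ValueError("empty selector matches everything; refusing")
    matchers, pos = [], 0
    while pos < len(body):
        m = MATCHER_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad matcher near {body[pos:]!r}")
        matchers.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return matchers

def matcher_matches(op, pattern, value):
    """Apply one PromQL-style matcher to a label value."""
    if op == "=":
        return value == pattern
    if op == "!=":
        return value != pattern
    # PromQL regex matchers are fully anchored.
    full = re.fullmatch(pattern, value) is not None
    return full if op == "=~" else not full

def series_allowed(policy, labels):
    """A series passes if ANY selector matches; a selector matches if ALL its
    matchers match. Labels absent from the series compare as "" (PromQL rule)."""
    return any(
        all(matcher_matches(op, pat, labels.get(name, "")) for name, op, pat in sel)
        for sel in (parse_selector(s) for s in policy)
    )

# The two-selector policy from the example above.
POLICY = [
    '{secret!="true", __name__="sensitive_requests_total"}',
    '{__name__!="sensitive_requests_total"}',
]
```

Running `series_allowed(POLICY, {"__name__": "sensitive_requests_total", "secret": "true"})` returns `False`, while the same labels on `http_requests_total` return `True`, which is exactly the behaviour the two selectors are meant to produce.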
