Grafana Cloud
Account management
Authorization and permissions
Role-based access control (RBAC)
RBAC for app pluginsRBAC for app plugins
Note
Available in Grafana Cloud.
RBAC can be used to manage access to app plugins. Each app plugin grants the basic Viewer, Editor and Admin organization roles a default set of plugin permissions. You can use RBAC to restrict which app plugins a basic organization role has access to. Some app plugins have fine-grained RBAC support, which allows you to grant additional access to these app plugins to teams and users regardless of their basic organization roles.
Restricting access to app plugins
By default, Viewers, Editors and Admins have access to all App Plugins that their organization role allows them to access.
To change this default behavior and prevent a basic organization role from accessing an App plugin, you must update the basic role’s permissions.
See an example of preventing Viewers from accessing an app plugin to learn more.
To grant access to a limited set of app plugins, you will need plugin IDs. You can find them in plugin.json files or in the URL when you open the app plugin in the Grafana Cloud UI.
Note that unless an app plugin has fine-grained RBAC support, it is not possible to grant access to this app plugin for a user whose organization role does not have access to that app plugin.
Fine-grained access to app plugins
Plugins with fine-grained RBAC support allow you to manage access to plugin features at a more granular level. For instance, you can grant admin access to an app plugin to a user with Viewer organization role. Or restrict the Editor organization role from being able to edit plugin resources.
Please refer to plugin documentation to see what RBAC permissions the plugin has and what default access the plugin grants to Viewer, Editor and Admin organization roles.
The following list contains app plugins that have fine-grained RBAC support.
| App plugin | App plugin ID | App plugin permission documentation |
|---|---|---|
| Access policies | grafana-auth-app | n/a |
| Adaptive metrics | grafana-adaptive-metrics-app | RBAC actions for Adaptive Metrics |
| Incident | grafana-incident-app | n/a |
| OnCall | grafana-oncall-app | Configure RBAC for OnCall |
| Performance Testing (K6) | k6-app | Configure RBAC for K6 |
| Private data source connect (PDC) | grafana-pdc-app | n/a |
| Service Level Objective (SLO) | grafana-slo-app | Configure RBAC for SLO |
Revoke fine-grained access from app plugins
To list all the permissions granted to a basic role, use the HTTP API endpoint to query for the role. Basic role UIDs are listed in RBAC role definitions list. To remove the undesired plugin permissions from a basic role, you must update the basic role’s permissions.
Grant additional access to app plugins
To grant access to app plugins, you can use the predefined fixed plugin roles or create custom roles with specific plugin permissions. To learn about how to assign an RBAC role, refer to the documentation on assigning RBAC roles.
Was this page helpful?
Related resources from Grafana Labs
