Configure RBAC

Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.

A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.

Each permission contains one or more actions and a scope.

Permissions

Grafana Alerting has the following permissions.

Action	Applicable scope	Description
`alert.instances.external:read`	`datasources:` `datasources:uid:`	Read alerts and silences in data sources that support alerting.
`alert.instances.external:write`	`datasources:` `datasources:uid:`	Manage alerts and silences in data sources that support alerting.
`alert.instances:create`	n/a	Create silences in the current organization.
`alert.instances:read`	n/a	Read alerts and silences in the current organization.
`alert.instances:write`	n/a	Update and expire silences in the current organization.
`alert.notifications.external:read`	`datasources:` `datasources:uid:`	Read templates, contact points, notification policies, and mute timings in data sources that support alerting.
`alert.notifications.external:write`	`datasources:` `datasources:uid:`	Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.
`alert.notifications:write`	n/a	Manage templates, contact points, notification policies, and mute timings in the current organization.
`alert.notifications:read`	n/a	Read all templates, contact points, notification policies, and mute timings in the current organization.
`alert.rules.external:read`	`datasources:` `datasources:uid:`	Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)
`alert.rules.external:write`	`datasources:` `datasources:uid:`	Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).
`alert.rules:create`	`folders:` `folders:uid:`	Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.
`alert.rules:delete`	`folders:` `folders:uid:`	Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.
`alert.rules:read`	`folders:` `folders:uid:`	Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.
`alert.rules:write`	`folders:` `folders:uid:`	Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query.
`alert.silences:create`	`folders:` `folders:uid:`	Create rule-specific silences in a folder and its subfolders.
`alert.silences:read`	`folders:` `folders:uid:`	Read all general silences and rule-specific silences in a folder and its subfolders.
`alert.silences:write`	`folders:` `folders:uid:`	Update and expire rule-specific silences in a folder and its subfolders.
`alert.provisioning:read`	n/a	Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.
`alert.provisioning.secrets:read`	n/a	Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.
`alert.provisioning:write`	n/a	Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.
`alert.provisioning.provenance:write`	n/a	Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources
`alert.notifications.receivers:read`	`receivers:` `receivers:uid:`	Read contact points.
`alert.notifications.receivers.secrets:read`	`receivers:` `receivers:uid:`	Export contact points with decrypted secrets.
`alert.notifications.receivers:create`	n/a	Create a new contact points. The creator is automatically granted full access to the created contact point.
`alert.notifications.receivers:write`	`receivers:` `receivers:uid:`	Update existing contact points.
`alert.notifications.receivers:delete`	`receivers:` `receivers:uid:`	Update and delete existing contact points.
`receivers.permissions:read`	`receivers:` `receivers:uid:`	Read permissions for contact points.
`receivers.permissions:write`	`receivers:` `receivers:uid:`	Manage permissions for contact points.
`alert.notifications.time-intervals:read`	n/a	Read mute time intervals.
`alert.notifications.time-intervals:write`	n/a	Create new or update existing mute time intervals.
`alert.notifications.time-intervals:delete`	n/a	Delete existing time intervals.
`alert.notifications.templates:read`	n/a	Read templates.
`alert.notifications.templates:write`	n/a	Create new or update existing templates.
`alert.notifications.templates:delete`	n/a	Delete existing templates.
`alert.notifications.routes:read`	n/a	Read notification policies.
`alert.notifications.routes:write`	n/a	Create new, update and update notification policies.