Documentation Grafana Cloud Alerts and IRM IRM Set up Manage access

Manage access for Grafana IRM

Grafana IRM uses the role and team model built into Grafana Cloud to control what users can do and which resources they can access. Understanding how access works across the Grafana Cloud platform helps you configure IRM permissions effectively.

Before you begin

To manage access in IRM, you need:

• Organization administrator access: Only admins can assign Grafana Cloud roles.
• Familiarity with Grafana roles and permissions.

How access works in Grafana Cloud

Access to IRM is managed through a layered model that builds on Grafana Cloud’s identity and permissions system:

1. Grafana Cloud account roles — Admin, Editor, and Viewer roles are assigned at the Grafana Cloud portal level. These roles define baseline access to all stacks and products in your account.

2. Stack-level roles — Within each Grafana stack, users inherit their Cloud account role or can be assigned a different organization role. The stack-level role determines default access to all plugins, including IRM.

3. IRM plugin roles (RBAC) — For fine-grained control, role-based access control allows you to assign IRM-specific roles that grant or restrict permissions without changing a user’s stack-level role. For example, you can give a Viewer the ability to edit on-call schedules.

4. Teams — Grafana teams organize users into groups. IRM syncs these teams and uses them to scope resource visibility, ownership, and filtering.

For a complete overview of Grafana Cloud authentication and permissions, refer to Authentication and permissions.

Disable or restrict the IRM plugin

RBAC applies within a single Grafana Cloud stack. If you need to completely disable IRM on a specific stack, an administrator can turn off the plugin:

1. Go to Administration > Plugins and data > Plugins.
2. Search for Grafana IRM or go directly to /plugins/grafana-irm-app.
3. Disable the plugin and click Save.

To restrict access without fully disabling the plugin, use the plugins.app:access permission scoped to plugins:id:grafana-irm-app. Removing this permission from a user’s role prevents them from opening IRM. For more detail, refer to Control plugin access.

Topics in this section

• Roles and permissions for Grafana IRM
  Understand and configure basic roles and RBAC for Grafana IRM, including the full permission matrix for each role.
• Manage teams in Grafana IRM
  Organize IRM resources, manage team visibility, and configure cross-team workflows using Grafana teams.