Grafana OnCall relies on the teams and user permissions configured at the organization level of your Grafana instance. Organization administrators can invite
users, configure teams, and manage user permissions at Grafana.com.
User roles and permissions
Note: User roles and teams cannot be managed directly from Grafana OnCall.
User roles and permissions are assigned and managed at the Grafana organization or Cloud portal level. There are two ways to manage user roles and permissions
for Grafana OnCall.
Basic role authorization
By default, authorization within Grafana OnCall relies on the basic user roles configured at the organization level. All users are assigned a basic role by the
organization administrator. There are three available roles: Viewer, Editor, and Admin.
Role-based access control (RBAC)
RBAC for Grafana plugins allows for fine-grained access control so you can define custom roles and actions for users in Grafana OnCall. Use RBAC to grant
specific permissions within the Grafana OnCall plugin without changing the user’s basic role at the organization level. You can fine-tune basic roles to add or
remove certain Grafana OnCall RBAC roles.
For example, a user with the basic Viewer role at the organization level needs to edit on-call schedules. You can assign the Grafana OnCall RBAC role of
Schedules Editor to allow the user to view everything in Grafana OnCall, as well as allow them to edit on-call schedules.
To learn more about RBAC for Grafana OnCall, refer to the following documentation:
Available Grafana OnCall RBAC roles + granted actions
Note: Granting any of the following roles also grants the user the plugins.app:access action with a scope of
plugins:id:grafana-oncall-app (i.e. the ability to access the plugin). Additionally, none of the
following RBAC roles currently supports scopes.
To further control which Grafana OnCall objects specific groups of users can view, refer to Manage Teams in Grafana OnCall.
| Role | Description | Granted Actions | Basic Roles Granted To |
| --- | --- | --- | --- |
| Admin | Read/write access to everything in OnCall | grafana-oncall-app.alert-groups:read, grafana-oncall-app.alert-groups:write, grafana-oncall-app.alert-groups:direct-paging, grafana-oncall-app.integrations:read, grafana-oncall-app.integrations:write, grafana-oncall-app.integrations:test, grafana-oncall-app.escalation-chains:read, grafana-oncall-app.escalation-chains:write, grafana-oncall-app.schedules:read, grafana-oncall-app.schedules:write, grafana-oncall-app.schedules:export, grafana-oncall-app.chatops:read, grafana-oncall-app.chatops:write, grafana-oncall-app.chatops:update-settings, grafana-oncall-app.outgoing-webhooks:read, grafana-oncall-app.outgoing-webhooks:write, grafana-oncall-app.maintenance:read, grafana-oncall-app.maintenance:write, grafana-oncall-app.api-keys:read, grafana-oncall-app.api-keys:write, grafana-oncall-app.notifications:read, grafana-oncall-app.notification-settings:read, grafana-oncall-app.notification-settings:write, grafana-oncall-app.user-settings:read, grafana-oncall-app.user-settings:write, grafana-oncall-app.user-settings:admin, grafana-oncall-app.other-settings:read, grafana-oncall-app.other-settings:write | Grafana Admin, Admin |
| Editor | Similar to the Admin role, minus the abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other users’ settings, and update general OnCall settings. | grafana-oncall-app.alert-groups:read, grafana-oncall-app.alert-groups:write, grafana-oncall-app.alert-groups:direct-paging, grafana-oncall-app.integrations:read, grafana-oncall-app.integrations:test, grafana-oncall-app.escalation-chains:read, grafana-oncall-app.schedules:read, grafana-oncall-app.schedules:write, grafana-oncall-app.schedules:export, grafana-oncall-app.chatops:read, grafana-oncall-app.chatops:write, grafana-oncall-app.outgoing-webhooks:read, grafana-oncall-app.maintenance:read, grafana-oncall-app.maintenance:write, grafana-oncall-app.notifications:read, grafana-oncall-app.notification-settings:read, grafana-oncall-app.notification-settings:write, grafana-oncall-app.user-settings:read, grafana-oncall-app.user-settings:write, grafana-oncall-app.other-settings:read | Editor |
| Reader | Read-only access to everything in OnCall | grafana-oncall-app.alert-groups:read, grafana-oncall-app.integrations:read, grafana-oncall-app.escalation-chains:read, grafana-oncall-app.schedules:read, grafana-oncall-app.chatops:read, grafana-oncall-app.outgoing-webhooks:read, grafana-oncall-app.maintenance:read, grafana-oncall-app.notification-settings:read, grafana-oncall-app.user-settings:read, grafana-oncall-app.other-settings:read | Viewer |
| Notifications Receiver | Grants the ability to receive OnCall alert notifications. By extension, it also grants the user the ability to edit their own OnCall settings. | grafana-oncall-app.notifications:read, grafana-oncall-app.user-settings:write | N/A |
| OnCaller | Grants read access to everything in OnCall. In addition, grants edit access to Alert Groups, Schedules and own settings. | grafana-oncall-app.alert-groups:read, grafana-oncall-app.alert-groups:write, grafana-oncall-app.alert-groups:direct-paging, grafana-oncall-app.integrations:read, grafana-oncall-app.escalation-chains:read, grafana-oncall-app.schedules:read, grafana-oncall-app.schedules:write, grafana-oncall-app.chatops:read, grafana-oncall-app.outgoing-webhooks:read, grafana-oncall-app.maintenance:read, grafana-oncall-app.notifications:read, grafana-oncall-app.notification-settings:read, grafana-oncall-app.user-settings:read, grafana-oncall-app.user-settings:write, grafana-oncall-app.other-settings:read | N/A |
| Alert Groups Reader | Read-only access to OnCall Alert Groups | grafana-oncall-app.alert-groups:read | N/A |
| Alert Groups Editor | Read access to OnCall Alert Groups + ability to act on Alert Groups (i.e. ack, resolve, etc.) | grafana-oncall-app.alert-groups:read, grafana-oncall-app.alert-groups:write | N/A |
| Alert Groups Direct Paging | Grants the ability to manually create new Alert Groups (aka Direct Paging) | grafana-oncall-app.alert-groups:direct-paging | N/A |
| Integrations Reader | Read-only access to OnCall Integrations | grafana-oncall-app.integrations:read | N/A |
| Integrations Editor | Read/write access to OnCall Integrations | grafana-oncall-app.integrations:read, grafana-oncall-app.integrations:write, grafana-oncall-app.integrations:test | N/A |
| Escalation Chains Reader | Read-only access to OnCall Escalation Chains | grafana-oncall-app.escalation-chains:read | N/A |
| Escalation Chains Editor | Read/write access to OnCall Escalation Chains | grafana-oncall-app.escalation-chains:read, grafana-oncall-app.escalation-chains:write | N/A |
| Schedules Reader | Read-only access to OnCall Schedules | grafana-oncall-app.schedules:read | N/A |
| Schedules Editor | Read/write access to OnCall Schedules | grafana-oncall-app.schedules:read, grafana-oncall-app.schedules:write, grafana-oncall-app.schedules:export | N/A |
| ChatOps Reader | Read-only access to OnCall ChatOps | grafana-oncall-app.chatops:read | N/A |
| ChatOps Editor | Read/write access to OnCall ChatOps | grafana-oncall-app.chatops:read, grafana-oncall-app.chatops:write, grafana-oncall-app.chatops:update-settings | N/A |
| Outgoing Webhooks Reader | Read-only access to OnCall Outgoing Webhooks | grafana-oncall-app.outgoing-webhooks:read | N/A |
| Outgoing Webhooks Editor | Read/write access to OnCall Outgoing Webhooks | grafana-oncall-app.outgoing-webhooks:read, grafana-oncall-app.outgoing-webhooks:write | N/A |
| Maintenance Reader | Read-only access to OnCall Maintenance | grafana-oncall-app.maintenance:read | N/A |
| Maintenance Editor | Read/write access to OnCall Maintenance | grafana-oncall-app.maintenance:read, grafana-oncall-app.maintenance:write | N/A |
| API Keys Reader | Read-only access to OnCall API Keys | grafana-oncall-app.api-keys:read | N/A |
| API Keys Editor | Read/write access to OnCall API Keys. Also grants the ability to consume the API. | grafana-oncall-app.api-keys:read, grafana-oncall-app.api-keys:write | N/A |
| Notification Settings Reader | Read-only access to OnCall Notification Settings | grafana-oncall-app.notification-settings:read | N/A |
| Notification Settings Editor | Read/write access to OnCall Notification Settings | grafana-oncall-app.notification-settings:read, grafana-oncall-app.notification-settings:write | N/A |
| User Settings Reader | Read-only access to own OnCall User Settings | grafana-oncall-app.user-settings:read | N/A |
| User Settings Editor | Read/write access to own OnCall User Settings + ability to view basic information about other OnCall users | grafana-oncall-app.user-settings:read, grafana-oncall-app.user-settings:write | N/A |
| User Settings Admin | Read/write access to your own, plus others’ OnCall User Settings | grafana-oncall-app.user-settings:read, grafana-oncall-app.user-settings:write, grafana-oncall-app.user-settings:admin | N/A |
| Settings Reader | Read-only access to OnCall Settings | grafana-oncall-app.other-settings:read | N/A |
| Settings Editor | Read/write access to OnCall Settings | grafana-oncall-app.other-settings:read, grafana-oncall-app.other-settings:write | N/A |
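The earlier case of a Viewer who needs to edit on-call schedules generalizes to a least-privilege check: given the actions a user needs, find the role combination that covers them with the fewest extra actions. The following is an added example, not part of the Grafana documentation or the OnCall code base; it transcribes a subset of the role table by hand, and the names expand, VIEWER_BASELINE, ROLES and least_privilege are hypothetical.

```python
from itertools import combinations

PREFIX = "grafana-oncall-app."

def expand(spec):
    """'schedules:read,write; chatops:read' -> set of full action names."""
    actions = set()
    for part in spec.split(";"):
        resource, verbs = part.strip().split(":")
        actions |= {f"{PREFIX}{resource}:{verb}" for verb in verbs.split(",")}
    return actions

# Actions a basic Viewer already holds through the Reader role (role table).
VIEWER_BASELINE = expand(
    "alert-groups:read; integrations:read; escalation-chains:read; "
    "schedules:read; chatops:read; outgoing-webhooks:read; maintenance:read; "
    "notification-settings:read; user-settings:read; other-settings:read")

# A subset of the assignable roles from the role table, transcribed by hand.
ROLES = {name: expand(spec) for name, spec in {
    "Notifications Receiver": "notifications:read; user-settings:write",
    "OnCaller": "alert-groups:read,write,direct-paging; integrations:read; "
                "escalation-chains:read; schedules:read,write; chatops:read; "
                "outgoing-webhooks:read; maintenance:read; notifications:read; "
                "notification-settings:read; user-settings:read,write; "
                "other-settings:read",
    "Alert Groups Editor": "alert-groups:read,write",
    "Alert Groups Direct Paging": "alert-groups:direct-paging",
    "Integrations Editor": "integrations:read,write,test",
    "Escalation Chains Editor": "escalation-chains:read,write",
    "Schedules Editor": "schedules:read,write,export",
    "API Keys Editor": "api-keys:read,write",
}.items()}

def least_privilege(required, baseline=VIEWER_BASELINE, max_roles=3):
    """Pick the role set that covers `required` while granting the fewest actions
    beyond `required` and `baseline`. Returns (roles, excess), or None if no
    combination of up to `max_roles` roles covers the request."""
    required, best = expand(required), None
    for size in range(max_roles + 1):          # size 0: baseline may suffice
        for combo in combinations(sorted(ROLES), size):
            granted = set().union(*(ROLES[role] for role in combo))
            if not required <= granted | baseline:
                continue
            key = (len(granted - required - baseline), size)
            if best is None or key < best[0]:
                best = (key, combo, granted - required - baseline)
    return None if best is None else (best[1], best[2])
```

For a Viewer who needs grafana-oncall-app.schedules:write, the selection is Schedules Editor, with grafana-oncall-app.schedules:export as the one additional action granted. Asking for both alert-groups:write and schedules:write selects Alert Groups Editor plus Schedules Editor rather than OnCaller, which would add direct paging, notification and own-settings write actions.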
Manage Teams in Grafana OnCall
Teams in Grafana OnCall enable the configuration of visibility and filtering of resources, such as alert groups,
integrations, escalation chains, and schedules. OnCall teams are automatically synced with
Grafana teams created at the organization
level of your Grafana instance. To modify global settings like team name or team members, navigate to
Configuration > Teams. For OnCall-specific team settings,
go to Alerts & IRM > OnCall > Settings > Teams and Access Settings.
This section displays a list of teams, allowing you to configure team visibility and access to team resources for all
Grafana users, or only admins and team members. You can also set a default team, which is a user-specific setting;
the default team will be pre-selected each time a user creates a new resource. The team list includes a No team tag,
signifying that the resource has no team and is accessible to everyone.
Admins can view the list of all teams, while editors and viewers can only see teams (and their resources)
that they are members of, or teams whose setting “who can see the team name and access the team resources” is set to
“all users of Grafana”.
⚠️ In the main Grafana teams section, users can set team-specific user permissions, such as Admin, Editor, or Viewer,
but only for resources within that team. Currently, Grafana OnCall ignores this setting and uses global roles instead.
Teams help filter resources on their respective pages, improving organization. You can assign a resource to a team when
creating it. Alert groups created via the Integration API inherit the team from the integration.
Resources from different teams can be connected with one another. For instance, you can create an integration in one
team, set up multiple routes for the integration, and utilize escalation chains from other teams. Users, schedules,
and outgoing webhooks from other teams can also be included in the escalation chain. If a user only has access to the
first team and not the others, they will be unable to view the resources from those other teams, which will display as 🔒 Private resource.
This feature enables the distribution of escalations across various teams.