Grafana Cloud
Last reviewed: April 1, 2026

Roles and permissions for Grafana IRM

Grafana IRM provides two layers of access control: basic role authorization and role-based access control (RBAC). Together, they determine what each user can do within IRM.

Basic role authorization

By default, IRM uses the basic roles assigned to users at the Grafana organization level. Every user has one of three basic roles:

Basic role | IRM access
Viewer | Read-only access to all IRM resources.
Editor | Can edit most resources, including schedules and alert groups. Can’t create integrations, escalation chains, or outgoing webhooks.
Admin | Full access to all IRM features and settings.

Users with the None basic role have no default IRM access. They don’t appear in user filters or search results within IRM. To grant IRM access to users with the None role, assign an IRM RBAC role.

For more information about basic roles, refer to Grafana roles and permissions.

Role-based access control (RBAC)

RBAC provides fine-grained access control so you can grant specific IRM permissions without changing a user’s basic role. This is useful when a user needs targeted capabilities beyond what their basic role provides.

For example, a user with the Viewer basic role needs to edit on-call schedules. You can assign the IRM Schedules Editor role to allow them to view everything in IRM and also edit schedules, without granting full Editor access.

Note

Granting any IRM RBAC role also grants access to the IRM plugin.

The following IRM features don’t yet support RBAC and still rely on basic role authorization:

  • Incidents
  • Tasks
  • Incident settings

IRM RBAC roles

The following tables list all RBAC roles available in IRM.

Main roles

Role | Description | Basic roles granted to
Admin | Full read/write access to everything in IRM, including admin settings, API key management, and other user settings. | Grafana Admin, Admin
Editor | Similar to Admin, but can’t create integrations, escalation chains, or outgoing webhooks. Can’t update ChatOps settings, other users’ settings, or admin settings. | Editor
Reader | Read-only access to all IRM resources. | Viewer
Incident Access | Access to the IRM plugin for incident workflows only. Doesn’t grant any oncall-specific permissions. | N/A
Notifications Receiver | Can receive alert notifications and edit their own IRM user settings. | N/A
OnCaller | Read access to all IRM resources, plus edit access to alert groups, schedules (including shift swaps), and their own user settings. Designed for on-call responders. | N/A

Specialized roles

For more granular control, assign specialized roles focused on specific functionality.

What each role can do

The following examples illustrate practical behaviors by role for common IRM tasks:

  • Acknowledge an alert group: Requires alert-groups:write. Available to Admin, Editor, OnCaller, and Alert Groups Editor roles.
  • Create an integration: Requires integrations:write. Available to Admin and Integrations Editor roles only. The Editor basic role can’t create integrations.
  • Edit an on-call schedule: Requires schedules:write. Available to Admin, Editor, OnCaller, and Schedules Editor roles.
  • Request a shift swap: Requires schedules-swaps:write. Available to Admin, Editor, OnCaller, and Schedules Editor roles.
  • Incident management: All incident actions use basic role authorization. RBAC roles don’t affect incident permissions.

Control plugin access

Every IRM RBAC role includes the plugins.app:access permission scoped to plugins:id:grafana-irm-app. This permission controls whether a user can open the IRM plugin at all.

If you remove this permission from a user’s role, that user can’t access IRM in the stack, even if they have other IRM-specific permissions. This is how the Incident Access role works — it grants only plugins.app:access with no oncall-specific permissions, allowing users to access incident workflows without seeing oncall-related features.

You can use this mechanism to restrict IRM access to specific users on a per-stack basis without disabling the plugin entirely. To fully disable IRM on a stack, refer to Disable or restrict the IRM plugin.

Assign roles

To assign IRM RBAC roles to users or teams, use the Grafana role assignment UI or API.

For example, to grant a Viewer the ability to edit on-call schedules:

  1. Sign in as an organization administrator.
  2. Go to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Under Grafana IRM, select Schedules Editor.
  5. Click Apply.

The user now has read access to all IRM resources (from their Viewer basic role) plus the ability to edit schedules, create shift swaps, and export schedules.

For detailed instructions on role assignment, including API-based and team-level assignment, refer to:

Best practices

  • Use RBAC for precise control: Rather than giving everyone Editor or Admin roles, use RBAC to grant specific permissions. For example, assign the OnCaller role to on-call responders who need to act on alerts and schedules but don’t need to create integrations.
  • Limit the Admin role: Reserve Admin access for users who need to manage all aspects of IRM, including settings and API keys.
  • Review permissions regularly: Audit user roles periodically to ensure they align with current responsibilities.
  • Combine RBAC with team membership: Use RBAC to control what actions users can take, and teams to control which resources they can see.
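
The following added example (not Grafana code and not part of the original page) models the rules from "What each role can do" and "Control plugin access" and uses them for the periodic review recommended above: it reports permissions a user holds beyond what they need. The user records, the `needs` list, and the `plugin_access_removed` field are hypothetical; the role and permission names are the ones listed on this page.

```python
# Added example: covers only the four RBAC-backed actions this page lists.
# Incidents are excluded because they use basic role authorization, not RBAC.

# Basic role -> IRM main role it is granted by default ("Main roles" table).
BASIC_TO_IRM = {"Grafana Admin": "Admin", "Admin": "Admin",
                "Editor": "Editor", "Viewer": "Reader", "None": None}

# Permission -> roles the page lists as holding it ("What each role can do").
ACTION_ROLES = {
    "alert-groups:write": {"Admin", "Editor", "OnCaller", "Alert Groups Editor"},
    "integrations:write": {"Admin", "Integrations Editor"},
    "schedules:write": {"Admin", "Editor", "OnCaller", "Schedules Editor"},
    "schedules-swaps:write": {"Admin", "Editor", "OnCaller", "Schedules Editor"},
}

def effective_roles(user):
    """Union of the role implied by the basic role and any assigned RBAC roles."""
    implied = BASIC_TO_IRM.get(user["basic_role"])
    return set(user.get("rbac_roles", [])) | ({implied} if implied else set())

def granted_actions(user):
    """Actions the user can perform; empty if they cannot open the plugin."""
    roles = effective_roles(user)
    # Every IRM RBAC role carries plugins.app:access; without it (no role at all,
    # or the permission removed from the role) nothing else in IRM is reachable.
    if not roles or user.get("plugin_access_removed", False):
        return set()
    return {action for action, holders in ACTION_ROLES.items() if roles & holders}

def audit(users):
    """Map user name -> sorted permissions granted beyond the stated need."""
    findings = {}
    for user in users:
        excess = granted_actions(user) - set(user.get("needs", []))
        if excess:
            findings[user["name"]] = sorted(excess)
    return findings

# Constructed sample data (hypothetical users, not from the page).
USERS = [
    {"name": "ana", "basic_role": "Viewer", "rbac_roles": ["Schedules Editor"],
     "needs": ["schedules:write", "schedules-swaps:write"]},
    {"name": "ben", "basic_role": "Editor", "rbac_roles": [],
     "needs": ["alert-groups:write"]},
    {"name": "cy", "basic_role": "None", "rbac_roles": ["Integrations Editor"],
     "needs": ["integrations:write"], "plugin_access_removed": True},
]
```

In this sample, only `ben` is flagged: the Editor basic role gives schedule and shift-swap write access that the stated need (acknowledging alert groups) does not require.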