Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Alerts and IRMbreadcrumb arrow SLObreadcrumb arrow Set upbreadcrumb arrow RBAC
Grafana Cloud

Configure RBAC permissions

SLO creation and management permissions are configurable through the Role-based access control (RBAC) function in Grafana Cloud. This page tells you how to configure SLO access on an organizational level, or on a user level with folder permissions.

RBAC user-based roles

You can use RBAC permissions to control which users can view, create, edit, and delete SLOs.

Basic organizational roles

The following basic roles provide access to SLO functionality:

Basic RoleAccess
AdminView, create, edit, and delete SLOs. Can also modify organization preferences.
EditorView, create, edit, and delete SLOs.
ViewerView SLOs.
No basic roleNo access to SLOs unless additional SLO roles or SLO permissions are assigned.

These permissions apply to all SLOs in your Grafana instance.

SLO-specific roles

You can also assign SLO-specific roles to grant access independently of a user’s basic role. This is useful when you want to grant individual access to users who don’t have an Editor or Admin basic role.

Note

SLO roles grant permission to perform SLO actions, but users must also have folder permissions to access SLOs in specific folders. For example, a user with the SLO Writer role can only create or edit SLOs in folders where they have folder edit permission.

SLO RoleAccess
SLO AdminView, create, edit, and delete SLOs in folders where the user has folder permissions. Can also modify organization preferences.
SLO WriterView, create, edit, and delete SLOs in folders where the user has folder permissions.
SLO ViewerView SLOs in folders where the user has folder read permission.

Configure SLO access across Grafana

To grant a user permission to view, create, update, and delete SLOs across your entire Grafana Cloud instance:

  1. Sign in to Grafana as an organization administrator.
  2. In the left navigation menu, click Administration > Users and access > Users.
  3. Search for the user whose permissions you want to update.
  4. In the Role field, assign the following roles: SLO > SLO Writer and Folders > Writer.
  5. Click Apply to save the changes.

Configure SLO access within folders

You can manage access to individual SLOs using folder-level permissions.

To allow a user to view, create, update, or delete SLOs within a specific folder, assign appropriate roles and configure the folder’s permissions.

You can customize access for users, service accounts, teams, and roles. For more information, see the Grant folder permissions in the Grafana administration documentation.

Note

If a folder with restricted permissions is deleted, the visibility of the SLOs contained in that folder will default to the visibility settings for the Grafana SLO folder and will be visible in the SLO Overview accordingly.

To give a user view, create, update, and delete access for only the SLOs contained in a certain folder:

  1. Sign in to Grafana as an organization administrator.
  2. In the left-side menu, click Administration > Users and access > Users.
  3. Search for the user whose permissions you want to edit.
  4. Click the user’s role and, under the Plugins section of the drowpdown, click SLO > SLO Writer.
  5. Click Apply to save the changes.
  6. Next, go to the left-side menu and click Dashboards.
  7. Choose the folder you want to add permissions for.
  8. Click Folder actions and select Manage permissions from the dropdown.
  9. Click Add a permission and grant the specific user Folder Edit permissions.
  10. The user is now able to view, create, update, and delete SLOs restricted to the chosen Folder.

RBAC permissions

Grafana SLO supports the following RBAC permissions:

PermissionDescriptionIncluded in rolesAvailable scopes
grafana-slo-app.slo:readRead SLOsSLO Reader, SLO Writer, SLO Adminplugins:id:grafana-slo-app folders:* folders:uid:*
grafana-slo-app.slo:writeCreate or update SLOsSLO Writer, SLO Adminplugins:id:grafana-slo-app folders:* folders:uid:*
grafana-slo-app.slo:deleteDelete SLOsSLO Writer, SLO Adminplugins:id:grafana-slo-app folders:* folders:uid:*

Note

The Available scopes column shows where each permission can be applied, not what access is automatically granted. For example, folders:* means the permission can be scoped to all folders or to specific folders using folders:uid:<folder-uid>. You must explicitly assign these scopes when creating custom roles. The built-in SLO roles (SLO Reader, SLO Writer, SLO Admin) already include the plugins:id:grafana-slo-app scope, but users must still be granted folder permissions separately to access SLOs in specific folders.

Permissions required for SLO actions

To perform specific SLO actions, users must be granted multiple permissions across the SLO app, folders, and plugin system. For most users, assigning an SLO role combined with folder permissions is the simplest approach.

SLO actionRequired permissionsApplicable scopeRecommended approach
Readgrafana-slo-app.slo:readplugins:id:grafana-slo-appSLO Reader + folders:read for required folders
plugins.app:accessplugins:id:grafana-slo-app
folders:readfolders:*, folders:uid:*
Create or
Update		grafana-slo-app.slo:writeplugins:id:grafana-slo-appSLO Writer + folders:write for required folders
plugins.app:accessplugins:id:grafana-slo-app
folders:readfolders:*, folders:uid:*
folders:writefolders:*, folders:uid:*
Deletegrafana-slo-app.slo:deleteplugins:id:grafana-slo-appSLO Writer + folders:write for required folders
plugins.app:accessplugins:id:grafana-slo-app
folders:readfolders:*, folders:uid:*
folders:writefolders:*, folders:uid:*

Role summary

RolePermissions included
SLO ReaderGrants grafana-slo-app.slo:read and plugin access. Users can view SLOs in folders where they have folder read permission.
SLO WriterGrants all SLO permissions (read, write, delete) and plugin access. Users can manage SLOs in folders where they have folder edit permission, and can view SLOs in folders where they have folder view permission.
SLO AdminSame as SLO Writer, plus the ability to modify organization preferences.

Tip

Recommendation: For most use cases, assign SLO roles (SLO Reader, SLO Writer, SLO Admin) combined with appropriate folder permissions. The SLO roles grant the ability to perform SLO actions, while folder permissions control which folders those actions apply to.