Configure authorization and permissions

Grafana Cloud authorization and permissions

You can configure multiple ways to allow users to access your Grafana Cloud instance.

User authorization and authentication

By default, Grafana Cloud uses Open Authorization (OAuth), with Grafana.com as the authentication provider, for all user accounts. If you are using a Grafana Cloud Pro or Grafana Advanced account, you can also configure the following authentication or authorization methods:

  • LDAP
  • SAML
  • OAuth

To view information on configuring OAuth, see Configure Open Authorization.

Add an LDAP configuration

To add an LDAP configuration, click Open a Support Ticket from the Cloud Portal. We will request the ldap.toml file and configuration parameters and provision the provider in your Grafana instance.

To learn more about LDAP, see LDAP configuration in the Grafana documentation.

Configure SAML

Advanced accounts can have SAML enabled by contacting support. Click Open a Support Ticket from the Cloud Portal to create a ticket.

When you create the ticket, be prepared to upload some information with the ticket to expedite the process. Use the Attachments upload to submit the files by clicking the document logo, shown here.

Upload a file in a support ticket

Please provide the following:

  • A description of what IdP metadata.xml is supposed to look like, preferably with a sample and according to each major provider, if possible
  • Instructions covering what needs to be done on the SAML side for the major providers
  • A sample of the IdP XML response, to read the raw assertions in case we need to troubleshoot why one or more attributes may not be properly parsed

NOTE: We do not allow IdP-initiated login on Grafana Cloud (for security reasons).

To learn how to configure and enable OAuth from your Grafana Cloud stack, see Configure Open Authorization.

Enable Team Sync

Cloud users with Pro, Advanced, and Enterprise accounts can use Team Sync to enable synchronization between your auth provider’s teams and Grafana. This is available once LDAP, SAML, or OAuth2 is configured. For more information, see Team Sync.

You can configure Team Sync with Support when you contact them to set up your authentication.

Data source permissions

If you are a Cloud user with a Pro, Advanced, or Enterprise account, you can set data source permissions that allow you to restrict user access to data source querying. For more information, see Data source permissions in the Grafana documentation.

User roles and permissions

You can assign users roles and permissions that allow them different capabilities. To learn more about the specific capabilities assigned to each role, see User account roles and permissions.

Configure user roles

You can assign users to one of three roles: Admin, Editor, or Viewer.

  1. From your Grafana Cloud instance home page, click the Configuration (gear) icon and select Users.
  2. In the Role column, select a role from the dropdown menu.

Authorize a service using access policies and tokens

You can use Grafana Cloud Access Policies and tokens to authorize requests to Grafana Cloud resources that do not involve users.