Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow AI and machine learningbreadcrumb arrow Grafana Assistantbreadcrumb arrow Privacy and securitybreadcrumb arrow Manage access (RBAC)
Grafana Cloud

Manage Assistant access with RBAC

Grafana Assistant relies on Grafana Cloud role-based access control (RBAC) so you can decide who can chat, run investigations, or administer tenant-wide settings. This article explains the roles available, the permissions they unlock, and how to grant users the access they need.

Before you begin

  • Organization administrator access: Only admins can assign Grafana Cloud roles.
  • RBAC plan: Decide which teams need chat, investigations, or administrative control.
  • Feature availability: Confirm you enabled Grafana Assistant and investigations in your stack.
  • Scope per stack: RBAC applies within a Grafana Cloud stack. Use plugins.app:access scoped to plugins:id:grafana-assistant-app to control who can open Assistant in that stack. To remove or disable the Assistant in a specific stack, an administrator can navigate to Administration > Plugins and data > Plugins, search for Grafana Assistant or go directly to /plugins/grafana-assistant-app, uncheck the agreement box, and click Save.

Understand available roles

Grafana Cloud offers baseline organization roles plus Assistant-specific roles. Combining them lets you tailor access without granting more privileges than necessary.

Organization roles define broad access in Grafana Cloud:

Organization roleWhat the role can do with Grafana Assistant
AdminFull access to Assistant chat, investigations, rules, and MCP server management.
EditorChat, investigations, and personal MCP server management.
ViewerChat access.
No basic roleNo Assistant access unless an administrator adds an Assistant-specific role.

Assistant-specific roles extend or restrict access regardless of the user’s organization role:

Assistant roleWhat the role unlocks
Assistant AdminAdministers tenant-wide Assistant settings, rules, and MCP servers in addition to chat.
Assistant MCP UserUses Assistant chat and manages personal MCP servers and rules.
Assistant UserBasic Assistant chat plus personal rule management.
Assistant Investigation UserLaunches and manages Assistant investigations.
Assistant System Investigation ViewerAdds visibility of system-created investigations. Combine with Assistant Investigation User.

Assign Assistant-specific roles to give targeted access to teammates who are not Editors or Admins.

Note

System-created investigations (launched automatically via IRM webhooks, alerts, or incidents) are hidden by default. Only users with the Assistant System Investigation Viewer role (combined with Assistant Investigation User) or organization Admin role can see them.

Grant access in Grafana Cloud

Use the following procedures to grant the right level of access without over-provisioning.

Grant basic Assistant chat access

  1. Sign in as an organization administrator.
  2. Go to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant User.
  5. Click Apply.

Allow users to launch investigations

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User.
  5. Click Apply.

Allow users to view system-created investigations

System-created investigations are launched automatically by IRM webhooks, alerts, or incidents. By default, only organization Admins can view them. This role is additive — the user also needs the Assistant Investigation User role for general investigation access.

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User (if not already assigned).
  5. Also choose Assistant > Assistant System Investigation Viewer.
  6. Click Apply.

Delegate Assistant administration

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Admin.
  5. Click Apply.

Users can hold multiple Assistant roles if they need both investigation access and tenant-wide configuration control.

Map permissions to actions

Each Assistant role grants a set of permissions. Use the tables below when you need to understand or audit the underlying RBAC settings.

Core permissions

PermissionDescriptionScope
plugins.app:accessAccess the Assistant plugin shell.plugins:id:grafana-assistant-app
grafana-assistant-app.settings.terms:writeAccept terms and conditions to enable Assistant.n/a
grafana-assistant-app.settings.sql-discovery:writeConfigure SQL table discovery settings.n/a
grafana-assistant-app.chats:accessUse Assistant chat.n/a
grafana-assistant-app.rules.user:readRead personal Assistant rules.n/a
grafana-assistant-app.rules.user:createCreate personal Assistant rules.n/a
grafana-assistant-app.rules.user:writeUpdate personal Assistant rules.n/a
grafana-assistant-app.rules.user:deleteDelete personal Assistant rules.n/a
grafana-assistant-app.rules.tenant:readRead tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:createCreate tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:writeUpdate tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:deleteDelete tenant-level Assistant rules.n/a
grafana-assistant-app.mcps.user:readRead personal MCP servers.n/a
grafana-assistant-app.mcps.user:createCreate personal MCP servers.n/a
grafana-assistant-app.mcps.user:writeUpdate personal MCP servers.n/a
grafana-assistant-app.mcps.user:deleteDelete personal MCP servers.n/a
grafana-assistant-app.mcps.tenant:readRead tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:createCreate tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:writeUpdate tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:deleteDelete tenant MCP servers.n/a
grafana-assistant-app.investigations:readView investigations.n/a
grafana-assistant-app.investigations:createLaunch investigations.n/a
grafana-assistant-app.investigations.system:readView system-created investigations.n/a

Actions and required permissions

Assistant actionRequired permissions (all)
Enable Assistant and accept termsgrafana-assistant-app.settings.terms:write, plugins.app:access
Configure SQL table discoverygrafana-assistant-app.settings.sql-discovery:write, plugins.app:access
Use Assistant chatgrafana-assistant-app.chats:access, plugins.app:access
Manage personal rulesgrafana-assistant-app.rules.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage personal MCP serversgrafana-assistant-app.mcps.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant rulesgrafana-assistant-app.rules.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant MCP serversgrafana-assistant-app.mcps.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Use investigationsgrafana-assistant-app.investigations:*, grafana-assistant-app.chats:access, plugins.app:access
View system-created investigationsgrafana-assistant-app.investigations.system:read, grafana-assistant-app.investigations:read, plugins.app:access

Permissions with a * suffix mean the role needs read, create, write, and delete access for that feature area.

Next steps