Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow AI and machine learningbreadcrumb arrow Grafana Assistantbreadcrumb arrow Privacy and securitybreadcrumb arrow Manage access (RBAC)
Grafana Cloud

Manage Assistant access with RBAC

Grafana Assistant relies on Grafana Cloud role-based access control (RBAC) so you can decide who can chat, run investigations, or administer tenant-wide settings. This article explains the roles available, the permissions they unlock, and how to grant users the access they need.

Before you begin

  • Organization administrator access: Only admins can assign Grafana Cloud roles.
  • RBAC plan: Decide which teams need chat, investigations, or administrative control.
  • Feature availability: Confirm you enabled Grafana Assistant and investigations in your stack.
  • Scope per stack: RBAC applies within a Grafana Cloud stack. Use plugins.app:access scoped to plugins:id:grafana-assistant-app to control who can open Assistant in that stack. To remove or disable the Assistant in a specific stack, an administrator can navigate to Administration > Plugins and data > Plugins, search for Grafana Assistant or go directly to /plugins/grafana-assistant-app, uncheck the agreement box, and click Save.

Understand available roles

Grafana Cloud offers baseline organization roles plus Assistant-specific roles. Combining them lets you tailor access without granting more privileges than necessary.

Organization roles define broad access in Grafana Cloud:

Organization roleWhat the role can do with Grafana Assistant
AdminFull access to Assistant chat, investigations, rules, and MCP server management.
EditorChat, investigations, and personal MCP server management.
ViewerChat access.
No basic roleNo Assistant access unless an administrator adds an Assistant-specific role.

Assistant-specific roles extend or restrict access regardless of the user’s organization role:

Assistant roleWhat the role unlocks
Assistant AdminAdministers tenant-wide Assistant settings, usage analytics and limits, rules, and MCP servers in addition to chat.
Assistant MCP UserUses Assistant chat and manages personal MCP servers and rules.
Assistant UserBasic Assistant chat plus personal rule management.
Assistant Investigation UserLaunches and manages Assistant investigations and skills.
Assistant System Investigation ViewerAdds visibility of system-created investigations. Combine with Assistant Investigation User or organization Admin.

Assign Assistant-specific roles to give targeted access to teammates who are not Editors or Admins.

Note

System-created investigations (launched automatically via IRM webhooks, alerts, or incidents) are hidden by default. Only users with the Assistant System Investigation Viewer role (combined with Assistant Investigation User) or organization Admin role can see them.

Grant access in Grafana Cloud

Use the following procedures to grant the right level of access without over-provisioning.

Grant basic Assistant chat access

  1. Sign in as an organization administrator.
  2. Go to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant User.
  5. Click Apply.

Allow users to launch investigations and skills

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User.
  5. Click Apply.

Allow users to view system-created investigations

System-created investigations are launched automatically by IRM webhooks, alerts, or incidents. By default, only organization Admins can view them. This role is additive — the user also needs the Assistant Investigation User role for general investigation access.

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User (if not already assigned).
  5. Also choose Assistant > Assistant System Investigation Viewer.
  6. Click Apply.

Delegate Assistant administration

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Admin.
  5. Click Apply.

Users can hold multiple Assistant roles if they need both investigation access and tenant-wide configuration control.

Control access to Usage Analytics and limits

The Assistant > Usage page is gated by the grafana-assistant-app.usage:read permission. Editing limits from that page requires grafana-assistant-app.usage:write.

By default, these permissions are included in the Assistant Admin role. The Assistant Admin role is granted to the organization Admin basic role by default.

Enable MCP server management

To allow users to configure personal MCP servers without granting full Editor access:

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant MCP User.
  5. Click Apply.

MCP servers configured with Everybody scope require tenant-level MCP permissions (typically Admin or Assistant Admin roles).

Understand memory access control

Assistant respects Grafana’s existing RBAC when accessing memories:

  • Dashboard memory: Search results are filtered based on your Grafana folder and dashboard permissions. You can only discover and reference dashboards you have access to view.
  • Infrastructure memory: Semantic search results are filtered by datasource permissions. You can only access infrastructure metrics from datasources you’re authorized to query. If permissions can’t be verified, access is denied by default.

This ensures Assistant never exposes data beyond your existing Grafana permissions.

Map permissions to actions

Each Assistant role grants a set of permissions. Use the tables below when you need to understand or audit the underlying RBAC settings.

Core permissions

PermissionDescriptionScope
plugins.app:accessAccess the Assistant plugin shell.plugins:id:grafana-assistant-app
grafana-assistant-app.settings.terms:writeAccept terms and conditions to enable Assistant.n/a
grafana-assistant-app.settings.sql-discovery:readRead SQL table discovery settings.n/a
grafana-assistant-app.settings.sql-discovery:writeConfigure SQL table discovery settings.n/a
grafana-assistant-app.chats:accessUse Assistant chat.n/a
grafana-assistant-app.rules.user:readRead personal Assistant rules.n/a
grafana-assistant-app.rules.user:createCreate personal Assistant rules.n/a
grafana-assistant-app.rules.user:writeUpdate personal Assistant rules.n/a
grafana-assistant-app.rules.user:deleteDelete personal Assistant rules.n/a
grafana-assistant-app.rules.tenant:readRead tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:createCreate tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:writeUpdate tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:deleteDelete tenant-level Assistant rules.n/a
grafana-assistant-app.mcps.user:readRead personal MCP servers.n/a
grafana-assistant-app.mcps.user:createCreate personal MCP servers.n/a
grafana-assistant-app.mcps.user:writeUpdate personal MCP servers.n/a
grafana-assistant-app.mcps.user:deleteDelete personal MCP servers.n/a
grafana-assistant-app.mcps.tenant:readRead tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:createCreate tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:writeUpdate tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:deleteDelete tenant MCP servers.n/a
grafana-assistant-app.investigations:readView investigations.n/a
grafana-assistant-app.investigations:createLaunch investigations.n/a
grafana-assistant-app.investigations.system:readView system-created investigations.n/a
grafana-assistant-app.usage:readView Usage Analytics for the stack.n/a
grafana-assistant-app.usage:writeUpdate stack usage limits.n/a

Actions and required permissions

Assistant actionRequired permissions (all)
Enable Assistant and accept termsgrafana-assistant-app.settings.terms:write, plugins.app:access
Configure SQL table discoverygrafana-assistant-app.settings.sql-discovery:write, grafana-assistant-app.settings.sql-discovery:read, plugins.app:access
Use Assistant chatgrafana-assistant-app.chats:access, plugins.app:access
Manage personal rulesgrafana-assistant-app.rules.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage personal MCP serversgrafana-assistant-app.mcps.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant rulesgrafana-assistant-app.rules.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant MCP serversgrafana-assistant-app.mcps.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Use investigationsgrafana-assistant-app.investigations:*, grafana-assistant-app.chats:access, plugins.app:access
View system-created investigationsgrafana-assistant-app.investigations.system:read, grafana-assistant-app.investigations:read, plugins.app:access
View Usage Analytics dashboardgrafana-assistant-app.usage:read, plugins.app:access
Configure usage limitsgrafana-assistant-app.usage:write, grafana-assistant-app.usage:read, plugins.app:access

Permissions with a * suffix mean the role needs read, create, write, and delete access for that feature area.

Next steps