Manage Assistant access with RBAC
Grafana Assistant relies on Grafana Cloud role-based access control (RBAC) so you can decide who can chat, run investigations, or administer tenant-wide settings. This article explains the roles available, the permissions they unlock, and how to grant users the access they need.
Before you begin
- Organization administrator access: Only admins can assign Grafana Cloud roles.
- RBAC plan: Decide which teams need chat, investigations, or administrative control.
- Feature availability: Confirm you enabled Grafana Assistant and investigations in your stack.
Understand available roles
Grafana Cloud offers baseline organization roles plus Assistant-specific roles. Combining them lets you tailor access without granting more privileges than necessary.
Organization roles define broad access in Grafana Cloud:
Organization role | What the role can do with Grafana Assistant |
---|---|
Admin | Full access to Assistant chat, investigations, rules, and MCP server management. |
Editor | Chat, investigations, and personal MCP server management. |
Viewer | Read-only chat access. |
No basic role | No Assistant access unless an administrator adds an Assistant-specific role. |
Assistant-specific roles extend or restrict access regardless of the user’s organization role:
Assistant role | What the role unlocks |
---|---|
Assistant Admin | Administers tenant-wide Assistant settings, rules, and MCP servers in addition to chat. |
Assistant MCP User | Uses Assistant chat and manages personal MCP servers and rules. |
Assistant User | Basic Assistant chat plus personal rule management. |
Assistant Investigation User | Launches and manages Assistant investigations. |
Assign Assistant-specific roles to give targeted access to teammates who are not Editors or Admins.
Grant access in Grafana Cloud
Use the following procedures to grant the right level of access without over-provisioning.
Grant basic Assistant chat access
- Sign in as an organization administrator.
- Go to Administration > Users and access > Users.
- Select the user and open the Role picker.
- Choose Assistant > Assistant User.
- Click Apply.
Allow users to launch investigations
- Sign in as an organization administrator.
- Navigate to Administration > Users and access > Users.
- Select the user and open the Role picker.
- Choose Assistant > Assistant Investigation User.
- Click Apply.
Delegate Assistant administration
- Sign in as an organization administrator.
- Navigate to Administration > Users and access > Users.
- Select the user and open the Role picker.
- Choose Assistant > Assistant Admin.
- Click Apply.
Users can hold multiple Assistant roles if they need both investigation access and tenant-wide configuration control.
Map permissions to actions
Each Assistant role grants a set of permissions. Use the tables below when you need to understand or audit the underlying RBAC settings.
Core permissions
Permission | Description | Scope |
---|---|---|
plugins.app:access | Access the Assistant plugin shell. | plugins:id:grafana-assistant-app |
grafana-assistant-app.chats:access | Use Assistant chat. | n/a |
grafana-assistant-app.rules.user:read | Read personal Assistant rules. | n/a |
grafana-assistant-app.rules.user:create | Create personal Assistant rules. | n/a |
grafana-assistant-app.rules.user:write | Update personal Assistant rules. | n/a |
grafana-assistant-app.rules.user:delete | Delete personal Assistant rules. | n/a |
grafana-assistant-app.rules.tenant:read | Read tenant-level Assistant rules. | n/a |
grafana-assistant-app.rules.tenant:create | Create tenant-level Assistant rules. | n/a |
grafana-assistant-app.rules.tenant:write | Update tenant-level Assistant rules. | n/a |
grafana-assistant-app.rules.tenant:delete | Delete tenant-level Assistant rules. | n/a |
grafana-assistant-app.mcps.user:read | Read personal MCP servers. | n/a |
grafana-assistant-app.mcps.user:create | Create personal MCP servers. | n/a |
grafana-assistant-app.mcps.user:write | Update personal MCP servers. | n/a |
grafana-assistant-app.mcps.user:delete | Delete personal MCP servers. | n/a |
grafana-assistant-app.mcps.tenant:read | Read tenant MCP servers. | n/a |
grafana-assistant-app.mcps.tenant:create | Create tenant MCP servers. | n/a |
grafana-assistant-app.mcps.tenant:write | Update tenant MCP servers. | n/a |
grafana-assistant-app.mcps.tenant:delete | Delete tenant MCP servers. | n/a |
grafana-assistant-app.investigations:read | View investigations. | n/a |
grafana-assistant-app.investigations:create | Launch investigations. | n/a |
grafana-assistant-app.investigations:write | Update investigations. | n/a |
grafana-assistant-app.investigations:delete | Delete investigations. | n/a |
Actions and required permissions
Assistant action | Required permissions (all) |
---|---|
Use Assistant chat | grafana-assistant-app.chats:access, plugins.app:access |
Manage personal rules | grafana-assistant-app.rules.user:*, grafana-assistant-app.chats:access, plugins.app:access |
Manage personal MCP servers | grafana-assistant-app.mcps.user:*, grafana-assistant-app.chats:access, plugins.app:access |
Manage tenant rules | grafana-assistant-app.rules.tenant:*, grafana-assistant-app.chats:access, plugins.app:access |
Manage tenant MCP servers | grafana-assistant-app.mcps.tenant:*, grafana-assistant-app.chats:access, plugins.app:access |
Use investigations | grafana-assistant-app.investigations:*, grafana-assistant-app.chats:access, plugins.app:access |
Permissions with a * suffix mean the role needs read, create, write, and delete access for that feature area.
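The "all permissions required" rule from the table above, as an added Python audit helper (example code written for this page, not Grafana's own). It reports which Assistant actions a permission set allows and which grants are partial, meaning feature permissions are held but the action still fails. The function names and the sample permission sets are constructed for illustration, and scopes are not modelled.

```python
# Added example: audit permission sets against the page's action table.
VERBS = ("read", "create", "write", "delete")
PREFIX = "grafana-assistant-app."
BASE = {PREFIX + "chats:access", "plugins.app:access"}  # needed by every action

# Feature-specific permission per action, from "Actions and required permissions".
ACTIONS = {
    "Use Assistant chat": "chats:access",
    "Manage personal rules": "rules.user:*",
    "Manage personal MCP servers": "mcps.user:*",
    "Manage tenant rules": "rules.tenant:*",
    "Manage tenant MCP servers": "mcps.tenant:*",
    "Use investigations": "investigations:*",
}

def expand(perm):
    """Expand a '*' suffix into read, create, write and delete."""
    if perm.endswith(":*"):
        return {perm[:-1] + verb for verb in VERBS}
    return {perm}

def audit(granted):
    """Return (allowed actions, {action: missing permissions} for partial grants)."""
    have = set(granted)
    allowed, partial = [], {}
    for action, perm in ACTIONS.items():
        specific = expand(PREFIX + perm)
        missing = (specific | BASE) - have
        if not missing:
            allowed.append(action)
        elif specific & have:
            # Some feature permissions are held, but the action still fails.
            partial[action] = sorted(missing)
    return allowed, partial

# Constructed sample permission sets (not exported from a real stack).
SAMPLE = {
    "alice": [PREFIX + "chats:access", "plugins.app:access"]
             + [PREFIX + "rules.user:" + v for v in VERBS],
    "bob": [PREFIX + "investigations:read", PREFIX + "investigations:create",
            "plugins.app:access"],
}

if __name__ == "__main__":
    for user, perms in SAMPLE.items():
        print(user, audit(perms))
```

A non-empty partial result usually points to a custom or hand-edited grant that is missing the chat or plugin access every action depends on.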
Next steps
- Review Manage your data privacy and security to understand data handling, third-party providers, security measures, and access controls.
- Review Pricing and limits to understand projected costs and limits.