Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow AI and machine learningbreadcrumb arrow Grafana Assistantbreadcrumb arrow Manage privacy and securitybreadcrumb arrow Manage access (RBAC)
Grafana Cloud

Manage Assistant access with RBAC

Grafana Assistant relies on Grafana Cloud role-based access control (RBAC) so you can decide who can chat, run investigations, or administer tenant-wide settings. This article explains the roles available, the permissions they unlock, and how to grant users the access they need.

Before you begin

  • Organization administrator access: Only admins can assign Grafana Cloud roles.
  • RBAC plan: Decide which teams need chat, investigations, or administrative control.
  • Feature availability: Confirm you enabled Grafana Assistant and investigations in your stack.
  • Scope per stack: RBAC applies within a Grafana Cloud stack. Use plugins.app:access scoped to plugins:id:grafana-assistant-app to control who can open Assistant in that stack. To remove or disable the Assistant in a specific stack, contact Grafana Support.

Understand available roles

Grafana Cloud offers baseline organization roles plus Assistant-specific roles. Combining them lets you tailor access without granting more privileges than necessary.

Organization roles define broad access in Grafana Cloud:

Organization roleWhat the role can do with Grafana Assistant
AdminFull access to Assistant chat, investigations, rules, and MCP server management.
EditorChat, investigations, and personal MCP server management.
ViewerRead-only chat access.
No basic roleNo Assistant access unless an administrator adds an Assistant-specific role.

Assistant-specific roles extend or restrict access regardless of the user’s organization role:

Assistant roleWhat the role unlocks
Assistant AdminAdministers tenant-wide Assistant settings, rules, and MCP servers in addition to chat.
Assistant MCP UserUses Assistant chat and manages personal MCP servers and rules.
Assistant UserBasic Assistant chat plus personal rule management.
Assistant Investigation UserLaunches and manages Assistant investigations.

Assign Assistant-specific roles to give targeted access to teammates who are not Editors or Admins.

Grant access in Grafana Cloud

Use the following procedures to grant the right level of access without over-provisioning.

Grant basic Assistant chat access

  1. Sign in as an organization administrator.
  2. Go to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant User.
  5. Click Apply.

Allow users to launch investigations

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User.
  5. Click Apply.

Delegate Assistant administration

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Admin.
  5. Click Apply.

Users can hold multiple Assistant roles if they need both investigation access and tenant-wide configuration control.

Map permissions to actions

Each Assistant role grants a set of permissions. Use the tables below when you need to understand or audit the underlying RBAC settings.

Core permissions

PermissionDescriptionScope
plugins.app:accessAccess the Assistant plugin shell.plugins:id:grafana-assistant-app
grafana-assistant-app.chats:accessUse Assistant chat.n/a
grafana-assistant-app.rules.user:readRead personal Assistant rules.n/a
grafana-assistant-app.rules.user:createCreate personal Assistant rules.n/a
grafana-assistant-app.rules.user:writeUpdate personal Assistant rules.n/a
grafana-assistant-app.rules.user:deleteDelete personal Assistant rules.n/a
grafana-assistant-app.rules.tenant:readRead tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:createCreate tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:writeUpdate tenant-level Assistant rules.n/a
grafana-assistant-app.rules.tenant:deleteDelete tenant-level Assistant rules.n/a
grafana-assistant-app.mcps.user:readRead personal MCP servers.n/a
grafana-assistant-app.mcps.user:createCreate personal MCP servers.n/a
grafana-assistant-app.mcps.user:writeUpdate personal MCP servers.n/a
grafana-assistant-app.mcps.user:deleteDelete personal MCP servers.n/a
grafana-assistant-app.mcps.tenant:readRead tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:createCreate tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:writeUpdate tenant MCP servers.n/a
grafana-assistant-app.mcps.tenant:deleteDelete tenant MCP servers.n/a
grafana-assistant-app.investigations:readView investigations.n/a
grafana-assistant-app.investigations:createLaunch investigations.n/a

Actions and required permissions

Assistant actionRequired permissions (all)
Use Assistant chatgrafana-assistant-app.chats:access, plugins.app:access
Manage personal rulesgrafana-assistant-app.rules.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage personal MCP serversgrafana-assistant-app.mcps.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant rulesgrafana-assistant-app.rules.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant MCP serversgrafana-assistant-app.mcps.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Use investigationsgrafana-assistant-app.investigations:*, grafana-assistant-app.chats:access, plugins.app:access

Permissions with a * suffix mean the role needs read, create, write, and delete access for that feature area.

Next steps