Configure RBAC permissions
Grafana Assistant access and functionality permissions are configurable through the Role-based access control (RBAC) function in Grafana Cloud. This page tells you how to configure Assistant access on an organizational level and control specific Assistant features like rules, Assistant Investigations, and MCP server management.
RBAC user-based roles
You can use RBAC permissions to control which users can access Grafana Assistant and use its features.
Basic organizational roles
The following basic roles provide access to Grafana Assistant functionality:
Basic Role | Access |
---|---|
Admin | Full access to all Assistant features including chat, investigations, MCP servers, and tenant-wide rule management. |
Editor | Access to Assistant chat, investigations, and personal MCP server management. |
Viewer | Basic access to Assistant chat with read-only capabilities. |
No basic role | No access to Assistant unless additional Assistant roles are assigned. |
These permissions apply to Assistant functionality across your Grafana instance.
Assistant-specific roles
You can also assign Assistant-specific roles to grant access independently of a user’s basic role. This is useful when you want to grant individual access to users who don’t have an Editor or Admin basic role.
Assistant Role | Access |
---|---|
Assistant Admin | Can manage both user and tenant-wide Assistant resources and settings including MCP servers and rules. |
Assistant MCP User | Can use Grafana Assistant and add personal MCP servers in addition to basic functionality. |
Assistant User | Basic access to Grafana Assistant with read-only capabilities and personal rule management. |
Assistant Investigation User | Can use Assistant Investigations for advanced troubleshooting capabilities. |
Configure Assistant access across Grafana
To grant a user permission to use Grafana Assistant with basic capabilities across your Grafana Cloud instance:
- Sign in to Grafana as an organization administrator.
- In the left navigation menu, click Administration > Users and access > Users.
- Search for the user whose permissions you want to update.
- In the Role field, assign the following role: Assistant > Assistant User.
- Click Apply to save the changes.
Configure investigation access
To allow a user to access Assistant Investigations for advanced troubleshooting:
- Sign in to Grafana as an organization administrator.
- In the left navigation menu, click Administration > Users and access > Users.
- Search for the user whose permissions you want to update.
- In the Role field, assign the following role: Assistant > Assistant Investigation User.
- Click Apply to save the changes.
Configure admin access
To grant a user administrative access to manage tenant-wide Assistant settings:
- Sign in to Grafana as an organization administrator.
- In the left navigation menu, click Administration > Users and access > Users.
- Search for the user whose permissions you want to update.
- In the Role field, assign the following role: Assistant > Assistant Admin.
- Click Apply to save the changes.
RBAC permissions
Grafana Assistant supports the following RBAC permissions:
Permission | Description | Scope |
---|---|---|
plugins.app:access | Access to the Assistant plugin | plugins:id:grafana-assistant-app |
grafana-assistant-app.chats:access | Access to Assistant chat functionality | n/a |
grafana-assistant-app.rules.user:read | Read user-level rules | n/a |
grafana-assistant-app.rules.user:create | Create user-level rules | n/a |
grafana-assistant-app.rules.user:write | Update user-level rules | n/a |
grafana-assistant-app.rules.user:delete | Delete user-level rules | n/a |
grafana-assistant-app.rules.tenant:read | Read tenant-level rules | n/a |
grafana-assistant-app.rules.tenant:create | Create tenant-level rules | n/a |
grafana-assistant-app.rules.tenant:write | Update tenant-level rules | n/a |
grafana-assistant-app.rules.tenant:delete | Delete tenant-level rules | n/a |
grafana-assistant-app.mcps.user:read | Read user MCP servers | n/a |
grafana-assistant-app.mcps.user:create | Create user MCP servers | n/a |
grafana-assistant-app.mcps.user:write | Update user MCP servers | n/a |
grafana-assistant-app.mcps.user:delete | Delete user MCP servers | n/a |
grafana-assistant-app.mcps.tenant:read | Read tenant MCP servers | n/a |
grafana-assistant-app.mcps.tenant:create | Create tenant MCP servers | n/a |
grafana-assistant-app.mcps.tenant:write | Update tenant MCP servers | n/a |
grafana-assistant-app.mcps.tenant:delete | Delete tenant MCP servers | n/a |
grafana-assistant-app.investigations:read | Read investigations | n/a |
grafana-assistant-app.investigations:create | Create investigations | n/a |
To perform specific Assistant actions, users must be granted multiple permissions across the Assistant app and plugin system.
Assistant action | Required permissions | Applicable scope |
---|---|---|
Basic chat access | grafana-assistant-app.chats:access | n/a |
Basic chat access | plugins.app:access | plugins:id:grafana-assistant-app |
Manage personal rules | grafana-assistant-app.rules.user:read, grafana-assistant-app.rules.user:write, grafana-assistant-app.rules.user:create, grafana-assistant-app.rules.user:delete | n/a |
Manage personal rules | plugins.app:access | plugins:id:grafana-assistant-app |
Manage personal rules | grafana-assistant-app.chats:access | n/a |
Manage personal MCP servers | grafana-assistant-app.mcps.user:read, grafana-assistant-app.mcps.user:write, grafana-assistant-app.mcps.user:create, grafana-assistant-app.mcps.user:delete | n/a |
Manage personal MCP servers | plugins.app:access | plugins:id:grafana-assistant-app |
Manage personal MCP servers | grafana-assistant-app.chats:access | n/a |
Manage tenant rules | grafana-assistant-app.rules.tenant:read, grafana-assistant-app.rules.tenant:write, grafana-assistant-app.rules.tenant:create, grafana-assistant-app.rules.tenant:delete | n/a |
Manage tenant rules | plugins.app:access | plugins:id:grafana-assistant-app |
Manage tenant rules | grafana-assistant-app.chats:access | n/a |
Manage tenant MCP servers | grafana-assistant-app.mcps.tenant:read, grafana-assistant-app.mcps.tenant:write, grafana-assistant-app.mcps.tenant:create, grafana-assistant-app.mcps.tenant:delete | n/a |
Manage tenant MCP servers | plugins.app:access | plugins:id:grafana-assistant-app |
Manage tenant MCP servers | grafana-assistant-app.chats:access | n/a |
Use investigations | grafana-assistant-app.investigations:read, grafana-assistant-app.investigations:write, grafana-assistant-app.investigations:create, grafana-assistant-app.investigations:delete | n/a |
Use investigations | plugins.app:access | plugins:id:grafana-assistant-app |
Use investigations | grafana-assistant-app.chats:access | n/a |
The Assistant Admin role includes all permissions required to manage Assistant functionality. The Assistant MCP User role includes permissions for chat and personal MCP server management. The Assistant User role includes basic chat access and personal rule management.
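The following is an added example, not code from Grafana: a least-privilege audit that checks a user's grants against the action table above and reports which Assistant actions they enable and what is missing. The grant format (permission name mapped to a list of scopes), the trailing `*` wildcard handling, and the sample users are assumptions constructed for illustration.

```python
APP = "grafana-assistant-app"
PLUGIN_ACCESS = ("plugins.app:access", f"plugins:id:{APP}")  # scoped permission
CHAT = (f"{APP}.chats:access", None)                          # scope n/a

def crud(resource):
    # The four verbs the action table lists for each managed resource.
    return [(f"{APP}.{resource}:{v}", None) for v in ("read", "write", "create", "delete")]

# Required (permission, scope) pairs per action, as listed in the action table.
REQUIRED = {
    "Basic chat access": [CHAT, PLUGIN_ACCESS],
    "Manage personal rules": crud("rules.user") + [PLUGIN_ACCESS, CHAT],
    "Manage personal MCP servers": crud("mcps.user") + [PLUGIN_ACCESS, CHAT],
    "Manage tenant rules": crud("rules.tenant") + [PLUGIN_ACCESS, CHAT],
    "Manage tenant MCP servers": crud("mcps.tenant") + [PLUGIN_ACCESS, CHAT],
    "Use investigations": crud("investigations") + [PLUGIN_ACCESS, CHAT],
}

def scope_covers(granted, needed):
    # Assumption: a granted scope ending in '*' acts as a prefix wildcard.
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed

def missing(grants, action):
    """Return the requirements of `action` that `grants` does not satisfy."""
    out = []
    for perm, scope in REQUIRED[action]:
        scopes = grants.get(perm)
        if scopes is None:
            out.append(perm)
        elif scope is not None and not any(scope_covers(s, scope) for s in scopes):
            out.append(f"{perm} (scope {scope})")
    return out

def allowed_actions(grants):
    """Actions for which every required permission and scope is granted."""
    return [a for a in REQUIRED if not missing(grants, a)]

# Constructed sample grants: chat plus personal rule management.
ASSISTANT_USER = {p: [] for p, _ in REQUIRED["Manage personal rules"]}
ASSISTANT_USER["plugins.app:access"] = [f"plugins:id:{APP}"]
# Same permissions, but plugin access is scoped to a different (hypothetical) plugin.
WRONG_SCOPE = dict(ASSISTANT_USER, **{"plugins.app:access": ["plugins:id:some-other-app"]})

if __name__ == "__main__":
    for name, grants in (("assistant-user", ASSISTANT_USER), ("wrong-scope", WRONG_SCOPE)):
        print(name, allowed_actions(grants), missing(grants, "Basic chat access"))
```

The second sample shows that holding every `grafana-assistant-app.*` permission enables no action when `plugins.app:access` is not scoped to `plugins:id:grafana-assistant-app`.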