---
title: "Control access with roles | Grafana Cloud documentation"
description: "How to control access in Kubernetes Monitoring with RBAC and LBAC"
---

# Control access with roles

You can control user access to Kubernetes Monitoring with Role Based Access Control (RBAC). By default, the [basic roles](/docs/grafana/latest/administration/roles-and-permissions/access-control/#basic-roles) grant users broad access. For more advanced access control, you can use Role-Based Access Control (RBAC) or Label-Based Access Control (LBAC).

## Precision access with RBAC custom plugin roles

Kubernetes Monitoring provides [custom app plugin roles](/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-for-app-plugins/) which limit user access to only the permissions needed. This means you can assign a specific role to a user who must view or make changes to Kubernetes Monitoring, instead of granting the user broad administrator access in Grafana Cloud. The use of plugin roles is a security best practice.

There are two fixed roles for Kubernetes Monitoring:

- `plugins:grafana-k8s-app:admin`
- `plugins:grafana-k8s-app:reader`

To assign these roles, refer to [Assign RBAC roles](/docs/grafana/latest/administration/roles-and-permissions/access-control/assign-rbac-roles/).

> Note
> 
> If you have granted a user the None basic role plus plugins.app:access, that user has no access to Kubernetes. To restore access, assign one of these Kubernetes roles.

## Access with LBAC using namespace label

LBAC uses labels on resources to define access dynamically. You can use LBAC to limit access in Kubernetes Monitoring to an individual team by using any Prometheus label that exists on the Kubernetes metrics. The following are steps to use the namespace label. In this way, a team’s namespace can access only the metrics and logs they are responsible for, including viewing alerts and performing analysis and troubleshooting.

To accomplish LBAC, you create a cloud access policy and token that is assigned to the namespace that needs limited access. When you create the access policy token, Grafana Cloud creates a logical segmentation of logs and metrics in the Cloud Logs and Prometheus databases. Members of the team then have access only to those logs and metrics.

The following diagram shows two access polices with their tokens have been created for two separate teams.

[Diagram of two team namespaces with access only to their specific metrics and logs](/media/docs/grafana-cloud/k8s/lbac-diagram.png)

The major steps to create one access policy per namespace are:

1. Remove default data source permissions.
2. Create a namespace.
3. Create or sync the team.
4. Create the access policy for the namespace.
5. Create the access policy token.
6. Assign team to data source.
7. Select the data source for the namespace in Kubernetes Monitoring.

### Remove default data source permissions

Remove the default Editor and Viewer permissions that apply to the cloud Prometheus and logs data sources. This prevents everyone being able to access all the data.

1. In the Grafana Cloud portal of your stack, expand **Connections** on the main menu.
2. Select **Data sources**
3. Select the default data source.
4. Click the **Permissions** tab.
5. Delete the **Editor** role by selecting the **X** at the end of the row.
6. Delete the **Viewer** role by selecting the **X** at the end of the row.
   
   [A list of roles and their permissions for the data source](/media/docs/grafana-cloud/k8s/datasource-role-perm.png)

### Create a namespace

[Create a new namespace](https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace).

### Sync or create the team

If you have already created a team using a third party, refer to [Configure team sync](/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/).

If you have not created a team, [create the team in Grafana Cloud](/docs/grafana/latest/administration/team-management/configure-grafana-teams/#create-a-grafana-team), and add the appropriate team members.

### Create an access policy for the namespace

Create an access policy for the namespace.

1. In the Grafana Cloud portal of your stack, expand **Administration** in the main menu.
2. Select **Users and access** on the menu.
3. At the Users and access page, click **Cloud access policies**.
4. Click **Create access policy**.
5. In the Create new access policy window, enter the following:
   
   1. Display name: Enter a name for the policy.
   2. Scopes: Select **Read** for metrics and logs.
   3. Label selectors:
      
      - Click **Add label selector** and add the following, changing the name of your namespace:
        
        ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy
        
        ```none
        { namespace = “mynamespace” }
        ```
      - Click **Add label selector**, then copy and paste the following in the label selector field:
        
        ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy
        
        ```none
        {cluster!="", __name__=~"kubecost_cluster_info|node_total_hourly_cost|pod_pvc_allocation|cluster:namespace:pod_cpu.active:kube_pod_container_resource_requests|node_cpu_hourly_cost|kube_node_.*|machine_.*"}
        ```
6. Click **Create** to create the policy.

[Fields completed for **Create new access policy** window](/media/docs/grafana-cloud/k8s/create-access-policy.png)

### Create access policy token

Create an [access policy token](/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/create-access-policies/#create-tokens-for-an-access-policy) for the access policy. As part of this process, you create data sources within the logs and metrics data sources that are available in Grafana Cloud. These custom data sources segment areas of the two underlying databases, and they are specifically for the team associated with the namespace.

1. In the **Cloud access policies** page, find the access policy you created.
2. Click **Add token**.
3. In the Create new token window, enter the name of the token, and click **Create**.
4. In the Token successfully added window:
   
   1. Click **Create data source** for both the Prometheus and Logs data sources. Grafana generates each data source that will be available only with this access policy token.
   2. Click **Copy to clipboard** to copy the token.
   3. Paste the token into a file in a safe place.

### Assign the team to the custom data sources

Change the permissions of the custom data sources that Grafana generated for the access policy token, and add the team to the new data sources.

In the Token successfully added window, complete the following steps for the Cloud Prometheus and Cloud Logs data sources.

1. Click the **Data source settings** link next to the data source to open its settings.
2. Select the **Permissions** tab.
3. Delete the Viewer and Editor roles.
4. Click **Add a permission**.
5. In the drop-down menu, select **Team**.
6. Select the team.
7. Leave the **Query** permission selected.
8. Click **Save**.

### Choose the data source in Kubernetes Monitoring

Now team members can use the data source picker to view the data source for their namespace and view the data available to them.

[Data source picker in Kubernetes Monitoring showing a custom data source](/media/docs/grafana-cloud/k8s/datasource-picker.png)