Cloud Provider Observability role-based access control
You can control user access to Cloud Provider Observability using Grafana Cloud Role Based Access Control (RBAC). Grafana Cloud basic roles grant users broad access to Cloud Provider Observability. To grant access more granularly, a security best practice, use the Cloud Provider plugin roles.
For more information on assigning RBAC roles to users, refer to Assign RBAC roles.
Fine-grained app access
Cloud Provider Observability provides custom app plugin roles that reduce security risk by limiting user access to only the permissions users need. Cloud Provider plugin roles allow you to assign a specific role to a user who only needs to view or make changes to Cloud Provider Observability, instead of granting the user broad administrator access in Grafana Cloud.
For instance, a user assigned the Viewer basic role has permissions to view all Cloud Provider dashboards, but does not have permissions to update AWS scrape jobs. If you want the user with a Viewer basic role to have the ability to update AWS scrape jobs, but you don’t want to give the user Admin access to Grafana Cloud, you can assign the user a plugin role that would grant them specific access to update AWS scrape jobs.
For more information on custom app plugin roles, refer to Fine-grained access to app plugins.
Cloud Provider app plugin roles
The following table describes the Cloud Provider plugin roles and what permissions each role grants:
Plugin role | Permissions in Cloud Provider Observability |
---|---|
Reader | Read access to Cloud Provider Observability. Read access includes dashboards and scraped services in all three providers. |
AWS Writer | Read access to Cloud Provider Observability and write access to the AWS provider. Write access includes updating AWS configuration such as scrape jobs, accounts, and logs. |
Azure Writer | Read access to Cloud Provider Observability and write access to the Azure provider. Write access includes updating Azure configuration such as credentials, metrics, and logs. |
GCP Writer | Read access to Cloud Provider Observability and write access to the GCP provider. Write access includes updating GCP configuration such as logs and metrics. |
Note
All users assigned a plugin role who are not assigned a Grafana Cloud basic role must have the Datasources:Reader fixed role assigned to them to see dashboard data.
All users assigned a plugin writer role (AWS Writer, Azure Writer, or GCP Writer) who are assigned either the Viewer basic role or no Grafana Cloud basic role must have the Dashboards:Writer and Folders:Writer fixed roles assigned to them to install dashboards or add alerts and folders.
For more information on permissions for Grafana Cloud basic roles, refer to Roles and permissions.
For more information on Grafana Cloud fixed roles, refer to Fixed roles.
Grafana Cloud basic roles
Grafana Cloud basic roles can be assigned to users to provide them with the access they need to perform actions within Grafana Cloud. In addition to other permissions, certain roles can provide users the ability to view or edit Cloud Provider Observability dashboards, metadata and scrape jobs, accounts or credentials, and configurations.
The following table describes what permissions each Grafana Cloud basic role provides users for Cloud Provider Observability:
Basic role | Permissions in Cloud Provider Observability |
---|---|
Grafana Admin | Read and write access to all providers and dashboards. |
Admin | Read and write access to all providers and dashboards. |
Editor | Read access to Cloud Provider Observability, including all provider dashboards and scraped services. |
Viewer | Read access to Cloud Provider Observability, including all provider dashboards and scraped services. |
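The rules in the two tables and in the Note above combine in ways that are easy to get wrong when granting access: a Viewer with a writer plugin role can change one provider's configuration but still cannot install dashboards until two fixed roles are added, and a user with only a plugin role sees no dashboard data without Datasources:Reader. The following is an added example, not Grafana's own authorization code and not part of this documentation: it encodes the rules stated on this page as a small linter that an administrator can run against a planned assignment before granting it. The role names are the ones in the tables; the `Assignment`, `Result` and `evaluate` names are this example's own, and it calls no Grafana API.

```python
"""Linter for Cloud Provider Observability role assignments.

Constructed example: a model of the basic-role, plugin-role and fixed-role
rules stated on this page, used to check a planned assignment before it is
granted. It is not Grafana's own authorization code and calls no API; the
role names are those in the tables above, the type and function names are
this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

PROVIDERS = frozenset({"AWS", "Azure", "GCP"})

# Each plugin writer role grants write access to exactly one provider.
WRITER_PROVIDER = {"AWS Writer": "AWS", "Azure Writer": "Azure", "GCP Writer": "GCP"}
PLUGIN_ROLES = frozenset({"Reader", *WRITER_PROVIDER})
BASIC_ROLES = frozenset({"Grafana Admin", "Admin", "Editor", "Viewer"})
ADMIN_ROLES = frozenset({"Grafana Admin", "Admin"})

# Fixed-role prerequisites from the Note above.
DATA_PREREQ = frozenset({"Datasources:Reader"})
INSTALL_PREREQ = frozenset({"Dashboards:Writer", "Folders:Writer"})


@dataclass
class Assignment:
    basic_role: Optional[str]                # None: no Grafana Cloud basic role
    plugin_roles: Set[str] = field(default_factory=set)
    fixed_roles: Set[str] = field(default_factory=set)


@dataclass
class Result:
    read: bool                               # may view dashboards and scraped services
    write_providers: Set[str]                # providers whose configuration may be changed
    missing_fixed_roles: Set[str]            # prerequisites the Note requires but absent
    warnings: List[str]


def evaluate(a: Assignment) -> Result:
    """Derive effective Cloud Provider Observability access from an assignment."""
    unknown = set(a.plugin_roles) - PLUGIN_ROLES
    if a.basic_role is not None and a.basic_role not in BASIC_ROLES:
        unknown.add(a.basic_role)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")

    # Every basic role and every plugin role carries read access to the app.
    read = a.basic_role is not None or bool(a.plugin_roles)

    # Admin and Grafana Admin write to all providers; Editor and Viewer are
    # read-only; each writer plugin role adds its one provider.
    write: Set[str] = set(PROVIDERS) if a.basic_role in ADMIN_ROLES else set()
    write |= {WRITER_PROVIDER[r] for r in a.plugin_roles if r in WRITER_PROVIDER}

    missing: Set[str] = set()
    warnings: List[str] = []

    # Rule 1: a plugin role with no basic role needs Datasources:Reader to see data.
    if a.plugin_roles and a.basic_role is None:
        need = DATA_PREREQ - a.fixed_roles
        if need:
            missing |= need
            warnings.append("no basic role: add Datasources:Reader to see dashboard data")

    # Rule 2: a writer plugin role with the Viewer or no basic role needs
    # Dashboards:Writer and Folders:Writer to install dashboards, alerts, folders.
    has_writer = any(r in WRITER_PROVIDER for r in a.plugin_roles)
    if has_writer and a.basic_role in (None, "Viewer"):
        need = INSTALL_PREREQ - a.fixed_roles
        if need:
            missing |= need
            warnings.append(
                f"writer role with {a.basic_role or 'no'} basic role: add "
                f"{', '.join(sorted(need))} to install dashboards or add alerts and folders"
            )

    return Result(read, write, missing, warnings)


def least_privilege_for_aws_scrape_jobs() -> Assignment:
    """The page's worked case: a Viewer who must update AWS scrape jobs without
    being made Admin, plus the fixed roles the Note requires."""
    return Assignment("Viewer", {"AWS Writer"}, set(INSTALL_PREREQ))


if __name__ == "__main__":
    cases = [
        ("viewer + AWS Writer, no fixed roles", Assignment("Viewer", {"AWS Writer"})),
        ("Reader only, no basic role", Assignment(None, {"Reader"})),
        ("least-privilege AWS operator", least_privilege_for_aws_scrape_jobs()),
    ]
    for label, a in cases:
        r = evaluate(a)
        print(f"{label}: read={r.read} write={sorted(r.write_providers)} "
              f"missing={sorted(r.missing_fixed_roles)}")
```

Running the three cases shows the point of the Note: the first assignment already grants AWS write access but reports two missing fixed roles, the second reports a missing Datasources:Reader, and the third is the complete least-privilege grant for the scenario in the "Fine-grained app access" section.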