Role-based access control (RBAC) overview

Note

Available in Grafana Enterprise and Grafana Cloud.

Role-based access control (RBAC) provides a standardized way of granting, changing, and revoking access so that users can view and modify Grafana resources such as dashboards, reports, and administrative settings. RBAC extends the permissions of basic roles included in Grafana OSS, and enables more granular control of users’ actions.

You can use RBAC to:

  • Modify existing basic roles: for example, enable an editor to create reports.
  • Assign fixed roles to users and teams: for example, grant an engineering team the ability to create data sources.
  • Create custom roles: for example, a role that allows users to create and edit dashboards, but not delete them.

RBAC roles and permissions

RBAC roles are associated to multiple permissions, each of which has an action and a scope:

  • Action: An action describes what tasks a user can perform on a resource.
  • Scope: A scope describes where an action can be performed, such as reading a specific user profile. In that example, the permission carries the scope users:<userId>, and that permission is then assigned to the relevant role.

For more information refer to RBAC permission’s actions and scopes.

Available RBAC roles

You can assign the following RBAC roles in Grafana:

  • Basic role: Basic roles are the standard roles available in Grafana OSS.
  • Fixed role: If you’re using Grafana Enterprise or Grafana Cloud, you can assign discrete fixed roles to users, teams, and service accounts for finer-grained control over user permissions than you can have with basic roles alone.
  • Custom role: If you’re using Grafana Enterprise or Grafana Cloud, use custom roles to create unique combinations of permission actions and scopes.

Additionally, if you’re using Grafana Cloud app plugins, there are roles that control access to specific plugin features; these can be assigned to users, teams, or basic roles. For more information refer to RBAC for app plugins.

Basic roles

Basic roles are the standard roles that are available in Grafana OSS. If you’re using Grafana Enterprise or Cloud you can still use basic roles.

Grafana includes the following basic roles:

  • Grafana administrator
  • Organization administrator
  • Editor
  • Viewer
  • None

Caution

All Grafana users must have a basic role assigned. Use the None role for users with no permissions.

Each basic role is comprised of a number of permissions. For example, the viewer basic role contains the following permissions, among others:

  • Action: datasources.id:read, Scope: datasources:*: Enables the viewer to see the ID of a data source.
  • Action: orgs:read: Enables the viewer to see their organization details.
  • Action: annotations:read, Scope: annotations:*: Enables the viewer to see annotations that other users have added to a dashboard.

For a comprehensive list of the basic role permissions refer to Permissions associated to basic roles.

Modify basic roles

You can use RBAC to modify the permissions associated with any basic role, which changes what viewers, editors, or admins can do. If you modify a basic role, the change is not propagated to the other basic roles. You can’t delete basic roles.

You can modify basic roles using the configuration file or with the RBAC API. Refer to Manage RBAC roles to learn how.

Note that:

  • You cannot use a service account to modify basic roles via the RBAC API. To update basic roles, you must be a Grafana administrator and use basic authentication with the request.
  • If you’re a Cloud customer, contact Support to reset roles.

Fixed roles

If you’re using Grafana Enterprise or Grafana Cloud, you can assign discrete fixed roles to users, teams, and service accounts. This gives you finer-grained control over user permissions than you would have with basic roles alone. These roles are called “fixed” because you cannot change or delete them. You can also create custom roles of your own; see the custom roles section below for more information.

Assign fixed roles when the basic roles do not meet your permission requirements. For example, you might want a user with the basic viewer role to also edit dashboards. Or, you might want anyone with the editor role to also add and manage users. Fixed roles provide users more granular access to create, view, and update the following Grafana resources:

To learn more about the permissions you can grant for each resource, refer to RBAC role definitions.

Custom roles

If you’re using Grafana Enterprise or Grafana Cloud, you can create custom roles to manage user permissions in a way that meets your security requirements. Custom roles contain unique combinations of permission actions (the allowed task) and scopes (where to perform the task).

For example:

  • The teams.roles:read action allows a user to see a list of roles associated with each team.
  • The teams:id:1 scope restricts the user’s action to the team with ID 1. When paired with the teams.roles:read action, this permission prohibits the user from viewing the roles for teams other than team 1.

Consider creating a custom role only when fixed roles do not meet your permissions requirements. To learn more, refer to Create custom roles.

Permission propagation

If you modify a specific basic role, the change is not propagated to the other basic roles. In other words, if you modify the Viewer basic role and grant it additional permissions, Editors and Admins won’t be updated with that additional grant.

New permissions

When a new permission is created, it’s added automatically to modified basic roles. This means that access to a feature you thought you had removed can be restored when that feature gains new permissions.

If you’re using custom roles, new permissions are not added automatically. If a new feature that requires additional permissions is released, you will have to add the permissions to custom roles manually. 

Stop automatic access to new features

You can stop new plugins or apps from being automatically accessible to users with the default Editor or Viewer basic roles in Grafana Cloud. While this will not prevent new core Grafana features or new permissions inside existing apps from appearing, it will limit plugin access. For core RBAC changes, you will need to manage drift manually or set up automation.

The basic_editor and basic_viewer roles often include the following permission:

    {
      "action": "plugins.app:access",
      "scope": "plugins:*"
    }

This allows access to all current and future plugins, including ones your users may not need or have licensed, such as IRM, Machine Learning, or Synthetics.

To prevent this, you can:

  • Remove the wildcard access.
  • Add explicit plugin permissions for only the apps you want.

To do so, follow these steps:

  1. Get the current definition of the role. Refer to View role definitions for more details.

  2. Modify the role definition. Open the JSON file, remove this permission, and add only the plugin IDs you want to keep access to. Make sure to include cloud-home-app or the homepage will result in a 404 error. For example:

    {
    "action": "plugins.app:access",
    "scope": "plugins:id:grafana-kowalski-app"
    },
    {
    "action": "plugins.app:access",
    "scope": "plugins:id:cloud-home-app"
    }
  3. Optionally, if apps include fixed roles or granular actions, specify the required role-based permissions.

  4. Bump the role version. Find the version field in the JSON and increment it by 1.

  5. Update the modified role via the API:

    curl -X PUT -H "Authorization: Bearer <admin SA token>" \
     -H "Content-Type: application/json" \
     https://<your-stack>.grafana.net/api/access-control/roles/basic_editor \
     -d @editor_custom_role.json
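As an added example (not code from Grafana's documentation or code base), the following Python script carries out steps 1 to 5 offline on a constructed role definition: it strips the wildcard plugins.app:access grant, adds one explicit grant per plugin ID while always keeping cloud-home-app, and bumps the version. It also includes a small action/scope check, matching the permission model described earlier on this page, so you can confirm what the modified role still grants; the trailing-wildcard scope matching is an assumption about Grafana's semantics.

```python
import copy
import json

# Constructed sample role definition (not a real Grafana export): the shape
# mirrors the fields the page refers to (version, permissions with action/scope).
SAMPLE_ROLE = {
    "uid": "basic_editor",
    "name": "basic:editor",
    "version": 7,
    "permissions": [
        {"action": "dashboards:create", "scope": "folders:*"},
        {"action": "plugins.app:access", "scope": "plugins:*"},
    ],
}

def scope_matches(granted, requested):
    """Assumed Grafana wildcard semantics: a trailing '*' matches any suffix."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def grants(role, action, scope):
    """Return True if any permission in the role covers (action, scope)."""
    return any(
        p["action"] == action and scope_matches(p.get("scope", ""), scope)
        for p in role["permissions"]
    )

def restrict_plugin_access(role, keep_plugin_ids):
    """Replace wildcard plugin access with explicit grants and bump the version."""
    new_role = copy.deepcopy(role)
    # Drop every plugins.app:access permission that uses a wildcard scope.
    new_role["permissions"] = [
        p for p in new_role["permissions"]
        if not (p["action"] == "plugins.app:access" and p.get("scope", "").endswith("*"))
    ]
    # Add one explicit grant per plugin ID; cloud-home-app is always kept
    # because the page warns that the homepage returns 404 without it.
    for plugin_id in sorted(set(keep_plugin_ids) | {"cloud-home-app"}):
        new_role["permissions"].append(
            {"action": "plugins.app:access", "scope": f"plugins:id:{plugin_id}"}
        )
    new_role["version"] = role["version"] + 1  # required before the PUT
    return new_role

if __name__ == "__main__":
    restricted = restrict_plugin_access(SAMPLE_ROLE, ["grafana-kowalski-app"])
    print(json.dumps(restricted, indent=2))  # save as editor_custom_role.json
```

Run it and redirect the output to the JSON file named in the curl command above; the checks show that an unlisted app such as an IRM plugin is no longer covered while cloud-home-app still is.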

RBAC limitations

If you have created a folder with the name General or general, you cannot manage its permissions with RBAC.

If you set folder permissions for a folder named General or general, the system disregards the folder when RBAC is enabled.

The RBAC API

For information on the RBAC API refer to the RBAC API documentation.