---
title: "Grafana RBAC permission actions and scopes | Grafana Cloud documentation"
description: "Learn about Grafana RBAC permissions, actions, and scopes."
---

# Grafana RBAC permission actions and scopes

> Note
> 
> Available in [Grafana Enterprise](/docs/grafana/next/introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud/).

An RBAC permission comprises an action and a scope:

- **Action:** An action describes what tasks a user can perform on a resource.
- **Scope:** A scope describes where an action can be performed, such as reading a specific user profile. In that example, the permission is granted to the relevant role with the scope `users:id:<userId>`, so the action applies to that one user only.

To learn more about the Grafana resources to which you can apply RBAC, refer to [Resources with RBAC permissions](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/#fixed-roles).

If you’re using Grafana Enterprise or Grafana Cloud, you can create **custom roles** with specific sets of permissions. Refer to [Create custom roles](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/create-custom-roles/) to learn how.

## Action definitions

The following table lists the role-based access control actions, the scopes each action accepts, and what each action grants. An action whose scope is "None" takes no scope at all.

| Action | Applicable scopes | Description |
|--------|-------------------|-------------|
| `alert.instances.external:read` | `datasources:*` <br />`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*` <br />`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | None | Create silences in the current organization. |
| `alert.instances:read` | None | Read alerts and silences in the current organization. |
| `alert.instances:write` | None | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*` <br />`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*` <br />`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | None | **Deprecated.** Manage templates, contact points, notification policies, and mute timings in the current organization. Use the granular actions (`alert.notifications.templates:write`, `alert.notifications.receivers:write`, etc.) instead. |
| `alert.notifications:read` | None | **Deprecated.** Read all templates, contact points, notification policies, and mute timings in the current organization. Use the granular actions (`alert.notifications.templates:read`, `alert.notifications.receivers:read`, etc.) instead. |
| `alert.rules.external:read` | `datasources:*` <br />`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki). |
| `alert.rules.external:write` | `datasources:*` <br />`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*` <br />`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of the data sources the user can query. |
| `alert.rules:delete` | `folders:*` <br />`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. |
| `alert.rules:read` | `folders:*` <br />`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of the data sources the user can query. |
| `alert.rules:write` | `folders:*` <br />`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications, add `datasources:query` in the scope of the data sources the user can query. |
| `alert.silences:create` | `folders:*` <br />`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*` <br />`folders:uid:*` | Read all general silences and the rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*` <br />`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | None | Read all Grafana alert rules, notification policies, and so on, via the provisioning API. Folder and data source permissions are not required. |
| `alert.provisioning.secrets:read` | None | Same as `alert.provisioning:read`, plus the ability to export resources with decrypted secrets. |
| `alert.provisioning:write` | None | Update all Grafana alert rules, notification policies, and so on, via the provisioning API. Folder and data source permissions are not required. |
| `alert.provisioning.provenance:write` | None | Set the provisioning status of alerting resources. Cannot be used alone; the user must also have permission to access the resources. |
| `annotations:create` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Create annotations. |
| `annotations:delete` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Delete annotations. |
| `annotations:read` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Read annotations and annotation tags. |
| `annotations:write` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Update annotations. |
| `banners:write` | None | Create [announcement banners](/docs/grafana-cloud/whats-new/2024-09-10-announcement-banner/). |
| `dashboards:create` | `folders:*` <br />`folders:uid:*` | Create dashboards in one or more folders and their subfolders. |
| `dashboards:delete` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Delete one or more dashboards. |
| `dashboards.insights:read` | None | Read dashboard insights data and see presence indicators. To view insights, `dashboards:read` on the dashboard is also needed. |
| `dashboards.permissions:read` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Update permissions for one or more dashboards. |
| `dashboards:read` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Update one or more dashboards. |
| `dashboards.public:write` | `dashboards:*` <br />`dashboards:uid:*` | Write shared dashboard configuration. |
| `datasources.caching:read` | `datasources:*` <br />`datasources:uid:*` | Read data source query caching settings. |
| `datasources.caching:write` | `datasources:*` <br />`datasources:uid:*` | Update data source query caching settings. |
| `datasources:create` | None | Create data sources. |
| `datasources:delete` | `datasources:*` <br />`datasources:uid:*` | Delete data sources. |
| `datasources:explore` | None | Enable access to the **Explore** tab. |
| `datasources.id:read` | `datasources:*` <br />`datasources:uid:*` | Read data source IDs. |
| `datasources.insights:read` | None | Read data source insights data. To view insights, `datasources:read` on the data source is also needed. |
| `datasources.permissions:read` | `datasources:*` <br />`datasources:uid:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*` <br />`datasources:uid:*` | Update data source permissions. |
| `datasources:query` | `datasources:*` <br />`datasources:uid:*` | Query data sources. |
| `datasources:read` | `datasources:*` <br />`datasources:uid:*` | List data sources. |
| `datasources:write` | `datasources:*` <br />`datasources:uid:*` | Update data sources. |
| `featuremgmt.read` | None | Read feature toggles. |
| `featuremgmt.write` | None | Write feature toggles. |
| `folders.permissions:read` | `folders:*` <br />`folders:uid:*` | Read permissions for one or more folders and their subfolders. |
| `folders.permissions:write` | `folders:*` <br />`folders:uid:*` | Update permissions for one or more folders and their subfolders. |
| `folders:create` | `folders:*` <br />`folders:uid:*` <br />`folders:uid:general` | Create folders or subfolders. When granted with the scope `folders:uid:general`, it allows creating root-level folders. Otherwise, it allows creating subfolders under the specified folders. |
| `folders:delete` | `folders:*` <br />`folders:uid:*` | Delete one or more folders and their subfolders. |
| `folders:read` | `folders:*` <br />`folders:uid:*` | Read one or more folders and their subfolders. |
| `folders:write` | `folders:*` <br />`folders:uid:*` | Update one or more folders and their subfolders. |
| `ldap.config:reload` | None | Reload the LDAP configuration. |
| `ldap.status:read` | None | Verify the availability of the LDAP server or servers. |
| `ldap.user:read` | None | Read users via LDAP. |
| `ldap.user:sync` | None | Sync users via LDAP. |
| `library.panels:create` | `folders:*` <br />`folders:uid:*` | Create a library panel in one or more folders and their subfolders. |
| `library.panels:read` | `folders:*` <br />`folders:uid:*` <br />`library.panels:*` <br />`library.panels:uid:*` | Read one or more library panels. |
| `library.panels:write` | `folders:*` <br />`folders:uid:*` <br />`library.panels:*` <br />`library.panels:uid:*` | Update one or more library panels. |
| `library.panels:delete` | `folders:*` <br />`folders:uid:*` <br />`library.panels:*` <br />`library.panels:uid:*` | Delete one or more library panels. |
| `licensing.reports:read` | None | Get custom permission reports. |
| `licensing:delete` | None | Delete the license token. |
| `licensing:read` | None | Read licensing information. |
| `licensing:write` | None | Update the license token. |
| `migrationassistant:migrate` | None | Execute on-prem to cloud migrations through the Migration Assistant. |
| `org.users:write` | `users:*` <br />`users:id:*` | Update the organization role (`None`, `Viewer`, `Editor`, or `Admin`) of a user. |
| `org.users:add` | `users:*` <br />`users:id:*` | Add a user to an organization or invite a new user to an organization. |
| `org.users:read` | `users:*` <br />`users:id:*` | Get user profiles within an organization. |
| `org.users:remove` | `users:*` <br />`users:id:*` | Remove a user from an organization. |
| `orgs.preferences:read` | None | Read organization preferences. |
| `orgs.preferences:write` | None | Update organization preferences. |
| `orgs.quotas:read` | None | Read organization quotas. |
| `orgs.quotas:write` | None | Update organization quotas. |
| `orgs:create` | None | Create an organization. |
| `orgs:delete` | None | Delete one or more organizations. |
| `orgs:read` | None | Read one or more organizations. |
| `orgs:write` | None | Update one or more organizations. |
| `plugins.app:access` | `plugins:*` <br />`plugins:id:*` | Access one or more application plugins (the organization role is still enforced). |
| `plugins:install` | None | Install and uninstall plugins. |
| `plugins:write` | `plugins:*` <br />`plugins:id:*` | Edit settings for one or more plugins. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for a specific provisioner, refer to [Scope definitions](#scope-definitions). |
| `reports:create` | None | Create reports. |
| `reports:write` | `reports:*` <br />`reports:id:*` | Update reports. |
| `reports.settings:read` | None | Read report settings. |
| `reports.settings:write` | None | Update report settings. |
| `reports:delete` | `reports:*` <br />`reports:id:*` | Delete reports. |
| `reports:read` | `reports:*` <br />`reports:id:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` <br />`reports:id:*` | Send a report email. |
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
| `roles:read` | `roles:*` <br />`roles:uid:*` | List roles and read a specific role with its permissions. |
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. |
| `secret.securevalues:create` | `secret.securevalues:*` | Create secure values. |
| `secret.securevalues:read` | `secret.securevalues:*` | Read and list secure values. |
| `secret.securevalues:write` | `secret.securevalues:*` | Update secure values. |
| `secret.securevalues:delete` | `secret.securevalues:*` | Delete secure values. |
| `server.stats:read` | None | Read Grafana instance statistics. |
| `server.usagestats.report:read` | None | View the usage statistics report. |
| `serviceaccounts:create` | None | Create Grafana service accounts. |
| `serviceaccounts:write` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Update Grafana service accounts. |
| `serviceaccounts:delete` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Delete Grafana service accounts. |
| `serviceaccounts:read` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Read Grafana service accounts. |
| `serviceaccounts.permissions:write` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Update Grafana service account permissions to control who can do what with the service account. |
| `serviceaccounts.permissions:read` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Read Grafana service account permissions to see who can do what with the service account. |
| `settings:read` | `settings:*` <br />`settings:auth.saml:*` <br />`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings](/docs/grafana/next/setup-grafana/configure-grafana/). |
| `settings:write` | `settings:*` <br />`settings:auth.saml:*` <br />`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime](/docs/grafana/next/setup-grafana/configure-grafana/settings-updates-at-runtime/). |
| `support.bundles:create` | None | Create support bundles. |
| `support.bundles:delete` | None | Delete support bundles. |
| `support.bundles:read` | None | List and download support bundles. |
| `snapshots:create` | None | Create snapshots. |
| `snapshots:delete` | None | Delete snapshots. |
| `snapshots:read` | None | List snapshots. |
| `status:accesscontrol` | `services:accesscontrol` | Get the access-control enabled status. |
| `teams.permissions:read` | `teams:*` <br />`teams:id:*` | Read members and the Team Sync setup for teams. |
| `teams.permissions:write` | `teams:*` <br />`teams:id:*` | Add, remove, and update members and manage the Team Sync setup for teams. |
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
| `teams.roles:read` | `teams:*` <br />`teams:id:*` | List roles assigned directly to a team. |
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
| `teams:create` | None | Create teams. |
| `teams:delete` | `teams:*` <br />`teams:id:*` | Delete one or more teams. |
| `teams:read` | `teams:*` <br />`teams:id:*` | Read one or more teams and team preferences. To list teams through the UI, one of the following permissions is required in addition to `teams:read`: `teams:write`, `teams.permissions:read`, or `teams.permissions:write`. |
| `teams:write` | `teams:*` <br />`teams:id:*` | Update one or more teams and team preferences. |
| `users.authtoken:read` | `global.users:*` <br />`global.users:id:*` | List the authentication tokens assigned to a user. |
| `users.authtoken:write` | `global.users:*` <br />`global.users:id:*` | Update the authentication tokens assigned to a user. |
| `users.password:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s password. |
| `users.permissions:read` | `users:*` | List the permissions of a user. |
| `users.permissions:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s organization-level permissions. |
| `users.quotas:read` | `global.users:*` <br />`global.users:id:*` | List a user’s quotas. |
| `users.quotas:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s quotas. |
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. |
| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. |
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. |
| `users:create` | None | Create a user. |
| `users:delete` | `global.users:*` <br />`global.users:id:*` | Delete a user. |
| `users:disable` | `global.users:*` <br />`global.users:id:*` | Disable a user. |
| `users:enable` | `global.users:*` <br />`global.users:id:*` | Enable a user. |
| `users:logout` | `global.users:*` <br />`global.users:id:*` | Sign out a user. |
| `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s profile. |

### Grafana Alerting Notification action definitions


| Action                                          | Applicable scopes                                               | Description                                                                                                                                                                                                                                                |
|-------------------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `alert.notifications.receivers:read`            | `receivers:*`  <br />`receivers:uid:*`                          | Read contact points.                                                                                                                                                                                                                                       |
| `alert.notifications.receivers.secrets:read`    | `receivers:*`  <br />`receivers:uid:*`                          | Export contact points with decrypted secrets.                                                                                                                                                                                                              |
| `alert.notifications.receivers:create`          | None                                                            | Create new contact points. The creator is automatically granted full access to the created contact point.                                                                                                                                                  |
| `alert.notifications.receivers:write`           | `receivers:*`  <br />`receivers:uid:*`                          | Update existing contact points.                                                                                                                                                                                                                            |
| `alert.notifications.receivers.protected:write` | `receivers:*`  <br />`receivers:uid:*`                          | Update [protected fields](/docs/grafana-cloud/alerting-and-irm/alerting/configure-notifications/manage-contact-points/#grafana-cloud-protected-fields) in contact points (such as target URLs for integrations). This scope only applies to Grafana Cloud. |
| `alert.notifications.receivers:delete`          | `receivers:*`  <br />`receivers:uid:*`                          | Delete existing contact points.                                                                                                                                                                                                                            |
| `alert.notifications.receivers:test`            | None                                                            | **Deprecated.** Test contact point notifications. Use `alert.notifications.receivers.test:create` instead.                                                                                                                                                 |
| `alert.notifications.receivers.test:create`     | `receivers:*`  <br />`receivers:uid:*`  <br />`receivers:uid:-` | Test contact points to verify their configuration. Use scope `receivers:uid:-` to grant permission to test new integrations                                                                                                                                |
| `receivers.permissions:read`                    | `receivers:*`  <br />`receivers:uid:*`                          | Read permissions for contact points.                                                                                                                                                                                                                       |
| `receivers.permissions:write`                   | `receivers:*`  <br />`receivers:uid:*`                          | Manage permissions for contact points.                                                                                                                                                                                                                     |
| `alert.notifications.time-intervals:read`       | None                                                            | Read mute time intervals.                                                                                                                                                                                                                                  |
| `alert.notifications.time-intervals:write`      | None                                                            | Create new or update existing mute time intervals.                                                                                                                                                                                                         |
| `alert.notifications.time-intervals:delete`     | None                                                            | Delete existing time intervals.                                                                                                                                                                                                                            |
| `alert.notifications.templates:read`            | None                                                            | Read templates.                                                                                                                                                                                                                                            |
| `alert.notifications.templates:write`           | None                                                            | Create new or update existing templates.                                                                                                                                                                                                                   |
| `alert.notifications.templates:delete`          | None                                                            | Delete existing templates.                                                                                                                                                                                                                                 |
| `alert.notifications.templates.test:write`      | None                                                            | Test templates with custom payloads (preview and payload editor functionality).                                                                                                                                                                            |
| `alert.notifications.routes:read`               | None                                                            | **Deprecated.** Read notification policies. Use `notifications.alerting.grafana.app/routingtrees:get` with an appropriate scope instead.                                                                                                                   |
| `alert.notifications.routes:write`              | None                                                            | **Deprecated.** Create, update, or delete notification policies. Use `notifications.alerting.grafana.app/routingtrees:update` and `notifications.alerting.grafana.app/routingtrees:delete` with an appropriate scope instead.                              |

## Scope definitions

The following table lists the role-based access control scopes. A scope of the form `kind:*` matches every resource of that kind; `kind:attribute:*` matches every resource by that attribute; `kind:attribute:value` matches exactly one resource.

| Scope | Description |
|-------|-------------|
| `annotations:*` <br />`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, and `annotations:type:organization` matches organization annotations. |
| `dashboards:*` <br />`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
| `datasources:*` <br />`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
| `folders:*` <br />`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. Note that permissions granted on a folder cascade down to the subfolders located under it. |
| `global.users:*` <br />`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user, and `global.users:id:1` matches the user whose ID is `1`. |
| `library.panels:*` <br />`library.panels:uid:*` | Restrict an action to a set of library panels. For example, `library.panels:*` matches any library panel, and `library.panels:uid:1` matches the library panel whose UID is `1`. |
| `orgs:*` <br />`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization, and `orgs:id:1` matches the organization whose ID is `1`. |
| `permissions:type:delegate` | This scope applies only to the actions of the access control service itself. It indicates that you can delegate only your own permissions, or a subset of them, by creating a new role or by making a role assignment. |
| `permissions:type:escalate` | This scope is required to trigger a reset of the basic roles’ permissions. It indicates that users might acquire additional permissions they did not previously have. |
| `plugins:*` <br />`plugins:id:*` | Restrict an action to a set of plugins. For example, `plugins:id:grafana-oncall-app` matches the Grafana OnCall plugin, and `plugins:*` matches all plugins. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/rbac-grafana-provisioning/). |
| `reports:*` <br />`reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report, and `reports:id:1` matches the report whose ID is `1`. |
| `roles:*` <br />`roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
| `services:accesscontrol` | Restrict an action to target only the role-based access control service. Use it in conjunction with the `status:accesscontrol` action. |
| `serviceaccounts:*` <br />`serviceaccounts:id:*` | Restrict an action to a set of service accounts in an organization. For example, `serviceaccounts:*` matches any service account, and `serviceaccounts:id:1` matches the service account whose ID is `1`. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the `enabled` property of the SAML settings. |
| `teams:*` <br />`teams:id:*` | Restrict an action to a set of teams in an organization. For example, `teams:*` matches any team, and `teams:id:1` matches the team whose ID is `1`. |
| `users:*` <br />`users:id:*` | Restrict an action to a set of users in an organization. For example, `users:*` matches any user, and `users:id:1` matches the user whose ID is `1`. |
| None | If an action has "None" specified as the scope, the action doesn’t require a scope. For example, the `teams:create` action doesn’t require a scope and allows users to create teams. |
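The scope forms above, the folder cascade, and the combination rule given for `alert.rules:create` in the action table (the action on the folder, plus `folders:read` on a scope that includes the folder, plus `datasources:query` on the data source the rule queries) can be checked against a small model. The following Python is an added example written for this page; it is not Grafana's evaluation code. The folder tree, the custom role, and the convention that a scopeless permission carries an empty scope string are constructed for illustration.

```python
"""Model of how an RBAC permission (action + scope) is evaluated.

Added example for this page; it is NOT Grafana's evaluation code. It covers
the scope forms documented above: an exact "kind:attribute:value", the
"kind:attribute:*" and "kind:*" wildcards, and a scopeless action. Folder
cascade is modelled by testing every folder from the resource's folder up
to the root. The folder tree, the role, and the convention that a scopeless
permission carries an empty scope string are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str
    scope: str = ""  # "" stands for "None" in the tables on this page


def scope_matches(granted: str, requested: str) -> bool:
    """Does the granted scope cover one resource's fully qualified scope?

    "folders:uid:abc" covers only that folder; "folders:uid:*" and
    "folders:*" cover every folder; nothing under "folders:" ever covers a
    "dashboards:..." scope, because the kind prefix must match.
    """
    if granted == requested:
        return True
    if granted.endswith(":*"):
        return requested.startswith(granted[:-1])  # keep the trailing ':'
    return False


def has_permission(perms, action, resource_scopes=()):
    """True if some permission grants `action` on any of `resource_scopes`.

    Pass no resource scopes for a scopeless action such as "teams:create".
    """
    for p in perms:
        if p.action != action:
            continue
        if not resource_scopes:
            return True
        if any(scope_matches(p.scope, r) for r in resource_scopes):
            return True
    return False


# Constructed folder tree: folder UID -> parent UID (None = root level).
FOLDER_PARENT = {
    "infra": None,
    "infra-prod": "infra",
    "infra-prod-db": "infra-prod",
    "finance": None,
}


def folder_chain(folder_uid):
    """Scopes for a folder and every ancestor, so a grant on an ancestor cascades."""
    chain = []
    while folder_uid is not None:
        chain.append(f"folders:uid:{folder_uid}")
        folder_uid = FOLDER_PARENT[folder_uid]
    return chain


def dashboard_scopes(dashboard_uid, folder_uid):
    """A dashboard is reachable via its own UID scope or any folder scope above it."""
    return [f"dashboards:uid:{dashboard_uid}", *folder_chain(folder_uid)]


def can_create_alert_rule(perms, folder_uid, datasource_uid):
    """The page's combination rule for alert.rules:create.

    The action on the folder alone is not enough: the user also needs
    folders:read on a scope that includes the folder and datasources:query
    on the data source the rule queries.
    """
    folders = folder_chain(folder_uid)
    return (
        has_permission(perms, "alert.rules:create", folders)
        and has_permission(perms, "folders:read", folders)
        and has_permission(perms, "datasources:query", [f"datasources:uid:{datasource_uid}"])
    )


# Constructed custom role; not one of Grafana's fixed or basic roles.
INFRA_ONCALL = [
    Permission("folders:read", "folders:uid:infra"),
    Permission("dashboards:read", "folders:uid:infra"),
    Permission("alert.rules:create", "folders:uid:infra-prod"),
    Permission("datasources:query", "datasources:uid:prom-prod"),
    Permission("teams:create"),
]

if __name__ == "__main__":
    # Cascade: the grant on "infra" reaches a dashboard two levels down.
    print(has_permission(INFRA_ONCALL, "dashboards:read", dashboard_scopes("d1", "infra-prod-db")))
    # No grant covers the "finance" tree.
    print(has_permission(INFRA_ONCALL, "dashboards:read", dashboard_scopes("d2", "finance")))
    # All three pieces of the alert.rules:create rule are present here ...
    print(can_create_alert_rule(INFRA_ONCALL, "infra-prod-db", "prom-prod"))
    # ... but not for a data source the role cannot query.
    print(can_create_alert_rule(INFRA_ONCALL, "infra-prod", "loki-prod"))
```

The point of the last two calls is the one practitioners most often get wrong when building custom roles: `alert.rules:create` scoped to a folder is silently useless until the same role (or another role held by the user) also carries `folders:read` on that folder and `datasources:query` on every data source the rules will query.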

## Discover plugin actions

The action definitions table above lists actions for core Grafana features. App plugins can define their own actions, which follow the pattern `<plugin-id>.<resource>:<operation>`.

To discover which actions a plugin supports, query an existing role that has plugin permissions. For example, to see what actions are available for a plugin, you can query the basic Admin role:


```bash
curl -X GET "https://your-grafana-instance/api/access-control/roles/basic_admin" \
  -H "Authorization: Bearer <your-service-account-token>"
```

The response includes all permissions granted to that role, including plugin-specific actions. Plugin actions typically use `None` for their scope because they operate at the organization level.
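As an added example (not Grafana tooling), the following Python script takes a role fetched as above and separates plugin-defined actions from core ones, and at the same time flags the deprecated actions listed on this page and any permission carrying the `permissions:type:delegate` or `permissions:type:escalate` scope. It assumes the response is a JSON object with a `permissions` list whose items carry `action` and `scope` keys (scope `""` for scopeless actions), and that plugin IDs follow Grafana's `<org>-<name>-<type>` naming; the sample role and its plugin action names are constructed for the example.

```python
"""Audit a role returned by GET /api/access-control/roles/<uid>.

Added example for this page, not Grafana's own tooling. Assumed response
shape: a JSON object with a "permissions" list whose items carry "action"
and "scope" keys ("" for scopeless actions). The sample role below is
constructed and is not a real Grafana role.
"""
import json
import re
import urllib.request

# Assumption: plugin IDs follow "<org>-<name>-<type>" with type app, panel or
# datasource, and plugin actions are "<plugin-id>.<resource>:<operation>".
# Core actions such as "dashboards:read" or "alert.rules:create" carry no
# hyphenated plugin ID before the first dot and therefore never match.
PLUGIN_ACTION = re.compile(
    r"^(?P<plugin>[0-9a-z]+-(?:[0-9a-z]+-)?(?:app|panel|datasource))"
    r"\.(?P<resource>[^:]+):(?P<operation>[^:]+)$"
)

# Deprecated actions and their replacements, as listed on this page.
DEPRECATED = {
    "alert.notifications:read": "granular alert.notifications.*:read actions",
    "alert.notifications:write": "granular alert.notifications.*:write actions",
    "alert.notifications.receivers:test": "alert.notifications.receivers.test:create",
    "alert.notifications.routes:read": "notifications.alerting.grafana.app/routingtrees:get",
    "alert.notifications.routes:write": "notifications.alerting.grafana.app/routingtrees:update and :delete",
}

# Scopes that let the holder hand out or regain permissions; the page notes
# that "escalate" can leave users with permissions they did not have before.
PRIVILEGE_SCOPES = {"permissions:type:delegate", "permissions:type:escalate"}


def fetch_role(base_url, token, role_uid):
    """Fetch one role with a service account token (not exercised offline)."""
    req = urllib.request.Request(
        f"{base_url}/api/access-control/roles/{role_uid}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_role(role):
    """Group plugin actions by plugin ID; list deprecated and privilege-bearing permissions."""
    plugin_actions, deprecated, privilege = {}, [], []
    for perm in role.get("permissions", []):
        action, scope = perm["action"], perm.get("scope", "")
        m = PLUGIN_ACTION.match(action)
        if m:
            plugin_actions.setdefault(m["plugin"], []).append(action)
        if action in DEPRECATED:
            deprecated.append((action, DEPRECATED[action]))
        if scope in PRIVILEGE_SCOPES:
            privilege.append((action, scope))
    return {"plugins": plugin_actions, "deprecated": deprecated, "privilege": privilege}


# Constructed sample in the assumed response shape; the plugin action names
# are illustrative, not taken from a real plugin manifest.
SAMPLE_ROLE = json.loads("""
{
  "uid": "example_custom_role",
  "name": "example:oncall_reviewer",
  "permissions": [
    {"action": "dashboards:read", "scope": "folders:uid:infra"},
    {"action": "grafana-oncall-app.alert-groups:read", "scope": ""},
    {"action": "grafana-oncall-app.schedules:write", "scope": ""},
    {"action": "alert.notifications.receivers:test", "scope": ""},
    {"action": "roles:write", "scope": "permissions:type:delegate"}
  ]
}
""")

if __name__ == "__main__":
    # Replace SAMPLE_ROLE with fetch_role("https://your-grafana-instance", token, "basic_admin")
    # to audit a live role.
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Run against `basic_admin` as in the curl above, the `plugins` section of the output is the list of plugin actions available on the instance, grouped by plugin ID; the `deprecated` and `privilege` sections are the entries worth reviewing before copying that role's permissions into a custom role.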

For a centralized reference of plugin roles and their default permissions, refer to [Grafana Cloud app plugin role definitions](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/plugin-role-definitions/).
