Grafana Cloud app plugin role definitions This page lists the RBAC roles available for Grafana Cloud app plugins. Plugin roles control access to specific plugin features and can be assigned to users, teams, or basic roles.
For general information about how RBAC works with app plugins, refer to RBAC for app plugins .
Note
Third-party plugins can define their own RBAC roles. This page documents roles for Grafana Cloud app plugins only. Refer to the documentation for third-party plugins to learn about their available roles.
Default plugin permissions by basic role When you assign a user a basic organization role (Viewer, Editor, or Admin), they automatically receive default plugin permissions. The following table summarizes the default access level for each Grafana Cloud plugin.
Expand table
Plugin Viewer Editor Admin Adaptive Logs Read exemptions Read exemptions Admin access Adaptive Metrics Read recommendations, exemptions Read recommendations, exemptions Admin access Adaptive Traces Read recommendations Read recommendations Admin access Application Observability View access View access Admin access Assistant Chat access, user rules/quickstarts + MCP servers, investigations + Tenant-wide settings Cloud Provider Read access Read access Provider-specific write access Collector Read access Read access Full access Cost Attributions Read attributions Read attributions Read attributions Cost Management and Billing — — Full access Frontend Observability Read apps, source maps + Write apps, source maps + Delete apps Grafana Auth — — Write access policies IRM Read all + Write alert groups, schedules, maintenance, user settings + Write integrations, escalation chains, etc. k6 Read settings + Write settings Admin access Knowledge Graph Read assertions + Write configuration and rules + Full write access Kubernetes Monitoring Read all Read all Admin access Labels Read labels + Create, edit, delete labels + Full write access Machine Learning Read forecasting, outliers, sift + Write forecasting, outliers, sift + Full write access OnCall Read all + Write alert groups, schedules, maintenance, user settings + Write integrations, escalation chains, etc. Private Data Connect — — Full access SLO Read SLOs Create, edit, delete SLOs + Modify org preferences Synthetic Monitoring Read checks, probes, alerts, thresholds + Create, edit, delete checks, probes, alerts, thresholds + Manage access tokens
Note
The permissions above are automatically granted based on the user’s organization role. You can assign additional plugin-specific roles (listed below) to grant more granular access.
Adaptive Logs plugin Plugin ID: grafana-adaptivelogs-app
Expand table
Plugin role Description plugins:grafana-adaptivelogs-app:adminRead/write access to everything in Adaptive Logs plugins:grafana-adaptivelogs-app:patterns-editorRead/write access to recommendations and patterns plugins:grafana-adaptivelogs-app:patterns-readerRead access to recommendations and patterns plugins:grafana-adaptivelogs-app:segments-adminCreate and manipulate segments plugins:grafana-adaptivelogs-app:expiring-exemptions-userUse the expiring exemptions button plugins:grafana-adaptivelogs-app:plugin-accessAccess to the Adaptive Logs plugin
Adaptive Metrics plugin Plugin ID: grafana-adaptive-metrics-app
Expand table
Plugin role Description plugins:grafana-adaptive-metrics-app:adminRead/write access to everything in Adaptive Metrics plugins:grafana-adaptive-metrics-app:rules-editorRead/write access to recommendations and rules plugins:grafana-adaptive-metrics-app:rules-readerRead access to recommendations and rules plugins:grafana-adaptive-metrics-app:exemptions-editorEdit access to recommendation exemptions plugins:grafana-adaptive-metrics-app:exemptions-readerRead access to recommendation exemptions plugins:grafana-adaptive-metrics-app:segments-editorEdit access to segments plugins:grafana-adaptive-metrics-app:segments-readerRead access to segments plugins:grafana-adaptive-metrics-app:config-editorEdit access to plugin configuration plugins:grafana-adaptive-metrics-app:config-readerRead access to plugin configuration plugins:grafana-adaptive-metrics-app:plugin-accessAccess to the Adaptive Metrics plugin
Adaptive Traces plugin Plugin ID: grafana-adaptivetraces-app
Expand table
Plugin role Description plugins:grafana-adaptivetraces-app:adminRead/write access to everything in Adaptive Traces
Application Observability plugin Plugin ID: grafana-app-observability-app
Expand table
Plugin role Description plugins:grafana-app-observability-app:adminRead/write access to everything in Application Observability plugin plugins:grafana-app-observability-app:viewerView access in Application Observability plugin
Cloud Provider plugin Plugin ID: grafana-csp-app
Expand table
Plugin role Description plugins:grafana-csp-app:aws-writerRead/Write access to AWS in Cloud provider plugin plugins:grafana-csp-app:azure-writerRead/Write access to Azure in Cloud provider plugin plugins:grafana-csp-app:gcp-writerRead/Write access to GCP in Cloud provider plugin plugins:grafana-csp-app:readerRead access in Cloud provider plugin
Collector App Plugin ID: grafana-collector-app
Expand table
Plugin role Description plugins:grafana-collector-app:collector-app-adminFull access to the Collector App plugins:grafana-collector-app:collector-app-readerRead-only access to Grafana Collector App
Cost Attributions plugin Plugin ID: grafana-attributions-app
Expand table
Plugin role Description plugins:grafana-attributions-app:cost-attributions-viewerView the Cost Attributions application and its data
Cost Management and Billing plugin Plugin ID: grafana-cmab-app
Expand table
Plugin role Description plugins:grafana-cmab-app:full-adminFull access to all features plugins:grafana-cmab-app:billing-and-usage-readerRead-only access to billing and usage data plugins:grafana-cmab-app:invoice-readerRead-only access to invoices, FOCUS & usage data plugins:grafana-cmab-app:cost-attribution-adminFull access to cost attributions plugins:grafana-cmab-app:cost-attribution-readerRead-only access to cost attributions plugins:grafana-cmab-app:usage-alerts-adminFull access to usage alerts plugins:grafana-cmab-app:usage-alerts-readerRead-only access to usage alerts
Easystart / Integrations plugin Plugin ID: grafana-easystart-app
Expand table
Plugin role Description plugins:grafana-easystart-app:integrations-writerAdminister integrations
Frontend Observability plugin Plugin ID: grafana-kowalski-app
Expand table
Plugin role Description plugins:grafana-kowalski-app:frontend-observability-adminRead/write access to everything in Frontend Observability plugin plugins:grafana-kowalski-app:frontend-observability-editorRead/write access to everything but app deletion plugins:grafana-kowalski-app:frontend-observability-viewerView access only plugins:grafana-kowalski-app:frontend-observability-sourcemap-uploaderView access with the ability to read settings and upload sourcemaps
Grafana Assistant plugin Plugin ID: grafana-assistant-app
Expand table
Plugin role Description plugins:grafana-assistant-app:assistant-adminManage both user and tenant-wide Assistant resources and settings plugins:grafana-assistant-app:assistant-mcp-userUse Grafana Assistant and add personal MCP servers plugins:grafana-assistant-app:assistant-userBasic access to Grafana Assistant with read-only capabilities plugins:grafana-assistant-app:assistant-investigation-userUse Assistant Backend Investigations
Grafana Auth plugin Plugin ID: grafana-auth-app
Expand table
Plugin role Description plugins:grafana-auth-app:writerWrite and manage access policies for Grafana Cloud
Incident plugin Plugin ID: grafana-incident-app
Expand table
Plugin role Description plugins:grafana-incident-app:incident-accessAccess to Grafana Incident
IRM plugin Plugin ID: grafana-irm-app
Core roles Expand table
Plugin role Description plugins:grafana-irm-app:adminRead/write access to everything in IRM plugins:grafana-irm-app:editorSimilar to Admin, minus abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other user’s settings, and update general IRM settings plugins:grafana-irm-app:readerRead-only access to everything in IRM plugins:grafana-irm-app:oncallerRead access to everything in IRM, plus edit access to Alert Groups, Schedules, and own settings plugins:grafana-irm-app:notifications-receiverReceive alert notifications, plus edit own IRM settings plugins:grafana-irm-app:incident-accessAccess to Grafana IRM incidents
Alert groups Expand table
Plugin role Description plugins:grafana-irm-app:alert-groups-readerRead-only access to Alert Groups plugins:grafana-irm-app:alert-groups-editorRead access to Alert Groups + ability to act on Alert Groups (acknowledge, resolve, etc) plugins:grafana-irm-app:alert-groups-direct-pagingManually create new Alert Groups (Direct Paging)
Integrations Expand table
Plugin role Description plugins:grafana-irm-app:integrations-readerRead-only access to Integrations plugins:grafana-irm-app:integrations-editorRead/write access to Integrations
Escalation chains Expand table
Plugin role Description plugins:grafana-irm-app:escalation-chains-readerRead-only access to Escalation Chains plugins:grafana-irm-app:escalation-chains-editorRead/write access to Escalation Chains
Schedules Expand table
Plugin role Description plugins:grafana-irm-app:schedules-readerRead-only access to Schedules plugins:grafana-irm-app:schedules-editorRead/write access to Schedules
ChatOps Expand table
Plugin role Description plugins:grafana-irm-app:chatops-readerRead-only access to ChatOps settings plugins:grafana-irm-app:chatops-editorRead/write access to ChatOps settings
Outgoing webhooks Expand table
Plugin role Description plugins:grafana-irm-app:outgoing-webhooks-readerRead-only access to Outgoing Webhooks plugins:grafana-irm-app:outgoing-webhooks-editorRead/write access to Outgoing Webhooks
Maintenance Expand table
Plugin role Description plugins:grafana-irm-app:maintenance-readerRead-only access to Integration Maintenance plugins:grafana-irm-app:maintenance-editorRead/write access to Integration Maintenance
API keys Expand table
Plugin role Description plugins:grafana-irm-app:api-keys-readerRead-only access to OnCall API Keys plugins:grafana-irm-app:api-keys-editorRead/write access to OnCall API Keys + ability to consume the API
User settings Expand table
Plugin role Description plugins:grafana-irm-app:user-settings-readerRead-only access to own IRM User Settings plugins:grafana-irm-app:user-settings-editorRead/write access to own IRM User Settings + view basic info about other IRM users plugins:grafana-irm-app:user-settings-adminRead/write access to your own + other’s IRM User Settings
Notification and general settings Expand table
Plugin role Description plugins:grafana-irm-app:notification-settings-readerRead-only access to IRM Notification Settings plugins:grafana-irm-app:notification-settings-editorRead/write access to IRM Notification Settings plugins:grafana-irm-app:settings-readerRead-only access to IRM Settings plugins:grafana-irm-app:settings-editorRead/write access to IRM Settings
k6 Cloud plugin Plugin ID: k6-app
Expand table
Plugin role Description plugins:k6-app:adminAdmin access to everything in k6 plugins:k6-app:editorRead/write access to k6 with limited scopes plugins:k6-app:readerRead-only access to k6
Knowledge Graph plugin Plugin ID: grafana-asserts-app
Expand table
Plugin role Description plugins:grafana-asserts-app:knowledge-graph-writerRead/write/create in Knowledge Graph plugins:grafana-asserts-app:knowledge-graph-readerRead-only access to everything in Knowledge Graph plugins:grafana-asserts-app:knowledge-graph-accessAccess to Knowledge Graph
Kubernetes Monitoring plugin Plugin ID: grafana-k8s-app
Expand table
Plugin role Description plugins:grafana-k8s-app:adminAdmin access to everything in k8s plugin plugins:grafana-k8s-app:readerRead-only access to k8s plugin
Labels plugin Plugin ID: grafana-labels-app
Expand table
Plugin role Description plugins:grafana-labels-app:labels-writerRead/write/create/delete Labels plugins:grafana-labels-app:labels-readerRead-only access to Labels
Machine Learning plugin Plugin ID: grafana-ml-app
Expand table
Plugin role Description plugins:grafana-ml-app:ml-editorRead and write access to ML features plugins:grafana-ml-app:ml-viewerRead access to ML features plugins:grafana-ml-app:sift-editorRead and write access to Sift features plugins:grafana-ml-app:sift-viewerRead access to Sift features
OnCall plugin Plugin ID: grafana-oncall-app
Core roles Expand table
Plugin role Description plugins:grafana-oncall-app:adminRead/write access to everything in OnCall plugins:grafana-oncall-app:editorSimilar to Admin, minus abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other user’s settings, and update general OnCall settings plugins:grafana-oncall-app:readerRead-only access to everything in OnCall plugins:grafana-oncall-app:oncallerRead access to everything in OnCall, plus edit access to Alert Groups, Schedules, and own settings plugins:grafana-oncall-app:notifications-receiverReceive OnCall alert notifications, plus edit own OnCall settings
Alert groups Expand table
Plugin role Description plugins:grafana-oncall-app:alert-groups-readerRead-only access to OnCall Alert Groups plugins:grafana-oncall-app:alert-groups-editorRead access to OnCall Alert Groups + ability to act on Alert Groups (acknowledge, resolve, etc) plugins:grafana-oncall-app:alert-groups-direct-pagingManually create new Alert Groups (Direct Paging)
Integrations Expand table
Plugin role Description plugins:grafana-oncall-app:integrations-readerRead-only access to OnCall Integrations plugins:grafana-oncall-app:integrations-editorRead/write access to OnCall Integrations
Escalation chains Expand table
Plugin role Description plugins:grafana-oncall-app:escalation-chains-readerRead-only access to OnCall Escalation Chains plugins:grafana-oncall-app:escalation-chains-editorRead/write access to OnCall Escalation Chains
Schedules Expand table
Plugin role Description plugins:grafana-oncall-app:schedules-readerRead-only access to OnCall Schedules plugins:grafana-oncall-app:schedules-editorRead/write access to OnCall Schedules
ChatOps Expand table
Plugin role Description plugins:grafana-oncall-app:chatops-readerRead-only access to OnCall ChatOps plugins:grafana-oncall-app:chatops-editorRead/write access to OnCall ChatOps
Outgoing webhooks Expand table
Plugin role Description plugins:grafana-oncall-app:outgoing-webhooks-readerRead-only access to OnCall Outgoing Webhooks plugins:grafana-oncall-app:outgoing-webhooks-editorRead/write access to OnCall Outgoing Webhooks
Maintenance Expand table
Plugin role Description plugins:grafana-oncall-app:maintenance-readerRead-only access to OnCall Maintenance plugins:grafana-oncall-app:maintenance-editorRead/write access to OnCall Maintenance
API keys Expand table
Plugin role Description plugins:grafana-oncall-app:api-keys-readerRead-only access to OnCall API Keys plugins:grafana-oncall-app:api-keys-editorRead/write access to OnCall API Keys + ability to consume the API
User settings Expand table
Plugin role Description plugins:grafana-oncall-app:user-settings-readerRead-only access to own OnCall User Settings plugins:grafana-oncall-app:user-settings-editorRead/write access to own OnCall User Settings + view basic info about other OnCall users plugins:grafana-oncall-app:user-settings-adminRead/write access to your own + other’s OnCall User Settings
Notification and general settings Expand table
Plugin role Description plugins:grafana-oncall-app:notification-settings-readerRead-only access to OnCall Notification Settings plugins:grafana-oncall-app:notification-settings-editorRead/write access to OnCall Notification Settings plugins:grafana-oncall-app:settings-readerRead-only access to OnCall Settings plugins:grafana-oncall-app:settings-editorRead/write access to OnCall Settings
Private Data Connect plugin Plugin ID: grafana-pdc-app
Expand table
Plugin role Description plugins:grafana-pdc-app:private-networks-readRead Private Networks plugins:grafana-pdc-app:private-networks-writeEdit Private Networks
SLO plugin Plugin ID: grafana-slo-app
Expand table
Plugin role Description plugins:grafana-slo-app:slo-readerView SLOs in folders where you have folder read permission plugins:grafana-slo-app:slo-writerManage SLOs in folders where you have folder edit permission plugins:grafana-slo-app:slo-adminSLO Writer, plus the ability to modify org preferences
Synthetic Monitoring plugin Plugin ID: grafana-synthetic-monitoring-app
Core roles Expand table
Plugin role Description plugins:grafana-synthetic-monitoring-app:adminFull access to write and manage checks, probes, alerts, thresholds, and access tokens as well as enabling/disabling the plugin plugins:grafana-synthetic-monitoring-app:editorAdd, update and delete checks, probes, alerts, and thresholds plugins:grafana-synthetic-monitoring-app:readerRead checks, probes, alerts, thresholds, and access tokens
Granular roles Expand table
Plugin role Description plugins:grafana-synthetic-monitoring-app:checks-readerRead checks plugins:grafana-synthetic-monitoring-app:checks-writerCreate, edit and delete checks plugins:grafana-synthetic-monitoring-app:probes-readerRead probes plugins:grafana-synthetic-monitoring-app:probes-writerCreate, edit and delete probes plugins:grafana-synthetic-monitoring-app:alerts-readerRead alerts plugins:grafana-synthetic-monitoring-app:alerts-writerCreate, edit and delete alerts plugins:grafana-synthetic-monitoring-app:thresholds-readerRead thresholds plugins:grafana-synthetic-monitoring-app:thresholds-writerRead and edit thresholds plugins:grafana-synthetic-monitoring-app:access-tokens-writerCreate and delete access tokens
Role assignment Plugin roles can be assigned to:
Users : Individual user accountsTeams : All members of a team inherit the roleBasic Roles : Can be added to Viewer, Editor, or Admin base rolesTo assign roles, use:
UI : Administration > Users/Teams > Select user/team > Roles tabAPI : PUT /api/access-control/users/{userId}/roles or PUT /api/access-control/teams/{teamId}/rolesFor more information about managing RBAC roles, refer to Manage RBAC roles .
Query plugin roles You can query your Grafana Cloud stack’s available plugin roles using the API:
curl -s -H "Authorization: Bearer YOUR_SERVICE_ACCOUNT_TOKEN" \
"https://YOUR_STACK.grafana.net/api/access-control/roles?includeHidden=true" | \
jq '[.[] | select(.name | startswith("plugins:"))]'
Grafana Cloud
