--- title: "Provisioning RBAC with Grafana | Grafana Cloud documentation" description: "Learn about RBAC Grafana provisioning and view an example YAML provisioning file that configures Grafana role assignments." --- # Provisioning RBAC with Grafana > Note > > Available in [Grafana Enterprise](/docs/grafana/next/introduction/grafana-enterprise/) for self-managed instances. This feature is not available in Grafana Cloud. You can create, change or remove [Custom roles](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/manage-rbac-roles/#create-custom-roles-using-provisioning) and create or remove [basic role assignments](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/assign-rbac-roles/#%23assign-a-fixed-role-to-a-basic-role-using-provisioning), by adding one or more YAML configuration files in the `provisioning/access-control/` directory. Because this method requires access to the file system where Grafana is running, it’s only available for self-managed Grafana instances. To provision RBAC in Grafana Cloud, use [Terraform](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/rbac-terraform-provisioning/) or the [HTTP API](/docs/grafana-cloud/developer-resources/api-reference/http-api/access_control/#create-and-manage-custom-roles). Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect. **Before you begin:** - Ensure that you have access to files on the server where Grafana is running. **To manage and assign RBAC roles using provisioning:** 1. Sign in to the Grafana server. 2. Locate the Grafana provisioning folder. 3. Create a new YAML in the following folder: **provisioning/access-control**. For example, `provisioning/access-control/custom-roles.yml` 4. Add RBAC provisioning details to the configuration file. Refer to [Manage RBAC roles](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/manage-rbac-roles/) and [Assign RBAC roles](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/assign-rbac-roles/) for instructions. Refer to [example role provisioning file](#example-role-configuration-file-using-grafana-provisioning) for a complete example of a provisioning file. 5. Reload the provisioning configuration file. For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations](/docs/grafana/next/developers/http_api/admin/#reload-provisioning-configurations). ## Example role configuration file using Grafana provisioning The following example shows a complete YAML configuration file that: - Create custom roles - Delete custom roles - Update basic roles permissions - Assign roles to teams - Revoke assignments of roles to teams ### Example YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```yaml --- # config file version apiVersion: 2 # list of roles to insert/update/delete roles: # name of the role you want to create or update. Required. - name: 'custom:users:writer' # uid of the role. Has to be unique for all orgs. uid: customuserswriter1 # description of the role, informative purpose only. description: 'Create, read, write users' # version of the role. Has to be greater than the stored role version to apply updates. Increase by 1 when you change the role. version: 2 # org id. Defaults to Grafana's default if not specified. orgId: 1 # list of the permissions granted by this role. permissions: # action allowed. - action: 'users:read' # scope it applies to. scope: 'users:*' - action: 'users:write' scope: 'users:*' - action: 'users:create' # Optional `datasourceType` for scopes `datasources:uid:`. # If you omit it, Grafana resolves the plugin type from the data source when this file is provisioned. # It is required if there are two datasources with the same uid. - action: 'datasources:query' scope: 'datasources:uid:loki-uid-here' datasourceType: loki - name: 'custom:global:users:reader' # overwrite org id and creates a global role. global: true # state of the role. Defaults to 'present'. If 'absent', role will be deleted. state: 'absent' # force deletion revoking all grants of the role. force: true - uid: 'basic_editor' # always apply the specified changes to the role, regardless of the role version in the database overrideRole: true global: true # list of roles to copy permissions from. from: - uid: 'basic_editor' global: true - name: 'fixed:users:writer' global: true # list of the permissions to add/remove on top of the copied ones. permissions: - action: 'users:read' scope: 'users:*' - action: 'users:write' scope: 'users:*' # state of the permission. Defaults to 'present'. If 'absent', the permission will be removed. state: absent # list role assignments to teams to create or remove. teams: # name of the team you want to assign roles to. Required. - name: 'Users writers' # org id. Will default to Grafana's default if not specified. orgId: 1 # list of roles to assign to the team roles: # uid of the role you want to assign to the team. - uid: 'customuserswriter1' # org id. Will default to Grafana's default if not specified. orgId: 1 # name of the role you want to assign to the team. - name: 'fixed:users:writer' # overwrite org id to specify the role is global. global: true # state of the assignment. Defaults to 'present'. If 'absent', the assignment will be revoked. state: absent ``` ## Useful Links [Provisioning RBAC setup with Terraform](/docs/grafana-cloud/account-management/authentication-and-permissions/access-control/rbac-terraform-provisioning/) [Grafana provisioning](/docs/grafana/latest/administration/provisioning/)