---
title: "Use label-based access control (LBAC) with access policies | Grafana Cloud documentation"
description: "Use label-based access controls with Grafana Cloud Access Policies"
---

# Use label-based access control (LBAC) with access policies

Label-based access control (LBAC) lets you create access policies that restrict queries to only the metrics or logs data that meet specific label requirements. The feature allows you to associate multiple sets of [Prometheus label selectors](https://prometheus.io/docs/prometheus/latest/querying/basics/#time-series-selectors) with a policy. As a result, queries only return data that matches at least one of the provided selectors. This corresponds to the [disjunctive normal form](https://en.wikipedia.org/wiki/Disjunctive_normal_form), which allows you to express any required policy.

Label selectors for access policies can only be used with **read** permission for metrics and logs.

Label selectors can be configured using the [Grafana Cloud Access Policies API](../../../../developer-resources/api-reference/cloud-api/#access-policies-and-tokens) or the [Grafana Cloud Access Policies page within a stack or on the Cloud Portal](./authorize-services/).

## Set up a label selector policy

Label selectors are set when you create or modify an access policy.

1. Click the **Create access policy** button.
2. Fill in the **Display name** field with the access policy name.
3. Select the `logs:read` and/or `metrics:read` scope.
4. Click the **Add label selector** button and add a label selector.
5. Click the **Create** button.

## Exclude a label

One common use case for creating an LBAC policy is to exclude logs or metrics that have a specific label. For example, you can create a label policy that excludes all log lines with the label `secret=true` by adding a selector with `secret!="true"` when you create an access policy:

![Use labels to filter for not secret](/static/img/docs/grafana-cloud/access-policies/policies-labels-not-secret.png)

## Use multiple selectors

To create a policy that allows someone to access the production and development environments and excludes logs and/or metrics with the label `secret=true` in the production environment, use multiple selectors.

![Use labels to filter for secret and environments](/static/img/docs/grafana-cloud/access-policies/policies-labels-secret-env.png)

The selectors `{secret!="true", env="prod"}` and `{env="dev"}` enforce the policy:

- The selector `{secret!="true", env="prod"}` matches and returns log lines and metrics from the production environment that do not have the `secret=true` label.
- The selector `{env="dev"}` matches and returns log lines and metrics from the development environment, even if they have the `secret=true` label.
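
The following Python sketch is an added example, not Grafana's implementation. It evaluates the two selectors above against constructed label sets, assuming standard Prometheus matcher semantics (a missing label compares as the empty string, values compare as exact strings, and regex matchers are fully anchored). It goes slightly beyond the example above by also handling `=~` and `!~`; all function names are hypothetical.

```python
import re

# One matcher: label name, operator, double-quoted value.
_MATCHER = re.compile(r'\s*([A-Za-z_]\w*)\s*(=~|!~|!=|=)\s*"([^"]*)"\s*')

def parse_selector(selector):
    """Parse '{a="b", c!="d"}' into [(label, op, value), ...]."""
    text = selector.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError(f"selector must be wrapped in braces: {selector!r}")
    body, matchers, pos = text[1:-1], [], 0
    while pos < len(body):
        m = _MATCHER.match(body, pos)
        if not m or (m.end() < len(body) and body[m.end()] != ","):
            raise ValueError(f"cannot parse selector: {selector!r}")
        matchers.append(m.groups())
        pos = m.end() + 1  # step over the separating comma
    if not matchers:
        raise ValueError("empty selector would match everything")
    return matchers

def matcher_holds(labels, name, op, value):
    actual = labels.get(name, "")  # assumption: a missing label compares as ""
    if op in ("=", "!="):
        return (actual == value) == (op == "=")
    hit = re.fullmatch(value, actual) is not None  # regex matchers are anchored
    return hit == (op == "=~")

def allowed(labels, selectors):
    """DNF: readable if ANY selector has ALL of its matchers satisfied."""
    return any(all(matcher_holds(labels, *m) for m in parse_selector(s))
               for s in selectors)

POLICY = ['{secret!="true", env="prod"}', '{env="dev"}']  # selectors from this page
SAMPLES = [  # constructed label sets, not real data
    {"env": "prod", "app": "api"},      # no secret label: visible
    {"env": "prod", "secret": "true"},  # excluded by the first selector
    {"env": "dev", "secret": "true"},   # visible through the second selector
    {"env": "staging"},                 # no selector matches: hidden
    {"env": "prod", "secret": "True"},  # visible: values compare as exact strings
]

def visible(samples=SAMPLES, policy=POLICY):
    return [allowed(labels, policy) for labels in samples]

if __name__ == "__main__":
    for labels, ok in zip(SAMPLES, visible()):
        print("ALLOW" if ok else "DENY ", labels)
```

The last sample shows why an exclusion selector depends on consistent labeling: under these semantics, data labeled `secret="True"` is not hidden by `secret!="true"`.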
