--- title: "Role-based access control for Fleet Management | Grafana Cloud documentation" description: "Learn how to use RBAC to control access to Grafana Fleet Management" --- # Role-based access control for Fleet Management Grafana Fleet Management supports role-based access control (RBAC). RBAC provides a way of granting and revoking access to viewing and modifying Fleet Management resources, such as collectors and configuration pipelines. Refer to the [Grafana Cloud RBAC documentation](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/) to learn more about controlling access to Cloud with RBAC. ## Fine-grained app access Fleet Management offers two custom `plugin` roles that help reduce security risks by giving users only the permissions they actually need. You can assign specific roles to users who need only to view or make changes to Fleet Management, instead of granting them broad administrator access in Grafana Cloud. Support for additional Fleet Management `plugin` roles is under active development. ## Grafana Cloud `basic` roles You can assign [Grafana Cloud `basic` roles](/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/#basic-role-assignments) to users to allow them to perform certain actions within Grafana Cloud. In addition to other Cloud permissions, the following roles provide users the ability to view or edit Fleet Management collectors, attributes, and configuration pipelines. Expand table | Basic role | Access in Fleet Management | |---------------|-----------------------------------------------------------------------------------| | Grafana Admin | Read and write access to all collectors, attributes, and configuration pipelines. | | Admin | Read and write access to all collectors, attributes, and configuration pipelines. | | Editor | None. | | Viewer | Read access to Fleet Management. | ## Fleet Management `plugin` roles Fleet Management offers two custom roles to control access to the application and your Grafana Cloud stack: `Collector App Reader` and `Collector App Admin`. The `Collector App Reader` role enforces read-only access for assigned users, with all editing controls disabled. Granting a user the `Collector App Admin` role gives them full edit access to the Fleet Management application. > Note > > The `Collector App Reader` role does not grant permission to view dashboards. If you want to grant a user read access that includes permission to view collector health dashboards in Fleet Management, you must also assign the [`Viewer` basic role](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/rbac-fixed-basic-role-definitions/#basic-role-assignments) for all of Grafana Cloud. Expand table | Fleet Management role | Access | |-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| | Collector App Reader | Read access to Fleet Management. Read access includes viewing collectors, attributes, configuration pipelines. | | Collector App Admin | Read and write access to Fleet Management. Write access includes registering, modifying, assigning, or deleting collectors, attributes, and pipelines. | ## Assign a Fleet Management `plugin` role in the UI To assign a role to an existing user or team, follow these steps: 1. In your Grafana Cloud stack, click **Administration** > **Users and access** in the left-side menu. 2. Click **Users** to find an individual or **Teams** to find a team. 3. Search for the user or team. 4. Click in the box in the **Role** column. 5. Scroll through the list to reach the **Fixed roles** section. 6. In the **Data sources** menu, select the checkbox for **Writers**. 7. Continue scrolling through the list to reach the **Plugin roles** section. 8. In the **Collector** menu, select the checkbox for **Collector App Admin** or **Collector App Reader**. 9. Click **Apply**. > Note > > The `plugins:grafana-collector-app:admin` and `plugins:grafana-collector-app:reader` roles must be granted alongside the `fixed:datasources:writer` role for the permissions to take effect. After a browser refresh, the newly authorized user has role-based access to Fleet Management. If you want to assign a role to users not yet in your stack, you can add new users from your Grafana Cloud Portal on grafana.com. ## RBAC permissions You can [assign](/docs/grafana/latest/administration/roles-and-permissions/access-control/assign-rbac-roles/) and [manage](/docs/grafana/latest/administration/roles-and-permissions/access-control/manage-rbac-roles/) RBAC roles with API calls or provisioning. Fleet Management supports the following RBAC permissions: Expand table | Action | Description | Included in roles | Scopes | |-------------------------------|-------------------------------------------|----------------------|------------------------------------| | `grafana-collector-app:read` | Read access to Fleet Management | Collector App Reader | `plugins:id:grafana-collector-app` | | `grafana-collector-app:admin` | Read and write access to Fleet Management | Collector App Admin | None |