Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Instrument and send databreadcrumb arrow Fleet Managementbreadcrumb arrow Set upbreadcrumb arrow Role-based access control (RBAC)
Grafana Cloud

Role-based access control for Fleet Management

Grafana Fleet Management supports role-based access control (RBAC). RBAC provides a way of granting and revoking access to viewing and modifying Fleet Management resources, such as collectors and configuration pipelines.

Refer to the Grafana Cloud RBAC documentation to learn more about controlling access to Cloud with RBAC.

Fine-grained app access

Fleet Management offers two custom plugin roles that help reduce security risks by giving users only the permissions they actually need. You can assign specific roles to users who need only to view or make changes to Fleet Management, instead of granting them broad administrator access in Grafana Cloud.

Support for additional Fleet Management plugin roles is under active development.

Grafana Cloud basic roles

You can assign Grafana Cloud basic roles to users to allow them to perform certain actions within Grafana Cloud. In addition to other Cloud permissions, the following roles provide users the ability to view or edit Fleet Management collectors, attributes, and configuration pipelines.

Basic roleAccess in Fleet Management
Grafana AdminRead and write access to all collectors, attributes, and configuration pipelines.
AdminRead and write access to all collectors, attributes, and configuration pipelines.
EditorNone.
ViewerRead access to Fleet Management.

Fleet Management plugin roles

Fleet Management offers two custom roles to control access to the application and your Grafana Cloud stack: Collector App Reader and Collector App Admin. The Collector App Reader role enforces read-only access for assigned users, with all editing controls disabled. Granting a user the Collector App Admin role gives them full edit access to the Fleet Management application.

Note

The Collector App Reader role does not grant permission to view dashboards. If you want to grant a user read access that includes permission to view collector health dashboards in Fleet Management, you must also assign the Viewer basic role for all of Grafana Cloud.

Fleet Management roleAccess
Collector App ReaderRead access to Fleet Management. Read access includes viewing collectors, attributes, configuration pipelines.
Collector App AdminRead and write access to Fleet Management. Write access includes registering, modifying, assigning, or deleting collectors, attributes, and pipelines.

Assign a Fleet Management plugin role in the UI

To assign a role to an existing user or team, follow these steps:

  1. In your Grafana Cloud stack, click Administration > Users and access in the left-side menu.
  2. Click Users to find an individual or Teams to find a team.
  3. Search for the user or team.
  4. Click in the box in the Role column.
  5. Scroll through the list to reach the Plugin roles section.
  6. In the Collector menu, select the checkbox for Collector App Admin or Collector App Reader.
  7. Click Apply.

After a browser refresh, the newly authorized user has role-based access to Fleet Management.

If you want to assign a role to users not yet in your stack, you can add new users from your Grafana Cloud Portal on grafana.com.

RBAC permissions

You can assign and manage RBAC roles with API calls or provisioning. Fleet Management supports the following RBAC permissions:

ActionDescriptionIncluded in rolesScopes
grafana-collector-app:readRead access to Fleet ManagementCollector App Readerplugins:id:grafana-collector-app
grafana-collector-app:adminRead and write access to Fleet ManagementCollector App AdminNone