Grafana Cloud

Role-based access control for Fleet Management

Grafana Fleet Management supports role-based access control (RBAC). RBAC lets you grant and revoke permission to view and modify Fleet Management resources, such as collectors and configuration pipelines.

Refer to the Grafana Cloud RBAC documentation to learn more about controlling access to Cloud with RBAC.

Fine-grained app access

Fleet Management offers two custom plugin roles that help reduce security risks by giving users only the permissions they actually need. You can assign specific roles to users who need only to view or make changes to Fleet Management, instead of granting them broad administrator access in Grafana Cloud.

Support for additional Fleet Management plugin roles is under active development.

Fleet Management plugin roles and permissions

Fleet Management offers two roles to control access to the application and your Grafana Cloud stack: Collector App Reader and Collector App Admin. The Collector App Reader role enforces read-only access for assigned users, with all editing controls disabled. Granting a user the Collector App Admin role gives them full edit access to the Fleet Management application.

Note

The Collector App Reader role does not grant permission to view dashboards. If you want to grant a user read access that includes permission to view collector health dashboards in Fleet Management, you must also assign the Viewer basic role for all of Grafana Cloud.

| Fleet Management role | Permissions |
| --- | --- |
| Collector App Reader | Read access to Fleet Management. Read access includes viewing collectors, attributes, and configuration pipelines. |
| Collector App Admin | Read and write access to Fleet Management. Write access includes registering, modifying, assigning, or deleting collectors, attributes, and pipelines. |

Grafana Cloud basic roles and permissions

Grafana Cloud basic roles can be assigned to users to provide them with the access they need to perform actions within Grafana Cloud. In addition to other permissions, certain roles can provide users the ability to view or edit Fleet Management collectors, attributes, and configuration pipelines.

The following table describes the permissions each Grafana Cloud basic role provides for users of Fleet Management:

| Basic role | Permissions in Fleet Management |
| --- | --- |
| Grafana Admin | Read and write access to all collectors, attributes, and configuration pipelines. |
| Admin | Read and write access to all collectors, attributes, and configuration pipelines. |
| Editor | None. |
| Viewer | Read access to Fleet Management. |

Assign a Fleet Management plugin role in the UI

To assign a role to an existing user or team, follow these steps:

  1. In your Grafana Cloud stack, click Administration > Users and access in the left-side menu.
  2. Click Users to find an individual or Teams to find a team.
  3. Search for the user or team.
  4. Click in the box in the Role column.
  5. Scroll through the list to reach the Fixed roles section.
  6. In the Data sources menu, select the checkbox for Writers.
  7. Continue scrolling through the list to reach the Plugin roles section.
  8. In the Collector menu, select the checkbox for Collector App Admin or Collector App Reader.
  9. Click Apply.

Note

The plugins:grafana-collector-app:admin and plugins:grafana-collector-app:reader roles must be granted alongside the fixed:datasources:writer role for the permissions to take effect.

After a browser refresh, the newly authorized user has role-based access to Fleet Management.

If you want to assign a role to users not yet in your stack, you can add new users from your Grafana Cloud Portal on grafana.com.
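
The following added example (not Grafana code) audits role assignments against the rules on this page: the basic-role table, the two plugin roles, the fixed:datasources:writer dependency, and the dashboard note. The record layout, the user names, and the treatment of a user with no basic role are assumptions made for illustration.

```python
# Added example, not Grafana code. Rules come from the tables and notes on this page.
LEVELS = ["none", "read", "read-write"]
BASIC_ACCESS = {"Grafana Admin": 2, "Admin": 2, "Editor": 0, "Viewer": 1}
READER = "plugins:grafana-collector-app:reader"
ADMIN = "plugins:grafana-collector-app:admin"
PLUGIN_ACCESS = {READER: 1, ADMIN: 2}
REQUIRED_FIXED_ROLE = "fixed:datasources:writer"
# Assumption: basic roles above Viewer also include dashboard viewing.
CAN_VIEW_DASHBOARDS = {"Viewer", "Editor", "Admin", "Grafana Admin"}


def audit(user):
    """Return (effective Fleet Management access, findings) for one user record."""
    roles = set(user["roles"])
    basic = user["basic_role"]
    basic_level = BASIC_ACCESS.get(basic, 0)
    level, findings = basic_level, []
    plugin_roles = sorted(roles.intersection(PLUGIN_ACCESS))
    if plugin_roles and REQUIRED_FIXED_ROLE not in roles:
        # Plugin roles only take effect alongside fixed:datasources:writer.
        findings.append(f"{', '.join(plugin_roles)} has no effect without {REQUIRED_FIXED_ROLE}")
    elif plugin_roles:
        level = max(level, max(PLUGIN_ACCESS[r] for r in plugin_roles))
    if READER in roles and basic not in CAN_VIEW_DASHBOARDS:
        findings.append("reader role alone cannot view collector health dashboards")
    if basic_level == 2:
        findings.append(f"basic role {basic} already grants read-write; review whether a plugin role suffices")
    return LEVELS[level], findings


# Constructed sample assignments (hypothetical users, hypothetical record layout).
USERS = [
    {"name": "alice", "basic_role": "Viewer", "roles": [ADMIN, REQUIRED_FIXED_ROLE]},
    {"name": "bob", "basic_role": "Editor", "roles": [ADMIN]},
    {"name": "carol", "basic_role": None, "roles": [READER, REQUIRED_FIXED_ROLE]},
    {"name": "dave", "basic_role": "Admin", "roles": []},
]

if __name__ == "__main__":
    for u in USERS:
        access, findings = audit(u)
        print(f"{u['name']}: {access}")
        for finding in findings:
            print(f"  - {finding}")
```
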