Documentation Grafana Cloud Testing and synthetics Performance testing Manage projects and users Configure RBAC Manage roles and permissions

Manage roles and permissions

This topic describes how you can manage users and teams roles, and project access.

Manager user or team role

You can manage Performance Testing roles similarly to how you manage roles for other applications in Grafana Cloud.

To manage a user or a team role:

1. Log in to your Grafana Cloud Stack.
2. On the left-side menu, click Administration > Users and access, and then Users, Teams, or Service accounts.
3. In the Role column, select the fixed role that you want to assign to the user, team, or service account.
4. Click Update.

Manage user or team project access

In your Performance Testing application, you can manage user or team access on a per-project basis.

To manage user or team access to a project:

1. Log in to your Grafana Cloud Stack.
2. On the left-side menu, click Testing & synthetics > Performance > Projects.
3. Click the Open project menu button next to the project you want to manage.
4. Click Manage permissions.

On this menu, you can add or remove a user or team, or edit their permissions.

Add a user or team

To add a user or team:

1. Click Add a permission.
2. Choose User or Team.
3. Choose the user or team you would like to add.
4. Choose the permission level.
5. Click Save.

Edit a user or team

To edit a user or team’s permissions:

1. Click on the user’s current permission level.
2. Choose a new permission level.

Remove a user or team

To remove a user or team from the project:

1. Click on the red cross next to the user’s current permission.

Manage project access using Grafana folders

As mentioned in Configure RBAC, Performance Testing projects use the same mechanism as Grafana folders for assigning user and team permissions. That means, in addition to the UI, you can use the Grafana API or Terraform to manage project access.

Manage project access using the Grafana API

To manage project access using the Grafana API:

1. Use the Grafana Cloud k6 REST API to retrieve the Grafana folder ID associated with the project:
   1. Get an API token.
   2. Use the Get a project by ID endpoint, and save the grafana_folder_uid value.
2. Use the Grafana HTTP API to update the folder permissions:
   1. Authenticate with the Grafana API.
   2. Use the Get permissions for a folder endpoint. This step is optional. If a folder already has permissions configured, you must include the existing permissions in your update request or they’ll be removed.
   3. Use the Update permissions for a folder endpoint to add, update, or remove permissions for your project.

Manage project access using Terraform

Each Performance Testing project includes the grafana_folder_uid property, which can be used with the grafana_folder_permission_item resource.

For example, to set “Admin” permissions for a user, you can use the following code:

terraform Copy

resource "grafana_k6_project" "k6_tf_demo_k6_project" {
  provider = grafana.k6

  name = "Terraform k6 example"
}

resource "grafana_folder_permission_item" "admin_member" {
  provider   = grafana.k6

  folder_uid = grafana_k6_project.k6_tf_demo_k6_project.grafana_folder_uid
  user       = 123  # can also be configured for a team or role
  permission = "Admin"
}

Best practices

Use Grafana Cloud Teams

With RBAC, you can manage access to Performance testing projects by assigning roles to individual users or teams. We recommend creating teams to help you manage project access, even with a small number of users.

You can also refer to Plan your Grafana RBAC rollout strategy for more details on how to manage RBAC for your Grafana Cloud account.

Set up team access for new and existing projects

As mentioned in the Manage project access using Grafana folders section, you can use the Grafana folders API to manage RBAC access to Performance Testing projects.

Each Performance Testing project automatically gets its own associated Grafana folder, created as a sub-folder under the parent “k6-app” folder. While the “k6-app” folder and its sub-folders are hidden from the Grafana UI and Grafana List Folders API, you can still update their permissions via the API. When you grant a team access to the “k6-app” folder, that team gets access to any existing and newly created projects. That can be useful, for example, if you have a team that must have Viewer access to all projects, and you don’t want to manually update projects one by one after they’re created.

To give a team access to the “k6-app” folder:

1. Authenticate with the Grafana API.

2. Use the Grafana RBAC API to update the k6-app folder permissions:

   1. Retrieve the team Id by using the Team Search endpoint.
   2. Use the RBAC Folders endpoint to update the k6-app folder permissions. For example:
   Bash Copy

   curl 'https://<STACK_NAME>.grafana.net/api/access-control/folders/k6-app/teams/<TEAM_ID>' \
      -H 'accept: application/json' \
      -H 'content-type: application/json' \
      -H 'Authorization: Bearer <API_TOKEN>' \
      --data-raw '{"permission":"<PERMISSION_TYPE>"}'

   1. Make sure to replace the variables for your request:
      1. <STACK_NAME>: Replace it with the name of your stack.
      2. <TEAM_ID: Replace it with the team Id you retrieved on the previous step.
      3. <API_TOKEN>: Replace it with the Grafana API token you retrieved on the first step.
      4. <PERMISSION_TYPE>: Replace it with the type of permission you want to assign to your team. The options are: View, Edit, or Admin.

References

For more details on managing your Grafana Cloud account and stack roles:

• Refer to Configure user roles for details on how to assign a role to a user in your Grafana Cloud instance.
• Refer to Assign RBAC roles for details on how to assign a role to a user in your Grafana Cloud Stack.
• Refer to Configure Grafana Teams for details on how to create a team, add members to it, and assign roles to it in your Grafana Cloud Stack.