Synthetic Monitoring RBAC is currently in private preview. Grafana Labs offers support on a best-effort basis, and breaking changes might occur prior to the feature being made generally available.
Depending on the size of your team or organization, you might reach a point where you have a large number of checks, and you want to control who gets access to the information they need. Grafana provides two ways to manage user access: basic role authorization, and role-based access control (RBAC).
You can use both mechanisms to give users in your organization the access they need to view, edit, and manage resources in Synthetic Monitoring.
Before you begin
Ensure you have organization administrator privileges.
Note
User roles and teams are managed at the organization level of your Grafana instance. They can’t be configured via the Synthetic Monitoring application. For more details, refer to Manage users in an organization.
User roles and permissions
There are two ways to manage user roles and permissions for Synthetic Monitoring.
Basic role authorization
By default, authorization within Synthetic Monitoring relies on the basic user roles configured at the organization level. All users are assigned a basic role by the
organization administrator. There are three available roles: Viewer, Editor, and Admin.
Role-based access control (RBAC)
RBAC for Grafana plugins provides fine-grained access control, allowing you to define custom roles and actions for users in Synthetic Monitoring. You can use RBAC to grant specific permissions without modifying the user’s basic role at the organization level. Additionally, you can fine-tune basic roles to add or remove specific Synthetic Monitoring RBAC roles.
For example, a user with the basic Viewer role at the organization level may need to edit checks. By assigning the Checks Writer role from Grafana Synthetic Monitoring’s RBAC, you can allow the user to view everything in Synthetic Monitoring, as well as allow them to edit checks.
Granting any of the following roles also grants the user the plugins.app:access action with a scope of
plugins:id:grafana-synthethic-monitoring-app, which gives the user access to the Synthetic Monitoring plugin. Additionally, none of the following RBAC roles support scopes.
The following table provides details about the available Synthetic Monitoring roles and the actions each role grants to users or teams.
In order to get access to the Synthetic Monitoring datasource and use the plugin, the datasources:read permission must be assigned when No basic role is set.
Some other roles may require additional permissions that are external to Synthetic Monitoring. In such scenarios, the required permission will be explicitly detailed.
For details on how to assign roles to a user or team, refer to Assign RBAC roles.
Role
Description
Granted Actions
Basic Roles Granted To
Checks reader
Read checks in the Synthetic Monitoring app
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app.checks:read
Viewer
Checks writer
Create, edit, and delete checks in the Synthetic Monitoring app
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app:write
grafana-synthetic-monitoring-app.checks:write
grafana-synthetic-monitoring-app.checks:read
grafana-synthetic-monitoring-app.checks:delete
Admin, Editor
Probes reader
Read probes in the Synthetic Monitoring app
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app.probes:read
Viewer
Probes writer
Create, edit, and delete probes in the Synthetic Monitoring app
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app:write
grafana-synthetic-monitoring-app.probes:write
grafana-synthetic-monitoring-app.probes:read
grafana-synthetic-monitoring-app.probes:delete
Admin, Editor
Alerts reader
Read alerts in the Synthetic Monitoring app. Also requires alert.instances.external:read
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app.alerts:read
Viewer
Alerts writer
Create, edit, and delete alerts in the Synthetic Monitoring app. Also requires alert.instances.external:write
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app:write
grafana-synthetic-monitoring-app.alerts:write
grafana-synthetic-monitoring-app.alerts:read
grafana-synthetic-monitoring-app.alerts:delete
Admin, Editor
Thresholds reader
Read thresholds in the Synthetic Monitoring app
grafana-synthetic-monitoring-app:read
grafana-synthetic-monitoring-app.thresholds:read
Viewer
Thresholds writer
Read and edit thresholds in the Synthetic Monitoring app
Full access to write and manage checks, probes, alerts, thresholds, and access tokens, as well as enabling/disabling the Synthetic Monitoring plugin. When enabling the datasource, datasources:create must also be granted.