Manage users and teams for Synthetic Monitoring
Grafana Cloud

Manage users and teams for Synthetic Monitoring

Note

Synthetic Monitoring RBAC is currently in private preview. Grafana Labs offers support on a best-effort basis, and breaking changes might occur prior to the feature being made generally available.

Depending on the size of your team or organization, you might reach a point where you have a large number of checks, and you want to control who gets access to the information they need. Grafana provides two ways to manage user access: basic role authorization, and role-based access control (RBAC).

You can use both mechanisms to give users in your organization the access they need to view, edit, and manage resources in Synthetic Monitoring.

Before you begin

  • Ensure you have organization administrator privileges.

Note

User roles and teams are managed at the organization level of your Grafana instance. They can’t be configured via the Synthetic Monitoring application. For more details, refer to Manage users in an organization.

User roles and permissions

There are two ways to manage user roles and permissions for Synthetic Monitoring.

Basic role authorization

By default, authorization within Synthetic Monitoring relies on the basic user roles configured at the organization level. All users are assigned a basic role by the organization administrator. There are three available roles: Viewer, Editor, and Admin.

Role-based access control (RBAC)

RBAC for Grafana plugins provides fine-grained access control, allowing you to define custom roles and actions for users in Synthetic Monitoring. You can use RBAC to grant specific permissions without modifying the user’s basic role at the organization level. Additionally, you can fine-tune basic roles to add or remove specific Synthetic Monitoring RBAC roles.

For example, a user with the basic Viewer role at the organization level may need to edit checks. By assigning the Checks Writer role from Grafana Synthetic Monitoring’s RBAC, you can allow the user to view everything in Synthetic Monitoring, as well as allow them to edit checks.

To learn more about how RBAC works in Grafana, refer to Role-based access control (RBAC).

Synthetic Monitoring RBAC

To access and use Synthetic Monitoring, a user needs permissions to the following data sources:

  • The Synthetic Monitoring data source
  • The metrics data source (Prometheus)
  • The logs data sources (Loki)

By default, if a user has a basic role assigned of Viewer, Editor, or Admin, they already have the necessary query permissions.

Configure query permissions

To manually configure query permissions, you have two options:

  • Configure the query permissions for each data source in your stack by going to Connections > Data sources.
  • Assign the datasources:query role using file-based provisioning.

Assign permissions via the Grafana Cloud stack UI

To configure query permissions for a data source in your Grafana Cloud stack:

  • Open your Grafana Cloud stack.
  • On the main menu, click Connections > Data sources.
  • For each data source (Loki, Prometheus, and Synthetic Monitoring):
    • Click on the data source to open its configuration page.
    • Click the Permissions tab.
    • Check that your user role has the Query permission. If your user doesn’t have that permission configured, click + Add a permission to add a new permission for your RBAC configuration.

Assign permissions using file-based provisioning

You can give a user the required data sources access by assigning them the datasources:query permission. For more fine-grained access, you can scope it to the data source UIDs.

For metrics and logs, the permissions are:

  "action": "datasources:query",
  "scope": "datasources:uid:grafanacloud-prom" //metrics datasource

  "action": "datasources:query",
  "scope": "datasources:uid:grafanacloud-logs" //logs datasource

For the Synthetic Monitoring data source, the UID is variable:

  "action": "datasources:query",
  "scope": "datasources:uid:<SM_DS_UID>"

To find the UID value for your stack:

  • Open your Grafana Cloud stack.
  • On the main menu, click Testing & synthetics > Synthetics > Config.
  • Click Synthetic Monitoring under Data sources.
  • Copy the UID value from the URL, after “/edit/”. For example: https://<stack_name>.grafana.net/connections/datasources/edit/<SM_DS_UID>.

Synthetic Monitoring RBAC roles

Note

Granting any of the following roles also grants the user the plugins.app:access action with a scope of plugins:id:grafana-synthethic-monitoring-app, which gives the user access to the Synthetic Monitoring plugin. Additionally, none of the following RBAC roles support scopes.

The following table provides details about the available Synthetic Monitoring roles and the actions each role grants to users or teams. Some roles may require additional permissions external to Synthetic Monitoring. In such scenarios, the required permissions are explicitly detailed.

For details on how to assign roles to a user or team, refer to Assign RBAC roles.

RoleDescriptionGranted ActionsBasic Roles Granted To
Checks readerRead checks in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app.checks:read
Viewer
Checks writerCreate, edit, and delete checks in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.checks:write

grafana-synthetic-monitoring-app.checks:read

grafana-synthetic-monitoring-app.checks:delete
Admin, Editor
Probes readerRead probes in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app.probes:read
Viewer
Probes writerCreate, edit, and delete probes in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.probes:write

grafana-synthetic-monitoring-app.probes:read

grafana-synthetic-monitoring-app.probes:delete
Admin, Editor
Alerts readerRead alerts in the Synthetic Monitoring app.
Also requires alert.instances.external:read
grafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app.alerts:read
Viewer
Alerts writerCreate, edit, and delete alerts in the Synthetic Monitoring app.
Also requires alert.instances.external:write
grafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.alerts:write

grafana-synthetic-monitoring-app.alerts:read

grafana-synthetic-monitoring-app.alerts:delete
Admin, Editor
Thresholds readerRead thresholds in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app.thresholds:read
Viewer
Thresholds writerRead and edit thresholds in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.thresholds:write

grafana-synthetic-monitoring-app.thresholds:read

grafana-synthetic-monitoring-app.thresholds:delete
Admin, Editor
Access tokens writerCreate and delete access tokens in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.access-tokens:write
Admin
AdminFull access to write and manage checks, probes, alerts, thresholds, and access tokens, as well as enabling/disabling the Synthetic Monitoring plugin.
When enabling the datasource, datasources:create must also be granted.
grafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.plugin:write

grafana-synthetic-monitoring-app.checks:write

grafana-synthetic-monitoring-app.probes:write

grafana-synthetic-monitoring-app.alerts:write

grafana-synthetic-monitoring-app.thresholds:write

grafana-synthetic-monitoring-app.access-tokens:write

grafana-synthetic-monitoring-app.checks:read

grafana-synthetic-monitoring-app.probes:read

grafana-synthetic-monitoring-app.alerts:read

grafana-synthetic-monitoring-app.thresholds:read

grafana-synthetic-monitoring-app.checks:delete

grafana-synthetic-monitoring-app.probes:delete

grafana-synthetic-monitoring-app.alerts:delete

grafana-synthetic-monitoring-app.thresholds:delete
Admin
EditorAdd, update and delete checks, probes, alerts, thresholds, and access tokens in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app:write

grafana-synthetic-monitoring-app.checks:write

grafana-synthetic-monitoring-app.probes:write

grafana-synthetic-monitoring-app.alerts:write

grafana-synthetic-monitoring-app.thresholds:write

grafana-synthetic-monitoring-app.checks:read

grafana-synthetic-monitoring-app.probes:read

grafana-synthetic-monitoring-app.alerts:read

grafana-synthetic-monitoring-app.thresholds:read

grafana-synthetic-monitoring-app.checks:delete

grafana-synthetic-monitoring-app.probes:delete

grafana-synthetic-monitoring-app.alerts:delete

grafana-synthetic-monitoring-app.thresholds:delete
Admin, Editor
ReaderRead checks, probes, alerts, thresholds, and access tokens in the Synthetic Monitoring appgrafana-synthetic-monitoring-app:read

grafana-synthetic-monitoring-app.checks:read

grafana-synthetic-monitoring-app.probes:read

grafana-synthetic-monitoring-app.alerts:read

grafana-synthetic-monitoring-app.thresholds:read
Viewer