Manage users and teams for Synthetic Monitoring
Note
Synthetic Monitoring RBAC is currently in private preview. Grafana Labs offers support on a best-effort basis, and breaking changes might occur prior to the feature being made generally available.
Depending on the size of your team or organization, you might reach a point where you have a large number of checks, and you want to control who gets access to the information they need. Grafana provides two ways to manage user access: basic role authorization, and role-based access control (RBAC).
You can use both mechanisms to give users in your organization the access they need to view, edit, and manage resources in Synthetic Monitoring.
Before you begin
- Ensure you have organization administrator privileges.
Note
User roles and teams are managed at the organization level of your Grafana instance. They can’t be configured via the Synthetic Monitoring application. For more details, refer to Manage users in an organization.
User roles and permissions
There are two ways to manage user roles and permissions for Synthetic Monitoring.
Basic role authorization
By default, authorization within Synthetic Monitoring relies on the basic user roles configured at the organization level. All users are assigned a basic role by the
organization administrator. There are three available roles: Viewer
, Editor
, and Admin
.
Role-based access control (RBAC)
RBAC for Grafana plugins provides fine-grained access control, allowing you to define custom roles and actions for users in Synthetic Monitoring. You can use RBAC to grant specific permissions without modifying the user’s basic role at the organization level. Additionally, you can fine-tune basic roles to add or remove specific Synthetic Monitoring RBAC roles.
For example, a user with the basic Viewer
role at the organization level may need to edit checks. By assigning the Checks Writer
role from Grafana Synthetic Monitoring’s RBAC, you can allow the user to view everything in Synthetic Monitoring, as well as allow them to edit checks.
To learn more about how RBAC works in Grafana, refer to Role-based access control (RBAC).
Synthetic Monitoring RBAC
To access and use Synthetic Monitoring, a user needs permissions to the following data sources:
- The Synthetic Monitoring data source
- The metrics data source (Prometheus)
- The logs data sources (Loki)
By default, if a user has a basic role assigned of Viewer
, Editor
, or Admin
, they already have the necessary query permissions.
Configure query permissions
To manually configure query permissions, you have two options:
- Configure the query permissions for each data source in your stack by going to Connections > Data sources.
- Assign the
datasources:query
role using file-based provisioning.
Assign permissions via the Grafana Cloud stack UI
To configure query permissions for a data source in your Grafana Cloud stack:
- Open your Grafana Cloud stack.
- On the main menu, click Connections > Data sources.
- For each data source (Loki, Prometheus, and Synthetic Monitoring):
- Click on the data source to open its configuration page.
- Click the Permissions tab.
- Check that your user role has the Query permission. If your user doesn’t have that permission configured, click + Add a permission to add a new permission for your RBAC configuration.
Assign permissions using file-based provisioning
You can give a user the required data sources access by assigning them the datasources:query
permission. For more fine-grained access, you can scope it to the data source UIDs.
For metrics and logs, the permissions are:
"action": "datasources:query",
"scope": "datasources:uid:grafanacloud-prom" //metrics datasource
"action": "datasources:query",
"scope": "datasources:uid:grafanacloud-logs" //logs datasource
For the Synthetic Monitoring data source, the UID is variable:
"action": "datasources:query",
"scope": "datasources:uid:<SM_DS_UID>"
To find the UID value for your stack:
- Open your Grafana Cloud stack.
- On the main menu, click Testing & synthetics > Synthetics > Config.
- Click Synthetic Monitoring under Data sources.
- Copy the UID value from the URL, after “/edit/”. For example:
https://<stack_name>.grafana.net/connections/datasources/edit/<SM_DS_UID>
.
Synthetic Monitoring RBAC roles
Note
Granting any of the following roles also grants the user the
plugins.app:access
action with a scope ofplugins:id:grafana-synthethic-monitoring-app
, which gives the user access to the Synthetic Monitoring plugin. Additionally, none of the following RBAC roles support scopes.
The following table provides details about the available Synthetic Monitoring roles and the actions each role grants to users or teams. Some roles may require additional permissions external to Synthetic Monitoring. In such scenarios, the required permissions are explicitly detailed.
For details on how to assign roles to a user or team, refer to Assign RBAC roles.