Configure LBAC for data sources for Prometheus data source
Grafana Cloud
LBAC for data sources is available on Grafana Cloud using a new Prometheus data source with basic authentication configured. A new data source can be created as described in LBAC Configuration for New Prometheus Data Source.
Before you begin
To be able to use LBAC for Prometheus data sources, you need to enable the feature toggle teamHttpHeadersMimir on your Grafana instance. Go to the feature toggles page in setting to enable the feature.
- Be sure that you have the permission setup to create a Prometheus tenant in Grafana Cloud
- Be sure that you have admin data source permissions for Grafana.
Grafana Cloud
LBAC for data sources is available in private preview on Grafana Cloud for Prometheus created with basic authentication. Prometheus data sources for LBAC for data sources can only be created, provisioning is currently not available.
You cannot configure LBAC rules for Grafana-provisioned data sources from the UI. We recommend that you replicate the setting of the provisioned data source in a new data source as described in LBAC Configuration for New Prometheus Data Source and then add the LBAC configuration to the new data source.
Permissions
We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are Admin permission and only add the teams Query permissions that you want to add LBAC for data sources rules for.
Task 1: LBAC Configuration for new Prometheus data source
- Access Prometheus data sources details for your stack through grafana.com
- Copy Prometheus details and create a CAP- Copy the details of your Prometheus setup.
- Create a Cloud Access Policy (CAP) for the Prometheus data source in grafana.com.
- Ensure the CAP includes metrics:readpermissions.
- Ensure the CAP does not include labelsrules.
 
- Create a new Prometheus data source- In Grafana, proceed to add a new data source and select Prometheus as the type.
 
- Navigate back to the Prometheus data source- Set up the Prometheus data source using basic authentication. Use the userIDas the username. Use the generated CAPtokenas the password.
- Save and connect.
 
- Set up the Prometheus data source using basic authentication. Use the 
- Navigate to data source permissions- Go to the permissions tab of the newly created Prometheus data source. Here, you’ll find the LBAC for data sources rules section.
 
For more information on how to setup LBAC for data sources rules for a Prometheus data source, refer to Create LBAC for data sources rules for the Prometheus data source.
Grafana Enterprise
LBAC for data sources is available in Grafana Enterprise for Prometheus connected to GEM created with basic authentication.
You cannot configure LBAC rules for Grafana-provisioned data sources from the UI. Alternatively, you can replicate the setting of the provisioned data source in a new data source as described in LBAC Configuration for new Prometheus data source and then add the LBAC configuration to the new data source.
Before you begin
To be able to use LBAC for Prometheus data sources, you need to enable the feature toggle teamHttpHeadersMimir on your Grafana instance. Contact support to enable the feature toggle for you.
- Be sure that you have the permission setup to create a cluster in your Grafana
- Be sure that you have admin plugins permissions for Grafana.
- Be sure that you have admin data source permissions for Grafana.
Permissions
We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are Admin permission and only add the teams Query permissions that you want to add LBAC for data sources rules for.
Task 0: Setup Grafana Enterprise Metrics tenant and access policies
- Access the plugins page and install Grafana Enterprise Metrics plugins
- Connect your plugin and use app as the cluster
- Access the app Grafana Enterprise Metrics and configure a tenant
- Store the uidof the tenant to be used as the username for the basic authentication
- Access the policies page inside of the app and create a AP- Create a Access Policy (CAP) for the Prometheus data source.
- Ensure the CAP includes metrics:readpermissions.
- Ensure the CAP does not include labelsrules.
- Store the tokento be used as password for authentication.
 
Task 1: LBAC Configuration for new Prometheus data source
- Create a new Prometheus data source- In Grafana, proceed to add a new data source and select Prometheus as the type.
 
- Navigate back to the Prometheus data source- Set up the Prometheus data source using basic authentication. Use the uidas the username. Use the generatedtokenas the password.
- Save and connect.
 
- Set up the Prometheus data source using basic authentication. Use the 
- Navigate to data source permissions- Go to the permissions tab of the newly created Prometheus data source. Here, you’ll find the LBAC for data sources rules section.
 
For more information on how to setup LBAC for data sources rules for a Prometheus data source, refer to Create LBAC for data sources rules for the Prometheus data source.







