RBAC permissions, actions, and scopes

A permission consists of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions.

To learn more about the Grafana resources to which you can apply RBAC, refer to Resources with RBAC permissions.

  • Action: An action describes what tasks a user can perform on a resource.
  • Scope: A scope describes where an action can be performed, such as reading a specific user profile. In that example, the permission is attached to the relevant role with the scope users:<userId>, so the action applies only to that user.

Action definitions

The following table lists the role-based access control actions, the scopes each one accepts, and what the action allows.

| Action | Applicable scope | Description |
|---|---|---|
| alert.instances.external:read | datasources:*, datasources:uid:* | Read alerts and silences in data sources that support alerting. |
| alert.instances.external:write | datasources:*, datasources:uid:* | Manage alerts and silences in data sources that support alerting. |
| alert.instances:create | n/a | Create silences in the current organization. |
| alert.instances:read | n/a | Read alerts and silences in the current organization. |
| alert.instances:write | n/a | Update and expire silences in the current organization. |
| alert.notifications.external:read | datasources:*, datasources:uid:* | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| alert.notifications.external:write | datasources:*, datasources:uid:* | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| alert.notifications:write | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| alert.notifications:read | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| alert.rules.external:read | datasources:*, datasources:uid:* | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki). |
| alert.rules.external:write | datasources:*, datasources:uid:* | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| alert.rules:create | folders:*, folders:uid:* | Create Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
| alert.rules:delete | folders:*, folders:uid:* | Delete Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
| alert.rules:read | folders:*, folders:uid:* | Read Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
| alert.rules:write | folders:*, folders:uid:* | Update Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
| alert.provisioning:read | n/a | Read all Grafana alert rules, notification policies, etc. via the provisioning API. Permissions to folders and data sources are not required. |
| alert.provisioning:write | n/a | Update all Grafana alert rules, notification policies, etc. via the provisioning API. Permissions to folders and data sources are not required. |
| annotations:create | annotations:*, annotations:type:* | Create annotations. |
| annotations:delete | annotations:*, annotations:type:* | Delete annotations. |
| annotations:read | annotations:*, annotations:type:* | Read annotations and annotation tags. |
| annotations:write | annotations:*, annotations:type:* | Update annotations. |
| apikeys:create | n/a | Create API keys. |
| apikeys:read | apikeys:*, apikeys:id:* | Read API keys. |
| apikeys:delete | apikeys:*, apikeys:id:* | Delete API keys. |
| dashboards.permissions:read | dashboards:*, dashboards:uid:*, folders:*, folders:uid:* | Read permissions for one or more dashboards. |
| dashboards.permissions:write | dashboards:*, dashboards:uid:*, folders:*, folders:uid:* | Update permissions for one or more dashboards. |
| dashboards:create | folders:*, folders:uid:* | Create dashboards in one or more folders. |
| dashboards:delete | dashboards:*, dashboards:uid:*, folders:*, folders:uid:* | Delete one or more dashboards. |
| dashboards:read | dashboards:*, dashboards:uid:*, folders:*, folders:uid:* | Read one or more dashboards. |
| dashboards:write | dashboards:*, dashboards:uid:*, folders:*, folders:uid:* | Update one or more dashboards. |
| datasources.id:read | datasources:*, datasources:uid:* | Read data source IDs. |
| datasources.permissions:read | datasources:*, datasources:uid:* | List data source permissions. |
| datasources.permissions:write | datasources:*, datasources:uid:* | Update data source permissions. |
| datasources:create | n/a | Create data sources. |
| datasources:delete | datasources:*, datasources:uid:* | Delete data sources. |
| datasources:explore | n/a | Enable access to the Explore tab. |
| datasources:query | datasources:*, datasources:uid:* | Query data sources. |
| datasources:read | datasources:*, datasources:uid:* | List data sources. |
| datasources:write | datasources:*, datasources:uid:* | Update data sources. |
| folders.permissions:read | folders:*, folders:uid:* | Read permissions for one or more folders. |
| folders.permissions:write | folders:*, folders:uid:* | Update permissions for one or more folders. |
| folders:create | n/a | Create folders. |
| folders:delete | folders:*, folders:uid:* | Delete one or more folders. |
| folders:read | folders:*, folders:uid:* | Read one or more folders. |
| folders:write | folders:*, folders:uid:* | Update one or more folders. |
| ldap.config:reload | n/a | Reload the LDAP configuration. |
| ldap.status:read | n/a | Verify the availability of the LDAP server or servers. |
| ldap.user:read | n/a | Read users via LDAP. |
| ldap.user:sync | n/a | Sync users via LDAP. |
| licensing.reports:read | n/a | Get custom permission reports. |
| licensing:delete | n/a | Delete the license token. |
| licensing:read | n/a | Read licensing information. |
| licensing:write | n/a | Update the license token. |
| org.users:write | users:*, users:id:* | Update the organization role (Viewer, Editor, or Admin) of a user. |
| org.users:add | users:* | Add a user to an organization. |
| org.users:read | users:*, users:id:* | Get user profiles within an organization. |
| org.users:remove | users:*, users:id:* | Remove a user from an organization. |
| org:create | n/a | Create an organization. |
| orgs.preferences:read | orgs:*, orgs:id:* | Read organization preferences. |
| orgs.preferences:write | orgs:*, orgs:id:* | Update organization preferences. |
| orgs.quotas:read | orgs:*, orgs:id:* | Read organization quotas. |
| orgs.quotas:write | orgs:*, orgs:id:* | Update organization quotas. |
| orgs:delete | orgs:*, orgs:id:* | Delete one or more organizations. |
| orgs:read | orgs:*, orgs:id:* | Read one or more organizations. |
| orgs:write | orgs:*, orgs:id:* | Update one or more organizations. |
| provisioning:reload | provisioners:* | Reload provisioning files. To find the exact scope for a specific provisioner, see Scope definitions. |
| reports:create | n/a | Create reports. |
| reports:write | reports:*, reports:id:* | Update reports. |
| reports.settings:read | n/a | Read report settings. |
| reports.settings:write | n/a | Update report settings. |
| reports:delete | reports:*, reports:id:* | Delete reports. |
| reports:read | reports:* | List all available reports or get a specific report. |
| reports:send | reports:* | Send a report email. |
| roles:delete | permissions:type:delegate | Delete a custom role. |
| roles:read | roles:*, roles:uid:* | List roles and read a specific role with its permissions. |
| roles:write | permissions:type:delegate | Create or update a custom role. |
| roles:write | permissions:type:escalate | Reset basic roles to their default permissions. |
| server.stats:read | n/a | Read Grafana instance statistics. |
| settings:read | settings:*, settings:auth.saml:*, settings:auth.saml:enabled (property level) | Read the Grafana configuration settings. |
| settings:write | settings:*, settings:auth.saml:*, settings:auth.saml:enabled (property level) | Update any Grafana configuration settings that can be updated at runtime. |
| status:accesscontrol | services:accesscontrol | Get access-control enabled status. |
| teams.permissions:read | teams:*, teams:id:* | Read members and External Group Synchronization setup for teams. |
| teams.permissions:write | teams:*, teams:id:* | Add, remove, and update members and manage External Group Synchronization setup for teams. |
| teams.roles:add | permissions:type:delegate | Assign a role to a team. |
| teams.roles:read | teams:* | List roles assigned directly to a team. |
| teams.roles:remove | permissions:type:delegate | Unassign a role from a team. |
| teams:create | n/a | Create teams. |
| teams:delete | teams:*, teams:id:* | Delete one or more teams. |
| teams:read | teams:*, teams:id:* | Read one or more teams and team preferences. |
| teams:write | teams:*, teams:id:* | Update one or more teams and team preferences. |
| users.authtoken:read | global.users:*, global.users:id:* | List authentication tokens that are assigned to a user. |
| users.authtoken:write | global.users:*, global.users:id:* | Update authentication tokens that are assigned to a user. |
| users.password:write | global.users:*, global.users:id:* | Update a user’s password. |
| users.permissions:read | users:* | List permissions of a user. |
| users.permissions:write | global.users:*, global.users:id:* | Update a user’s organization-level permissions. |
| users.quotas:read | global.users:*, global.users:id:* | List a user’s quotas. |
| users.quotas:write | global.users:*, global.users:id:* | Update a user’s quotas. |
| users.roles:add | permissions:type:delegate | Assign a role to a user. |
| users.roles:read | users:* | List roles assigned directly to a user. |
| users.roles:remove | permissions:type:delegate | Unassign a role from a user. |
| users:create | n/a | Create a user. |
| users:delete | global.users:*, global.users:id:* | Delete a user. |
| users:disable | global.users:*, global.users:id:* | Disable a user. |
| users:enable | global.users:*, global.users:id:* | Enable a user. |
| users:logout | global.users:*, global.users:id:* | Sign out a user. |
| users:read | global.users:* | Read or search user profiles. |
| users:write | global.users:*, global.users:id:* | Update a user’s profile. |

Scope definitions

The following table lists the role-based access control scopes and the resources each one restricts an action to.

| Scopes | Descriptions |
|---|---|
| annotations:*, annotations:type:* | Restrict an action to a set of annotations. For example, annotations:* matches any annotation, annotations:type:dashboard matches annotations associated with dashboards, and annotations:type:organization matches organization annotations. |
| apikeys:*, apikeys:id:* | Restrict an action to a set of API keys. For example, apikeys:* matches any API key, and apikeys:id:1 matches the API key whose ID is 1. |
| dashboards:*, dashboards:uid:* | Restrict an action to a set of dashboards. For example, dashboards:* matches any dashboard, and dashboards:uid:1 matches the dashboard whose UID is 1. |
| datasources:*, datasources:uid:* | Restrict an action to a set of data sources. For example, datasources:* matches any data source, and datasources:uid:1 matches the data source whose UID is 1. |
| folders:*, folders:uid:* | Restrict an action to a set of folders. For example, folders:* matches any folder, and folders:uid:1 matches the folder whose UID is 1. |
| global.users:*, global.users:id:* | Restrict an action to a set of global users. For example, global.users:* matches any user, and global.users:id:1 matches the user whose ID is 1. |
| orgs:*, orgs:id:* | Restrict an action to a set of organizations. For example, orgs:* matches any organization, and orgs:id:1 matches the organization whose ID is 1. |
| permissions:type:delegate | This scope applies only to roles associated with the access control system itself. It indicates that you can delegate only your own permissions, or a subset of them, by creating a new role or making an assignment. |
| permissions:type:escalate | This scope is required to trigger the reset of basic role permissions. It indicates that users might acquire additional permissions they did not previously have. |
| provisioners:* | Restrict an action to a set of provisioners. For example, provisioners:* matches any provisioner, and provisioners:accesscontrol matches the role-based access control provisioner. |
| reports:*, reports:id:* | Restrict an action to a set of reports. For example, reports:* matches any report, and reports:id:1 matches the report whose ID is 1. |
| roles:*, roles:uid:* | Restrict an action to a set of roles. For example, roles:* matches any role, and roles:uid:randomuid matches only the role whose UID is randomuid. |
| services:accesscontrol | Restrict an action to target only the role-based access control service. Use this in conjunction with the status:accesscontrol action. |
| settings:* | Restrict an action to a subset of settings. For example, settings:* matches all settings, settings:auth.saml:* matches all SAML settings, and settings:auth.saml:enabled matches the enabled property of the SAML settings. |
| teams:*, teams:id:* | Restrict an action to a set of teams from an organization. For example, teams:* matches any team, and teams:id:1 matches the team whose ID is 1. |
| users:*, users:id:* | Restrict an action to a set of users from an organization. For example, users:* matches any user, and users:id:1 matches the user whose ID is 1. |
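How an action and a scope combine into an authorization decision, as an added Go example that is not Grafana's own code: it models the trailing-wildcard scopes from the table above (datasources:*, datasources:uid:*, settings:auth.saml:*) and the combination rule in the action table that alert.rules:create also needs folders:read on the folder and datasources:query on every data source the rule queries. The names Permission, Allowed and CanCreateAlertRule, the sample role, and the prefix-wildcard matching are assumptions for illustration; Grafana's real evaluator may differ in detail.

```go
package main

import (
	"fmt"
	"strings"
)

type Permission struct{ Action, Scope string } // one RBAC action plus the scope it applies to

// scopeMatches reports whether a granted scope covers a requested one. Assumption: a trailing "*"
// matches any suffix (datasources:uid:* covers datasources:uid:prom-1); anything else must match exactly.
func scopeMatches(granted, requested string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return granted == requested
}

// Allowed reports whether any permission in the role grants action on scope.
func Allowed(perms []Permission, action, scope string) bool {
	for _, p := range perms {
		if p.Action == action && scopeMatches(p.Scope, scope) {
			return true
		}
	}
	return false
}

// CanCreateAlertRule applies the combination rule from the action table: alert.rules:create and
// folders:read on the target folder, plus datasources:query on every data source the rule queries.
func CanCreateAlertRule(perms []Permission, folderUID string, dsUIDs []string) bool {
	folder := "folders:uid:" + folderUID
	if !Allowed(perms, "alert.rules:create", folder) || !Allowed(perms, "folders:read", folder) {
		return false
	}
	for _, ds := range dsUIDs {
		if !Allowed(perms, "datasources:query", "datasources:uid:"+ds) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample role: create alert rules only in folder "ops", read any folder, query only "prom-1".
	role := []Permission{{"alert.rules:create", "folders:uid:ops"}, {"folders:read", "folders:*"},
		{"datasources:query", "datasources:uid:prom-1"}}
	fmt.Println(CanCreateAlertRule(role, "ops", []string{"prom-1"}))           // true
	fmt.Println(CanCreateAlertRule(role, "ops", []string{"prom-1", "loki-1"})) // false: loki-1 not queryable
}
```

The second call fails even though the folder permissions are satisfied, which is the least-privilege effect the table's "combine this permission with" note describes: a rule author cannot reach a data source the role never granted datasources:query on.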