Applies to: Grafana Enterprise, Grafana Cloud

Configure RBAC

Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.

A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.

Each permission contains one or more actions and a scope.

Permissions

Grafana Alerting has the following permissions. Where the applicable scope is "n/a", the action takes no scope and applies to the whole organization.

| Action | Applicable scope | Description |
|---|---|---|
| alert.instances.external:read | datasources:*, datasources:uid:* | Read alerts and silences in data sources that support alerting. |
| alert.instances.external:write | datasources:*, datasources:uid:* | Manage alerts and silences in data sources that support alerting. |
| alert.instances:create | n/a | Create silences in the current organization. |
| alert.instances:read | n/a | Read alerts and silences in the current organization. |
| alert.instances:write | n/a | Update and expire silences in the current organization. |
| alert.notifications.external:read | datasources:*, datasources:uid:* | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| alert.notifications.external:write | datasources:*, datasources:uid:* | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| alert.notifications:write | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| alert.notifications:read | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| alert.rules.external:read | datasources:*, datasources:uid:* | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki). |
| alert.rules.external:write | datasources:*, datasources:uid:* | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| alert.rules:create | folders:*, folders:uid:* | Create Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of the data sources the user can query. |
| alert.rules:delete | folders:*, folders:uid:* | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder. |
| alert.rules:read | folders:*, folders:uid:* | Read Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder. |
| alert.rules:write | folders:*, folders:uid:* | Update Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder. To allow query modifications, add datasources:query in the scope of the data sources the user can query. |
| alert.silences:create | folders:*, folders:uid:* | Create rule-specific silences in a folder and its subfolders. |
| alert.silences:read | folders:*, folders:uid:* | Read all general silences and rule-specific silences in a folder and its subfolders. |
| alert.silences:write | folders:*, folders:uid:* | Update and expire rule-specific silences in a folder and its subfolders. |
| alert.provisioning:read | n/a | Read all Grafana alert rules, notification policies, and other alerting resources via the provisioning API. Permissions on folders and data sources are not required. |
| alert.provisioning.secrets:read | n/a | Same as alert.provisioning:read, plus the ability to export resources with decrypted secrets. |
| alert.provisioning:write | n/a | Update all Grafana alert rules, notification policies, and other alerting resources via the provisioning API. Permissions on folders and data sources are not required. |
| alert.provisioning.provenance:write | n/a | Set the provisioning status of alerting resources. Cannot be used alone; the user must also have permissions to access the resources. |
| alert.notifications.receivers:read | receivers:*, receivers:uid:* | Read contact points. |
| alert.notifications.receivers.secrets:read | receivers:*, receivers:uid:* | Export contact points with decrypted secrets. |
| alert.notifications.receivers:create | n/a | Create a new contact point. The creator is automatically granted full access to the created contact point. |
| alert.notifications.receivers:write | receivers:*, receivers:uid:* | Update existing contact points. |
| alert.notifications.receivers:delete | receivers:*, receivers:uid:* | Delete existing contact points. |
| receivers.permissions:read | receivers:*, receivers:uid:* | Read permissions for contact points. |
| receivers.permissions:write | receivers:*, receivers:uid:* | Manage permissions for contact points. |
| alert.notifications.time-intervals:read | n/a | Read mute time intervals. |
| alert.notifications.time-intervals:write | n/a | Create new or update existing mute time intervals. |
| alert.notifications.time-intervals:delete | n/a | Delete existing mute time intervals. |
| alert.notifications.templates:read | n/a | Read templates. |
| alert.notifications.templates:write | n/a | Create new or update existing templates. |
| alert.notifications.templates:delete | n/a | Delete existing templates. |
| alert.notifications.routes:read | n/a | Read notification policies. |
| alert.notifications.routes:write | n/a | Create new or update existing notification policies. |

Note that alert.provisioning:read and alert.provisioning:write are not limited by folder or data source scopes, and that alert.provisioning.secrets:read and alert.notifications.receivers.secrets:read return decrypted credentials. Treat these four actions as high-privilege grants and assign them only to roles that genuinely need organization-wide or secret-level access.
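
The scope column and the "combine this permission with" notes in the table are easy to get wrong when hand-writing a custom role. The following script is an added example (it is not part of the Grafana documentation or code base): it encodes the table above and lints a role definition before it is applied, checking that each alerting action carries a scope of the applicable kind and that folder-scoped alert.rules actions are paired with a folders:read grant covering the same folder (and datasources:query for create). The role dict uses the same action/scope pairs that Grafana's RBAC provisioning files and HTTP API take; the role name, folder UID "oncall-rules" and data source UID "prom-main" are made-up values for the example.

```python
"""Lint a custom Grafana role against the alerting permissions table.

Added example, not Grafana's own code. Checks scope kinds per action and the
companion permissions (folders:read, datasources:query) the table calls for.
"""
import fnmatch
from typing import Dict, List

# Applicable scope patterns per action, transcribed from the table above.
# An empty list stands for "n/a": the action takes no scope.
SCOPES: Dict[str, List[str]] = {}
for _a in ("alert.instances.external:read", "alert.instances.external:write",
           "alert.notifications.external:read", "alert.notifications.external:write",
           "alert.rules.external:read", "alert.rules.external:write"):
    SCOPES[_a] = ["datasources:*", "datasources:uid:*"]
for _a in ("alert.rules:create", "alert.rules:read", "alert.rules:write",
           "alert.rules:delete", "alert.silences:create", "alert.silences:read",
           "alert.silences:write"):
    SCOPES[_a] = ["folders:*", "folders:uid:*"]
for _a in ("alert.notifications.receivers:read", "alert.notifications.receivers.secrets:read",
           "alert.notifications.receivers:write", "alert.notifications.receivers:delete",
           "receivers.permissions:read", "receivers.permissions:write"):
    SCOPES[_a] = ["receivers:*", "receivers:uid:*"]
for _a in ("alert.instances:create", "alert.instances:read", "alert.instances:write",
           "alert.notifications:read", "alert.notifications:write",
           "alert.notifications.receivers:create", "alert.provisioning:read",
           "alert.provisioning.secrets:read", "alert.provisioning:write",
           "alert.provisioning.provenance:write",
           "alert.notifications.time-intervals:read", "alert.notifications.time-intervals:write",
           "alert.notifications.time-intervals:delete", "alert.notifications.templates:read",
           "alert.notifications.templates:write", "alert.notifications.templates:delete",
           "alert.notifications.routes:read", "alert.notifications.routes:write"):
    SCOPES[_a] = []

# Companion permissions the table says to combine with folder-scoped rule actions.
# folders:read must cover the same folder; datasources:query is required for
# create (and for write only when query edits should be allowed, so not enforced).
FOLDER_COMPANIONS = {
    "alert.rules:create": ("folders:read", "datasources:query"),
    "alert.rules:read": ("folders:read",),
    "alert.rules:write": ("folders:read",),
    "alert.rules:delete": ("folders:read",),
}


def scope_covers(granted: str, needed: str) -> bool:
    """True if a granted scope (possibly a wildcard such as folders:*) includes needed."""
    return granted == needed or fnmatch.fnmatchcase(needed, granted)


def lint_role(role: dict) -> List[str]:
    """Return findings for a role dict; an empty list means the role passes."""
    findings: List[str] = []
    perms = role.get("permissions", [])
    for p in perms:
        action, scope = p.get("action", ""), p.get("scope", "")
        if action not in SCOPES:
            continue  # not an alerting action (e.g. folders:read); nothing to check here
        allowed = SCOPES[action]
        if not allowed and scope:
            findings.append(f"{action}: takes no scope, got {scope!r}")
        elif allowed and not any(fnmatch.fnmatchcase(scope, a) for a in allowed):
            findings.append(f"{action}: scope {scope!r} is not one of {allowed}")
        for companion in FOLDER_COMPANIONS.get(action, ()):
            have = [q for q in perms if q.get("action") == companion]
            if companion == "folders:read":
                ok = any(scope_covers(q.get("scope", ""), scope) for q in have)
            else:
                # datasources:query: the lint cannot know which data sources the
                # rules will query, so it only checks that some grant exists.
                ok = bool(have)
            if not ok:
                findings.append(f"{action} on {scope!r}: missing {companion} covering it")
    return findings


# Constructed sample role (all identifiers are made up): an on-call team that may
# read, create and edit rules in one folder, but cannot touch contact points.
ONCALL_RULE_AUTHOR = {
    "name": "custom:alerting:oncall-rule-author",
    "version": 1,
    "permissions": [
        {"action": "alert.rules:read", "scope": "folders:uid:oncall-rules"},
        {"action": "alert.rules:create", "scope": "folders:uid:oncall-rules"},
        {"action": "alert.rules:write", "scope": "folders:uid:oncall-rules"},
        {"action": "folders:read", "scope": "folders:uid:oncall-rules"},
        {"action": "datasources:query", "scope": "datasources:uid:prom-main"},
        {"action": "alert.instances:read"},
    ],
}

if __name__ == "__main__":
    for line in lint_role(ONCALL_RULE_AUTHOR) or ["OK: role passes the alerting lint"]:
        print(line)
```

Run the lint before submitting the role to Grafana; a role that passes still needs to be reviewed for breadth, since a scope of folders:* or receivers:* is valid per the table but grants access to every folder or contact point in the organization.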

To help plan your RBAC rollout strategy, refer to Plan your RBAC rollout strategy.