Grafana EnterpriseFine-grained access controlFine-grained access control references

Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed roles Permissions Descriptions
fixed:roles:reader roles:read
roles:list
users.roles:list
users.permissions:list
roles.builtin:list
Read all access control roles, roles and permissions assigned to users and built-in role assignments.
fixed:roles:writer All permissions from fixed:roles:reader and
roles:write
roles:delete
users.roles:add
users.roles:remove
roles.builtin:add
roles.builtin:remove
Create, read, update, or delete all roles, assign or unassign roles to users and built-in role assignments.
fixed:reports:reader reports:read
reports:send
reports.settings:read
Read all reports and shared report settings.
fixed:reports:writer All permissions from fixed:reports:reader and
reports.admin:write
reports:delete
reports.settings:write
Create, read, update, or delete all reports and shared report settings.
fixed:users:reader users:read
users.quotas:list
users.authtoken:list
users.teams:read
Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writer All permissions from fixed:users:reader and
users:write
users:create
users:delete
users:enable
users:disable
users.password:update
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update
Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.
fixed:org.users:reader org.users:read Read users within a single organization.
fixed:org.users:writer All permissions from fixed:org.users:reader and
org.users:add
org.users:remove
org.users.role:update
Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:ldap:reader ldap.user:read
ldap.status:read
Read the LDAP configuration and LDAP status information.
fixed:ldap:writer All permissions from fixed:ldap:reader and
ldap.user:sync
ldap.config:reload
Read and update the LDAP configuration, and read LDAP status information.
fixed:stats:reader server.stats:read Read Grafana instance statistics.
fixed:settings:reader settings:read Read Grafana instance settings.
fixed:settings:writer All permissions from fixed:settings:reader and
settings:write
Read and update Grafana instance settings.
fixed:datasources:explorer datasources:explore Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:reader datasources:read
datasources:query
Read and query data sources.
fixed:datasources:writer All permissions from fixed:datasources:reader and
datasources:create
datasources:write
datasources:delete
Read, query, create, delete, or update a data source.
fixed:datasources:id:reader datasources.id:read Read the ID of a data source based on its name.
fixed:datasources.permissions:reader datasources.permissions:read Read data source permissions.
fixed:datasources.permissions:writer All permissions from fixed:datasources.permissions:reader and
datasources.permissions:create
datasources.permissions:delete
datasources.permissions:toggle
Create, read, or delete permissions of a data source.
fixed:licensing:reader licensing:read
licensing.reports:read
Read licensing information and licensing reports.
fixed:licensing:writer All permissions from fixed:licensing:viewer and
licensing:update
licensing:delete
Read licensing information and licensing reports, update and delete the license token.
fixed:provisioning:writer provisioning:reload Reload provisioning.
fixed:organization:reader orgs:read
orgs.quotas:read
Read an organization and its quotas.
fixed:organization:writer All permissions from fixed:organization:reader and
orgs:write
orgs.preferences:read
orgs.preferences:write
Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
fixed:organization:maintainer All permissions from fixed:organization:reader and
orgs:write
orgs:create
orgs:delete
orgs.quotas:write
Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.

Default built-in role assignments

Built-in role Associated role Description
Grafana Admin fixed:roles:reader
fixed:roles:writer
fixed:users:reader
fixed:users:writer
fixed:org.users:reader
fixed:org.users:writer
fixed:ldap:reader
fixed:ldap:writer
fixed:stats:reader
fixed:settings:reader
fixed:settings:writer
fixed:provisioning:writer
fixed:organization:reader
fixed:organization:maintainer
fixed:licensing:reader
fixed:licensing:writer
Default Grafana server administrator assignments.
Admin fixed:reports:reader
fixed:reports:writer
fixed:datasources:reader
fixed:datasources:writer
fixed:organization:writer
fixed:datasources.permissions:reader
fixed:datasources.permissions:writer
Default Grafana organization administrator assignments.
Editor fixed:datasources:explorer Default Editor assignments.
Viewer fixed:datasources:id:reader
fixed:organization:reader
Default Viewer assignments.