Grafana EnterpriseFine-grained access controlFine-grained access control references

Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed roles Permissions Descriptions
fixed:permissions:admin:read roles:read
roles:list
roles.builtin:list
Allows to list and get available roles and built-in role assignments.
fixed:permissions:admin:edit All permissions from fixed:permissions:admin:read and
roles:write
roles:delete
roles.builtin:add
roles.builtin:remove
Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments.
fixed:reporting:admin:read reports:read
reports:send
reports.settings:read
Allows to read reports and report settings.
fixed:reporting:admin:edit All permissions from fixed:reporting:admin:read and
reports.admin:write
reports:delete
reports.settings:write
Allows every read action for reports and in addition allows to administer reports.
fixed:users:admin:read users.authtoken:list
users.quotas:list
users:read
users.teams:read
Allows to list and get users and related information.
fixed:users:admin:edit All permissions from fixed:users:admin:read and
users.password:update
users:write
users:create
users:delete
users:enable
users:disable
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update
Allows every read action for users and in addition allows to administer users.
fixed:users:org:read org.users:read Allows to get user organizations.
fixed:users:org:edit All permissions from fixed:users:org:read and
org.users:add
org.users:remove
org.users.role:update
Allows every read action for user organizations and in addition allows to administer user organizations.
fixed:ldap:admin:read ldap.user:read
ldap.status:read
Allows to read LDAP information and status.
fixed:ldap:admin:edit All permissions from fixed:ldap:admin:read and
ldap.user:sync
Allows every read action for LDAP and in addition allows to administer LDAP.

Default built-in role assignments

Built-in roles Associated roles Descriptions
Grafana Admin fixed:permissions:admin:edit
fixed:permissions:admin:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
fixed:users:admin:edit
fixed:users:admin:read
fixed:users:org:edit
fixed:users:org:read
fixed:ldap:admin:edit
fixed:ldap:admin:read
Allows access to resources which Grafana Server Admin has permissions by default.
Admin fixed:users:org:edit
fixed:users:org:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
Allows access to resource which Admin has permissions by default.