---
title: "Configure team LBAC for data sources for Tempo | Grafana documentation"
description: "Use label-based access control (LBAC) to restrict Cloud Traces data by team and attribute rules."
---

> For a curated documentation index, see [llms.txt](/llms.txt). For the complete documentation index, see [llms-full.txt](/llms-full.txt).

# Configure team label-based access control for Tempo or Cloud Traces

> Note
> 
> Label-based access control for traces is currently in [public preview](/docs/release-life-cycle/). Grafana Labs offers limited support, and breaking changes might occur prior to the feature being made generally available.

Team label-based access control (LBAC) for Cloud Traces or Tempo lets you restrict which spans teams can access by defining rules using trace attributes. LBAC provides fine-grained, team-based access control within a single tenant and mirrors the experience used for logs and metrics LBAC in Grafana Cloud.

> Note
> 
> Unlike logs and metrics, which also support data source-level LBAC through cloud access policies, traces LBAC is currently available only at the team level.

Grafana uses the term LBAC as an umbrella term for label-based access control for all data sources. Traces use **attributes**, not labels, for access control, but the Grafana UI surfaces this functionality as LBAC for consistency.

This feature only applies to Grafana Cloud Traces, specifically, the Cloud-provisioned tracing data source.

## How LBAC works

When a user queries tracing data source, Grafana evaluates the user’s team memberships and the LBAC rules assigned to those teams. These rules are added to the request so the Cloud Traces data source returns only permitted spans or attributes.

LBAC rules use **attribute selectors**, such as:

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
{ resource.service.name="checkout", resource.env="prod" }
```

Multiple conditions in the same rule use **AND** (`,`), while multiple rules across teams use **OR**.

## Before you begin

- Be sure that you have the permission setup to create a Tempo or Cloud Traces tenant in Grafana Cloud.
- Be sure that you have administrator permissions for Grafana.
- Be sure that you have a team setup in Grafana.

### Known limitations

- LBAC for traces is available only at the team level. Data source-level LBAC rules (configured through cloud access policies) aren’t currently supported for traces. This differs from logs and metrics LBAC, which supports both team-level and data source-level rules.
- Autocomplete in search is still under development.
- LBAC is restricted to only contain resource scope attributes.
- There is a slight performance degradation for users with multiple rules.

## Configure team LBAC for traces

Follow this workflow when adding a new data source. The data source must be hosted by Grafana and not self-managed.

01. Start your Grafana Cloud instance.
02. Access Tempo or Cloud Traces data sources details for your stack.
03. Copy Tempo or Cloud Traces details and create a Cloud Access Policy.
    
    - Copy the [details of your Tempo or Cloud Traces setup](/docs/grafana-cloud/send-data/traces/set-up/locate-url-user-password/).
04. In Grafana Cloud, navigate to **Administration &gt; Users and access &gt; Cloud Access Policies**.
    
    - Create an access policy for the Tempo or Cloud Traces data source.
    - Ensure the access policy includes `traces:read` permissions.
    - Ensure the access policy doesn’t include `labels` rules. Data source-level LBAC isn’t supported for traces, so any `labels` rules in the access policy are ignored.
05. In Grafana, select Tempo or Cloud Traces or create new data source.
06. Navigate back to the Tempo or Cloud Traces data source.
    
    - Set up the Tempo or Cloud Traces data source using basic authentication. Use the [userID/tenantID](/docs/grafana-cloud/send-data/traces/set-up/locate-url-user-password/) as the username. Use the token from your access policy as the password.
    - Select **Save and connect**.
07. Go to the **Permissions** tab of the newly created Tempo or Cloud Traces data source. Here, you find the LBAC for data sources rules section.
08. Choose a team from the **Team** dropdown.
09. Enter attribute selectors such as:
    
    ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy
    
    ```none
    { resource.service.name="checkout", resource.env="prod" }
    ```
    
    Refer to the Examples section below for more examples.
10. Select **Save**.

### Examples of LBAC rules

An LBAC rule is a `logql` query that filters logs or metrics based on labels. LBAC rules for traces also use some TraceQL syntax for attribute selection. Each rule operates independently as its own filter, separate from other rules within a team.

LBAC rules guidelines:

- Use only resource scope attributes, for example `{ resource.env="prod" }`.
- Only string values are supported.
- Use double quotes for string values, for example: `{ resource.env="prod" }`.
- You can use regular expressions matching with `=~` operator, for example: `{ resource.team =~ "team-a|team-b" }`.
- You can have up to two conditions in the same rule using a comma (`,`) as an `AND` operator, for example: `{ resource.env="prod", resource.team="frontend" }`.

Refer to [Create LBAC for data sources rules for a supported data source](/docs/grafana/next/administration/data-source-management/teamlbac/create-teamlbac-rules/) for more information.

#### Single rule

Limit users to only see spans from the `payments` API.

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
{ resource.service.name="payments-api" }
```

This example matches spans with team A **or** team B. This single example is faster than using multiple rules with the same label.

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
{ resource.team =~ "team-a|team-b" }
```

#### Multiple rules

Two rules combined to give user access to spans from `prod` environment or the `billing` team.

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
{ resource.env="prod" }
{ resource.team="billing" }
```

This example gives users access to spans from the `frontend` team in the `prod` environment or the `checkout` team but doesn’t enforce additional conditions. The comma (`,`) acts as an `AND` operator within the same rule.

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
{ resource.env="prod", resource.team="frontend" }
{ resource.team="checkout" }
```

#### User on multiple teams

Users on multiple teams receive access based on all combined LBAC rules assigned to each team.

Team A → `{ resource.cluster="us-east-1" }` Team B → `{ resource.service.name="frontend" }`

## How LBAC affects returned data

Cloud Traces supports three redaction modes that control how unauthorized spans are handled in trace by ID search responses. The active mode is configured per tenant. To change the mode for your organization, contact Grafana Support.

### Attributes mode (default)

Non-matching spans are included in the response but have their attributes and intrinsics redacted. Only the following minimal fields remain visible on redacted spans:

- `traceId`, `spanId`, `parentId`
- `name`, `kind`
- `timestamps`
- `status`

You can extend the set of always-visible fields by configuring `allowed_attributes`, which sets a list of scoped attributes and intrinsics that are never redacted, For example, you can set `span:name`, `resource.service.name`, `event:name`, or `scope.version` so they are never redacted, even from non-matching spans. Contact Grafana Support to configure `allowed_attributes` for your organization.

### Spans mode

Non-matching spans are removed from the response entirely. This can result in broken traces where a returned span has no matching parent, creating gaps in the span tree.

### Error mode

If any span in a requested trace does not match the LBAC policy, the entire request returns a 404 error. This is the strictest mode and is suited for environments where partial trace visibility is not acceptable.

For Search, metrics, and autocomplete endpoints, only spans matching the LBAC rules appear regardless of the configured redaction mode.

## Manage LBAC rules

To edit an existing LBAC rule, follow these steps:

1. Open your stack and select your **Tempo** or **Cloud Traces** data source.
2. Select **Permissions**.
3. Scroll to **Data access**.
4. Select the rule you want to edit and click the Pencil (Edit) icon.
5. Modify **Attribute filters**.
6. Select **Save**.

To delete an existing LBAC rule, follow these steps:

Open your stack and select your **Tempo** or **Cloud Traces** data source.

1. Select **Permissions**.
2. Scroll to **Data access**.
3. Select the rule you want to edit.
4. Select the **X** (Delete) icon.
5. Confirm deletion.
