This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.
Configure team label-based access control for Tempo or Cloud Traces
Note
Label-based access control for traces is currently in public preview. Grafana Labs offers limited support, and breaking changes might occur prior to the feature being made generally available.
Team label-based access control (LBAC) for Cloud Traces or Tempo lets you restrict which spans teams can access by defining rules using trace attributes. LBAC provides fine-grained, team-based access control within a single tenant and mirrors the experience used for logs and metrics LBAC in Grafana Cloud.
Note
Unlike logs and metrics, which also support data source-level LBAC through cloud access policies, traces LBAC is currently available only at the team level.
Grafana uses the term LBAC as an umbrella term for label-based access control for all data sources. Traces use attributes, not labels, for access control, but the Grafana UI surfaces this functionality as LBAC for consistency.
This feature only applies to Grafana Cloud Traces, specifically, the Cloud-provisioned tracing data source.
How LBAC works
When a user queries tracing data source, Grafana evaluates the user’s team memberships and the LBAC rules assigned to those teams. These rules are added to the request so the Cloud Traces data source returns only permitted spans or attributes.
LBAC rules use attribute selectors, such as:
{ resource.service.name="checkout", resource.env="prod" }Multiple conditions in the same rule use AND (,), while multiple rules across teams use OR.
Before you begin
- Be sure that you have the permission setup to create a Tempo or Cloud Traces tenant in Grafana Cloud.
- Be sure that you have administrator permissions for Grafana.
- Be sure that you have a team setup in Grafana.
Known limitations
- LBAC for traces is available only at the team level. Data source-level LBAC rules (configured through cloud access policies) aren’t currently supported for traces. This differs from logs and metrics LBAC, which supports both team-level and data source-level rules.
- Autocomplete in search is still under development.
- LBAC is restricted to only contain resource scope attributes.
- There is a slight performance degradation for users with multiple rules.
Configure team LBAC for traces
Follow this workflow when adding a new data source. The data source must be hosted by Grafana and not self-managed.
Start your Grafana Cloud instance.
Access Tempo or Cloud Traces data sources details for your stack.
Copy Tempo or Cloud Traces details and create a Cloud Access Policy.
In Grafana Cloud, navigate to Administration > Users and access > Cloud Access Policies.
- Create an access policy for the Tempo or Cloud Traces data source.
- Ensure the access policy includes
traces:readpermissions. - Ensure the access policy doesn’t include
labelsrules. Data source-level LBAC isn’t supported for traces, so anylabelsrules in the access policy are ignored.
In Grafana, select Tempo or Cloud Traces or create new data source.
Navigate back to the Tempo or Cloud Traces data source.
- Set up the Tempo or Cloud Traces data source using basic authentication. Use the userID/tenantID as the username. Use the token from your access policy as the password.
- Select Save and connect.
Go to the Permissions tab of the newly created Tempo or Cloud Traces data source. Here, you find the LBAC for data sources rules section.
Choose a team from the Team dropdown.
Enter attribute selectors such as:
{ resource.service.name="checkout", resource.env="prod" }Refer to the Examples section below for more examples.
Select Save.
Examples of LBAC rules
An LBAC rule is a logql query that filters logs or metrics based on labels.
LBAC rules for traces also use some TraceQL syntax for attribute selection.
Each rule operates independently as its own filter, separate from other rules within a team.
LBAC rules guidelines:
- Use only resource scope attributes, for example
{ resource.env="prod" }. - Only string values are supported.
- Use double quotes for string values, for example:
{ resource.env="prod" }. - You can use regular expressions matching with
=~operator, for example:{ resource.team =~ "team-a|team-b" }. - You can have up to two conditions in the same rule using a comma (
,) as anANDoperator, for example:{ resource.env="prod", resource.team="frontend" }.
Refer to Create LBAC for data sources rules for a supported data source for more information.
Single rule
Limit users to only see spans from the payments API.
{ resource.service.name="payments-api" }This example matches spans with team A or team B. This single example is faster than using multiple rules with the same label.
{ resource.team =~ "team-a|team-b" }Multiple rules
Two rules combined to give user access to spans from prod environment or the billing team.
{ resource.env="prod" }
{ resource.team="billing" }This example gives users access to spans from the frontend team in the prod environment or the checkout team but doesn’t enforce additional conditions. The comma (,) acts as an AND operator within the same rule.
{ resource.env="prod", resource.team="frontend" }
{ resource.team="checkout" }User on multiple teams
Users on multiple teams receive access based on all combined LBAC rules assigned to each team.
Team A → { resource.cluster="us-east-1" }
Team B → { resource.service.name="frontend" }
How LBAC affects returned data
Cloud Traces supports three redaction modes that control how unauthorized spans are handled in trace by ID search responses. The active mode is configured per tenant. To change the mode for your organization, contact Grafana Support.
Attributes mode (default)
Non-matching spans are included in the response but have their attributes and intrinsics redacted. Only the following minimal fields remain visible on redacted spans:
traceId,spanId,parentIdname,kindtimestampsstatus
You can extend the set of always-visible fields by configuring allowed_attributes, which sets a list of scoped attributes and intrinsics that are never redacted, For example, you can set span:name, resource.service.name, event:name, or scope.version so they are never redacted, even from non-matching spans. Contact Grafana Support to configure allowed_attributes for your organization.
Spans mode
Non-matching spans are removed from the response entirely. This can result in broken traces where a returned span has no matching parent, creating gaps in the span tree.
Error mode
If any span in a requested trace does not match the LBAC policy, the entire request returns a 404 error. This is the strictest mode and is suited for environments where partial trace visibility is not acceptable.
For Search, metrics, and autocomplete endpoints, only spans matching the LBAC rules appear regardless of the configured redaction mode.
Manage LBAC rules
To edit an existing LBAC rule, follow these steps:
- Open your stack and select your Tempo or Cloud Traces data source.
- Select Permissions.
- Scroll to Data access.
- Select the rule you want to edit and click the Pencil (Edit) icon.
- Modify Attribute filters.
- Select Save.
To delete an existing LBAC rule, follow these steps:
Open your stack and select your Tempo or Cloud Traces data source.
- Select Permissions.
- Scroll to Data access.
- Select the rule you want to edit.
- Select the X (Delete) icon.
- Confirm deletion.


