Menu

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Grafana Cloud

RBAC for app plugins

Note

Available in Grafana Cloud.

RBAC can be used to manage access to app plugins. Each app plugin grants the basic Viewer, Editor and Admin organization roles a default set of plugin permissions. You can use RBAC to restrict which app plugins a basic organization role has access to. Some app plugins have fine-grained RBAC support, which allows you to grant additional access to these app plugins to teams and users regardless of their basic organization roles.

Restricting access to app plugins

By default, Viewers, Editors and Admins have access to all App Plugins that their organization role allows them to access. To change this default behavior and prevent a basic organization role from accessing an App plugin, you must update the basic role’s permissions. See an example of preventing Viewers from accessing an app plugin to learn more. To grant access to a limited set of app plugins, you will need plugin IDs. You can find them in plugin.json files or in the URL when you open the app plugin in the Grafana Cloud UI.

Note that unless an app plugin has fine-grained RBAC support, it is not possible to grant access to this app plugin for a user whose organization role does not have access to that app plugin.

Fine-grained access to app plugins

Plugins with fine-grained RBAC support allow you to manage access to plugin features at a more granular level. For instance, you can grant admin access to an app plugin to a user with Viewer organization role. Or restrict the Editor organization role from being able to edit plugin resources.

Please refer to plugin documentation to see what RBAC permissions the plugin has and what default access the plugin grants to Viewer, Editor and Admin organization roles.

The following list contains app plugins that have fine-grained RBAC support.

App pluginApp plugin IDApp plugin permission documentation
Access policiesgrafana-auth-appn/a
Adaptive metricsgrafana-adaptive-metrics-appRBAC actions for Adaptive Metrics
Incidentgrafana-incident-appn/a
OnCallgrafana-oncall-appConfigure RBAC for OnCall
Performance Testing (K6)k6-appConfigure RBAC for K6
Private data source connect (PDC)grafana-pdc-appn/a
Service Level Objective (SLO)grafana-slo-appConfigure RBAC for SLO

Revoke fine-grained access from app plugins

To list all the permissions granted to a basic role, use the HTTP API endpoint to query for the role. Basic role UIDs are listed in RBAC role definitions list. To remove the undesired plugin permissions from a basic role, you must update the basic role’s permissions.

Grant additional access to app plugins

To grant access to app plugins, you can use the predefined fixed plugin roles or create custom roles with specific plugin permissions. To learn about how to assign an RBAC role, refer to the documentation on assigning RBAC roles.