This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Administrationbreadcrumb arrow Roles and permissionsbreadcrumb arrow Role-based access control (RBAC)breadcrumb arrow RBAC for app plugins
Grafana Cloud Enterprise

RBAC for app plugins

Note

Available in Grafana Enterprise and Grafana Cloud.

RBAC can be used to manage access to app plugins. Each app plugin grants the basic Viewer, Editor and Admin organization roles a default set of plugin permissions. You can use RBAC to restrict which app plugins a basic organization role has access to. Some app plugins have fine-grained RBAC support, which allows you to grant additional access to these app plugins to teams and users regardless of their basic organization roles.

Restricting access to app plugins

By default, Viewers, Editors and Admins have access to all App Plugins that their organization role allows them to access. To change this default behavior and prevent a basic organization role from accessing an App plugin, you must update the basic role’s permissions. See an example of preventing Viewers from accessing an app plugin to learn more. To grant access to a limited set of app plugins, you will need plugin IDs. You can find them in plugin.json files or in the URL when you open the app plugin in the Grafana Cloud UI.

Note that unless an app plugin has fine-grained RBAC support, it is not possible to grant access to this app plugin for a user whose organization role does not have access to that app plugin.

Fine-grained access to app plugins

Plugins with fine-grained RBAC support allow you to manage access to plugin features at a more granular level. For instance, you can grant admin access to an app plugin to a user with Viewer organization role. Or restrict the Editor organization role from being able to edit plugin resources.

For a centralized reference of all Grafana Cloud app plugin roles, default permissions by basic role, and available plugin roles, refer to Grafana Cloud app plugin role definitions. Some plugins also have dedicated RBAC documentation with additional context and use cases, linked in the table below.

The following table lists app plugins that have fine-grained RBAC support:

App pluginApp plugin IDApp plugin permission documentation
Access policiesgrafana-auth-appPlugin role definitions
Adaptive Logsgrafana-adaptivelogs-appPlugin role definitions
Adaptive Metricsgrafana-adaptive-metrics-appPlugin role definitions
Adaptive Tracesgrafana-adaptivetraces-appPlugin role definitions
Application Observabilitygrafana-app-observability-appPlugin role definitions
Attributionsgrafana-attributions-appPlugin role definitions
Cloud Providergrafana-csp-appCloud Provider Observability role-based access control
Collectorgrafana-collector-appPlugin role definitions
Cost Management and Billinggrafana-cmab-appPlugin role definitions
Frontend Observabilitygrafana-kowalski-appPlugin role definitions
Grafana Assistantgrafana-assistant-appPlugin role definitions
Incidentgrafana-incident-appPlugin role definitions
Integrations and Connectionsgrafana-easystart-appPlugin role definitions
IRMgrafana-irm-appPlugin role definitions
IRM Labelsgrafana-labels-appPlugin role definitions
Knowledge Graphgrafana-asserts-appPlugin role definitions
Kubernetes Monitoringgrafana-k8s-appKubernetes Monitoring role-based access control
Machine Learninggrafana-ml-appPlugin role definitions
OnCallgrafana-oncall-appConfigure RBAC for OnCall
Performance Testing (k6)k6-appConfigure RBAC for k6
Private data source connect (PDC)grafana-pdc-appPlugin role definitions
Service Level Objective (SLO)grafana-slo-appConfigure RBAC for SLO
Synthetic Monitoringgrafana-synthetic-monitoring-appConfigure RBAC for Synthetic Monitoring

Revoke fine-grained access from app plugins

To list all the permissions granted to a basic role, use the HTTP API endpoint to query for the role. Basic role UIDs are listed in RBAC role definitions list. To remove the undesired plugin permissions from a basic role, you must update the basic role’s permissions.

Grant additional access to app plugins

To grant access to app plugins, you can use the predefined fixed plugin roles or create custom roles with specific plugin permissions. To learn about how to assign an RBAC role, refer to the documentation on assigning RBAC roles.