Menu

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

DocumentationGrafana documentationAdministrationRoles and permissionsRole-based access control (RBAC)Troubleshooting RBAC
Grafana Cloud Enterprise

Troubleshooting RBAC

In this section, you’ll learn about logs that are available for RBAC and you’ll find the most common RBAC issues.

Enable debug logging

You can enable debug log messages for RBAC in the Grafana configuration file. Debug logs are added to the Grafana server logs.

bash 
[log]
filters = accesscontrol:debug accesscontrol.evaluator:debug dashboard.permissions:debug

Enable audit logging

Note

Available in Grafana Enterprise version 7.3 and later, and Grafana Cloud.

You can enable auditing in the Grafana configuration file.

bash 
[auditing]
enabled = true

All permission and role updates, and role assignments are added to audit logs. Learn more about access control audit logs.

Missing dashboard, folder or data source permissions

Dashboard and folder permissions and data source permissions can go out of sync if a Grafana instance version is upgraded, downgraded and then upgraded again. This happens when an instance is downgraded from a version that uses RBAC to a version that uses the legacy access control, and dashboard, folder or data source permissions are updated. These permission updates will not be applied to RBAC, so permissions will be out of sync when the instance is next upgraded to a version with RBAC.

Note

the steps provided below will set all dashboard, folder and data source permissions to what they are set to with the legacy access control. If you have made dashboard, folder or data source permission updates with RBAC enabled, these updates will be wiped.

To resynchronize the permissions:

  1. make a backup of your database
  2. run the following SQL queries
    sql 
    DELETE
FROM builtin_role
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM team_role
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM user_role
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM permission
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM role
WHERE name LIKE 'managed:%';
DELETE
FROM migration_log
WHERE migration_id IN ('teams permissions migration',
                       'dashboard permissions',
                       'dashboard permissions uid scopes',
                       'data source permissions',
                       'data source uid permissions',
                       'managed permissions migration',
                       'managed folder permissions alert actions repeated migration',
                       'managed permissions migration enterprise');
  3. restart your Grafana instance