This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Administrationbreadcrumb arrow Roles and permissionsbreadcrumb arrow Folder access control
Enterprise Open source Grafana Cloud

Folder access control

Folders are the primary way to organize and control access to resources in Grafana. When you assign permissions to a folder, those permissions apply to all resources within that folder, including dashboards, alert rules, SLOs, and more.

This page explains how folder permissions work and how to use them effectively to manage access for teams and users.

Before you begin

  • You need Admin permission on a folder to manage its permissions
  • To create folders, you need the Folder Creator role or appropriate organization permissions
  • Folder permissions are available in all Grafana editions (OSS, Enterprise, and Cloud)

Folder limitations

  • Folders can be nested up to 4 levels deep
  • Folder names cannot contain underscores (_) or percent signs (%)
  • The General folder cannot have its permissions modified through RBAC
  • You cannot set permissions on individual dashboards if the user already has folder-level access

How folder permissions work

Folder permissions follow a simple principle: a user’s effective access to a resource is determined by their folder permission level.

When you grant a user or team permission on a folder:

  • The permission applies to the folder itself
  • The permission cascades to all subfolders
  • The permission applies to all resources in those folders (dashboards, alert rules, etc.)

Permission levels

Folders support three permission levels. Each level includes all capabilities of the levels below it.

PermissionFolder capabilitiesResource capabilities
ViewView folder and navigate its contentsView dashboards, read alert rules, read silences, read annotations, read library panels
EditCreate subfolders, modify folder propertiesCreate and edit dashboards, create and write alert rules, create and write silences, create and write annotations, create and manage library panels
AdminDelete folder, manage folder permissionsAll Edit capabilities plus manage dashboard permissions

Detailed action breakdown

View permission grants:

  • folders:read - View the folder in navigation
  • dashboards:read - View dashboards in the folder
  • alert.rules:read - View alert rules in the folder
  • alert.silences:read - View alert silences
  • annotations:read - View annotations
  • library.panels:read - View library panels

Edit permission grants (in addition to View):

  • folders:write - Modify folder name and properties
  • folders:create - Create subfolders
  • dashboards:create - Create new dashboards
  • dashboards:write - Edit existing dashboards
  • dashboards:delete - Delete dashboards
  • alert.rules:create - Create new alert rules
  • alert.rules:write - Edit alert rules
  • alert.rules:delete - Delete alert rules
  • alert.silences:create - Create silences
  • alert.silences:write - Edit silences
  • annotations:create - Create annotations
  • annotations:write - Edit annotations
  • annotations:delete - Delete annotations
  • library.panels:create - Create library panels
  • library.panels:write - Edit library panels
  • library.panels:delete - Delete library panels

Admin permission grants (in addition to Edit):

  • folders:delete - Delete the folder
  • folders.permissions:read - View folder permissions
  • folders.permissions:write - Modify folder permissions
  • dashboards.permissions:read - View dashboard permissions
  • dashboards.permissions:write - Modify dashboard permissions

Permission inheritance

Permissions cascade from parent folders to child folders. A user with Edit permission on a parent folder automatically has Edit permission on all subfolders.

Production/                    # User has Edit permission here
├── Team A Dashboards/         # User inherits Edit permission
│   └── Service Metrics/       # User inherits Edit permission
└── Team B Dashboards/         # User inherits Edit permission

Note

You cannot grant a user lower permissions on a subfolder than they have on a parent folder. Permission inheritance always flows downward.

Resources that use folder permissions

The following resources are stored in folders and respect folder permissions:

ResourceHow folder permissions apply
DashboardsView/Edit/Admin directly controlled by folder permission
SubfoldersInherit parent folder permissions, can add additional permissions
Alert rulesView/Edit controlled by folder permission
Alert silencesView/Create/Edit controlled by folder permission
Library panelsView/Create/Edit/Delete controlled by folder permission
SLOsFolder permission + SLO role determines effective access (refer to Plugin permissions)
AnnotationsStored on dashboards; inherit permissions from the dashboard’s parent folder

Plugin permissions

Some Grafana Cloud plugins use a two-layer permission model where effective access is determined by both folder permissions and a plugin-specific role:

Effective plugin access = minimum(folder permission, plugin role)

For example, with SLOs:

  • A user with folder Edit permission and SLO Writer role can create and edit SLOs in that folder
  • A user with folder View permission and SLO Writer role can only view SLOs (limited by folder)
  • A user with folder Edit permission and SLO Reader role can only view SLOs (limited by plugin role)

For more information, refer to SLO access control.

Manage folder permissions

Folders are accessed through the Dashboards section in Grafana. You can manage permissions from the folder’s context menu or from within the folder view.

View current permissions

  1. In the left navigation, click Dashboards.
  2. Navigate to the folder you want to inspect.
  3. Click the folder name to open it, or click the menu next to the folder.
  4. Select Manage permissions.

The permissions dialog shows all users, teams, and roles with access to this folder.

Add a permission

  1. Open the folder’s Manage permissions dialog.
  2. Click Add a permission.
  3. Select who to grant access to:
    • User - A specific user account
    • Team - All members of a team
    • Role - Users with a specific organization role (Viewer, Editor, Admin)
  4. Select the permission level (View, Edit, or Admin).
  5. Click Save.

Change a permission

  1. Open the folder’s Manage permissions dialog.
  2. Find the user, team, or role in the list.
  3. Use the permission dropdown to select a new level.
  4. The change saves automatically.

Remove a permission

  1. Open the folder’s Manage permissions dialog.
  2. Find the user, team, or role in the list.
  3. Click the × button to remove their access.
  4. Confirm the removal.

Warning

Removing a permission removes access to the folder and all its contents. The user or team will no longer see dashboards, alert rules, or other resources in that folder.

Design your folder structure to manage permissions

A well-designed folder structure makes permission management simpler. The recommended pattern is to create top-level folders for each team, with subfolders for organizing content:

SRE Team/                      # SRE team has Admin
├── Production Monitoring/     # Inherited Admin
├── On-Call Dashboards/        # Inherited Admin
└── Runbooks/                  # Inherited Admin

Platform Team/                 # Platform team has Admin
├── Infrastructure/            # Inherited Admin
└── Cost Tracking/             # Inherited Admin

Shared/                        # Everyone has View, specific teams have Edit
├── Company KPIs/              # Marketing team has Edit
└── Executive Dashboards/      # Leadership has View

This pattern provides:

  • Team ownership: Each team manages their own folder and contents
  • Clear boundaries: Resources are organized by responsibility
  • Collaboration: Shared folders enable cross-team visibility

For detailed guidance on folder organization patterns, including automation with Terraform and SCIM provisioning, refer to: