This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Alerting

Set up

Configure RBAC

Manage access using roles

Enterprise Grafana Cloud

Manage access using roles

In Grafana Enterprise and Grafana Cloud, there are Basic, Fixed, and Custom roles.

Basic roles

There are four basic roles: Admin, Editor, Viewer, and No basic role. Each basic role contains a number of fixed roles.

The No basic role allows you to further customize access by assigning fixed roles to users, which you can also modify. You can also create and assign custom roles to a user with No basic role.

Details of the basic roles and the access they provide for Grafana Alerting are below.

Role	Access
Admin	Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning.
Editor	Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning.
Viewer	Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).
No basic role	A blank canvas to assign fixed or custom roles and craft permissions more precisely. For example, if you want to give a user the ability to see alert rules, but not notification settings, add No basic role and then the fixed role Rules reader.

Fixed roles

A fixed role is a group of multiple permissions.

Fixed roles provide users more granular access to create, view, and update Alerting resources than you would have with basic roles alone.

Details of the fixed roles and the access they provide for Grafana Alerting are below.

Fixed role	Permissions	Description
`fixed:alerting.instances:writer`	All permissions from `fixed:alerting.instances:reader` and `alert.instances:create` `alert.instances:write` for organization scope `alert.instances.external:write` for scope `datasources:*`	Create, update and expire all silences.
`fixed:alerting.instances:reader`	`alert.instances:read` for organization scope `alert.instances.external:read` for scope `datasources:*`	Read all alerts and silences.
`fixed:alerting.notifications:writer`	All permissions from `fixed:alerting.notifications:reader` and `alert.notifications:write`for organization scope `alert.notifications.external:read` for scope `datasources:*`	Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.
`fixed:alerting.notifications:reader`	`alert.notifications:read` for organization scope `alert.notifications.external:read` for scope `datasources:*`	Read all Grafana and Alertmanager contact points, templates, and notification policies.
`fixed:alerting.rules:writer`	All permissions from `fixed:alerting.rules:reader` and `alert.rule:create` `alert.rule:write` `alert.rule:delete` `alert.silences:create` `alert.silences:write` for scope `folders:` `alert.rules.external:write` for scope `datasources:`	Create, update, and delete all alert rules and manage rule-specific silences.
`fixed:alerting.rules:reader`	`alert.rule:read`, `alert.silences:read` for scope `folders:` `alert.rules.external:read` for scope `datasources:` `alert.notifications.time-intervals:read` `alert.notifications.receivers:list`	Read all alert rules and read rule-specific silences.
`fixed:alerting:writer`	All permissions from `fixed:alerting.rules:writer` `fixed:alerting.instances:writer` `fixed:alerting.notifications:writer`	Create, update, and delete all alert rules, silences, contact points, templates, mute timings, and notification policies.
`fixed:alerting:reader`	All permissions from `fixed:alerting.rules:reader` `fixed:alerting.instances:reader` `fixed:alerting.notifications:reader`	Read-only permissions for all alert rules, alerts, contact points, and notification policies.
`fixed:alerting.provisioning.secrets:reader`	`alert.provisioning:read` and `alert.provisioning.secrets:read`	Read-only permissions for Provisioning API and let export resources with decrypted secrets.
`fixed:alerting.provisioning:writer`	`alert.provisioning:read` and `alert.provisioning:write`	Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API.
`fixed:alerting.provisioning.status:writer`	`alert.provisioning.provenance:write`	Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles.

Create custom roles

Create custom roles of your own to manage permissions. Custom roles contain unique combinations of permissions, actions and scopes. Create a custom role when basic roles and fixed roles do not meet your permissions requirements.

For more information on creating custom roles, refer to Create custom roles.

Examples

The following examples give you an idea of how you can combine permissions for Grafana Alerting.

A custom role for read access to alert rules that uses data source DS1 and DS2 in folder F:

PUT access-control/roles
{
	"name": "custom:alert_rules_reader",
	"displayName": "Alert rule reader in folder F",
	"description": "Read access to rules in folder F that use DS1 and DS2",
	"permissions": [
    	{
        	"action": "datasources:query",
        	"scope": "datasources:uid:UID_DS1"
    	},
    	{
        	"action": "datasources:query",
        	"scope": "datasources:uid:UID_DS2"
    	},
    	{
        	"action": "alert.rules:read",
        	"scope": "folders:uid:UID_F"
    	},
    	{
        	"action": "folders:read",
        	"scope": "folders:uid:UID_F"
    	}
	]
}

A custom role for write access to alert rules that uses simplified routing:

PUT access-control/roles
{
	"name": "custom:alert_rules_updater",
	"displayName": "Alert rules editor in folder F",
	"description": "Edit access to rules in folder F that use DS1 and DS2",
	"permissions": [
    	{
        	"action": "datasources:query",
        	"scope": "datasources:uid:UID_DS1"
    	},
    	{
        	"action": "datasources:query",
        	"scope": "datasources:uid:UID_DS2"
    	},
    	{
        	"action": "alert.rules:read",
        	"scope": "folders:uid:UID_F"
    	},
    	{
        	"action": "alert.rules:read",
        	"scope": "folders:uid:UID_F"
    	},
    	{
        	"action": "alert.rules:write",
        	"scope": "folders:uid:UID_F"
    	},
    	{
        	"action": "alert.rules:create",
        	"scope": "folders:uid:UID_F"
    	},
    	{
        	"action": "alert.notifications.receivers:list",
    	},
{
        	"action": "alert.notifications.time-intervals:read",
    	},
	]
}

Note
Delete the last two permissions if you aren’t using simplified notification routing.

Assign roles

To assign roles, complete the following steps.

Navigate to Administration > Users and access > Users, Teams, or Service Accounts.
Search for the user, team or service account you want to add a role for.
Select the role you want to assign.