This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.

Enterprise Open source

MCP tools reference

Use the table to confirm minimum Grafana RBAC permissions and scopes for each MCP tool. The sections after the table summarize RBAC patterns, optional categories, and a few operational notes.

Note

The tool list and behavior reflect the current server release. This page is not a roadmap or a commitment to future features.

What you’ll achieve

You can verify that a service account has the right permissions before you enable tools in production, and you can apply common scope patterns without rereading Grafana’s RBAC docs.

Before you begin

  • Grafana 9.0 or later for full API support.
  • Optional: a service account whose permissions match the tools you enable.

Review the tools table

The following table lists MCP tools, required RBAC permissions, and typical scopes. Categories marked with * are off until you add them to --enabled-tools (refer to Command-line flags). The table does not include proxied tools from external MCP servers (for example Grafana Tempo).

| Tool | Category | Description | Required RBAC Permissions | Required Scopes |
|---|---|---|---|---|
| list_teams | Admin* | List all teams | teams:read | teams:* or teams:id:1 |
| list_users_by_org | Admin* | List all users in an organization | users:read | global.users:* or global.users:id:123 |
| list_all_roles | Admin* | List all Grafana roles | roles:read | roles:* |
| get_role_details | Admin* | Get details for a Grafana role | roles:read | roles:uid:editor |
| get_role_assignments | Admin* | List assignments for a role | roles:read | roles:uid:editor |
| list_user_roles | Admin* | List roles for users | roles:read | global.users:id:123 |
| list_team_roles | Admin* | List roles for teams | roles:read | teams:id:7 |
| get_resource_permissions | Admin* | List permissions for a resource | permissions:read | dashboards:uid:abcd1234 |
| get_resource_description | Admin* | Describe a Grafana resource type | permissions:read | dashboards:* |
| search_dashboards | Search | Search for dashboards | dashboards:read | dashboards:* or dashboards:uid:abc123 |
| search_folders | Search | Search for folders by query string | folders:read | folders:* or folders:uid:xyz789 |
| get_dashboard_by_uid | Dashboard | Get a dashboard by uid | dashboards:read | dashboards:uid:abc123 |
| update_dashboard | Dashboard | Update or create a new dashboard | dashboards:create, dashboards:write | dashboards:*, folders:* or folders:uid:xyz789 |
| get_dashboard_panel_queries | Dashboard | Get panel title, queries, datasource UID and type from a dashboard | dashboards:read | dashboards:uid:abc123 |
| run_panel_query | RunPanelQuery* | Execute one or more dashboard panel queries | dashboards:read, datasources:query | dashboards:uid:*, datasources:uid:* |
| get_dashboard_property | Dashboard | Extract specific parts of a dashboard using JSONPath expressions | dashboards:read | dashboards:uid:abc123 |
| get_dashboard_summary | Dashboard | Get a compact summary of a dashboard without full JSON | dashboards:read | dashboards:uid:abc123 |
| create_folder | Folder | Create a Grafana folder with a title and optional UID | folders:create | folders:* |
| list_datasources | Datasources | List datasources | datasources:read | datasources:* |
| get_datasource | Datasources | Get a datasource by UID or name | datasources:read | datasources:uid:prometheus-uid |
| get_query_examples | Examples* | Get example queries for a datasource type | datasources:read | datasources:* |
| query_prometheus | Prometheus | Execute a query against a Prometheus datasource | datasources:query | datasources:uid:prometheus-uid |
| list_prometheus_metric_metadata | Prometheus | List metric metadata | datasources:query | datasources:uid:prometheus-uid |
| list_prometheus_metric_names | Prometheus | List available metric names | datasources:query | datasources:uid:prometheus-uid |
| list_prometheus_label_names | Prometheus | List label names matching a selector | datasources:query | datasources:uid:prometheus-uid |
| list_prometheus_label_values | Prometheus | List values for a specific label | datasources:query | datasources:uid:prometheus-uid |
| query_prometheus_histogram | Prometheus | Calculate histogram percentile values | datasources:query | datasources:uid:prometheus-uid |
| list_incidents | Incident | List incidents in Grafana Incident | Viewer role | N/A |
| create_incident | Incident | Create an incident in Grafana Incident | Editor role | N/A |
| add_activity_to_incident | Incident | Add an activity item to an incident in Grafana Incident | Editor role | N/A |
| get_incident | Incident | Get a single incident by ID | Viewer role | N/A |
| query_loki_logs | Loki | Query and retrieve logs using LogQL (either log or metric queries) | datasources:query | datasources:uid:loki-uid |
| list_loki_label_names | Loki | List all available label names in logs | datasources:query | datasources:uid:loki-uid |
| list_loki_label_values | Loki | List values for a specific log label | datasources:query | datasources:uid:loki-uid |
| query_loki_stats | Loki | Get statistics about log streams | datasources:query | datasources:uid:loki-uid |
| query_loki_patterns | Loki | Query detected log patterns to identify common structures | datasources:query | datasources:uid:loki-uid |
| list_clickhouse_tables | ClickHouse* | List tables in a ClickHouse database | datasources:query | datasources:uid:* |
| describe_clickhouse_table | ClickHouse* | Get table schema with column types | datasources:query | datasources:uid:* |
| query_clickhouse | ClickHouse* | Execute SQL queries with macro substitution | datasources:query | datasources:uid:* |
| list_cloudwatch_namespaces | CloudWatch* | List available AWS CloudWatch namespaces | datasources:query | datasources:uid:* |
| list_cloudwatch_metrics | CloudWatch* | List metrics in a namespace | datasources:query | datasources:uid:* |
| list_cloudwatch_dimensions | CloudWatch* | List dimensions for a metric | datasources:query | datasources:uid:* |
| query_cloudwatch | CloudWatch* | Execute CloudWatch metric queries | datasources:query | datasources:uid:* |
| search_logs | SearchLogs* | Search logs across ClickHouse and Loki | datasources:query | datasources:uid:* |
| query_elasticsearch | Elasticsearch* | Query Elasticsearch using Lucene syntax or Query DSL | datasources:query | datasources:uid:elasticsearch-uid |
| alerting_manage_rules | Alerting | Manage alert rules (list, get, versions, create, update, delete) | alert.rules:read + alert.rules:write for mutations | folders:* or folders:uid:alerts-folder |
| alerting_manage_routing | Alerting | Manage notification policies, contact points, and time intervals | alert.notifications:read | Global scope |
| list_oncall_schedules | OnCall | List schedules from Grafana OnCall | grafana-oncall-app.schedules:read | Plugin-specific scopes |
| get_oncall_shift | OnCall | Get details for a specific OnCall shift | grafana-oncall-app.schedules:read | Plugin-specific scopes |
| get_current_oncall_users | OnCall | Get users currently on-call for a specific schedule | grafana-oncall-app.schedules:read | Plugin-specific scopes |
| list_oncall_teams | OnCall | List teams from Grafana OnCall | grafana-oncall-app.user-settings:read | Plugin-specific scopes |
| list_oncall_users | OnCall | List users from Grafana OnCall | grafana-oncall-app.user-settings:read | Plugin-specific scopes |
| list_alert_groups | OnCall | List alert groups from Grafana OnCall with filtering options | grafana-oncall-app.alert-groups:read | Plugin-specific scopes |
| get_alert_group | OnCall | Get a specific alert group from Grafana OnCall by its ID | grafana-oncall-app.alert-groups:read | Plugin-specific scopes |
| get_sift_investigation | Sift | Retrieve an existing Sift investigation by its UUID | Viewer role | N/A |
| get_sift_analysis | Sift | Retrieve a specific analysis from a Sift investigation | Viewer role | N/A |
| list_sift_investigations | Sift | Retrieve a list of Sift investigations with an optional limit | Viewer role | N/A |
| find_error_pattern_logs | Sift | Finds elevated error patterns in Loki logs. | Editor role | N/A |
| find_slow_requests | Sift | Finds slow requests from the relevant tempo datasources. | Editor role | N/A |
| list_pyroscope_label_names | Pyroscope | List label names matching a selector | datasources:query | datasources:uid:pyroscope-uid |
| list_pyroscope_label_values | Pyroscope | List label values matching a selector for a label name | datasources:query | datasources:uid:pyroscope-uid |
| list_pyroscope_profile_types | Pyroscope | List available profile types | datasources:query | datasources:uid:pyroscope-uid |
| fetch_pyroscope_profile | Pyroscope | Fetches a profile in DOT format for analysis | datasources:query | datasources:uid:pyroscope-uid |
| get_assertions | Asserts | Get assertion summary for a given entity | Plugin-specific permissions | Plugin-specific scopes |
| generate_deeplink | Navigation | Generate accurate deeplink URLs for Grafana resources | None (read-only URL generation) | N/A |
| get_annotations | Annotations | Fetch annotations with filters | annotations:read | annotations:* or annotations:id:123 |
| create_annotation | Annotations | Create a new annotation (standard or Graphite format) | annotations:write | annotations:* |
| update_annotation | Annotations | Update specific fields of an annotation (partial update) | annotations:write | annotations:* |
| get_annotation_tags | Annotations | List annotation tags with optional filtering | annotations:read | annotations:* |
| get_panel_image | Rendering | Render a dashboard panel or full dashboard as a PNG image | dashboards:read | dashboards:uid:abc123 |

* Categories marked with * are off until you add them to --enabled-tools.

Dashboard tools and context window

update_dashboard supports full JSON replacement and patch-style updates (uid plus operations). Prefer patches for small changes so you do not send large dashboard JSON to the model.

To limit context use when working with dashboards (issue #101):

  • Use get_dashboard_summary for an overview before edits.
  • Use get_dashboard_property with JSONPath when you only need part of a dashboard.
  • Avoid get_dashboard_by_uid unless you need the full dashboard JSON.

RBAC permissions

Each tool requires specific RBAC permissions. When you create a service account for the MCP server, grant the minimum actions for the tools you enable. You often need matching scopes as well (for example datasources:*, dashboards:*, folders:*).

Tip: If you want a faster setup instead of tuning many scopes, assign a built-in role such as Editor to the service account. Editor grants broad read and write access for most MCP operations; it is less granular than least privilege.

Grafana Incident and Sift tools use basic Grafana roles instead of fine-grained RBAC permissions:

  • Viewer: read-only operations (for example list incidents, get investigations).
  • Editor: write operations (for example create incidents, run analyses that modify state).

Refer to Grafana RBAC for full detail.

RBAC scopes

Scopes define which resources a permission applies to. You need the right permission and scope together.

Broad access (organization-wide) often uses * wildcards:

  • datasources:*
  • dashboards:*
  • folders:*
  • teams:*

Limited access uses specific UIDs or IDs:

  • datasources:uid:prometheus-uid
  • dashboards:uid:abc123
  • folders:uid:xyz789
  • teams:id:5
  • global.users:id:123

Examples:

Full MCP access (typical broad grants):

datasources:* (datasources:read, datasources:query)
dashboards:* (dashboards:read, dashboards:create, dashboards:write)
folders:* (for dashboard creation and alert rules)
teams:* (teams:read)
global.users:* (users:read)

Limited datasource access (only specific Prometheus and Loki instances):

datasources:uid:prometheus-prod (datasources:query)
datasources:uid:loki-prod (datasources:query)

Dashboard-only read access:

dashboards:uid:monitoring-dashboard (dashboards:read)
dashboards:uid:alerts-dashboard (dashboards:read)
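
A pre-flight check for the permission and scope pairing described above, as an added example that is not code from Grafana or the MCP server: it compares a service account's action-to-scopes grants with what the enabled tools need, and lists granted actions that no enabled tool uses. The REQUIRED rows are copied from the tools table with this page's sample UIDs, GRANTED is constructed sample data, and the trailing-* prefix match is a simplified model of scope wildcards (an assumption).

```python
"""Pre-flight RBAC check for an MCP service account (added example)."""

# Tool -> [(action, scope)] pairs, taken from the tools table on this page.
# The UIDs are the page's own sample values, not real resources.
REQUIRED = {
    "query_prometheus": [("datasources:query", "datasources:uid:prometheus-prod")],
    "query_loki_logs": [("datasources:query", "datasources:uid:loki-prod")],
    "get_dashboard_by_uid": [("dashboards:read", "dashboards:uid:monitoring-dashboard")],
    "run_panel_query": [("dashboards:read", "dashboards:uid:*"),
                        ("datasources:query", "datasources:uid:*")],
    "list_teams": [("teams:read", "teams:*")],
}

# Constructed sample: action -> scopes granted to the service account.
GRANTED = {
    "datasources:query": ["datasources:uid:prometheus-prod"],
    "dashboards:read": ["dashboards:*"],
    "dashboards:write": ["dashboards:*"],
}


def scope_covers(granted: str, required: str) -> bool:
    """Simplified model (assumption): exact match, or a trailing-* prefix grant."""
    if granted == required:
        return True
    return granted.endswith("*") and required.startswith(granted[:-1])


def missing_grants(tools, granted):
    """Return (tool, action, scope) triples the account cannot satisfy."""
    gaps = []
    for tool in tools:
        for action, scope in REQUIRED[tool]:
            if not any(scope_covers(g, scope) for g in granted.get(action, [])):
                gaps.append((tool, action, scope))
    return gaps


def excess_actions(tools, granted):
    """Return granted actions that no enabled tool needs."""
    needed = {action for tool in tools for action, _ in REQUIRED[tool]}
    return sorted(set(granted) - needed)


if __name__ == "__main__":
    enabled = ["query_prometheus", "query_loki_logs", "get_dashboard_by_uid"]
    for tool, action, scope in missing_grants(enabled, GRANTED):
        print(f"MISSING  {tool}: {action} on {scope}")
    for action in excess_actions(enabled, GRANTED):
        print(f"EXCESS   {action} is granted but unused by the enabled tools")
```

A narrow grant such as teams:id:5 does not satisfy a tool whose row requires teams:*, so the check reports it as missing rather than partially covered.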

Enable or disable tools

You can limit which tools the server exposes with --enabled-tools, --disable-<category>, and --disable-write. Refer to Enable and disable tools and Command-line flags.

Panel and dashboard images

get_panel_image needs the Grafana Image Renderer service installed and configured in Grafana.
