This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.
Configure group attribute sync
Group attribute sync allows you to manage user permissions in Grafana based on group membership sourced from the user’s identity provider (IdP). Groups are mapped to fixed and custom role-based access control roles in Grafana.
Note: Available in Grafana Enterprise and Grafana Cloud.
Note: This feature is behind the groupAttributeSync feature toggle. You can enable feature toggles through the configuration file or environment variables. See the configuration docs for details.
When a user logs in, Grafana checks the user’s external group memberships against the configured group-to-role mappings and assigns the corresponding roles to the user. If the user’s group memberships change or a new mapping is created, the user’s role assignments are updated the next time the user logs in. If a group mapping is removed, the role assignments that the mapping granted to users are revoked immediately.
Role mappings are tied to organizations, so you can have different mappings for different organizations.
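The timing rules above mean a user who is removed from a group in the IdP keeps the mapped roles until their next login, while removing the mapping itself revokes at once. The following is an added example, not Grafana code: a simplified Python model of the documented behaviour that computes that drift. The class, its methods, the per-group bookkeeping and all org, user, group and role names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GroupSyncModel:
    """Toy model of the documented behaviour; not Grafana's implementation."""
    mappings: dict = field(default_factory=dict)  # (org, group) -> roles
    granted: dict = field(default_factory=dict)   # (org, user) -> {group: roles}

    def create_mapping(self, org, group, roles):
        # Takes effect for a user only at that user's next login.
        self.mappings[(org, group)] = set(roles)

    def remove_mapping(self, org, group):
        # Removal revokes the roles it granted immediately, in that org only.
        self.mappings.pop((org, group), None)
        for (o, _user), by_group in self.granted.items():
            if o == org:
                by_group.pop(group, None)

    def login(self, org, user, idp_groups):
        # Role assignments are recomputed from IdP groups at login time.
        self.granted[(org, user)] = {
            g: set(self.mappings[(org, g)])
            for g in idp_groups if (org, g) in self.mappings}

    def roles(self, org, user):
        return set().union(*self.granted.get((org, user), {}).values())

    def stale(self, org, user, idp_groups):
        # Roles still held that current IdP groups and mappings do not justify.
        expected = set()
        for g in idp_groups:
            expected |= self.mappings.get((org, g), set())
        return self.roles(org, user) - expected

def demo():
    # Constructed orgs, users, groups and role names.
    m = GroupSyncModel()
    m.create_mapping(1, "sre", {"example:alerts:writer"})
    m.create_mapping(1, "finance", {"example:reports:reader"})
    m.create_mapping(2, "sre", {"example:dashboards:reader"})
    m.login(1, "alice", ["sre", "finance"])
    # The IdP drops alice from "sre", but she has not logged in again.
    drift = m.stale(1, "alice", ["finance"])
    m.remove_mapping(1, "finance")
    after_removal = m.roles(1, "alice")
    m.login(1, "alice", ["finance"])
    after_login = m.roles(1, "alice")
    m.login(2, "alice", ["sre"])
    return drift, after_removal, after_login, m.roles(2, "alice")
```

In the model, the role from the "sre" mapping survives the IdP change and the unrelated mapping removal, and disappears only at the next login; the organization 2 mapping for the same group name is independent of organization 1.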
Create role mappings for a new group
For information about creating group mappings via the API, refer to create group mappings reference.
Before you begin
Ensure you have permission to create and update group mappings. By default, the organization administrator role is required to create and edit group mappings. For more information about user permissions, refer to roles and permissions.
To create mappings between an external group and RBAC roles
- Sign in to Grafana and click Administration in the left-side menu.
- Click Users and access.
- Click External group sync.
- Click New.
- Insert the group identifier for the group that you want to map.
- Use the role picker to select the roles that you want to map to the group and click Update.
- Click Save.
Update role mappings for a group
For information about updating group mappings via the API, refer to update group mappings reference.
Before you begin
Ensure you have permission to update group mappings. By default, the organization administrator role is required to edit group mappings. For more information about user permissions, refer to roles and permissions.
To update role mappings for an external group
- Sign in to Grafana and click Administration in the left-side menu.
- Click Users and access.
- Click External group sync.
- Find the group whose mappings you want to update.
- Click on the role picker corresponding to the group and select the roles that you want to map.
- Click Apply.
Remove role mappings for a group
For information about deleting group mappings via the API, refer to delete group mappings reference.
Before you begin
Ensure you have permission to update group mappings. By default, the organization administrator role is required to edit group mappings. For more information about user permissions, refer to roles and permissions.
To remove role mappings for an external group
- Sign in to Grafana and click Administration in the left-side menu.
- Click Users and access.
- Click External group sync.
- Find the group whose mappings you want to remove.
- Click on the trash bin icon corresponding to the group mappings you want to remove.