Menu

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Set upbreadcrumb arrow Configure securitybreadcrumb arrow Configure group attribute sync
Grafana Cloud Enterprise

Configure group attribute sync

Group attribute sync allows you to manage user permissions in Grafana based on group membership sourced from the user’s identity provider (IdP). Groups are mapped to fixed and custom role-based access control roles in Grafana.

Note: Available in Grafana Enterprise and Grafana Cloud.

Note

This feature is behind the groupAttributeSync feature toggle. You can enable feature toggles through configuration file or environment variables. See configuration docs for details.

When a user logs in, Grafana checks the user’s external group memberships and the configured group to role mappings to assign the corresponding roles to the user. If the user’s group memberships change or a new mapping is created, the user’s role assignments are updated the next time the user logs in. If a group mapping is removed, the role assignment to users for the group mapping is revoked immediately.

Role mappings are tied to organizations, so you can have different mappings for different organizations.

Supported providers

Create role mappings for a new group

For information about creating group mappings via the API, refer to create group mappings reference.

Before you begin

Ensure you have permission to create and update group mappings. By default, the organization administrator role is required to create and edit group mappings. For more information about user permissions, refer to roles and permissions.

To create mappings between an external group and RBAC roles

  1. Sign in to Grafana and click Administration in the left-side menu.
  2. Click Users and access.
  3. Click External group sync.
  4. Click New.
  5. Insert the group identifier for the group that you want to map.
  6. Use the role picker to select the roles that you want to map to the group and click Update.
  7. Click Save.

Update role mappings for a group

For information about updating group mappings via the API, refer to update group mappings reference.

Before you begin

Ensure you have permission to update group mappings. By default, the organization administrator role is required to edit group mappings. For more information about user permissions, refer to roles and permissions.

To update role mappings for an external group

  1. Sign in to Grafana and click Administration in the left-side menu.
  2. Click Users and access.
  3. Click External group sync.
  4. Find the group whose mappings you want to update.
  5. Click on the role picker corresponding to the group and select the roles that you want to map.
  6. Click Apply.

Remove role mappings for a group

For information about deleting group mappings via the API, refer to delete group mappings reference.

Before you begin

Ensure you have permission to update group mappings. By default, the organization administrator role is required to edit group mappings. For more information about user permissions, refer to roles and permissions.

To remove role mappings for an external group

  1. Sign in to Grafana and click Administration in the left-side menu.
  2. Click Users and access.
  3. Click External group sync.
  4. Find the group whose mappings you want to remove.
  5. Click on the trash bin icon corresponding to the group mappings you want to remove.