Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
In this section, you’ll learn about logs that are available for RBAC and you’ll find the most common RBAC issues.
Enable debug logging
You can enable debug log messages for RBAC in the Grafana configuration file. Debug logs are added to the Grafana server logs.
[log] filters = accesscontrol:debug accesscontrol.evaluator:debug dashboard.permissions:debug
Enable audit logging
You can enable auditing in the Grafana configuration file.
[auditing] enabled = true
All permission and role updates, and role assignments are added to audit logs. Learn more about access control audit logs.
Missing dashboard, folder or data source permissions
Dashboard and folder permissions and data source permissions can go out of sync if a Grafana instance version is upgraded, downgraded and then upgraded again. This happens when an instance is downgraded from a version that uses RBAC to a version that uses the legacy access control, and dashboard, folder or data source permissions are updated. These permission updates will not be applied to RBAC, so permissions will be out of sync when the instance is next upgraded to a version with RBAC.
Note: the steps provided below will set all dashboard, folder and data source permissions to what they are set to with the legacy access control. If you have made dashboard, folder or data source permission updates with RBAC enabled, these updates will be wiped.
To resynchronize the permissions:
- make a backup of your database
- run the following SQL queriessql
DELETE FROM builtin_role where role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%'); DELETE FROM team_role where role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%'); DELETE FROM user_role where role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%'); DELETE FROM permission where role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%'); DELETE FROM role WHERE name LIKE 'managed:%'; DELETE FROM migration_log WHERE migration_id IN ('teams permissions migration', 'dashboard permissions', 'dashboard permissions uid scopes', 'data source permissions', 'data source uid permissions', 'managed permissions migration', 'managed folder permissions alert actions repeated migration', 'managed permissions migration enterprise');
- restart your Grafana instance