Grafana Role-based access control (RBAC) on Grafana Labs

Plan your Grafana RBAC rollout strategy

Tue, 17 Mar 2026 00:33:57 +0000

Plan your RBAC rollout strategy

Note
Available in Grafana Enterprise and Grafana Cloud.

An RBAC rollout strategy helps you determine how you want to implement RBAC prior to assigning RBAC roles to users and teams.

Your rollout strategy should help you answer the following questions:

Should I assign basic roles to users, or should I assign fixed roles or custom roles to users?
When should I create custom roles?
To which entities should I apply fixed and custom roles? Should I apply them to users, teams? Should I modify the basic roles permissions instead?
How do I roll out permissions in a way that makes them easy to manage?
Which approach should I use when assigning roles? Should I use the Grafana UI, provisioning, or the API?

Review basic role and fixed role definitions

As a first step in determining your permissions rollout strategy, we recommend that you become familiar with basic role and fixed role definitions. In addition to assigning fixed roles to any user and team, you can also modify basic roles permissions, which changes what a Viewer, Editor, or Admin can do. This flexibility means that there are many combinations of role assignments for you to consider. If you have a large number of Grafana users and teams, we recommend that you make a list of which fixed roles you might want to use. Keep in mind that No Basic Role, which is a role without permissions, cannot be modified or updated.

To learn more about basic roles and fixed roles, refer to the following documentation:

User and team considerations

RBAC is a flexible and powerful feature with many possible permissions assignment combinations available. Consider the follow guidelines when assigning permissions to users and teams.

Assign roles to users when you have a one-off scenario where a small number of users require access to a resource or when you want to assign temporary access. If you have a large number of users, this approach can be difficult to manage as you scale your use of Grafana. For example, a member of your IT department might need the fixed:licensing:reader and fixed:licensing:writer roles so that they can manage your Grafana Enterprise license.
Assign roles to teams when you have a subset of users that align to your organizational structure, and you want all members of the team to have the same level of access. For example, all members of a particular engineering team might need the fixed:reports:reader and fixed:reports:writer roles to be able to manage reports.

When you assign additional users to a team, the system automatically assigns permissions to those users.

Authentication provider considerations

You can take advantage of your current authentication provider to manage user and team permissions in Grafana. When you map users and teams to SAML and LDAP groups, you can synchronize those assignments with Grafana.

For example:

Map SAML, LDAP, or Oauth roles to Grafana basic roles (viewer, editor, or admin).
Use the Grafana Enterprise team sync feature to synchronize teams from your SAML, LDAP, or Oauth provider to Grafana. For more information about team sync, refer to Team sync.
Within Grafana, assign RBAC permissions to users and teams.

When to modify basic roles or create custom roles

Consider the following guidelines when you determine if you should modify basic roles or create custom roles.

Modify basic roles when Grafana’s definitions of what viewers, editors, and admins can do does not match your definition of these roles. You can add or remove permissions from any basic role.

Note
Changes that you make to basic roles impact the role definition for all organizations in the Grafana instance. For example, when you add the fixed:users:writer role’s permissions to the viewer basic role, all viewers in any org in the Grafana instance can create users within that org.

Note
You cannot modify the No Basic Role permissions.
Create custom roles when fixed role definitions don’t meet you permissions requirements. For example, the fixed:dashboards:writer role allows users to delete dashboards. If you want some users or teams to be able to create and update but not delete dashboards, you can create a custom role with a name like custom:dashboards:creator that lacks the dashboards:delete permission.

How to assign RBAC roles

Use any of the following methods to assign RBAC roles to users and teams.

Grafana UI: Use the Grafana UI when you want to assign a limited number of RBAC roles to users and teams. The UI contains a role picker that you can use to select roles.
Grafana HTTP API: Use the Grafana HTTP API if you would like to automate role assignment.
Terraform: Use Terraform to assign and manage user and team role assignments if you use Terraform for provisioning.
Grafana provisioning: Grafana provisioning provides a robust approach to assigning, removing, and deleting roles. Within a single YAML file you can include multiple role assignment and removal entries.

Permissions scenarios

We’ve compiled the following permissions rollout scenarios based on current Grafana implementations.

Note
If you have a use case that you’d like to share, feel free to contribute to this docs page. We’d love to hear from you!

Provide internal viewer employees with the ability to use Explore, but prevent external viewer contractors from using Explore

In Grafana, create a team with the name Internal employees.
Assign the fixed:datasources:explorer role to the Internal employees team.
Add internal employees to the Internal employees team, or map them from a SAML, LDAP, or Oauth team using Team Sync.
Assign the viewer role to both internal employees and contractors.

Limit viewer, editor, or admin permissions

Review the list of permissions associated with the basic role.
Change the permissions of the basic role.

Allow only members of one team to manage Alerts

Create an Alert Managers team, and assign that team all applicable Alerting fixed roles.
Add users to the Alert Managers team.
Remove all permissions with actions prefixed with alert. from the Viewer, Editor, and Admin basic roles.

Provide dashboards to users in two or more geographies

Create a folder for each geography, for example, create a US folder and an EU folder.
Add dashboards to each folder.
Use folder permissions to add US-based users as Editors to the US folder and assign EU-based users as Editors to the EU folder.

Assign a user specific set of roles

Create a user with the No Basic Role selected under organization roles.
Assign the user a set of fixed roles that meet your requirements.

Create a custom role to access alerts in a specific folder

To see an alert rule in Grafana, the user must have read access to the folder that stores the alert rule, permission to read alerts in the folder, and permission to query all data sources that the rule uses.

The API command in this example is based on the following:

A Test-Folder with ID 92
Two data sources: DS1 with UID _oAfGYUnk, and DS2 with UID YYcBGYUnk
An alert rule that is stored in Test-Folder and queries the two data sources.

The following request creates a custom role that includes permissions to access the alert rule:

curl --location --request POST '<grafana_url>/api/access-control/roles/' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'Content-Type: application/json' \
--data-raw '{
    "version": 1,
    "name": "custom:alerts.reader.in.folder.123",
    "displayName": "Read-only access to alerts in folder Test-Folder",
    "description": "Let user query DS1 and DS2, and read alerts in folder Test-Folders",
    "group":"Custom",
    "global": true,
    "permissions": [
        {
            "action": "folders:read",
            "scope": "folders:uid:YEcBGYU22"
        },
        {
            "action": "alert.rules:read",
            "scope": "folders:uid:YEcBGYU22"
        },
        {
            "action": "datasources:query",
            "scope": "datasources:uid:_oAfGYUnk"
        },
        {
            "action": "datasources:query",
            "scope": "datasources:uid:YYcBGYUnk"
        }
    ]
}'

Enable an editor to create custom roles

By default, only a Grafana Server Admin can create and manage custom roles. If you want your Editors to do the same, update the Editor basic role permissions. There are two ways to achieve this:

Add the fixed:roles:writer role permissions to the basic:editor role using the role > from list of your provisioning file:

apiVersion: 2

roles:
  - name: 'basic:editor'
    global: true
    version: 3
    from:
      - name: 'basic:editor'
        global: true
      - name: 'fixed:roles:writer'
        global: true

Or add the following permissions to the basic:editor role, using provisioning or the RBAC HTTP API:

action	scope
`roles:read`	`roles:*`
`roles:write`	`permissions:type:delegate`
`roles:delete`	`permissions:type:delegate`

Note: Any user or service account with the ability to modify roles can only create, update, or delete roles with permissions they have been granted. For example, a user with the Editor role would be able to create and manage roles only with the permissions they have or with a subset of them.

Enable viewers to create reports

If you want your Viewers to create reports, update the Viewer basic role permissions. There are two ways to achieve this:

Add the fixed:reports:writer role permissions to the basic:viewer role using the role > from list of your provisioning file:

apiVersion: 2

roles:
  - name: 'basic:viewer'
    global: true
    version: 3
    from:
      - name: 'basic:viewer'
        global: true
      - name: 'fixed:reports:writer'
        global: true

Note: The fixed:reports:writer role assigns more permissions than just creating reports. For more information about fixed role permission assignments, refer to Fixed role definitions.

Add the following permissions to the basic:viewer role, using provisioning or the RBAC HTTP API:

Action	Scope
`reports:create`	n/a
`reports:write`	`reports:` `reports:id:`
`reports:read`	`reports:*`
`reports:send`	`reports:*`

Prevent a Grafana Admin from creating and inviting users

To prevent a Grafana Admin from creating users and inviting them to join an organization, you must update a basic role permission. The permissions to remove are:

Action	Scope
`users:create`
`org.users:add`	`users:*`

There are two ways to achieve this:

Use the role > from list and permission > state option of your provisioning file:

apiVersion: 2

roles:
  - name: 'basic:editor'
    global: true
    version: 3
    from:
      - name: 'basic:editor'
        global: true
    permissions:
      - action: 'users:create'
        state: 'absent'
      - action: 'org.users:add'
        scope: 'users:*'
        state: 'absent'

Or use RBAC HTTP API.

Prevent Viewers from accessing an App Plugin

By default, Viewers, Editors and Admins have access to all App Plugins that their organization role allows them to access. To change this default behavior and prevent Viewers from accessing an App plugin, you must update a basic role’s permissions.

In this example, three App plugins have been installed and enabled:

Name	ID	Required Org role
On Call	grafana-oncall-app	Viewer
Kentik Connect Pro	kentik-connect-app	Viewer
Enterprise logs	grafana-enterprise-logs-app	Admin

By default, Viewers will hence be able to see both, On Call and Kentik Connect Pro App plugins. If you want to revoke their access to the On Call App plugin, you need to:

Remove the permission to access all application plugins:

Action Scope

plugins.app:access plugins:*
Grant the permission to access the Kentik Connect Pro App plugin only:

Action Scope

plugins.app:access plugins:id:kentik-connect-app

Action	Scope
`plugins.app:access`	`plugins:*`

Action	Scope
`plugins.app:access`	`plugins:id:kentik-connect-app`

Here are two ways to achieve this:

Use the role > from list and permission > state option of your provisioning file:

---
apiVersion: 2

roles:
  - name: 'basic:viewer'
    version: 8
    global: true
    from:
      - name: 'basic:viewer'
        global: true
    permissions:
      - action: 'plugins.app:access'
        scope: 'plugins:*'
        state: 'absent'
      - action: 'plugins.app:access'
        scope: 'plugins:id:kentik-connect-app'
        state: 'present'

Or use RBAC HTTP API.

Manage user permissions through teams

In the scenario where you want users to grant access by the team they belong to, we recommend to set users role to No Basic Role and let the team assignment assign the role instead.

In Grafana, ensure the following configuration settings are enabled.

[users]
# Set to true to automatically assign new users to the default organization (id 1)
auto_assign_org = true

# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
auto_assign_org_id = <org_id>

# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
auto_assign_org_role = None

Restart the Grafana instance.
Create a team with the desired name.
Assign fixed roles to the team.
Add users to the team.

A user will be added to the default organization automatically but won’t have any permissions until assigned to a team.

Reduce scope of service accounts

Using Service Accounts is an efficient way to facilitate M2M communications. However, they can pose a security threat if not scoped appropriately. To limit the scope of a service account, you can begin by creating a Service Account with No Basic Role and then assign the necessary permissions for the account.

Refer to Service Accounts and add a new Service Account.
Set the basic role to No Basic Role.
Set the fixed roles needed for the Service Account.

This will reduce the required permissions for the Service Account and minimize the risk of compromise.

Configure RBAC in Grafana

Tue, 17 Mar 2026 00:33:57 +0000

Configure RBAC in Grafana

Note
Available in Grafana Enterprise and Grafana Cloud.

The table below describes all RBAC configuration options. Like any other Grafana configuration, you can apply these options as environment variables.

Setting	Required	Description	Default
`permission_cache`	No	Enable to use in memory cache for loading and evaluating users’ permissions.	`true`
`permission_validation_enabled`	No	Grafana enforces validation for permissions when a user creates or updates a role. The system checks the internal list of scopes and actions for each permission to determine they are valid. By default, if a scope or action is not recognized, Grafana logs a warning message. When set to `true`, Grafana returns an error.	`true`
`reset_basic_roles`	No	Reset Grafana’s basic roles’ (Viewer, Editor, Admin, Grafana Admin) permissions to their default. Warning, if this configuration option is left to `true` this will be done on every reboot.	`true`

Example RBAC configuration

[rbac]

permission_cache = true

Assign Grafana RBAC roles

Tue, 17 Mar 2026 00:33:57 +0000

Assign RBAC roles

Note
Available in Grafana Enterprise and Grafana Cloud.

In this topic you’ll learn how to use the role picker, provisioning, and the HTTP API to assign fixed and custom roles to users and teams.

Assign fixed roles in the UI using the role picker

This section describes how to:

Assign a fixed role to a user, team or service account as an organization administrator.
Assign a fixed role to a user as a server administrator. This approach enables you to assign a fixed role to a user in multiple organizations, without needing to switch organizations.

In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the Data source editor role in the Main organization, then the user can edit data sources in the Main organization, but not in other organizations.

Before you begin:

Plan your RBAC rollout strategy.
Identify the fixed roles that you want to assign to the user, team or service account.

For more information about available fixed roles, refer to RBAC role definitions.
Ensure that your own user account has the correct permissions:
- If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions.
- If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
- Your Grafana user can also assign fixed role if it has either the fixed:roles:writer fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with users.roles:add and users.roles:remove permissions.
- Your own user account must have the roles you are granting. For example, if you would like to grant the fixed:users:writer role to a team, you must have that role yourself.

To assign a fixed role to a user, team or service account:

Sign in to Grafana.
Switch to the organization that contains the user, team or service account.

For more information about switching organizations, refer to Switch organizations.
In the left-side menu, click Administration, Users and access, and then Users, Teams, or Service accounts.
In the Role column, select the fixed role that you want to assign to the user, team, or service account.
Click Update.

To assign a fixed role as a server administrator:

Sign in to Grafana as a server administrator.
Click Administration in the left-side menu, Users and access, and then Users.
Click a user.
In the Organizations section, click Change role.
Select a role within an organization that you want to assign to the user.
Click Save.

Assign fixed or custom roles to a team using provisioning

Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.

Before you begin:

Refer to Role provisioning
Ensure that the team to which you are adding the fixed role exists. For more information about creating teams, refer to Manage teams

To assign a role to a team:

Open the YAML configuration file.

Refer to the following table to add attributes and values.

Attribute	Description
`roles`	Enter the custom role or custom roles you want to create/update.
`roles > name`	Enter the name of the custom role.
`roles > version`	Enter the custom role version number. Role assignments are independent of the role version number.
`roles > global`	Enter `true`. You can specify the `orgId` otherwise.
`roles > permissions`	Enter the permissions `action` and `scope` values. For more information about permissions actions and scopes, refer to RBAC permissions, actions, and scopes
`teams`	Enter the team or teams to which you are adding the custom role.
`teams > orgId`	Because teams belong to organizations, you must add the `orgId` value.
`teams > name`	Enter the name of the team.
`teams > roles`	Enter the custom or fixed role or roles that you want to grant to the team.
`teams > roles > name`	Enter the name of the role.
`teams > roles > global`	Enter `true`, or specify `orgId` of the role you want to assign to the team. Fixed roles are global.

For more information about managing custom roles, refer to Create custom roles using provisioning.

Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

The following example creates the custom:users:writer role and assigns it to the user writers and user admins teams along with the fixed:users:writer role:

The following example:

Creates the custom:users:writer role.
Assigns the custom:users:writer role and the fixed:users:writer role to the user admins and user writers teams.

# config file version
apiVersion: 2

# Roles to insert/update in the database
roles:
  - name: 'custom:users:writer'
    description: 'List/update other users in the organization'
    version: 1
    global: true
    permissions:
      - action: 'org.users:read'
        scope: 'users:*'
      - action: 'org.users:write'
        scope: 'users:*'

# Assignments to teams
teams:
  - name: 'user writers'
    orgId: 1
    roles:
      # Custom role assignment
      - name: 'custom:users:writer'
        global: true
      # Fixed role assignment
      - name: 'fixed:users:writer'
        global: true
  - name: 'user admins'
    orgId: 1
    roles:
      - name: 'custom:users:writer'
        global: true
      - name: 'fixed:users:writer'
        global: true

Note: The roles don’t have to be defined in the provisioning configuration files to be assigned. If roles exist in the database, they can be assigned.

Remove a role assignment from a team:

If you want to remove an assignment from a team, add state: absent to the teams > roles section, and reload the configuration file.

The following example:

Creates the custom:users:writer role
Assigns the custom:users:writer role and the fixed:users:writer role to the user admins team
Removes the custom:users:writer and the fixed:users:writer assignments from the user writers team, if those assignments exist.

# config file version
apiVersion: 2

# Roles to insert/update in the database
roles:
  - name: 'custom:users:writer'
    description: 'List/update other users in the organization'
    version: 1
    global: true
    permissions:
      - action: 'org.users:read'
        scope: 'users:*'
      - action: 'org.users:write'
        scope: 'users:*'

# Assignments to teams
teams:
  - name: 'user writers'
    orgId: 1
    roles:
      - name: 'fixed:users:writer'
        global: true
        state: 'absent' # Remove assignment
      - name: 'custom:users:writer'
        global: true
        state: 'absent' # Remove assignment
  - name: 'user admins'
    orgId: 1
    roles:
      - name: 'fixed:users:writer'
        global: true
      - name: 'custom:users:writer'
        global: true

Note: The roles don’t have to be defined in the provisioning configuration files to be revoked. If roles exist in the database, they can be revoked.

Manage Grafana RBAC roles

Tue, 17 Mar 2026 00:33:57 +0000

Manage RBAC roles

Note
Available in Grafana Enterprise and Grafana Cloud.

This section includes instructions for how to view permissions associated with roles, create custom roles, and update and delete roles.

The following example includes the base64 username:password Basic Authorization. You cannot use authorization tokens in the request.

List permissions associated with roles

Use a GET command to see the actions and scopes associated with a role. For more information about seeing a list of permissions for each role, refer to Get a role.

To see the permissions associated with basic roles, refer to the following basic role UIDs:

Basic role	UID
`None`	`basic_none`
`Viewer`	`basic_viewer`
`Editor`	`basic_editor`
`Admin`	`basic_admin`
`Grafana Admin`	`basic_grafana_admin`

Example request

curl --location --request GET '<grafana_url>/api/access-control/roles/qQui_LCMk' --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='

Example response

{
    "version": 2,
    "uid": "qQui_LCMk",
    "name": "fixed:users:writer",
    "displayName": "User writer",
    "description": "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.",
    "global": true,
    "permissions": [
        {
            "action": "org.users:add",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        },
        {
            "action": "org.users:read",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        },
        {
            "action": "org.users:remove",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        },
        {
            "action": "org.users:write",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        }
    ],
    "updated": "2021-05-17T20:49:18+02:00",
    "created": "2021-05-13T16:24:26+02:00"
}

Refer to the RBAC HTTP API for more details.

Create custom roles

This section shows you how to create a custom RBAC role using Grafana provisioning and the HTTP API.

Create a custom role when basic roles and fixed roles do not meet your permissions requirements.

Before you begin:

Plan your RBAC rollout strategy.
Determine which permissions you want to add to the custom role. To see a list of actions and scope, refer to RBAC permissions, actions, and scopes.
Enable role provisioning.
Ensure that you have permissions to create a custom role.
- By default, the Grafana Admin role has permission to create custom roles.
- A Grafana Admin can delegate the custom role privilege to another user by creating a custom role with the relevant permissions and adding the permissions:type:delegate scope.

Create custom roles using provisioning

File-based provisioning is one method you can use to create custom roles.

Open the YAML configuration file and locate the roles section.
Refer to the following table to add attributes and values.

Attribute	Description
`name`	A human-friendly identifier for the role that helps administrators understand the purpose of a role. `name` is required and cannot be longer than 190 characters. We recommend that you use ASCII characters. Role names must be unique within an organization.
`uid`	A unique identifier associated with the role. The UID enables you to change or delete the role. You can either generate a UID yourself, or let Grafana generate one for you. You cannot use the same UID within the same Grafana instance.
`orgId`	Identifies the organization to which the role belongs. The default org ID is used if you do not specify `orgId`.
`global`	Global roles are not associated with any specific organization, which means that you can reuse them across all organizations. This setting overrides `orgId`.
`displayName`	Human-friendly text that is displayed in the UI. Role display name cannot be longer than 190 ASCII-based characters. For fixed roles, the display name is shown as specified. If you do not set a display name the display name replaces `':'` (a colon) with `' '` (a space).
`description`	Human-friendly text that describes the permissions a role provides.
`group`	Organizes roles in the role picker.
`version`	A positive integer that defines the current version of the role, which prevents overwriting newer changes.
`hidden`	Hidden roles do not appear in the role picker.
`state`	State of the role. Defaults to `present`, but if set to `absent` the role will be removed.
`force`	Can be used in addition to state `absent`, to force the removal of a role and all its assignments.
`from`	An optional list of roles from which you want to copy permissions.
`permissions`	Provides users access to Grafana resources. For a list of permissions, refer to RBAC permissions actions and scopes. If you do not know which permissions to assign, you can create and assign roles without any permissions as a placeholder. Using the `from` attribute, you can specify additional permissions or permissions to remove by adding a `state` to your permission list.

Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

The following example creates a local role:

# config file version
apiVersion: 2

roles:
  - name: custom:users:writer
    description: 'List, create, or update other users.'
    version: 1
    orgId: 1
    permissions:
      - action: 'users:read'
        scope: 'global.users:*'
      - action: 'users:write'
        scope: 'global.users:*'
      - action: 'users:create'

The following example creates a hidden global role. The global: true option creates a global role, and the hidden: true option hides the role from the role picker.

# config file version
apiVersion: 2

roles:
  - name: custom:users:writer
    description: 'List, create, or update other users.'
    version: 1
    global: true
    hidden: true
    permissions:
      - action: 'users:read'
        scope: 'global.users:*'
      - action: 'users:write'
        scope: 'global.users:*'
      - action: 'users:create'

The following example creates a global role based on other fixed roles. The from option contains the roles from which we want to copy permissions. The permission state: absent option can be used to specify permissions to exclude from the copy.

# config file version
apiVersion: 2

roles:
  - name: custom:org.users:writer
    description: 'List and remove other users from the organization.'
    version: 1
    global: true
    from:
      - name: 'fixed:org.users:reader'
        global: true
      - name: 'fixed:org.users:writer'
        global: true
    permissions:
      - action: 'org.users:write'
        scope: 'users:*'
        state: 'absent'
      - action: 'org.users:add'
        scope: 'users:*'
        state: 'absent'

Create custom roles using the HTTP API

The following examples show you how to create a custom role using the Grafana HTTP API. For more information about the HTTP API, refer to Create a new custom role.

Note
You cannot create a custom role with permissions that you do not have. For example, if you only have users:create permissions, then you cannot create a role that includes other permissions.

The following example creates a custom:users:admin role and assigns the users:create action to it.

Example request

curl --location --request POST '<grafana_url>/api/access-control/roles/' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'Content-Type: application/json' \
--data-raw '{
    "version": 1,
    "uid": "jZrmlLCkGksdka",
    "name": "custom:users:admin",
    "displayName": "custom users admin",
    "description": "My custom role which gives users permissions to create users",
    "global": true,
    "permissions": [
        {
            "action": "users:create"
        }
    ]
}'

Example response

{
    "version": 1,
    "uid": "jZrmlLCkGksdka",
    "name": "custom:users:admin",
    "displayName": "custom users admin",
    "description": "My custom role which gives users permissions to create users",
    "global": true,
    "permissions": [
        {
            "action": "users:create"
            "updated": "2021-05-17T22:07:31.569936+02:00",
            "created": "2021-05-17T22:07:31.569935+02:00"
        }
    ],
    "updated": "2021-05-17T22:07:31.564403+02:00",
    "created": "2021-05-17T22:07:31.564403+02:00"
}

Refer to the RBAC HTTP API for more details.

Update basic role permissions

If the default basic role definitions do not meet your requirements, you can change their permissions.

Before you begin:

Determine the permissions you want to add or remove from a basic role. For more information about the permissions associated with basic roles, refer to RBAC role definitions.

Note
You cannot modify the No Basic Role permissions.

To change permissions from a basic role:

Open the YAML configuration file and locate the roles section.

Refer to the following table to add attributes and values.

Attribute	Description
`name`	The name of the basic role you want to update. You can specify a `uid` instead of a role name. The role `name` or the `uid` are required.
`orgId`	Identifies the organization to which the role belongs. `global` can be used instead to specify it’s a global role.
`version`	Identifies the version of the role, which prevents overwriting newer changes.
`from`	List of roles from which to copy permissions.
`permissions > state`	The state of the permission. You can set it to `absent` to ensure it exclusion from the copy list.

Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

The following example modifies the Grafana Admin basic role permissions.

Permissions to list, grant, and revoke roles to teams are removed.
Permission to read and write Grafana folders is added.

# config file version
apiVersion: 2

roles:
  - name: 'basic:grafana_admin'
    global: true
    version: 3
    from:
      - name: 'basic:grafana_admin'
        global: true
    permissions:
      # Permissions to remove
      - action: 'teams.roles:read'
        scope: 'teams:*'
        state: 'absent'
      - action: 'teams.roles:remove'
        scope: 'permissions:type:delegate'
        state: 'absent'
      - action: 'teams.roles:add'
        scope: 'permissions:type:delegate'
        state: 'absent'
      # Permissions to add
      - action: 'folders:read'
        scope: 'folder:*'
      - action: 'folders:write'
        scope: 'folder:*'

Note
You can add multiple fixed, basic or custom roles to the from section. Their permissions will be copied and added to the basic role. Make sure to increment the role version for the changes to be accounted for.

You can also change basic roles’ permissions using the API. Refer to the RBAC HTTP API for more details.

Reset basic roles to their default

This section describes how to reset the basic roles to their default.

You have two options to reset the basic roles permissions to their default.

Use the configuration option

Note: Available as of Grafana Enterprise 9.4.

Warning: If this option is left to true, permissions will be reset on every boot.

Use the reset_basic_roles option to reset basic roles permissions to their default on Grafana instance boot up.

Open you configuration file and update the rbac section as follow:

[rbac]
reset_basic_roles = true

Use the http endpoint

An alternative to the configuration option is to use the HTTP endpoint.

Open the YAML configuration file and locate the roles section.

Grant the action: "roles:write", scope: "permissions:type:escalate permission to Grafana Admin. Note that this permission has not been granted to any basic roles by default, because users could acquire more permissions than they previously had through the basic role permissions reset.

apiVersion: 2
roles:
  - name: 'basic:grafana_admin'
    global: true
    version: 3
    from:
      - name: 'basic:grafana_admin'
        global: true
    permissions:
      # Permission allowing to reset basic roles
      - action: 'roles:write'
        scope: 'permissions:type:escalate'

As a Grafana Admin, call the API endpoint to reset the basic roles to their default. Refer to the RBAC HTTP API for more details.

Delete a custom role using Grafana provisioning

Delete a custom role when you no longer need it. When you delete a custom role, the custom role is removed from users and teams to which it is assigned.

Before you begin:

Identify the role or roles that you want to delete.
Ensure that you have access to the YAML configuration file.

To delete a custom role:

Open the YAML configuration file and locate the roles section.

Refer to the following table to add attributes and values.

Attribute	Description
`name`	The name of the custom role you want to delete. You can specify a `uid` instead of a role name. The role `name` or the `uid` are required.
`orgId`	Identifies the organization to which the role belongs.
`state`	The state of the role set to `absent` to trigger its removal.
`force`	When set to `true`, the roles are removed even if there are existing assignments.

Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

The following example deletes a custom role:

# config file version
apiVersion: 2

roles:
  - name: 'custom:reports:editor'
    orgId: 1
    state: 'absent'
    force: true

You can also delete a custom role using the API. Refer to the RBAC HTTP API for more details.

Provisioning RBAC with Grafana

Tue, 17 Mar 2026 00:33:57 +0000

Provisioning RBAC with Grafana

Note
Available in Grafana Enterprise and Grafana Cloud.

You can create, change or remove Custom roles and create or remove basic role assignments, by adding one or more YAML configuration files in the provisioning/access-control/ directory.

Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect.

Before you begin:

Ensure that you have access to files on the server where Grafana is running.

To manage and assign RBAC roles using provisioning:

Sign in to the Grafana server.
Locate the Grafana provisioning folder.
Create a new YAML in the following folder: provisioning/access-control. For example, provisioning/access-control/custom-roles.yml
Add RBAC provisioning details to the configuration file.

Refer to Manage RBAC roles and Assign RBAC roles for instructions.

Refer to example role provisioning file for a complete example of a provisioning file.
Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

Example role configuration file using Grafana provisioning

The following example shows a complete YAML configuration file that:

Create custom roles
Delete custom roles
Update basic roles permissions
Assign roles to teams
Revoke assignments of roles to teams

Example

---
# config file version
apiVersion: 2

# <list> list of roles to insert/update/delete
roles:
  # <string, required> name of the role you want to create or update. Required.
  - name: 'custom:users:writer'
    # <string> uid of the role. Has to be unique for all orgs.
    uid: customuserswriter1
    # <string> description of the role, informative purpose only.
    description: 'Create, read, write users'
    # <int> version of the role, Grafana will update the role when increased.
    version: 2
    # <int> org id. Defaults to Grafana's default if not specified.
    orgId: 1
    # <list> list of the permissions granted by this role.
    permissions:
      # <string, required> action allowed.
      - action: 'users:read'
        #<string> scope it applies to.
        scope: 'users:*'
      - action: 'users:write'
        scope: 'users:*'
      - action: 'users:create'
  - name: 'custom:global:users:reader'
    # <bool> overwrite org id and creates a global role.
    global: true
    # <string> state of the role. Defaults to 'present'. If 'absent', role will be deleted.
    state: 'absent'
    # <bool> force deletion revoking all grants of the role.
    force: true
  - uid: 'basic_editor'
    version: 2
    global: true
    # <list> list of roles to copy permissions from.
    from:
      - uid: 'basic_editor'
        global: true
      - name: 'fixed:users:writer'
        global: true
    # <list> list of the permissions to add/remove on top of the copied ones.
    permissions:
      - action: 'users:read'
        scope: 'users:*'
      - action: 'users:write'
        scope: 'users:*'
        # <string> state of the permission. Defaults to 'present'. If 'absent', the permission will be removed.
        state: absent

# <list> list role assignments to teams to create or remove.
teams:
  # <string, required> name of the team you want to assign roles to. Required.
  - name: 'Users writers'
    # <int> org id. Will default to Grafana's default if not specified.
    orgId: 1
    # <list> list of roles to assign to the team
    roles:
      # <string> uid of the role you want to assign to the team.
      - uid: 'customuserswriter1'
        # <int> org id. Will default to Grafana's default if not specified.
        orgId: 1
      # <string> name of the role you want to assign to the team.
      - name: 'fixed:users:writer'
        # <bool> overwrite org id to specify the role is global.
        global: true
        # <string> state of the assignment. Defaults to 'present'. If 'absent', the assignment will be revoked.
        state: absent

Useful Links

Provisioning RBAC setup with Terraform

Grafana provisioning

Provisioning RBAC with Terraform

Tue, 17 Mar 2026 00:33:57 +0000

Provisioning RBAC with Terraform

Note
Available in Grafana Enterprise and Grafana Cloud.

You can create, change or remove Custom roles and create or remove basic and custom role assignments, by using Terraform’s Grafana provider.

Before you begin

Ensure you have the grafana/grafana Terraform provider 1.29.0 or higher.
Ensure you are using Grafana 9.2 or higher.

Create a Service Account Token for provisioning

We recommend using service account tokens for provisioning. Service accounts support fine grained permissions, which allows you to easily authenticate and use the minimum set of permissions needed to provision your RBAC infrastructure.

To create a service account token for provisioning, complete the following steps.

Create a new service account for your CI pipeline.
Assign permissions to service account:
- You will need roles “Role reader”, “Role writer” and roles including any permissions that will be provisioned. For example, to create or assign a role that allows creating users, a service account needs permissions to create users.
- Alternatively, you can assign “Admin” basic role to the service account.
Create a new service account token for use in Terraform.

Alternatively, you can use basic authentication. To view all the supported authentication formats, see here.

Configure the Terraform provider

RBAC support is included as part of the Grafana Terraform provider.

The following is an example you can use to configure the Terraform provider.

terraform {
    required_providers {
        grafana = {
            source = "grafana/grafana"
            version = ">= 1.29.0"
        }
    }
}

provider "grafana" {
    url = <YOUR_GRAFANA_URL>
    auth = <YOUR_GRAFANA_SERVICE_ACCOUNT_TOKEN>
}

Provision custom roles

The following example shows how to provision a custom role with some permissions.

Copy this code block into a .tf file on your local machine.

resource "grafana_role" "my_new_role" {
  name  = "my_new_role"
  description = "My test role"
  version = 1
  uid = "newroleuid"
  global = true

  permissions {
    action = "org.users:add"
    scope = "users:*"
  }
  permissions {
    action = "org.users:write"
    scope = "users:*"
  }
  permissions {
    action = "org.users:read"
    scope = "users:*"
  }
  permissions {
	  action = "teams:create"
  }
  permissions {
	  action = "teams:read"
	  scope = "teams:*"
  }
  permissions {
	  action = "teams:write"
	  scope = "teams:*"
  }
}

Run the command terraform apply.
Go to Grafana’s UI and check that the new role appears in the role picker:

Provision role assignments

The following example shows how to provision role assignments. In this example a team, user and service account are provisioned, and the custom role from the previous example is assigned to them.

Extend the configuration file from the previous example with the following:

resource "grafana_team" "test_team" {
	name = "terraform_test_team"
}

resource "grafana_user" "test_user" {
	email = "terraform_user@test.com"
	login    = "terraform_test_user"
	password = <TEST_PASSWORD>
}

resource "grafana_service_account" "test_sa" {
  name = "terraform_test_sa"
  role = "Viewer"
}

resource "grafana_role_assignment" "my_new_role_assignment" {
  role_uid = grafana_role.my_new_role.uid
  users = [grafana_user.test_user.id]
  teams = [grafana_team.test_team.id]
  service_accounts = [grafana_service_account.test_sa.id]
}

Substitute <TEST_PASSWORD> with a test password for your test user.
Run the command terraform apply.
Go to Grafana’s UI and check that a user, team and service account have been created, and that the role has been assigned to them:

Note that instead of using a provisioned role, you can also look up the uid of an already existing fixed or custom role and use that instead. You can use the API endpoint for listing roles to look up role uids. Similarly, you can look up and use ids of users, teams and service accounts that have not been provisioned to assign roles to them.

Useful Links

RBAC setup with Grafana provisioning

Grafana Cloud Terraform provisioning

Grafana RBAC role definitions

Tue, 17 Mar 2026 00:33:57 +0000

RBAC role definitions

Note
Available in Grafana Enterprise and Grafana Cloud.

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

Basic role	Associated fixed roles	Description
Grafana Admin	`fixed:roles:reader` `fixed:roles:writer` `fixed:users:reader` `fixed:users:writer` `fixed:org.users:reader` `fixed:org.users:writer` `fixed:ldap:reader` `fixed:ldap:writer` `fixed:stats:reader` `fixed:settings:reader` `fixed:settings:writer` `fixed:provisioning:writer` `fixed:organization:reader` `fixed:organization:maintainer` `fixed:licensing:reader` `fixed:licensing:writer` `fixed:datasources.caching:reader` `fixed:datasources.caching:writer` `fixed:dashboards.insights:reader` `fixed:datasources.insights:reader` `fixed:plugins:maintainer` `fixed:authentication.config:writer` `fixed:library.panels:creator` `fixed:library.panels:reader` `fixed:library.panels:general.reader` `fixed:library.panels:writer` `fixed:library.panels:general.writer`	Default Grafana server administrator assignments.
Admin	`fixed:reports:reader` `fixed:reports:writer` `fixed:datasources:reader` `fixed:datasources:writer` `fixed:organization:writer` `fixed:datasources.permissions:reader` `fixed:datasources.permissions:writer` `fixed:teams:writer` `fixed:dashboards:reader` `fixed:dashboards:writer` `fixed:dashboards.permissions:reader` `fixed:dashboards.permissions:writer` `fixed:dashboards.public:writer` `fixed:folders:reader` `fixed:folders:writer` `fixed:folders.permissions:reader` `fixed:folders.permissions:writer` `fixed:alerting:writer` `fixed:apikeys:reader` `fixed:apikeys:writer` `fixed:alerting.provisioning.secrets:reader` `fixed:alerting.provisioning:writer` `fixed:datasources.caching:reader` `fixed:datasources.caching:writer` `fixed:dashboards.insights:reader` `fixed:datasources.insights:reader` `fixed:plugins:writer` `fixed:library.panels:creator` `fixed:library.panels:reader` `fixed:library.panels:general.reader` `fixed:library.panels:writer` `fixed:library.panels:general.writer`	Default Grafana organization administrator assignments.
Editor	`fixed:datasources:explorer` `fixed:dashboards:creator` `fixed:folders:creator` `fixed:annotations:writer` `fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled `fixed:alerting:writer` `fixed:dashboards.insights:reader` `fixed:datasources.insights:reader` `fixed:library.panels:creator` `fixed:library.panels:general.reader` `fixed:library.panels:general.writer`	Default Editor assignments.
Viewer	`fixed:datasources.id:reader` `fixed:organization:reader` `fixed:annotations:reader` `fixed:annotations.dashboard:writer` `fixed:alerting:reader` `fixed:plugins.app:reader` `fixed:dashboards.insights:reader` `fixed:datasources.insights:reader` `fixed:library.panels:general.reader`	Default Viewer assignments.
No Basic Role		Default No Basic Role

Fixed role definitions

Fixed role	Permissions	Description
`fixed:alerting.instances:writer`	All permissions from `fixed:alerting.instances:reader` and `alert.instances:create` `alert.instances:write` for organization scope `alert.instances.external:write` for scope `datasources:*`	Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.*
`fixed:alerting.instances:reader`	`alert.instances:read` for organization scope `alert.instances.external:read` for scope `datasources:*`	Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.*
`fixed:alerting.notifications:writer`	All permissions from `fixed:alerting.notifications:reader` and `alert.notifications:write`for organization scope `alert.notifications.external:read` for scope `datasources:*`	Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.*
`fixed:alerting.notifications:reader`	`alert.notifications:read` for organization scope `alert.notifications.external:read` for scope `datasources:*`	Read all Grafana and Alertmanager contact points, templates, and notification policies.*
`fixed:alerting.rules:writer`	All permissions from `fixed:alerting.rules:reader` and `alert.rule:create` `alert.rule:write` `alert.rule:delete` for scope `folders:` `alert.rules.external:write` for scope `datasources:`	Create, update, and delete all* Grafana, Mimir, and Loki alert rules.*
`fixed:alerting.rules:reader`	`alert.rule:read` for scope `folders:` `alert.rules.external:read` for scope `datasources:`	Read all* Grafana, Mimir, and Loki alert rules.*
`fixed:alerting:writer`	All permissions from `fixed:alerting.rules:writer` `fixed:alerting.instances:writer` `fixed:alerting.notifications:writer`	Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules, silences, contact points, templates, mute timings, and notification policies.
`fixed:alerting:reader`	All permissions from `fixed:alerting.rules:reader` `fixed:alerting.instances:reader` `fixed:alerting.notifications:reader`	Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules, alerts, contact points, and notification policies.
`fixed:alerting.provisioning.secrets:reader`	`alert.provisioning:read` and `alert.provisioning.secrets:read`	Read-only permissions for Provisioning API and let export resources with decrypted secrets *
`fixed:alerting.provisioning:writer`	`alert.provisioning:read` and `alert.provisioning:write`	Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. *
`fixed:annotations.dashboard:writer`	`annotations:write` `annotations.create` `annotations:delete` for scope `annotations:type:dashboard`	Create, update and delete dashboard annotations and annotation tags.
`fixed:annotations:reader`	`annotations:read` for scopes `annotations:type:*`	Read all annotations and annotation tags.
`fixed:annotations:writer`	All permissions from `fixed:annotations:reader` `annotations:write` `annotations.create` `annotations:delete` for scope `annotations:type:*`	Read, create, update and delete all annotations and annotation tags.
`fixed:apikeys:reader`	`apikeys:read` for scope `apikeys:*`	Read all api keys.
`fixed:apikeys:writer`	All permissions from `fixed:apikeys:reader` and `apikeys:create` `apikeys:delete` for scope `apikeys:*`	Read, create, delete all api keys.
`fixed:authentication.config:writer`	`settings:read` for scope `settings:auth.saml:` `settings:write` for scope `settings:auth.saml:`	Read and update authentication and SAML settings.
`fixed:dashboards:creator`	`dashboards:create` `folders:read`	Create dashboards.
`fixed:dashboards.insights:reader`	`dashboards.insights:read`	Read dashboard insights data and see presence indicators.
`fixed:dashboards.permissions:reader`	`dashboards.permissions:read`	Read all dashboard permissions.
`fixed:dashboards.permissions:writer`	All permissions from `fixed:dashboards.permissions:reader` and `dashboards.permissions:write`	Read and update all dashboard permissions.
`fixed:dashboards.public:writer`	`dashboards.public:write`	Create, update, delete or pause a public dashboard.
`fixed:dashboards:reader`	`dashboards:read`	Read all dashboards.
`fixed:dashboards:writer`	All permissions from `fixed:dashboards:reader` and `dashboards:write` `dashboards:edit` `dashboards:delete` `dashboards:create` `dashboards.permissions:read` `dashboards.permissions:write`	Read, create, update, and delete all dashboards.
`fixed:datasources.caching:reader`	`datasources.caching:read`	Read data source query caching settings.
`fixed:datasources.caching:writer`	`datasources.caching:read` `datasources.caching:write`	Enable, disable, or update query caching settings.
`fixed:datasources:explorer`	`datasources:explore`	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
`fixed:datasources.id:reader`	`datasources.id:read`	Read the ID of a data source based on its name.
`fixed:datasources.insights:reader`	`datasources.insights:read`	Read data source insights data.
`fixed:datasources.permissions:reader`	`datasources.permissions:read`	Read data source permissions.
`fixed:datasources.permissions:writer`	All permissions from `fixed:datasources.permissions:reader` and `datasources.permissions:write`	Create, read, or delete permissions of a data source.
`fixed:datasources:creator`	`datasources:create`	Create data sources.
`fixed:datasources:reader`	`datasources:read` `datasources:query`	Read and query data sources.
`fixed:datasources:writer`	All permissions from `fixed:datasources:reader` and `datasources:create` `datasources:write` `datasources:delete`	Read, query, create, delete, or update a data source.
`fixed:folders.permissions:reader`	`folders.permissions:read`	Read all folder permissions.
`fixed:folders.permissions:writer`	All permissions from `fixed:folders.permissions:reader` and `folders.permissions:write`	Read and update all folder permissions.
`fixed:folders:creator`	`folders:create`	Create folders in the root level. If granted together with `folders:write` permission, also allows creating subfolders under all folders.
`fixed:folders:reader`	`folders:read` `dashboards:read`	Read all folders and dashboards.
`fixed:folders:writer`	All permissions from `fixed:dashboards:writer` and `folders:read` `folders:write` `folders:create` `folders:delete` `folders.permissions:read` `folders.permissions:write`	Read, create, update, and delete all folders and dashboards. If granted together with `fixed:folders:creator`, allows creating subfolders under all folders.
`fixed:ldap:reader`	`ldap.user:read` `ldap.status:read`	Read the LDAP configuration and LDAP status information.
`fixed:ldap:writer`	All permissions from `fixed:ldap:reader` and `ldap.user:sync` `ldap.config:reload`	Read and update the LDAP configuration, and read LDAP status information.
`fixed:library.panels:creator`	`library.panels:create` `folders:read`	Create library panel at the root level.
`fixed:library.panels:reader`	`library.panels:read`	Read all library panels.
`fixed:library.panels:general.reader`	`library.panels:read`	Read all library panels at the root level.
`fixed:library.panels:writer`	All permissions from `fixed:library.panels:reader` plus `library.panels:create` `library.panels:delete` `library.panels:write`	Create, read, write or delete all library panels and their permissions.
`fixed:library.panels:general.writer`	All permissions from `fixed:library.panels:general.reader` plus `library.panels:create` `library.panels:delete` `library.panels:write`	Create, read, write or delete all library panels and their permissions at the root level.
`fixed:licensing:reader`	`licensing:read` `licensing.reports:read`	Read licensing information and licensing reports.
`fixed:licensing:writer`	All permissions from `fixed:licensing:viewer` and `licensing:write` `licensing:delete`	Read licensing information and licensing reports, update and delete the license token.
`fixed:org.users:reader`	`org.users:read`	Read users within a single organization.
`fixed:org.users:writer`	All permissions from `fixed:org.users:reader` and `org.users:add` `org.users:remove` `org.users:write`	Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.
`fixed:organization:maintainer`	All permissions from `fixed:organization:reader` and `orgs:write` `orgs:create` `orgs:delete` `orgs.quotas:write`	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
`fixed:organization:reader`	`orgs:read` `orgs.quotas:read`	Read an organization and its quotas.
`fixed:organization:writer`	All permissions from `fixed:organization:reader` and `orgs:write` `orgs.preferences:read` `orgs.preferences:write`	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
`fixed:plugins.app:reader`	`plugins.app:access`	Access application plugins (still enforcing the organization role).
`fixed:plugins:maintainer`	`plugins:install`	Install and uninstall plugins. Needs to be assigned globally.
`fixed:plugins:writer`	`plugins:write`	Enable and disable plugins and edit plugins’ settings.
`fixed:provisioning:writer`	`provisioning:reload`	Reload provisioning.
`fixed:reports:reader`	`reports:read` `reports:send` `reports.settings:read`	Read all reports and shared report settings.
`fixed:reports:writer`	All permissions from `fixed:reports:reader` and `reports:create` `reports:write` `reports:delete` `reports.settings:write`	Create, read, update, or delete all reports and shared report settings.
`fixed:roles:reader`	`roles:read` `teams.roles:read` `users.roles:read` `users.permissions:read`	Read all access control roles, roles and permissions assigned to users, teams.
`fixed:roles:writer`	All permissions from `fixed:roles:reader` and `roles:write` `roles:delete` `teams.roles:add` `teams.roles:remove` `users.roles:add` `users.roles:remove`	Create, read, update, or delete all roles, assign or unassign roles to users, teams.
`fixed:roles:resetter`	`roles:write` with scope `permissions:type:escalate`	Reset basic roles to their default.
`fixed:serviceaccounts:reader`	`serviceaccounts:read`	Read Grafana service accounts.
`fixed:serviceaccounts:creator`	`serviceaccounts:create`	Create Grafana service accounts.
`fixed:serviceaccounts:writer`	`serviceaccounts:read` `serviceaccounts:create` `serviceaccounts:write` `serviceaccounts:delete` `serviceaccounts.permissions:read` `serviceaccounts.permissions:write`	Create, update, read and delete all Grafana service accounts and manage service account permissions.
`fixed:settings:reader`	`settings:read`	Read Grafana instance settings.
`fixed:settings:writer`	All permissions from `fixed:settings:reader` and `settings:write`	Read and update Grafana instance settings.
`fixed:stats:reader`	`server.stats:read`	Read Grafana instance statistics.
`fixed:teams:reader`	`teams:read`	List all teams.
`fixed:teams:creator`	`teams:create` `org.users:read`	Create a team and list organization users (required to manage the created team).
`fixed:teams:writer`	`teams:create` `teams:delete` `teams:read` `teams:write` `teams.permissions:read` `teams.permissions:write`	Create, read, update and delete teams and manage team memberships.
`fixed:users:reader`	`users:read` `users.quotas:read` `users.authtoken:read` `	Read all users and their information, such as team memberships, authentication tokens, and quotas.
`fixed:users:writer`	All permissions from `fixed:users:reader` and `users:write` `users:create` `users:delete` `users:enable` `users:disable` `users.password:write` `users.permissions:write` `users:logout` `users.authtoken:write` `users.quotas:write`	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.

Alerting roles

You can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is only one exclusion at this moment. Role fixed:alerting.provisioning:writer does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.

For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.

Grafana OnCall roles (beta)

Note
Available from Grafana 9.4 in early access.

Note
This feature is behind the accessControlOnCall feature toggle. You can enable feature toggles through configuration file or environment variables. See configuration docs for details.

If you are using Grafana OnCall, you can try out the integration between Grafana OnCall and RBAC. For a detailed list of the available OnCall RBAC roles, refer to the table in Available Grafana OnCall RBAC roles and granted actions.

The following table lists the default RBAC OnCall role assignments to the basic roles:

Basic role	Associated fixed roles	Description
Grafana Admin	`plugins:grafana-oncall-app:admin`	Default Grafana server administrator assignments.
Admin	`plugins:grafana-oncall-app:admin`	Default Grafana organization administrator assignments.
Editor	`plugins:grafana-oncall-app:editor`	Default Editor assignments.
Viewer	`plugins:grafana-oncall-app:reader`	Default Viewer assignments.

Grafana RBAC permissions, actions, and scopes

Tue, 17 Mar 2026 00:33:57 +0000

RBAC permissions, actions, and scopes

Note
Available in Grafana Enterprise and Grafana Cloud.

A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions.

To learn more about the Grafana resources to which you can apply RBAC, refer to Resources with RBAC permissions.

Action: An action describes what tasks a user can perform on a resource.
Scope: A scope describes where an action can be performed, such as reading a specific user profile. In this example, a permission is associated with the scope users:<userId> to the relevant role.

Action definitions

The following list contains role-based access control actions.

Action	Applicable scope	Description
`alert.instances.external:read`	`datasources:` `datasources:uid:`	Read alerts and silences in data sources that support alerting.
`alert.instances.external:write`	`datasources:` `datasources:uid:`	Manage alerts and silences in data sources that support alerting.
`alert.instances:create`	n/a	Create silences in the current organization.
`alert.instances:read`	n/a	Read alerts and silences in the current organization.
`alert.instances:write`	n/a	Update and expire silences in the current organization.
`alert.notifications.external:read`	`datasources:` `datasources:uid:`	Read templates, contact points, notification policies, and mute timings in data sources that support alerting.
`alert.notifications.external:write`	`datasources:` `datasources:uid:`	Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.
`alert.notifications:write`	n/a	Manage templates, contact points, notification policies, and mute timings in the current organization.
`alert.notifications:read`	n/a	Read all templates, contact points, notification policies, and mute timings in the current organization.
`alert.rules.external:read`	`datasources:` `datasources:uid:`	Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)
`alert.rules.external:write`	`datasources:` `datasources:uid:`	Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).
`alert.rules:create`	`folders:` `folders:uid:`	Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.
`alert.rules:delete`	`folders:` `folders:uid:`	Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.
`alert.rules:read`	`folders:` `folders:uid:`	Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.
`alert.rules:write`	`folders:` `folders:uid:`	Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.
`alert.provisioning:read`	n/a	Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required.
`alert.provisioning.secrets:read`	n/a	Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.
`alert.provisioning:write`	n/a	Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required.
`annotations:create`	`annotations:` `annotations:type:`	Create annotations.
`annotations:delete`	`annotations:` `annotations:type:`	Delete annotations.
`annotations:read`	`annotations:` `annotations:type:`	Read annotations and annotation tags.
`annotations:write`	`annotations:` `annotations:type:`	Update annotations.
`apikeys:create`	n/a	Create API keys.
`apikeys:read`	`apikeys:` `apikeys:id:`	Read API keys.
`apikeys:delete`	`apikeys:` `apikeys:id:`	Delete API keys.
`dashboards:create`	`folders:` `folders:uid:`	Create dashboards in one or more folders and their subfolders.
`dashboards:delete`	`dashboards:` `dashboards:uid:` `folders:` `folders:uid:`	Delete one or more dashboards.
`dashboards.insights:read`	n/a	Read dashboard insights data and see presence indicators.
`dashboards.permissions:read`	`dashboards:` `dashboards:uid:` `folders:` `folders:uid:`	Read permissions for one or more dashboards.
`dashboards.permissions:write`	`dashboards:` `dashboards:uid:` `folders:` `folders:uid:`	Update permissions for one or more dashboards.
`dashboards:read`	`dashboards:` `dashboards:uid:` `folders:` `folders:uid:`	Read one or more dashboards.
`dashboards:write`	`dashboards:` `dashboards:uid:` `folders:` `folders:uid:`	Update one or more dashboards.
`dashboards.public:write`	`dashboards:` `dashboards:uid:`	Write public dashboard configuration.
`datasources.caching:read`	`datasources:` `datasources:uid:`	Read data source query caching settings.
`datasources.caching:write`	`datasources:` `datasources:uid:`	Update data source query caching settings.
`datasources:create`	n/a	Create data sources.
`datasources:delete`	`datasources:` `datasources:uid:`	Delete data sources.
`datasources:explore`	n/a	Enable access to the Explore tab.
`datasources.id:read`	`datasources:` `datasources:uid:`	Read data source IDs.
`datasources.insights:read`	n/a	Read data sources insights data.
`datasources.permissions:read`	`datasources:` `datasources:uid:`	List data source permissions.
`datasources.permissions:write`	`datasources:` `datasources:uid:`	Update data source permissions.
`datasources:query`	`datasources:` `datasources:uid:`	Query data sources.
`datasources:read`	`datasources:` `datasources:uid:`	List data sources.
`datasources:write`	`datasources:` `datasources:uid:`	Update data sources.
`featuremgmt.read`	n/a	Read feature toggles.
`featuremgmt.write`	n/a	Write feature toggles.
`folders.permissions:read`	`folders:` `folders:uid:`	Read permissions for one or more folders and their subfolders.
`folders.permissions:write`	`folders:` `folders:uid:`	Update permissions for one or more folders and their subfolders.
`folders:create`	n/a	Create folders in the root level. If granted together with `folders:write`, also allows creating subfolders under all folders that the user can update.
`folders:delete`	`folders:` `folders:uid:`	Delete one or more folders and their subfolders.
`folders:read`	`folders:` `folders:uid:`	Read one or more folders and their subfolders.
`folders:write`	`folders:` `folders:uid:`	Update one or more folders and their subfolders. If granted together with `folders:create` permission, also allows creating subfolders under these folders.
`ldap.config:reload`	n/a	Reload the LDAP configuration.
`ldap.status:read`	n/a	Verify the availability of the LDAP server or servers.
`ldap.user:read`	n/a	Read users via LDAP.
`ldap.user:sync`	n/a	Sync users via LDAP.
`library.panels:create`	`folders:` `folders:uid:`	Create a library panel in one or more folders and their subfolders.
`library.panels:read`	`folders:` `folders:uid:` `library.panels:` `library.panels:uid:`	Read one or more library panels.
`library.panels:write`	`folders:` `folders:uid:` `library.panels:` `library.panels:uid:`	Update one or more library panels.
`library.panels:delete`	`folders:` `folders:uid:` `library.panels:` `library.panels:uid:`	Delete one or more library panels.
`licensing.reports:read`	n/a	Get custom permission reports.
`licensing:delete`	n/a	Delete the license token.
`licensing:read`	n/a	Read licensing information.
`licensing:write`	n/a	Update the license token.
`org.users:write`	`users:` `users:id:`	Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user.
`org.users:add`	`users:` `users:id:`	Add a user to an organization or invite a new user to an organization.
`org.users:read`	`users:` `users:id:`	Get user profiles within an organization.
`org.users:remove`	`users:` `users:id:`	Remove a user from an organization.
`orgs.preferences:read`	n/a	Read organization preferences.
`orgs.preferences:write`	n/a	Update organization preferences.
`orgs.quotas:read`	n/a	Read organization quotas.
`orgs.quotas:write`	n/a	Update organization quotas.
`orgs:create`	n/a	Create an organization.
`orgs:delete`	n/a	Delete one or more organizations.
`orgs:read`	n/a	Read one or more organizations.
`orgs:write`	n/a	Update one or more organizations.
`plugins.app:access`	`plugins:` `plugins:id:`	Access one or more application plugins (still enforcing the organization role)
`plugins:install`	n/a	Install and uninstall plugins.
`plugins:write`	`plugins:` `plugins:id:`	Edit settings for one or more plugins.
`provisioning:reload`	`provisioners:*`	Reload provisioning files. To find the exact scope for specific provisioner, see Scope definitions.
`reports:create`	n/a	Create reports.
`reports:write`	`reports:` `reports:id:`	Update reports.
`reports.settings:read`	n/a	Read report settings.
`reports.settings:write`	n/a	Update report settings.
`reports:delete`	`reports:` `reports:id:`	Delete reports.
`reports:read`	`reports:` `reports:id:`	List all available reports or get a specific report.
`reports:send`	`reports:` `reports:id:`	Send a report email.
`roles:delete`	`permissions:type:delegate`	Delete a custom role.
`roles:read`	`roles:` `roles:uid:`	List roles and read a specific role with its permissions.
`roles:write`	`permissions:type:delegate`	Create or update a custom role.
`roles:write`	`permissions:type:escalate`	Reset basic roles to their default permissions.
`server.stats:read`	n/a	Read Grafana instance statistics.
`server.usagestats.report:read`	n/a	View usage statistics report.
`serviceaccounts:write`	`serviceaccounts:*`	Create Grafana service accounts.
`serviceaccounts:create`	n/a	Update Grafana service accounts.
`serviceaccounts:delete`	`serviceaccounts:` `serviceaccounts:id:`	Delete Grafana service accounts.
`serviceaccounts:read`	`serviceaccounts:` `serviceaccounts:id:`	Read Grafana service accounts.
`serviceaccounts.permissions:write`	`serviceaccounts:` `serviceaccounts:id:`	Update Grafana service account permissions to control who can do what with the service account.
`serviceaccounts.permissions:read`	`serviceaccounts:` `serviceaccounts:id:`	Read Grafana service account permissions to see who can do what with the service account.
`settings:read`	`settings:` `settings:auth.saml:` `settings:auth.saml:enabled` (property level)	Read the Grafana configuration settings
`settings:write`	`settings:` `settings:auth.saml:` `settings:auth.saml:enabled` (property level)	Update any Grafana configuration settings that can be updated at runtime.
`support.bundles:create`	n/a	Create support bundles.
`support.bundles:delete`	n/a	Delete support bundles.
`support.bundles:read`	n/a	List and download support bundles.
`status:accesscontrol`	`services:accesscontrol`	Get access-control enabled status.
`teams.permissions:read`	`teams:` `teams:id:`	Read members and Team Sync setup for teams.
`teams.permissions:write`	`teams:` `teams:id:`	Add, remove and update members and manage Team Sync setup for teams.
`teams.roles:add`	`permissions:type:delegate`	Assign a role to a team.
`teams.roles:read`	`teams:` `teams:id:`	List roles assigned directly to a team.
`teams.roles:remove`	`permissions:type:delegate`	Unassign a role from a team.
`teams:create`	n/a	Create teams.
`teams:delete`	`teams:` `teams:id:`	Delete one or more teams.
`teams:read`	`teams:` `teams:id:`	Read one or more teams and team preferences. To list teams through the UI one of the following permissions is required in addition to `teams:read`: `teams:write`, `teams.permissions:read` or `teams.permissions:write`.
`teams:write`	`teams:` `teams:id:`	Update one or more teams and team preferences.
`users.authtoken:read`	`global.users:` `global.users:id:`	List authentication tokens that are assigned to a user.
`users.authtoken:write`	`global.users:` `global.users:id:`	Update authentication tokens that are assigned to a user.
`users.password:write`	`global.users:` `global.users:id:`	Update a user’s password.
`users.permissions:read`	`users:*`	List permissions of a user.
`users.permissions:write`	`global.users:` `global.users:id:`	Update a user’s organization-level permissions.
`users.quotas:read`	`global.users:` `global.users:id:`	List a user’s quotas.
`users.quotas:write`	`global.users:` `global.users:id:`	Update a user’s quotas.
`users.roles:add`	`permissions:type:delegate`	Assign a role to a user or a service account.
`users.roles:read`	`users:*`	List roles assigned directly to a user or a service account.
`users.roles:remove`	`permissions:type:delegate`	Unassign a role from a user or a service account.
`users:create`	n/a	Create a user.
`users:delete`	`global.users:` `global.users:id:`	Delete a user.
`users:disable`	`global.users:` `global.users:id:`	Disable a user.
`users:enable`	`global.users:` `global.users:id:`	Enable a user.
`users:logout`	`global.users:` `global.users:id:`	Sign out a user.
`users:read`	`global.users:*`	Read or search user profiles.
`users:write`	`global.users:` `global.users:id:`	Update a user’s profile.

Grafana OnCall action definitions (beta)

Note: Available from Grafana 9.4 in early access.

Note: This feature is behind the accessControlOnCall feature toggle. You can enable feature toggles through configuration file or environment variables. See configuration docs for details.

The following list contains role-based access control actions used by Grafana OnCall application plugin.

Action	Applicable scope	Description
`grafana-oncall-app.alert-groups:read`	n/a	Read OnCall alert groups.
`grafana-oncall-app.alert-groups:write`	n/a	Create, edit and delete OnCall alert groups.
`grafana-oncall-app.integrations:read`	n/a	Read OnCall integrations.
`grafana-oncall-app.integrations:write`	n/a	Create, edit and delete OnCall integrations.
`grafana-oncall-app.integrations:test`	n/a	Test OnCall integrations.
`grafana-oncall-app.escalation-chains:read`	n/a	Read OnCall escalation chains.
`grafana-oncall-app.escalation-chains:write`	n/a	Create, edit and delete OnCall escalation chains.
`grafana-oncall-app.schedules:read`	n/a	Read OnCall schedules.
`grafana-oncall-app.schedules:write`	n/a	Create, edit and delete OnCall schedules.
`grafana-oncall-app.schedules:export`	n/a	Export OnCall schedules.
`grafana-oncall-app.chatops:read`	n/a	Read OnCall ChatOps.
`grafana-oncall-app.chatops:write`	n/a	Edit OnCall ChatOps.
`grafana-oncall-app.chatops:update-settings`	n/a	Edit OnCall ChatOps settings.
`grafana-oncall-app.maintenance:read`	n/a	Read OnCall maintenance.
`grafana-oncall-app.maintenance:write`	n/a	Edit OnCall maintenance.
`grafana-oncall-app.api-keys:read`	n/a	Read OnCall API keys.
`grafana-oncall-app.api-keys:write`	n/a	Create, edit and delete OnCall API keys.
`grafana-oncall-app.notifications:read`	n/a	Receive OnCall notifications.
`grafana-oncall-app.notification-settings:read`	n/a	Read OnCall notification settings.
`grafana-oncall-app.notification-settings:write`	n/a	Edit OnCall notification settings.
`grafana-oncall-app.user-settings:read`	n/a	Read user’s own OnCall user settings.
`grafana-oncall-app.user-settings:write`	n/a	Edit user’s own OnCall user settings.
`grafana-oncall-app.user-settings:admin`	n/a	Read and edit all users’ OnCall user settings.
`grafana-oncall-app.other-settings:read`	n/a	Read OnCall settings.
`grafana-oncall-app.other-settings:write`	n/a	Edit OnCall settings.

Scope definitions

The following list contains role-based access control scopes.

Scopes	Descriptions
`annotations:` `annotations:type:`	Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations.
`apikeys:` `apikeys:id:`	Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`.
`dashboards:` `dashboards:uid:`	Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`.
`datasources:` `datasources:uid:`	Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`.
`folders:` `folders:uid:`	Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. Note that permissions granted to a folder cascade down to subfolders located under it
`global.users:` `global.users:id:`	Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`.
`library.panels:` `library.panels:uid:`	Restrict an action to a set of library panels. For example, `library.panels:*` matches any library panel, and `library.panel:uid:1` matches the library panel whose UID is `1`.
`orgs:` `orgs:id:`	Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`.
`permissions:type:delegate`	The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.
`permissions:type:escalate`	The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have.
`plugins:` `plugins:id:`	Restrict an action to a set of plugins. For example, `plugins:id:grafana-oncall-app` matches Grafana OnCall plugin, and `plugins:*` matches all plugins.
`provisioners:*`	Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control provisioner.
`reports:` `reports:id:`	Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`.
`roles:` `roles:uid:`	Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`.
`services:accesscontrol`	Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions.
`serviceaccounts:` `serviceaccounts:id:`	Restrict an action to a set of service account from an organization. For example, `serviceaccounts:*` matches any service account and `serviceaccount:id:1` matches the service account whose ID is `1`.
`settings:*`	Restrict an action to a subset of settings. For example, `settings:` matches all settings, `settings:auth.saml:` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings.
`teams:` `teams:id:`	Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`.
`users:` `users:id:`	Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`.
`n/a`	`n/a` means not applicable. If an action has `n/a` specified for the scope, then the action does not require a scope. For example, the `teams:create` action does not require a scope and allows users to create teams.

Troubleshooting RBAC

Tue, 17 Mar 2026 00:33:57 +0000

Troubleshooting RBAC

In this section, you’ll learn about logs that are available for RBAC and you’ll find the most common RBAC issues.

Enable debug logging

You can enable debug log messages for RBAC in the Grafana configuration file. Debug logs are added to the Grafana server logs.

[log]
filters = accesscontrol:debug accesscontrol.evaluator:debug dashboard.permissions:debug

Enable audit logging

Note
Available in Grafana Enterprise version 7.3 and later, and Grafana Cloud.

You can enable auditing in the Grafana configuration file.

[auditing]
enabled = true

All permission and role updates, and role assignments are added to audit logs. Learn more about access control audit logs.

Missing dashboard, folder or data source permissions

Dashboard and folder permissions and data source permissions can go out of sync if a Grafana instance version is upgraded, downgraded and then upgraded again. This happens when an instance is downgraded from a version that uses RBAC to a version that uses the legacy access control, and dashboard, folder or data source permissions are updated. These permission updates will not be applied to RBAC, so permissions will be out of sync when the instance is next upgraded to a version with RBAC.

Note
the steps provided below will set all dashboard, folder and data source permissions to what they are set to with the legacy access control. If you have made dashboard, folder or data source permission updates with RBAC enabled, these updates will be wiped.

To resynchronize the permissions:

make a backup of your database

run the following SQL queries

DELETE
FROM builtin_role
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM team_role
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM user_role
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM permission
where role_id IN (SELECT id
                  FROM role
                  WHERE name LIKE 'managed:%');
DELETE
FROM role
WHERE name LIKE 'managed:%';
DELETE
FROM migration_log
WHERE migration_id IN ('teams permissions migration',
                       'dashboard permissions',
                       'dashboard permissions uid scopes',
                       'data source permissions',
                       'data source uid permissions',
                       'managed permissions migration',
                       'managed folder permissions alert actions repeated migration',
                       'managed permissions migration enterprise');

restart your Grafana instance