Configure RBAC
Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.
Each permission contains one or more actions and a scope.
Permissions
Grafana Alerting has the following permissions.
Action | Applicable scope | Description |
---|---|---|
alert.instances.external:read | datasources:* datasources:uid:* | Read alerts and silences in data sources that support alerting. |
alert.instances.external:write | datasources:* datasources:uid:* | Manage alerts and silences in data sources that support alerting. |
alert.instances:create | n/a | Create silences in the current organization. |
alert.instances:read | n/a | Read alerts and silences in the current organization. |
alert.instances:write | n/a | Update and expire silences in the current organization. |
alert.notifications.external:read | datasources:* datasources:uid:* | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
alert.notifications.external:write | datasources:* datasources:uid:* | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
alert.notifications:write | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
alert.notifications:read | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
alert.rules.external:read | datasources:* datasources:uid:* | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
alert.rules.external:write | datasources:* datasources:uid:* | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
alert.rules:create | folders:* folders:uid:* | Create Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.rules:delete | folders:* folders:uid:* | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.rules:read | folders:* folders:uid:* | Read Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder. |
alert.rules:write | folders:* folders:uid:* | Update Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.silences:create | folders:* folders:uid:* | Create rule-specific silences in a folder and its subfolders. |
alert.silences:read | folders:* folders:uid:* | Read all general silences and rule-specific silences in a folder and its subfolders. |
alert.silences:write | folders:* folders:uid:* | Update and expire rule-specific silences in a folder and its subfolders. |
alert.provisioning:read | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required. |
alert.provisioning.secrets:read | n/a | Same as alert.provisioning:read plus ability to export resources with decrypted secrets. |
alert.provisioning:write | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required. |
alert.provisioning.provenance:write | n/a | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources |
Contact point permissions. To enable these permissions, enable the alertingApiServer
feature toggle.
Action | Applicable scope | Description |
---|---|---|
alert.notifications.receivers:read | receivers:* receivers:uid:* | Read contact points. |
alert.notifications.receivers.secrets:read | receivers:* receivers:uid:* | Export contact points with decrypted secrets. |
alert.notifications.receivers:create | n/a | Create a new contact points. The creator is automatically granted full access to the created contact point. |
alert.notifications.receivers:write | receivers:* receivers:uid:* | Update existing contact points. |
alert.notifications.receivers:delete | receivers:* receivers:uid:* | Update and delete existing contact points. |
receivers.permissions:read | receivers:* receivers:uid:* | Read permissions for contact points. |
receivers.permissions:write | receivers:* receivers:uid:* | Manage permissions for contact points. |
Mute time interval permissions. To enable these permissions, enable the alertingApiServer
feature toggle.
Action | Applicable scope | Description |
---|---|---|
alert.notifications.time-intervals:read | n/a | Read mute time intervals. |
alert.notifications.time-intervals:write | n/a | Create new or update existing mute time intervals. |
alert.notifications.time-intervals:delete | n/a | Delete existing time intervals. |
Notification template permissions. To enable these permissions, enable the alertingApiServer
feature toggle.
Action | Applicable scope | Description |
---|---|---|
alert.notifications.templates:read | n/a | Read templates. |
alert.notifications.templates:write | n/a | Create new or update existing templates. |
alert.notifications.templates:delete | n/a | Delete existing templates. |
To help plan your RBAC rollout strategy, refer to Plan your RBAC rollout strategy.