---
title: "Grafana RBAC permissions, actions, and scopes | Grafana documentation"
description: "Learn about Grafana RBAC permissions, actions, and scopes."
---


# RBAC permissions, actions, and scopes

> Note
> 
> Available in [Grafana Enterprise](/docs/grafana/v12.4/introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud/).

A permission consists of an action and a scope. When creating a custom role, consider the actions the user can perform and the resources on which they can perform those actions.

To learn more about the Grafana resources to which you can apply RBAC, refer to [Resources with RBAC permissions](/docs/grafana/v12.4/administration/roles-and-permissions/access-control/#fixed-roles).

> Note
> 
> **Before creating custom roles**, consider whether you can meet your access requirements using:
> 
> - [**Folder permissions**](/docs/grafana/v12.4/administration/roles-and-permissions/folder-access-control/): Control access to dashboards, alert rules, and other resources by folder
> - [**Fixed roles**](/docs/grafana/v12.4/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/): Pre-built roles for common access patterns
> 
> Custom roles are most useful when you need fine-grained control that these options don’t provide.

- **Action:** An action describes what tasks a user can perform on a resource.
- **Scope:** A scope describes where an action can be performed, such as reading a specific user profile. In that example, the permission on the role pairs the read action with the scope `users:id:<userId>`, so it applies to that one user only.

## Action definitions

The following table lists the role-based access control actions, the scopes each one accepts, and what it allows.

| Action | Applicable scopes | Description |
|--------|-------------------|-------------|
| `alert.instances.external:read` | `datasources:*` <br />`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*` <br />`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | None | Create silences in the current organization. |
| `alert.instances:read` | None | Read alerts and silences in the current organization. |
| `alert.instances:write` | None | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*` <br />`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*` <br />`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | None | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.notifications:read` | None | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*` <br />`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki). |
| `alert.rules.external:write` | `datasources:*` <br />`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*` <br />`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*` <br />`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. |
| `alert.rules:read` | `folders:*` <br />`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*` <br />`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications, add `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*` <br />`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*` <br />`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*` <br />`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | None | Read all Grafana alert rules, notification policies, etc. via the provisioning API. Permissions on folders and data sources are not required. |
| `alert.provisioning.secrets:read` | None | Same as `alert.provisioning:read` plus the ability to export resources with decrypted secrets. |
| `alert.provisioning:write` | None | Update all Grafana alert rules, notification policies, etc. via the provisioning API. Permissions on folders and data sources are not required. |
| `alert.provisioning.provenance:write` | None | Set provisioning status for alerting resources. Cannot be used alone; the user must also have permissions to access the resources. |
| `annotations:create` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Create annotations. |
| `annotations:delete` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Delete annotations. |
| `annotations:read` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Read annotations and annotation tags. |
| `annotations:write` | `annotations:*` <br />`annotations:type:*` <br />`dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Update annotations. |
| `banners:write` | None | Create [announcement banners](/docs/grafana-cloud/whats-new/2024-09-10-announcement-banner/). |
| `dashboards:create` | `folders:*` <br />`folders:uid:*` | Create dashboards in one or more folders and their subfolders. |
| `dashboards:delete` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Delete one or more dashboards. |
| `dashboards.insights:read` | None | Read dashboard insights data and see presence indicators. To view insights, `dashboards:read` on the dashboard is also needed. |
| `dashboards.permissions:read` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Update permissions for one or more dashboards. |
| `dashboards:read` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*` <br />`dashboards:uid:*` <br />`folders:*` <br />`folders:uid:*` | Update one or more dashboards. |
| `dashboards.public:write` | `dashboards:*` <br />`dashboards:uid:*` | Write shared dashboard configuration. |
| `datasources.caching:read` | `datasources:*` <br />`datasources:uid:*` | Read data source query caching settings. |
| `datasources.caching:write` | `datasources:*` <br />`datasources:uid:*` | Update data source query caching settings. |
| `datasources:create` | None | Create data sources. |
| `datasources:delete` | `datasources:*` <br />`datasources:uid:*` | Delete data sources. |
| `datasources:explore` | None | Enable access to the **Explore** tab. |
| `datasources.id:read` | `datasources:*` <br />`datasources:uid:*` | Read data source IDs. |
| `datasources.insights:read` | None | Read data source insights data. To view insights, `datasources:read` on the data source is also needed. |
| `datasources.permissions:read` | `datasources:*` <br />`datasources:uid:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*` <br />`datasources:uid:*` | Update data source permissions. |
| `datasources:query` | `datasources:*` <br />`datasources:uid:*` | Query data sources. |
| `datasources:read` | `datasources:*` <br />`datasources:uid:*` | List data sources. |
| `datasources:write` | `datasources:*` <br />`datasources:uid:*` | Update data sources. |
| `featuremgmt.read` | None | Read feature toggles. |
| `featuremgmt.write` | None | Write feature toggles. |
| `folders.permissions:read` | `folders:*` <br />`folders:uid:*` | Read permissions for one or more folders and their subfolders. |
| `folders.permissions:write` | `folders:*` <br />`folders:uid:*` | Update permissions for one or more folders and their subfolders. |
| `folders:create` | `folders:*` <br />`folders:uid:*` <br />`folders:uid:general` | Create folders or subfolders. When granted with scope `folders:uid:general`, it allows creating root-level folders; otherwise it allows creating subfolders under the specified folders. |
| `folders:delete` | `folders:*` <br />`folders:uid:*` | Delete one or more folders and their subfolders. |
| `folders:read` | `folders:*` <br />`folders:uid:*` | Read one or more folders and their subfolders. |
| `folders:write` | `folders:*` <br />`folders:uid:*` | Update one or more folders and their subfolders. |
| `ldap.config:reload` | None | Reload the LDAP configuration. |
| `ldap.status:read` | None | Verify the availability of the LDAP server or servers. |
| `ldap.user:read` | None | Read users via LDAP. |
| `ldap.user:sync` | None | Sync users via LDAP. |
| `library.panels:create` | `folders:*` <br />`folders:uid:*` | Create a library panel in one or more folders and their subfolders. |
| `library.panels:read` | `folders:*` <br />`folders:uid:*` <br />`library.panels:*` <br />`library.panels:uid:*` | Read one or more library panels. |
| `library.panels:write` | `folders:*` <br />`folders:uid:*` <br />`library.panels:*` <br />`library.panels:uid:*` | Update one or more library panels. |
| `library.panels:delete` | `folders:*` <br />`folders:uid:*` <br />`library.panels:*` <br />`library.panels:uid:*` | Delete one or more library panels. |
| `licensing.reports:read` | None | Get custom permission reports. |
| `licensing:delete` | None | Delete the license token. |
| `licensing:read` | None | Read licensing information. |
| `licensing:write` | None | Update the license token. |
| `migrationassistant:migrate` | None | Execute on-prem to cloud migrations through the Migration Assistant. |
| `org.users:write` | `users:*` <br />`users:id:*` | Update the organization role (`None`, `Viewer`, `Editor`, or `Admin`) of a user. |
| `org.users:add` | `users:*` <br />`users:id:*` | Add a user to an organization or invite a new user to an organization. |
| `org.users:read` | `users:*` <br />`users:id:*` | Get user profiles within an organization. |
| `org.users:remove` | `users:*` <br />`users:id:*` | Remove a user from an organization. |
| `orgs.preferences:read` | None | Read organization preferences. |
| `orgs.preferences:write` | None | Update organization preferences. |
| `orgs.quotas:read` | None | Read organization quotas. |
| `orgs.quotas:write` | None | Update organization quotas. |
| `orgs:create` | None | Create an organization. |
| `orgs:delete` | None | Delete one or more organizations. |
| `orgs:read` | None | Read one or more organizations. |
| `orgs:write` | None | Update one or more organizations. |
| `plugins.app:access` | `plugins:*` <br />`plugins:id:*` | Access one or more application plugins (the organization role is still enforced). |
| `plugins:install` | None | Install and uninstall plugins. |
| `plugins:write` | `plugins:*` <br />`plugins:id:*` | Edit settings for one or more plugins. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for a specific provisioner, refer to [Scope definitions](#scope-definitions). |
| `reports:create` | None | Create reports. |
| `reports:write` | `reports:*` <br />`reports:id:*` | Update reports. |
| `reports.settings:read` | None | Read report settings. |
| `reports.settings:write` | None | Update report settings. |
| `reports:delete` | `reports:*` <br />`reports:id:*` | Delete reports. |
| `reports:read` | `reports:*` <br />`reports:id:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` <br />`reports:id:*` | Send a report email. |
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
| `roles:read` | `roles:*` <br />`roles:uid:*` | List roles and read a specific role with its permissions. |
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. |
| `secret.securevalues:create` | `secret.securevalues:*` | Create secure values. |
| `secret.securevalues:read` | `secret.securevalues:*` | Read and list secure values. |
| `secret.securevalues:write` | `secret.securevalues:*` | Update secure values. |
| `secret.securevalues:delete` | `secret.securevalues:*` | Delete secure values. |
| `server.stats:read` | None | Read Grafana instance statistics. |
| `server.usagestats.report:read` | None | View the usage statistics report. |
| `serviceaccounts:create` | None | Create Grafana service accounts. |
| `serviceaccounts:write` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Update Grafana service accounts. |
| `serviceaccounts:delete` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Delete Grafana service accounts. |
| `serviceaccounts:read` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Read Grafana service accounts. |
| `serviceaccounts.permissions:write` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Update Grafana service account permissions to control who can do what with the service account. |
| `serviceaccounts.permissions:read` | `serviceaccounts:*` <br />`serviceaccounts:id:*` | Read Grafana service account permissions to see who can do what with the service account. |
| `settings:read` | `settings:*` <br />`settings:auth.saml:*` <br />`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings](/docs/grafana/v12.4/setup-grafana/configure-grafana/). |
| `settings:write` | `settings:*` <br />`settings:auth.saml:*` <br />`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime](/docs/grafana/v12.4/setup-grafana/configure-grafana/settings-updates-at-runtime/). |
| `support.bundles:create` | None | Create support bundles. |
| `support.bundles:delete` | None | Delete support bundles. |
| `support.bundles:read` | None | List and download support bundles. |
| `snapshots:create` | None | Create snapshots. |
| `snapshots:delete` | None | Delete snapshots. |
| `snapshots:read` | None | List snapshots. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `teams.permissions:read` | `teams:*` <br />`teams:id:*` | Read members and Team Sync setup for teams. |
| `teams.permissions:write` | `teams:*` <br />`teams:id:*` | Add, remove, and update members and manage Team Sync setup for teams. |
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
| `teams.roles:read` | `teams:*` <br />`teams:id:*` | List roles assigned directly to a team. |
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
| `teams:create` | None | Create teams. |
| `teams:delete` | `teams:*` <br />`teams:id:*` | Delete one or more teams. |
| `teams:read` | `teams:*` <br />`teams:id:*` | Read one or more teams and team preferences. To list teams through the UI, one of the following permissions is required in addition to `teams:read`: `teams:write`, `teams.permissions:read`, or `teams.permissions:write`. |
| `teams:write` | `teams:*` <br />`teams:id:*` | Update one or more teams and team preferences. |
| `users.authtoken:read` | `global.users:*` <br />`global.users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:write` | `global.users:*` <br />`global.users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s password. |
| `users.permissions:read` | `users:*` | List permissions of a user. |
| `users.permissions:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s organization-level permissions. |
| `users.quotas:read` | `global.users:*` <br />`global.users:id:*` | List a user’s quotas. |
| `users.quotas:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s quotas. |
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. |
| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. |
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. |
| `users:create` | None | Create a user. |
| `users:delete` | `global.users:*` <br />`global.users:id:*` | Delete a user. |
| `users:disable` | `global.users:*` <br />`global.users:id:*` | Disable a user. |
| `users:enable` | `global.users:*` <br />`global.users:id:*` | Enable a user. |
| `users:logout` | `global.users:*` <br />`global.users:id:*` | Sign out a user. |
| `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global.users:*` <br />`global.users:id:*` | Update a user’s profile. |

### Grafana Alerting Notification action definitions


| Action                                          | Applicable scopes                                               | Description                                                                                                                                                                                                                               |
|-------------------------------------------------|-----------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `alert.notifications.receivers:read`            | `receivers:*`  <br />`receivers:uid:*`                          | Read contact points.                                                                                                                                                                                                                      |
| `alert.notifications.receivers.secrets:read`    | `receivers:*`  <br />`receivers:uid:*`                          | Export contact points with decrypted secrets.                                                                                                                                                                                             |
| `alert.notifications.receivers:create`          | None                                                            | Create a new contact point. The creator is automatically granted full access to the created contact point.                                                                                                                                |
| `alert.notifications.receivers:write`           | `receivers:*`  <br />`receivers:uid:*`                          | Update existing contact points.                                                                                                                                                                                                           |
| `alert.notifications.receivers.protected:write` | `receivers:*`  <br />`receivers:uid:*`                          | Update [protected fields](/docs/grafana/v12.4/alerting/configure-notifications/manage-contact-points/#grafana-cloud-protected-fields) in contact points (such as target URLs for integrations). This scope only applies to Grafana Cloud. |
| `alert.notifications.receivers:delete`          | `receivers:*`  <br />`receivers:uid:*`                          | Delete existing contact points.                                                                                                                                                                                                           |
| `alert.notifications.receivers:test`            | None                                                            | Test contact point notification. Deprecated; use `alert.notifications.receivers.test:create` instead.                                                                                                                                     |
| `alert.notifications.receivers.test:create`     | `receivers:*`  <br />`receivers:uid:*`  <br />`receivers:uid:-` | Test contact points to verify their configuration. Use scope `receivers:uid:-` to grant permission to test new integrations.                                                                                                              |
| `receivers.permissions:read`                    | `receivers:*`  <br />`receivers:uid:*`                          | Read permissions for contact points.                                                                                                                                                                                                      |
| `receivers.permissions:write`                   | `receivers:*`  <br />`receivers:uid:*`                          | Manage permissions for contact points.                                                                                                                                                                                                    |
| `alert.notifications.time-intervals:read`       | None                                                            | Read mute time intervals.                                                                                                                                                                                                                 |
| `alert.notifications.time-intervals:write`      | None                                                            | Create new or update existing mute time intervals.                                                                                                                                                                                        |
| `alert.notifications.time-intervals:delete`     | None                                                            | Delete existing time intervals.                                                                                                                                                                                                           |
| `alert.notifications.templates:read`            | None                                                            | Read templates.                                                                                                                                                                                                                           |
| `alert.notifications.templates:write`           | None                                                            | Create new or update existing templates.                                                                                                                                                                                                  |
| `alert.notifications.templates:delete`          | None                                                            | Delete existing templates.                                                                                                                                                                                                                |
| `alert.notifications.templates.test:write`      | None                                                            | Test templates with custom payloads (preview and payload editor functionality).                                                                                                                                                           |
| `alert.notifications.routes:read`               | None                                                            | Read notification policies.                                                                                                                                                                                                               |
| `alert.notifications.routes:write`              | None                                                            | Create new, update, or delete notification policies.                                                                                                                                                                                      |

## Scope definitions

The following table lists the role-based access control scopes and what each one matches.

| Scopes | Description |
|--------|-------------|
| `annotations:*` <br />`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards, and `annotations:type:organization` matches organization annotations. |
| `dashboards:*` <br />`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
| `datasources:*` <br />`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
| `folders:*` <br />`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. Note that permissions granted on a folder cascade down to the subfolders under it. |
| `global.users:*` <br />`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user, and `global.users:id:1` matches the user whose ID is `1`. |
| `library.panels:*` <br />`library.panels:uid:*` | Restrict an action to a set of library panels. For example, `library.panels:*` matches any library panel, and `library.panels:uid:1` matches the library panel whose UID is `1`. |
| `orgs:*` <br />`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization, and `orgs:id:1` matches the organization whose ID is `1`. |
| `permissions:type:delegate` | Only applicable to roles concerned with access control itself. It indicates that you can delegate only permissions you already hold, or a subset of them, by creating a new role or making an assignment. |
| `permissions:type:escalate` | Required to trigger the reset of basic role permissions. It indicates that users might acquire additional permissions they did not previously have. |
| `plugins:*` <br />`plugins:id:*` | Restrict an action to a set of plugins. For example, `plugins:id:grafana-oncall-app` matches the Grafana OnCall plugin, and `plugins:*` matches all plugins. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner](/docs/grafana/v12.4/administration/roles-and-permissions/access-control/rbac-grafana-provisioning/). |
| `reports:*` <br />`reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report, and `reports:id:1` matches the report whose ID is `1`. |
| `roles:*` <br />`roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
| `services:accesscontrol` | Restrict an action to target only the role-based access control service. Use it in conjunction with the `status:accesscontrol` action. |
| `serviceaccounts:*` <br />`serviceaccounts:id:*` | Restrict an action to a set of service accounts from an organization. For example, `serviceaccounts:*` matches any service account, and `serviceaccounts:id:1` matches the service account whose ID is `1`. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the `enabled` property of the SAML settings. |
| `teams:*` <br />`teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team, and `teams:id:1` matches the team whose ID is `1`. |
| `users:*` <br />`users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user, and `users:id:1` matches the user whose ID is `1`. |
| None | If an action has “None” specified for the scope, the action doesn’t require a scope. For example, the `teams:create` action doesn’t require a scope and allows users to create teams. |
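The action table says several times to combine an action with companion permissions (for example `alert.rules:create` with `folders:read` on the same folder and `datasources:query` on the data sources the rule queries), and the scope table describes wildcard scopes such as `folders:*` and `folders:uid:*`. The following Python is an added example, not Grafana code, that puts both together: `scope_covers` implements the matching the scope definitions describe (`*`, a trailing `:*` prefix wildcard, or an exact match), `role_allows` evaluates a role against an action and scope, and `missing_companions` flags actions whose documented companions are absent from the role. The role itself, the folder UID `infra` and the data source UID `prom-main` are constructed for the example; the cascade from a folder to its subfolders is resolved inside Grafana and is not modelled by the string comparison here.

```python
"""Evaluate and lint a custom Grafana RBAC role (added example, not Grafana code)."""

# Constructed least-privilege "alert rule author" role in the action/scope
# shape used by RBAC provisioning; folder and data source UIDs are made up.
ALERT_AUTHOR_ROLE = {
    "name": "custom:alerting:infra-author",
    "permissions": [
        {"action": "folders:read", "scope": "folders:uid:infra"},
        {"action": "alert.rules:read", "scope": "folders:uid:infra"},
        {"action": "alert.rules:create", "scope": "folders:uid:infra"},
        {"action": "datasources:query", "scope": "datasources:uid:prom-main"},
        {"action": "alert.instances:read", "scope": ""},  # scopeless ("None" in the table)
    ],
}

# Companion permissions the action table says to combine with each action.
COMPANIONS = {
    "alert.rules:create": ["folders:read", "datasources:query"],
    "alert.rules:read": ["folders:read", "datasources:query"],
    "alert.rules:write": ["folders:read"],
    "alert.rules:delete": ["folders:read"],
    "dashboards.insights:read": ["dashboards:read"],
    "datasources.insights:read": ["datasources:read"],
}


def scope_covers(granted: str, requested: str) -> bool:
    """True if the granted scope covers the requested one.

    "*" covers everything; a scope ending in ":*" covers every scope with that
    prefix ("folders:*" and "folders:uid:*" both cover "folders:uid:infra");
    anything else must match exactly. An empty scope means the action is scopeless.
    Folder permissions also cascade to subfolders, but that expansion happens
    inside Grafana and is not modelled by this string comparison.
    """
    if granted == "*":
        return True
    if granted.endswith(":*"):
        return requested.startswith(granted[:-1])  # keep the trailing ':'
    return granted == requested


def role_allows(role: dict, action: str, scope: str = "") -> bool:
    """Does any permission in the role grant `action` on `scope`?"""
    return any(
        p["action"] == action and scope_covers(p.get("scope", ""), scope)
        for p in role["permissions"]
    )


def missing_companions(role: dict) -> list:
    """List actions in the role whose documented companion permissions are absent.

    `folders:read` must cover the same folder scope as the alert.rules action;
    the other companions are only checked for presence, because the role alone
    does not say which dashboards or data sources will be touched.
    """
    problems = []
    for p in role["permissions"]:
        for needed in COMPANIONS.get(p["action"], []):
            if needed == "folders:read":
                ok = role_allows(role, needed, p["scope"])
            else:
                ok = any(q["action"] == needed for q in role["permissions"])
            if not ok:
                problems.append(f"{p['action']} on {p['scope'] or '(no scope)'} lacks {needed}")
    return problems


if __name__ == "__main__":
    print(role_allows(ALERT_AUTHOR_ROLE, "alert.rules:create", "folders:uid:infra"))  # True
    print(role_allows(ALERT_AUTHOR_ROLE, "alert.rules:create", "folders:uid:other"))  # False
    print(missing_companions(ALERT_AUTHOR_ROLE))  # []
```

Run `missing_companions` over a role before provisioning it: a role that carries `alert.rules:create` on `folders:uid:infra` but only `folders:read` on some other folder passes a naive "is the action present" review yet cannot actually be used, and the reverse mistake, widening `folders:read` to `folders:*` to make it work, is where over-grants usually creep in.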

## Discovering plugin actions

The action definitions table above lists actions for core Grafana features. App plugins can define their own actions, which follow the pattern `<plugin-id>.<resource>:<operation>`.

To discover which actions a plugin supports, query an existing role that has plugin permissions. For example, to see what actions are available for a plugin, you can query the basic Admin role:


```bash
curl -X GET "https://your-grafana-instance/api/access-control/roles/basic_admin" \
  -H "Authorization: Bearer <your-service-account-token>"
```

The response includes all permissions granted to that role, including plugin-specific actions. Plugin actions typically use `None` for their scope because they operate at the organization level.
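The following Python is an added example, not Grafana code, of what to do with that response once you have it: it separates plugin-defined actions (the `<plugin-id>.<resource>:<operation>` pattern) from core ones, groups them by plugin, and carves a least-privilege custom role that grants only one plugin's read operations plus the `plugins.app:access` permission needed to open the app. `SAMPLE_ROLE` is a constructed stand-in for the API response, relying only on a `permissions` array of `action`/`scope` objects; the plugin IDs `acme-widgets-app` and `acme-tickets-app` and their actions are invented, and the request-body shape for `POST /api/access-control/roles` (name, description, permissions) is an assumption to check against your Grafana version.

```python
"""Find plugin-defined actions in an RBAC API role response and carve a
least-privilege custom role from them (added example, not Grafana code)."""
import json
import re

# Constructed stand-in for the JSON returned by
# GET /api/access-control/roles/basic_admin. Only the "permissions" array with
# "action"/"scope" keys is relied on; the plugin IDs and actions are invented.
SAMPLE_ROLE = {
    "uid": "basic_admin",
    "name": "basic:admin",
    "permissions": [
        {"action": "dashboards:read", "scope": "dashboards:*"},
        {"action": "alert.notifications.time-intervals:read", "scope": ""},
        {"action": "plugins.app:access", "scope": "plugins:id:acme-widgets-app"},
        {"action": "acme-widgets-app.widgets:read", "scope": ""},
        {"action": "acme-widgets-app.widgets:write", "scope": ""},
        {"action": "acme-widgets-app.settings:read", "scope": ""},
        {"action": "acme-tickets-app.tickets:read", "scope": ""},
    ],
}

# Plugin actions follow <plugin-id>.<resource>:<operation>. Plugin IDs contain a
# hyphen (vendor-name-app) and core action prefixes (dashboards, alert, users, ...)
# do not, so a hyphen in the first dotted segment separates the two. Core actions
# such as alert.notifications.time-intervals:read carry hyphens only later on.
PLUGIN_ACTION = re.compile(
    r"^(?P<plugin>[a-z0-9]+(?:-[a-z0-9]+)+)\.(?P<resource>[^:]+):(?P<op>[a-z]+)$"
)


def plugin_actions(role: dict) -> dict:
    """Group the role's plugin-defined actions by plugin ID, dropping core actions."""
    found = {}
    for perm in role["permissions"]:
        m = PLUGIN_ACTION.match(perm["action"])
        if m:
            found.setdefault(m["plugin"], []).append(perm["action"])
    return found


def carve_plugin_role(role: dict, plugin_id: str, name: str, operations: set) -> dict:
    """Build a custom role body granting one plugin's actions for the given operations.

    plugins.app:access scoped to the plugin is added first, since without it the
    app cannot be opened at all. Scopes are copied from the source permission
    (plugin actions are typically scopeless). The result uses the fields assumed
    for POST /api/access-control/roles: name, description, permissions[{action, scope}].
    """
    permissions = [{"action": "plugins.app:access", "scope": f"plugins:id:{plugin_id}"}]
    for perm in role["permissions"]:
        m = PLUGIN_ACTION.match(perm["action"])
        if m and m["plugin"] == plugin_id and m["op"] in operations:
            permissions.append({"action": perm["action"], "scope": perm.get("scope", "")})
    return {
        "name": name,
        "description": f"{', '.join(sorted(operations))} access to {plugin_id}",
        "permissions": permissions,
    }


def as_request_body(role_body: dict) -> str:
    """Serialise the role body for the RBAC HTTP API."""
    return json.dumps(role_body, indent=2)


if __name__ == "__main__":
    print(plugin_actions(SAMPLE_ROLE))
    viewer = carve_plugin_role(SAMPLE_ROLE, "acme-widgets-app", "custom:acme-widgets:viewer", {"read"})
    print(as_request_body(viewer))
```

Feed the real response from the `curl` call above into `plugin_actions` instead of `SAMPLE_ROLE` to see exactly which actions a plugin registers; the carved role is deliberately narrower than assigning the plugin's own bundled role, which usually includes write operations as well.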

For a centralized reference of plugin roles and their default permissions, refer to [Grafana Cloud app plugin role definitions](/docs/grafana/v12.4/administration/roles-and-permissions/access-control/plugin-role-definitions/).
