Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Administrationbreadcrumb arrow Roles and permissionsbreadcrumb arrow Role-based access control (RBAC)breadcrumb arrow Plugin role definitions
Grafana Cloud

Grafana Cloud app plugin role definitions

Note

Available in Grafana Cloud.

This page lists the RBAC roles available for Grafana Cloud app plugins. Plugin roles control access to specific plugin features and can be assigned to users, teams, or basic roles.

For general information about how RBAC works with app plugins, refer to RBAC for app plugins.

Note

Third-party plugins can define their own RBAC roles. This page documents roles for Grafana Cloud app plugins only. Refer to the documentation for third-party plugins to learn about their available roles.

Default plugin permissions by basic role

When you assign a user a basic organization role (Viewer, Editor, or Admin), they automatically receive default plugin permissions. The following table summarizes the default access level for each Grafana Cloud plugin.

PluginViewerEditorAdmin
Adaptive LogsRead exemptionsRead exemptionsAdmin access
Adaptive MetricsRead recommendations, exemptionsRead recommendations, exemptionsAdmin access
Adaptive TracesRead recommendationsRead recommendationsAdmin access
Application ObservabilityView accessView accessAdmin access
AssistantChat access, user rules/quickstarts+ MCP servers, investigations+ Tenant-wide settings
Cloud ProviderRead accessRead accessProvider-specific write access
Cost AttributionsRead attributionsRead attributionsRead attributions
Cost Management and BillingFull access
Fleet Management (Collector)Read accessRead accessFull access
Frontend ObservabilityRead apps, source maps+ Write apps, source maps+ Delete apps
Grafana AuthWrite access policies
IRMRead all+ Write alert groups, schedules, maintenance, user settings+ Write integrations, escalation chains, etc.
k6Read settings+ Write settingsAdmin access
Knowledge GraphRead assertions+ Write configuration and rules+ Full write access
Kubernetes MonitoringRead allRead allAdmin access
LabelsRead labels+ Create, edit, delete labels+ Full write access
Machine LearningRead forecasting, outliers, sift+ Write forecasting, outliers, sift+ Full write access
OnCallRead all+ Write alert groups, schedules, maintenance, user settings+ Write integrations, escalation chains, etc.
Private Data ConnectFull access
SLORead SLOsCreate, edit, delete SLOs+ Modify org preferences
Synthetic MonitoringRead checks, probes, alerts, thresholds+ Create, edit, delete checks, probes, alerts, thresholds+ Manage access tokens

Note

The permissions above are automatically granted based on the user’s organization role. You can assign additional plugin-specific roles (listed below) to grant more granular access.

Adaptive Logs plugin

Plugin ID: grafana-adaptivelogs-app

Plugin roleDescription
plugins:grafana-adaptivelogs-app:adminRead/write access to everything in Adaptive Logs
plugins:grafana-adaptivelogs-app:patterns-editorRead/write access to recommendations and patterns
plugins:grafana-adaptivelogs-app:patterns-readerRead access to recommendations and patterns
plugins:grafana-adaptivelogs-app:segments-adminCreate and manipulate segments
plugins:grafana-adaptivelogs-app:expiring-exemptions-userUse the expiring exemptions button
plugins:grafana-adaptivelogs-app:plugin-accessAccess to the Adaptive Logs plugin

Adaptive Metrics plugin

Plugin ID: grafana-adaptive-metrics-app

Plugin roleDescription
plugins:grafana-adaptive-metrics-app:adminRead/write access to everything in Adaptive Metrics
plugins:grafana-adaptive-metrics-app:rules-editorRead/write access to recommendations and rules
plugins:grafana-adaptive-metrics-app:rules-readerRead access to recommendations and rules
plugins:grafana-adaptive-metrics-app:exemptions-editorEdit access to recommendation exemptions
plugins:grafana-adaptive-metrics-app:exemptions-readerRead access to recommendation exemptions
plugins:grafana-adaptive-metrics-app:segments-editorEdit access to segments
plugins:grafana-adaptive-metrics-app:segments-readerRead access to segments
plugins:grafana-adaptive-metrics-app:config-editorEdit access to plugin configuration
plugins:grafana-adaptive-metrics-app:config-readerRead access to plugin configuration
plugins:grafana-adaptive-metrics-app:plugin-accessAccess to the Adaptive Metrics plugin

Adaptive Traces plugin

Plugin ID: grafana-adaptivetraces-app

Plugin roleDescription
plugins:grafana-adaptivetraces-app:adminRead/write access to everything in Adaptive Traces

Application Observability plugin

Plugin ID: grafana-app-observability-app

Plugin roleDescription
plugins:grafana-app-observability-app:adminRead/write access to everything in Application Observability plugin
plugins:grafana-app-observability-app:viewerView access in Application Observability plugin

Cloud Provider plugin

Plugin ID: grafana-csp-app

Plugin roleDescription
plugins:grafana-csp-app:aws-writerRead/Write access to AWS in Cloud provider plugin
plugins:grafana-csp-app:azure-writerRead/Write access to Azure in Cloud provider plugin
plugins:grafana-csp-app:gcp-writerRead/Write access to GCP in Cloud provider plugin
plugins:grafana-csp-app:readerRead access in Cloud provider plugin

Cost Attributions plugin

Plugin ID: grafana-attributions-app

Plugin roleDescription
plugins:grafana-attributions-app:cost-attributions-viewerView the Cost Attributions application and its data

Cost Management and Billing plugin

Plugin ID: grafana-cmab-app

Plugin roleDescription
plugins:grafana-cmab-app:full-adminFull access to all features
plugins:grafana-cmab-app:billing-and-usage-readerRead-only access to billing and usage data
plugins:grafana-cmab-app:invoice-readerRead-only access to invoices, FOCUS & usage data
plugins:grafana-cmab-app:cost-attribution-adminFull access to cost attributions
plugins:grafana-cmab-app:cost-attribution-readerRead-only access to cost attributions
plugins:grafana-cmab-app:usage-alerts-adminFull access to usage alerts
plugins:grafana-cmab-app:usage-alerts-readerRead-only access to usage alerts

Easystart / Integrations plugin

Plugin ID: grafana-easystart-app

Plugin roleDescription
plugins:grafana-easystart-app:integrations-writerAdminister integrations

Fleet Management (Collector plugin)

Plugin ID: grafana-collector-app

Plugin roleDescription
plugins:grafana-collector-app:collector-app-adminFull access to Fleet Management
plugins:grafana-collector-app:collector-app-readerRead-only access to Fleet Management

Frontend Observability plugin

Plugin ID: grafana-kowalski-app

Plugin roleDescription
plugins:grafana-kowalski-app:frontend-observability-adminRead/write access to everything in Frontend Observability plugin
plugins:grafana-kowalski-app:frontend-observability-editorRead/write access to everything but app deletion
plugins:grafana-kowalski-app:frontend-observability-viewerView access only
plugins:grafana-kowalski-app:frontend-observability-sourcemap-uploaderView access with the ability to read settings and upload sourcemaps

Grafana Assistant plugin

Plugin ID: grafana-assistant-app

Plugin roleDescription
plugins:grafana-assistant-app:assistant-adminManage both user and tenant-wide Assistant resources and settings
plugins:grafana-assistant-app:assistant-mcp-userUse Grafana Assistant and add personal MCP servers
plugins:grafana-assistant-app:assistant-userBasic access to Grafana Assistant with read-only capabilities
plugins:grafana-assistant-app:assistant-investigation-userUse Assistant Backend Investigations

Grafana Auth plugin

Plugin ID: grafana-auth-app

Plugin roleDescription
plugins:grafana-auth-app:writerWrite and manage access policies for Grafana Cloud

Incident plugin

Plugin ID: grafana-incident-app

Plugin roleDescription
plugins:grafana-incident-app:incident-accessAccess to Grafana Incident

IRM plugin

Plugin ID: grafana-irm-app

Core roles

Plugin roleDescription
plugins:grafana-irm-app:adminRead/write access to everything in IRM
plugins:grafana-irm-app:editorSimilar to Admin, minus abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other user’s settings, and update general IRM settings
plugins:grafana-irm-app:readerRead-only access to everything in IRM
plugins:grafana-irm-app:oncallerRead access to everything in IRM, plus edit access to Alert Groups, Schedules, and own settings
plugins:grafana-irm-app:notifications-receiverReceive alert notifications, plus edit own IRM settings
plugins:grafana-irm-app:incident-accessAccess to Grafana IRM incidents

Alert groups

Plugin roleDescription
plugins:grafana-irm-app:alert-groups-readerRead-only access to Alert Groups
plugins:grafana-irm-app:alert-groups-editorRead access to Alert Groups + ability to act on Alert Groups (acknowledge, resolve, etc)
plugins:grafana-irm-app:alert-groups-direct-pagingManually create new Alert Groups (Direct Paging)

Integrations

Plugin roleDescription
plugins:grafana-irm-app:integrations-readerRead-only access to Integrations
plugins:grafana-irm-app:integrations-editorRead/write access to Integrations

Escalation chains

Plugin roleDescription
plugins:grafana-irm-app:escalation-chains-readerRead-only access to Escalation Chains
plugins:grafana-irm-app:escalation-chains-editorRead/write access to Escalation Chains

Schedules

Plugin roleDescription
plugins:grafana-irm-app:schedules-readerRead-only access to Schedules
plugins:grafana-irm-app:schedules-editorRead/write access to Schedules

ChatOps

Plugin roleDescription
plugins:grafana-irm-app:chatops-readerRead-only access to ChatOps settings
plugins:grafana-irm-app:chatops-editorRead/write access to ChatOps settings

Outgoing webhooks

Plugin roleDescription
plugins:grafana-irm-app:outgoing-webhooks-readerRead-only access to Outgoing Webhooks
plugins:grafana-irm-app:outgoing-webhooks-editorRead/write access to Outgoing Webhooks

Maintenance

Plugin roleDescription
plugins:grafana-irm-app:maintenance-readerRead-only access to Integration Maintenance
plugins:grafana-irm-app:maintenance-editorRead/write access to Integration Maintenance

API keys

Plugin roleDescription
plugins:grafana-irm-app:api-keys-readerRead-only access to OnCall API Keys
plugins:grafana-irm-app:api-keys-editorRead/write access to OnCall API Keys + ability to consume the API

User settings

Plugin roleDescription
plugins:grafana-irm-app:user-settings-readerRead-only access to own IRM User Settings
plugins:grafana-irm-app:user-settings-editorRead/write access to own IRM User Settings + view basic info about other IRM users
plugins:grafana-irm-app:user-settings-adminRead/write access to your own + other’s IRM User Settings

Notification and general settings

Plugin roleDescription
plugins:grafana-irm-app:notification-settings-readerRead-only access to IRM Notification Settings
plugins:grafana-irm-app:notification-settings-editorRead/write access to IRM Notification Settings
plugins:grafana-irm-app:settings-readerRead-only access to IRM Settings
plugins:grafana-irm-app:settings-editorRead/write access to IRM Settings

k6 Cloud plugin

Plugin ID: k6-app

Plugin roleDescription
plugins:k6-app:adminAdmin access to everything in k6
plugins:k6-app:editorRead/write access to k6 with limited scopes
plugins:k6-app:readerRead-only access to k6

Knowledge Graph plugin

Plugin ID: grafana-asserts-app

Plugin roleDescription
plugins:grafana-asserts-app:knowledge-graph-writerRead/write/create in Knowledge Graph
plugins:grafana-asserts-app:knowledge-graph-readerRead-only access to everything in Knowledge Graph
plugins:grafana-asserts-app:knowledge-graph-accessAccess to Knowledge Graph

Kubernetes Monitoring plugin

Plugin ID: grafana-k8s-app

Plugin roleDescription
plugins:grafana-k8s-app:adminAdmin access to everything in k8s plugin
plugins:grafana-k8s-app:readerRead-only access to k8s plugin

Labels plugin

Plugin ID: grafana-labels-app

Plugin roleDescription
plugins:grafana-labels-app:labels-writerRead/write/create/delete Labels
plugins:grafana-labels-app:labels-readerRead-only access to Labels

Machine Learning plugin

Plugin ID: grafana-ml-app

Plugin roleDescription
plugins:grafana-ml-app:ml-editorRead and write access to ML features
plugins:grafana-ml-app:ml-viewerRead access to ML features
plugins:grafana-ml-app:sift-editorRead and write access to Sift features
plugins:grafana-ml-app:sift-viewerRead access to Sift features

OnCall plugin

Plugin ID: grafana-oncall-app

Core roles

Plugin roleDescription
plugins:grafana-oncall-app:adminRead/write access to everything in OnCall
plugins:grafana-oncall-app:editorSimilar to Admin, minus abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other user’s settings, and update general OnCall settings
plugins:grafana-oncall-app:readerRead-only access to everything in OnCall
plugins:grafana-oncall-app:oncallerRead access to everything in OnCall, plus edit access to Alert Groups, Schedules, and own settings
plugins:grafana-oncall-app:notifications-receiverReceive OnCall alert notifications, plus edit own OnCall settings

Alert groups

Plugin roleDescription
plugins:grafana-oncall-app:alert-groups-readerRead-only access to OnCall Alert Groups
plugins:grafana-oncall-app:alert-groups-editorRead access to OnCall Alert Groups + ability to act on Alert Groups (acknowledge, resolve, etc)
plugins:grafana-oncall-app:alert-groups-direct-pagingManually create new Alert Groups (Direct Paging)

Integrations

Plugin roleDescription
plugins:grafana-oncall-app:integrations-readerRead-only access to OnCall Integrations
plugins:grafana-oncall-app:integrations-editorRead/write access to OnCall Integrations

Escalation chains

Plugin roleDescription
plugins:grafana-oncall-app:escalation-chains-readerRead-only access to OnCall Escalation Chains
plugins:grafana-oncall-app:escalation-chains-editorRead/write access to OnCall Escalation Chains

Schedules

Plugin roleDescription
plugins:grafana-oncall-app:schedules-readerRead-only access to OnCall Schedules
plugins:grafana-oncall-app:schedules-editorRead/write access to OnCall Schedules

ChatOps

Plugin roleDescription
plugins:grafana-oncall-app:chatops-readerRead-only access to OnCall ChatOps
plugins:grafana-oncall-app:chatops-editorRead/write access to OnCall ChatOps

Outgoing webhooks

Plugin roleDescription
plugins:grafana-oncall-app:outgoing-webhooks-readerRead-only access to OnCall Outgoing Webhooks
plugins:grafana-oncall-app:outgoing-webhooks-editorRead/write access to OnCall Outgoing Webhooks

Maintenance

Plugin roleDescription
plugins:grafana-oncall-app:maintenance-readerRead-only access to OnCall Maintenance
plugins:grafana-oncall-app:maintenance-editorRead/write access to OnCall Maintenance

API keys

Plugin roleDescription
plugins:grafana-oncall-app:api-keys-readerRead-only access to OnCall API Keys
plugins:grafana-oncall-app:api-keys-editorRead/write access to OnCall API Keys + ability to consume the API

User settings

Plugin roleDescription
plugins:grafana-oncall-app:user-settings-readerRead-only access to own OnCall User Settings
plugins:grafana-oncall-app:user-settings-editorRead/write access to own OnCall User Settings + view basic info about other OnCall users
plugins:grafana-oncall-app:user-settings-adminRead/write access to your own + other’s OnCall User Settings

Notification and general settings

Plugin roleDescription
plugins:grafana-oncall-app:notification-settings-readerRead-only access to OnCall Notification Settings
plugins:grafana-oncall-app:notification-settings-editorRead/write access to OnCall Notification Settings
plugins:grafana-oncall-app:settings-readerRead-only access to OnCall Settings
plugins:grafana-oncall-app:settings-editorRead/write access to OnCall Settings

Private Data Connect plugin

Plugin ID: grafana-pdc-app

Plugin roleDescription
plugins:grafana-pdc-app:private-networks-readRead Private Networks
plugins:grafana-pdc-app:private-networks-writeEdit Private Networks

SLO plugin

Plugin ID: grafana-slo-app

Plugin roleDescription
plugins:grafana-slo-app:slo-readerView SLOs in folders where you have folder read permission
plugins:grafana-slo-app:slo-writerManage SLOs in folders where you have folder edit permission
plugins:grafana-slo-app:slo-adminSLO Writer, plus the ability to modify org preferences

Synthetic Monitoring plugin

Plugin ID: grafana-synthetic-monitoring-app

Core roles

Plugin roleDescription
plugins:grafana-synthetic-monitoring-app:adminFull access to write and manage checks, probes, alerts, thresholds, and access tokens as well as enabling/disabling the plugin
plugins:grafana-synthetic-monitoring-app:editorAdd, update and delete checks, probes, alerts, and thresholds
plugins:grafana-synthetic-monitoring-app:readerRead checks, probes, alerts, thresholds, and access tokens

Granular roles

Plugin roleDescription
plugins:grafana-synthetic-monitoring-app:checks-readerRead checks
plugins:grafana-synthetic-monitoring-app:checks-writerCreate, edit and delete checks
plugins:grafana-synthetic-monitoring-app:probes-readerRead probes
plugins:grafana-synthetic-monitoring-app:probes-writerCreate, edit and delete probes
plugins:grafana-synthetic-monitoring-app:alerts-readerRead alerts
plugins:grafana-synthetic-monitoring-app:alerts-writerCreate, edit and delete alerts
plugins:grafana-synthetic-monitoring-app:thresholds-readerRead thresholds
plugins:grafana-synthetic-monitoring-app:thresholds-writerRead and edit thresholds
plugins:grafana-synthetic-monitoring-app:access-tokens-writerCreate and delete access tokens

Role assignment

Plugin roles can be assigned to:

  • Users: Individual user accounts
  • Teams: All members of a team inherit the role
  • Basic Roles: Can be added to Viewer, Editor, or Admin base roles

To assign roles, use:

  • UI: Administration > Users/Teams > Select user/team > Roles tab
  • API: PUT /api/access-control/users/{userId}/roles or PUT /api/access-control/teams/{teamId}/roles

For more information about managing RBAC roles, refer to Manage RBAC roles.

Query plugin roles

You can query your Grafana Cloud stack’s available plugin roles using the API:

Bash 
curl -s -H "Authorization: Bearer YOUR_SERVICE_ACCOUNT_TOKEN" \
  "https://YOUR_STACK.grafana.net/api/access-control/roles?includeHidden=true" | \
  jq '[.[] | select(.name | startswith("plugins:"))]'