Menu
Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
Enterprise
Open source
Permissions
A permission is an action and a scope. When creating a fine-grained access control, consider what specific action a user should be allowed to perform, and on what resources (its scope).
To grant permissions to a user, you create a built-in role assignment to map a role to a built-in role. A built-in role assignment modifies to one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.
To learn more about which permissions are used for which resources, refer to Resources with fine-grained permissions.
- action
- The specific action on a resource defines what a user is allowed to perform if they have permission with the relevant action assigned to it.
- scope
- The scope describes where an action can be performed, such as reading a specific user profile. In such case, a permission is associated with the scope
users:<userId>to the relevant role.
Action definitions
The following list contains fine-grained access control actions.
| Actions | Applicable scopes | Descriptions |
|---|---|---|
| roles:list | roles:* | List available roles without permissions. |
| roles:read | roles:* | Read a specific role with it’s permissions. |
| roles:write | permissions:delegate | Create or update a custom role. |
| roles:delete | permissions:delegate | Delete a custom role. |
| roles.builtin:list | roles:* | List built-in role assignments. |
| roles.builtin:add | permissions:delegate | Create a built-in role assignment. |
| roles.builtin:remove | permissions:delegate | Delete a built-in role assignment. |
| reports.admin:create | reports:* | Create reports. |
| reports.admin:write | reports:* | Update reports. |
| reports:delete | reports:* | Delete reports. |
| reports:read | reports:* | List all available reports or get a specific report. |
| reports:send | reports:* | Send a report email. |
| reports.settings:write | n/a | Update report settings. |
| reports.settings:read | n/a | Read report settings. |
| provisioning:reload | service:access-control | Reload provisioning files. |
| users:read | global:users:* | Read or search user profiles. |
| users:write | global:users:* | Update a user’s profile. |
| users.teams:read | global:users:* | Read a user’s teams. |
| users.authtoken:list | global:users:* | List authentication tokens that are assigned to a user. |
| users.authtoken:update | global:users:* | Update authentication tokens that are assigned to a user. |
| users.password:update | global:users:* | Update a user’s password. |
| users:delete | global:users:* | Delete a user. |
| users:create | n/a | Create a user. |
| users:enable | global:users:* | Enable a user. |
| users:disable | global:users:* | Disable a user. |
| users.permissions:update | global:users:* | Update a user’s organization-level permissions. |
| users:logout | global:users:* | Log out a user. |
| users.quotas:list | global:users:* | List a user’s quotas. |
| users.quotas:update | global:users:* | Update a user’s quotas. |
| org.users.read | users:* | Get user profiles within an organization. |
| org.users.add | users:* | Add a user to an organization. |
| org.users.remove | users:* | Remove a user from an organization. |
| org.users.role:update | users:* | Update the organization role (Viewer, Editor, Admin) for an organization. |
| ldap.user:read | n/a | Get a user via LDAP. |
| ldap.user:sync | n/a | Sync a user via LDAP. |
| ldap.status:read | n/a | Verify the LDAP servers’ availability. |
| status:accesscontrol | service:access-control | Get access-control enabled status. |
Scope definitions
The following list contains fine-grained access control scopes.
| Scopes | Descriptions |
|---|---|
| roles:* | Restrict an action to a set of roles. For example, roles:* matches any role, roles:randomuid matches only the role with UID randomuid and roles:custom:reports:{editor,viewer} matches both custom:reports:editor and custom:reports:viewer roles. |
| permissions:delegate | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| reports:* | Restrict an action to a set of reports. For example, reports:* matches any report and reports:1 matches the report with id 1. |
| service:accesscontrol | Restrict an action to target only the fine-grained access control service. For example, you can use this in conjunction with the provisioning:reload or the status:accesscontrol actions. |
| global:users:* | Restrict an action to a set of global users. |
| users:* | Restrict an action to a set of users from an organization. |
Was this page helpful?
Related resources from Grafana Labs
Getting started with the Grafana LGTM Stack
In this webinar, we’ll demo how to get started using the LGTM Stack: Loki for logs, Grafana for visualization, Tempo for traces, and Mimir for metrics.
Getting started with Grafana dashboard design
In this webinar, you'll learn how to design stylish and easily accessible Grafana dashboards that tell a story.
Building advanced Grafana dashboards
In this webinar, we’ll demo how to build and format Grafana dashboards.