Menu

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Enterprise Open source

Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed rolesPermissionsDescriptions
fixed:permissions:admin:readroles:read
roles:list
roles.builtin:list
Allows to list and get available roles and built-in role assignments.
fixed:permissions:admin:editAll permissions from fixed:permissions:admin:read and
roles:write
roles:delete
roles.builtin:add
roles.builtin:remove
Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments.
fixed:reporting:admin:readreports:read
reports:send
reports.settings:read
Allows to read reports and report settings.
fixed:reporting:admin:editAll permissions from fixed:reporting:admin:read and
reports.admin:write
reports:delete
reports.settings:write
Allows every read action for reports and in addition allows to administer reports.
fixed:users:admin:readusers.authtoken:list
users.quotas:list
users:read
users.teams:read
Allows to list and get users and related information.
fixed:users:admin:editAll permissions from fixed:users:admin:read and
users.password:update
users:write
users:create
users:delete
users:enable
users:disable
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update
Allows every read action for users and in addition allows to administer users.
fixed:users:org:readorg.users:readAllows to get user organizations.
fixed:users:org:editAll permissions from fixed:users:org:read and
org.users:add
org.users:remove
org.users.role:update
Allows every read action for user organizations and in addition allows to administer user organizations.
fixed:ldap:admin:readldap.user:read
ldap.status:read
Allows to read LDAP information and status.
fixed:ldap:admin:editAll permissions from fixed:ldap:admin:read and
ldap.user:sync
ldap.config:reload
Allows every read action for LDAP and in addition allows to administer LDAP.
fixed:server:admin:readserver.stats:readRead server stats
fixed:settings:admin:readsettings:readRead settings
fixed:settings:admin:editAll permissions from fixed:settings:admin:read and
settings:write
Update settings
fixed:datasource:editor:readdatasources:exploreExplore datasources

Default built-in role assignments

Built-in rolesAssociated rolesDescriptions
Grafana Adminfixed:permissions:admin:edit
fixed:permissions:admin:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
fixed:users:admin:edit
fixed:users:admin:read
fixed:users:org:edit
fixed:users:org:read
fixed:ldap:admin:edit
fixed:ldap:admin:read
fixed:server:admin:read
fixed:settings:admin:read
fixed:settings:admin:edit
Allows access to resources which Grafana Server Admin has permissions by default.
Adminfixed:users:org:edit
fixed:users:org:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
Allows access to resource which Admin has permissions by default.
Editorfixed:datasource:editor:read