
Important: This documentation is about an older version. It's relevant only to the release noted; many of the features and functions have been updated or replaced. Please view the current version.


Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

| Fixed roles | Permissions | Descriptions |
| --- | --- | --- |
| `fixed:permissions:admin:read` | `roles:read`, `roles:list`, `roles.builtin:list` | Allows listing and getting available roles and built-in role assignments. |
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and `roles:write`, `roles:delete`, `roles.builtin:add`, `roles.builtin:remove` | Allows every read action and, in addition, allows creating, changing and deleting custom roles and creating or removing built-in role assignments. |
| `fixed:provisioning:admin` | `provisioning:reload` | Allows provisioning configurations to be reloaded. |
| `fixed:reporting:admin:read` | `reports:read`, `reports:send`, `reports.settings:read` | Allows reading reports and report settings. |
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and `reports.admin:write`, `reports:delete`, `reports.settings:write` | Allows every read action for reports and, in addition, allows administering reports. |
| `fixed:users:admin:read` | `users.authtoken:list`, `users.quotas:list`, `users:read`, `users.teams:read` | Allows listing and getting users and related information. |
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and `users.password:update`, `users:write`, `users:create`, `users:delete`, `users:enable`, `users:disable`, `users.permissions:update`, `users:logout`, `users.authtoken:update`, `users.quotas:update` | Allows every read action for users and, in addition, allows administering users. |
| `fixed:users:org:read` | `org.users:read` | Allows getting user organizations. |
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and `org.users:add`, `org.users:remove`, `org.users.role:update` | Allows every read action for user organizations and, in addition, allows administering user organizations. |
| `fixed:ldap:admin:read` | `ldap.user:read`, `ldap.status:read` | Allows reading LDAP information and status. |
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and `ldap.user:sync`, `ldap.config:reload` | Allows every read action for LDAP and, in addition, allows administering LDAP. |
| `fixed:server:admin:read` | `server.stats:read` | Read server stats. |
| `fixed:settings:admin:read` | `settings:read` | Read settings. |
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and `settings:write` | Update settings. |
| `fixed:datasources:editor:read` | `datasources:explore` | Allows access to the Explore tab. |
| `fixed:datasources:admin` | `datasources:read`, `datasources:create`, `datasources:write`, `datasources:delete` | Allows creating, reading, updating and deleting data sources. |
| `fixed:datasources:id:viewer` | `datasources.id:read` | Allows reading data source IDs. |
| `fixed:datasources:permissions:admin` | `datasources.permissions:create`, `datasources.permissions:read`, `datasources.permissions:delete`, `datasources.permissions:toggle` | Allows creating, reading, deleting, enabling, or disabling data source permissions. |

Default built-in role assignments

| Built-in role | Associated role | Description |
| --- | --- | --- |
| Grafana Admin | `fixed:permissions:admin:edit`, `fixed:permissions:admin:read`, `fixed:provisioning:admin`, `fixed:reporting:admin:edit`, `fixed:reporting:admin:read`, `fixed:users:admin:edit`, `fixed:users:admin:read`, `fixed:users:org:edit`, `fixed:users:org:read`, `fixed:ldap:admin:edit`, `fixed:ldap:admin:read`, `fixed:server:admin:read`, `fixed:settings:admin:read`, `fixed:settings:admin:edit` | Default Grafana server administrator assignments. |
| Admin | `fixed:users:org:edit`, `fixed:users:org:read`, `fixed:reporting:admin:edit`, `fixed:reporting:admin:read`, `fixed:datasources:admin`, `fixed:datasources:permissions:admin` | Default Grafana organization administrator assignments. |
| Editor | `fixed:datasources:editor:read` | Default Editor assignments. |
| Viewer | `fixed:datasources:id:viewer` | Default Viewer assignments. |