Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
Fine-grained access control references
The reference information that follows complements conceptual information about Roles.
Fine-grained access fixed roles
Fixed roles | Permissions | Descriptions |
---|---|---|
fixed:roles:reader | roles:read roles:list users.roles:list users.permissions:list roles.builtin:list | Read all access control roles, roles and permissions assigned to users and built-in role assignments. |
fixed:roles:writer | All permissions from fixed:roles:reader androles:write roles:delete users.roles:add users.roles:remove roles.builtin:add roles.builtin:remove | Create, read, update, or delete all roles, assign or unassign roles to users and built-in role assignments. |
fixed:reports:reader | reports:read reports:send reports.settings:read | Read all reports and shared report settings. |
fixed:reports:writer | All permissions from fixed:reports:reader andreports.admin:write reports:delete reports.settings:write | Create, read, update, or delete all reports and shared report settings. |
fixed:users:reader | users:read users.quotas:list users.authtoken:list users.teams:read | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
fixed:users:writer | All permissions from fixed:users:reader andusers:write users:create users:delete users:enable users:disable users.password:update users.permissions:update users:logout users.authtoken:update users.quotas:update | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
fixed:org.users:reader | org.users:read | Read users within a single organization. |
fixed:org.users:writer | All permissions from fixed:org.users:reader andorg.users:add org.users:remove org.users.role:update | Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
fixed:ldap:reader | ldap.user:read ldap.status:read | Read the LDAP configuration and LDAP status information. |
fixed:ldap:writer | All permissions from fixed:ldap:reader andldap.user:sync ldap.config:reload | Read and update the LDAP configuration, and read LDAP status information. |
fixed:stats:reader | server.stats:read | Read Grafana instance statistics. |
fixed:settings:reader | settings:read | Read Grafana instance settings. |
fixed:settings:writer | All permissions from fixed:settings:reader andsettings:write | Read and update Grafana instance settings. |
fixed:datasources:explorer | datasources:explore | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
fixed:datasources:reader | datasources:read datasources:query | Read and query data sources. |
fixed:datasources:writer | All permissions from fixed:datasources:reader anddatasources:create datasources:write datasources:delete | Read, query, create, delete, or update a data source. |
fixed:datasources:id:reader | datasources.id:read | Read the ID of a data source based on its name. |
fixed:datasources.permissions:reader | datasources.permissions:read | Read data source permissions. |
fixed:datasources.permissions:writer | All permissions from fixed:datasources.permissions:reader anddatasources.permissions:create datasources.permissions:delete datasources.permissions:toggle | Create, read, or delete permissions of a data source. |
fixed:licensing:reader | licensing:read licensing.reports:read | Read licensing information and licensing reports. |
fixed:licensing:writer | All permissions from fixed:licensing:viewer andlicensing:update licensing:delete | Read licensing information and licensing reports, update and delete the license token. |
fixed:provisioning:writer | provisioning:reload | Reload provisioning. |
fixed:organization:reader | orgs:read orgs.quotas:read | Read an organization and its quotas. |
fixed:organization:writer | All permissions from fixed:organization:reader andorgs:write orgs.preferences:read orgs.preferences:write | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
fixed:organization:maintainer | All permissions from fixed:organization:reader andorgs:write orgs:create orgs:delete orgs.quotas:write | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
Default built-in role assignments
Built-in role | Associated role | Description |
---|---|---|
Grafana Admin | fixed:roles:reader fixed:roles:writer fixed:users:reader fixed:users:writer fixed:org.users:reader fixed:org.users:writer fixed:ldap:reader fixed:ldap:writer fixed:stats:reader fixed:settings:reader fixed:settings:writer fixed:provisioning:writer fixed:organization:reader fixed:organization:maintainer fixed:licensing:reader fixed:licensing:writer | Default Grafana server administrator assignments. |
Admin | fixed:reports:reader fixed:reports:writer fixed:datasources:reader fixed:datasources:writer fixed:organization:writer fixed:datasources.permissions:reader fixed:datasources.permissions:writer | Default Grafana organization administrator assignments. |
Editor | fixed:datasources:explorer | Default Editor assignments. |
Viewer | fixed:datasources:id:reader fixed:organization:reader | Default Viewer assignments. |