Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Documentation

Grafana documentation

Grafana Enterprise

Fine-grained access control

Fine-grained access control references

Enterprise Open source

Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed roles	Permissions	Descriptions
`fixed:roles:reader`	`roles:read` `roles:list` `users.roles:list` `users.permissions:list` `roles.builtin:list`	Read all access control roles, roles and permissions assigned to users and built-in role assignments.
`fixed:roles:writer`	All permissions from `fixed:roles:reader` and `roles:write` `roles:delete` `users.roles:add` `users.roles:remove` `roles.builtin:add` `roles.builtin:remove`	Create, read, update, or delete all roles, assign or unassign roles to users and built-in role assignments.
`fixed:reports:reader`	`reports:read` `reports:send` `reports.settings:read`	Read all reports and shared report settings.
`fixed:reports:writer`	All permissions from `fixed:reports:reader` and `reports.admin:write` `reports:delete` `reports.settings:write`	Create, read, update, or delete all reports and shared report settings.
`fixed:users:reader`	`users:read` `users.quotas:list` `users.authtoken:list` `users.teams:read`	Read all users and their information, such as team memberships, authentication tokens, and quotas.
`fixed:users:writer`	All permissions from `fixed:users:reader` and `users:write` `users:create` `users:delete` `users:enable` `users:disable` `users.password:update` `users.permissions:update` `users:logout` `users.authtoken:update` `users.quotas:update`	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.
`fixed:org.users:reader`	`org.users:read`	Read users within a single organization.
`fixed:org.users:writer`	All permissions from `fixed:org.users:reader` and `org.users:add` `org.users:remove` `org.users.role:update`	Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
`fixed:ldap:reader`	`ldap.user:read` `ldap.status:read`	Read the LDAP configuration and LDAP status information.
`fixed:ldap:writer`	All permissions from `fixed:ldap:reader` and `ldap.user:sync` `ldap.config:reload`	Read and update the LDAP configuration, and read LDAP status information.
`fixed:stats:reader`	`server.stats:read`	Read Grafana instance statistics.
`fixed:settings:reader`	`settings:read`	Read Grafana instance settings.
`fixed:settings:writer`	All permissions from `fixed:settings:reader` and `settings:write`	Read and update Grafana instance settings.
`fixed:datasources:explorer`	`datasources:explore`	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
`fixed:datasources:reader`	`datasources:read` `datasources:query`	Read and query data sources.
`fixed:datasources:writer`	All permissions from `fixed:datasources:reader` and `datasources:create` `datasources:write` `datasources:delete`	Read, query, create, delete, or update a data source.
`fixed:datasources:id:reader`	`datasources.id:read`	Read the ID of a data source based on its name.
`fixed:datasources.permissions:reader`	`datasources.permissions:read`	Read data source permissions.
`fixed:datasources.permissions:writer`	All permissions from `fixed:datasources.permissions:reader` and `datasources.permissions:create` `datasources.permissions:delete` `datasources.permissions:toggle`	Create, read, or delete permissions of a data source.
`fixed:licensing:reader`	`licensing:read` `licensing.reports:read`	Read licensing information and licensing reports.
`fixed:licensing:writer`	All permissions from `fixed:licensing:viewer` and `licensing:update` `licensing:delete`	Read licensing information and licensing reports, update and delete the license token.
`fixed:provisioning:writer`	`provisioning:reload`	Reload provisioning.
`fixed:organization:reader`	`orgs:read` `orgs.quotas:read`	Read an organization and its quotas.
`fixed:organization:writer`	All permissions from `fixed:organization:reader` and `orgs:write` `orgs.preferences:read` `orgs.preferences:write`	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
`fixed:organization:maintainer`	All permissions from `fixed:organization:reader` and `orgs:write` `orgs:create` `orgs:delete` `orgs.quotas:write`	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.

Default built-in role assignments

Built-in role	Associated role	Description
Grafana Admin	`fixed:roles:reader` `fixed:roles:writer` `fixed:users:reader` `fixed:users:writer` `fixed:org.users:reader` `fixed:org.users:writer` `fixed:ldap:reader` `fixed:ldap:writer` `fixed:stats:reader` `fixed:settings:reader` `fixed:settings:writer` `fixed:provisioning:writer` `fixed:organization:reader` `fixed:organization:maintainer` `fixed:licensing:reader` `fixed:licensing:writer`	Default Grafana server administrator assignments.
Admin	`fixed:reports:reader` `fixed:reports:writer` `fixed:datasources:reader` `fixed:datasources:writer` `fixed:organization:writer` `fixed:datasources.permissions:reader` `fixed:datasources.permissions:writer`	Default Grafana organization administrator assignments.
Editor	`fixed:datasources:explorer`	Default Editor assignments.
Viewer	`fixed:datasources:id:reader` `fixed:organization:reader`	Default Viewer assignments.