Menu

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Enterprise Open source

Permissions

A permission is an action and a scope. When creating a fine-grained access control, consider what specific action a user should be allowed to perform, and on what resources (its scope).

To grant permissions to a user, you create a built-in role assignment to map a role to a built-in role. A built-in role assignment modifies to one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.

To learn more about which permissions are used for which resources, refer to Resources with fine-grained permissions.

action
The specific action on a resource defines what a user is allowed to perform if they have permission with the relevant action assigned to it.
scope
The scope describes where an action can be performed, such as reading a specific user profile. In such case, a permission is associated with the scope users:<userId> to the relevant role.

Action definitions

The following list contains fine-grained access control actions.

ActionApplicable scopeDescription
roles:listroles:*List available roles without permissions.
roles:readroles:*
roles:uid:*
Read a specific role with its permissions.
roles:writepermissions:delegateCreate or update a custom role.
roles:deletepermissions:delegateDelete a custom role.
roles.builtin:listroles:*List built-in role assignments.
roles.builtin:addpermissions:delegateCreate a built-in role assignment.
roles.builtin:removepermissions:delegateDelete a built-in role assignment.
reports.admin:createn/aCreate reports.
reports.admin:writereports:*
reports:id:*
Update reports.
reports:deletereports:*
reports:id:*
Delete reports.
reports:readreports:*List all available reports or get a specific report.
reports:sendreports:*Send a report email.
reports.settings:writen/aUpdate report settings.
reports.settings:readn/aRead report settings.
provisioning:reloadprovisioners:*Reload provisioning files. To find the exact scope for specific provisioner, see Scope definitions.
users:readglobal:users:*Read or search user profiles.
users:writeglobal:users:*
global:users:id
Update a user’s profile.
users.teams:readglobal:users:*
global:users:id:*
Read a user’s teams.
users.authtoken:listglobal:users:*
global:users:id:*
List authentication tokens that are assigned to a user.
users.authtoken:updateglobal:users:*
global:users:id:*
Update authentication tokens that are assigned to a user.
users.password:updateglobal:users:*
global:users:id:*
Update a user’s password.
users:deleteglobal:users:*
global:users:id:*
Delete a user.
users:createn/aCreate a user.
users:enableglobal:users:*
global:users:id:*
Enable a user.
users:disableglobal:users:*
global:users:id:*
Disable a user.
users.permissions:updateglobal:users:*
global:users:id:*
Update a user’s organization-level permissions.
users:logoutglobal:users:*
global:users:id:*
Sign out a user.
users.quotas:listglobal:users:*
global:users:id:*
List a user’s quotas.
users.quotas:updateglobal:users:*
global:users:id:*
Update a user’s quotas.
users.roles:listusers:*List roles assigned directly to a user.
users.roles:addpermissions:delegateAssign a role to a user.
users.roles:removepermissions:delegateUnassign a role from a auser.
users.permissions:listusers:*List permissions of a user.
org.users:readusers:*
users:id:*
Get user profiles within an organization.
org.users:addusers:*Add a user to an organization.
org.users:removeusers:*
users:id:*
Remove a user from an organization.
org.users.role:updateusers:*
users:id:*
Update the organization role (Viewer, Editor, or Admin) of an organization.
orgs:readorgs:*
orgs:id:*
Read one or more organizations.
orgs:writeorgs:*
orgs:id:*
Update one or more organizations.
org:createn/aCreate an organization.
orgs:deleteorgs:*
orgs:id:*
Delete one or more organizations.
orgs.quotas:readorgs:*
orgs:id:*
Read organization quotas.
orgs.quotas:writeorgs:*
orgs:id:*
Update organization quotas.
orgs.preferences:readorgs:*
orgs:id:*
Read organization preferences.
orgs.preferences:writeorgs:*
orgs:id:*
Update organization preferences.
ldap.user:readn/aRead users via LDAP.
ldap.user:syncn/aSync users via LDAP.
ldap.status:readn/aVerify the availability of the LDAP server or servers.
ldap.config:reloadn/aReload the LDAP configuration.
status:accesscontrolservices:accesscontrolGet access-control enabled status.
settings:readsettings:*
settings:auth.saml:*
settings:auth.saml:enabled (property level)
Read the Grafana configuration settings
settings:writesettings:*
settings:auth.saml:*
settings:auth.saml:enabled (property level)
Update any Grafana configuration settings that can be updated at runtime.
server.stats:readn/aRead Grafana instance statistics.
datasources:exploren/aEnable access to the Explore tab.
datasources:readn/a
datasources:*
datasources:id:*
datasources:uid:*
datasources:name:*
List data sources.
datasources:queryn/a
datasources:*
datasources:id:*
Query data sources.
datasources.id:readdatasources:*
datasources:name:*
Read data source IDs.
datasources:createn/aCreate data sources.
datasources:writedatasources:*
datasources:id:*
Update data sources.
datasources:deletedatasources:id:*
datasources:uid:*
datasources:name:*
Delete data sources.
datasources.permissions:readdatasources:*
datasources:id:*
List data source permissions.
datasources.permissions:createdatasources:*
datasources:id:*
Create data source permissions.
datasources.permissions:deletedatasources:*
datasources:id:*
Delete data source permissions.
datasources.permissions:toggledatasources:*
datasources:id:*
Enable or disable data source permissions.
licensing:readn/aRead licensing information.
licensing:updaten/aUpdate the license token.
licensing:deleten/aDelete the license token.
licensing.reports:readn/aGet custom permission reports.
serviceaccounts:deleteserviceaccounts:*
serviceaccounts:id:*
Delete one or more service accounts.

Scope definitions

The following list contains fine-grained access control scopes.

ScopesDescriptions
permissions:delegateThe scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.
roles:*
roles:uid:*
Restrict an action to a set of roles. For example, roles:* matches any role and roles:uid:randomuid matches only the role whose UID is randomuid.
reports:*
reports:id:*
Restrict an action to a set of reports. For example, reports:* matches any report and reports:id:1 matches the report whose ID is 1.
services:accesscontrolRestrict an action to target only the fine-grained access control service. You can use this in conjunction with the status:accesscontrol actions.
global:users:*
global:users:id:*
Restrict an action to a set of global users. For example, global:users:* matches any user and global:users:id:1 matches the user whose ID is 1.
users:*
users:id:*
Restrict an action to a set of users from an organization. For example, users:* matches any user and users:id:1 matches the user whose ID is 1.
orgs:*
orgs:id:*
Restrict an action to a set of organizations. For example, orgs:* matches any organization and orgs:id:1 matches the organization whose ID is 1.
settings:*Restrict an action to a subset of settings. For example, settings:* matches all settings, settings:auth.saml:* matches all SAML settings, and settings:auth.saml:enabled matches the enable property on the SAML settings.
provisioners:*Restrict an action to a set of provisioners. For example, provisioners:* matches any provisioner, and provisioners:accesscontrol matches the fine-grained access control provisioner.
datasources:*
datasources:id:*
datasources:uid:*
datasources:name:*
Restrict an action to a set of data sources. For example, datasources:* matches any data source, and datasources:name:postgres matches the data source named postgres.
serviceaccounts:*
serviceaccounts:id:*
Restrict an action to a set of service accounts. For example, serviceaccounts:* matches any service account and serviceaccounts:id:1 matches the service account whose ID is 1.