Menu

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Grafana Enterprisebreadcrumb arrow Fine-grained access controlbreadcrumb arrow Fine-grained access control references
Enterprise Open source

Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed rolesPermissionsDescriptions
fixed:roles:readerroles:read
roles:list
users.roles:list
users.permissions:list
roles.builtin:list		Read all access control roles, roles and permissions assigned to users and built-in role assignments.
fixed:roles:writerAll permissions from fixed:roles:reader and
roles:write
roles:delete
users.roles:add
users.roles:remove
roles.builtin:add
roles.builtin:remove		Create, read, update, or delete all roles, assign or unassign roles to users and built-in role assignments.
fixed:reports:readerreports:read
reports:send
reports.settings:read		Read all reports and shared report settings.
fixed:reports:writerAll permissions from fixed:reports:reader and
reports.admin:write
reports:delete
reports.settings:write		Create, read, update, or delete all reports and shared report settings.
fixed:users:readerusers:read
users.quotas:list
users.authtoken:list
users.teams:read		Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writerAll permissions from fixed:users:reader and
users:write
users:create
users:delete
users:enable
users:disable
users.password:update
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update		Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.
fixed:org.users:readerorg.users:readRead users within a single organization.
fixed:org.users:writerAll permissions from fixed:org.users:reader and
org.users:add
org.users:remove
org.users.role:update		Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:ldap:readerldap.user:read
ldap.status:read		Read the LDAP configuration and LDAP status information.
fixed:ldap:writerAll permissions from fixed:ldap:reader and
ldap.user:sync
ldap.config:reload		Read and update the LDAP configuration, and read LDAP status information.
fixed:stats:readerserver.stats:readRead Grafana instance statistics.
fixed:settings:readersettings:readRead Grafana instance settings.
fixed:settings:writerAll permissions from fixed:settings:reader and
settings:write		Read and update Grafana instance settings.
fixed:datasources:explorerdatasources:exploreEnable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:readerdatasources:read
datasources:query		Read and query data sources.
fixed:datasources:writerAll permissions from fixed:datasources:reader and
datasources:create
datasources:write
datasources:delete		Read, query, create, delete, or update a data source.
fixed:datasources:id:readerdatasources.id:readRead the ID of a data source based on its name.
fixed:datasources.permissions:readerdatasources.permissions:readRead data source permissions.
fixed:datasources.permissions:writerAll permissions from fixed:datasources.permissions:reader and
datasources.permissions:write		Create, read, or delete permissions of a data source.
fixed:licensing:readerlicensing:read
licensing.reports:read		Read licensing information and licensing reports.
fixed:licensing:writerAll permissions from fixed:licensing:viewer and
licensing:update
licensing:delete		Read licensing information and licensing reports, update and delete the license token.
fixed:provisioning:writerprovisioning:reloadReload provisioning.
fixed:organization:readerorgs:read
orgs.quotas:read		Read an organization and its quotas.
fixed:organization:writerAll permissions from fixed:organization:reader and
orgs:write
orgs.preferences:read
orgs.preferences:write		Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
fixed:organization:maintainerAll permissions from fixed:organization:reader and
orgs:write
orgs:create
orgs:delete
orgs.quotas:write		Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
fixed:teams:creator `teams:create
org.users:read		Create a team and list organization users (required to manage the created team).
fixed:teams:writerteams:create
teams:delete
teams:read
teams:write
teams.permissions:read
teams.permissions:write		Create, read, update and delete teams and manage team memberships.

Default built-in role assignments

Built-in roleAssociated roleDescription
Grafana Adminfixed:roles:reader
fixed:roles:writer
fixed:users:reader
fixed:users:writer
fixed:org.users:reader
fixed:org.users:writer
fixed:ldap:reader
fixed:ldap:writer
fixed:stats:reader
fixed:settings:reader
fixed:settings:writer
fixed:provisioning:writer
fixed:organization:reader
fixed:organization:maintainer
fixed:licensing:reader
fixed:licensing:writer		Default Grafana server administrator assignments.
Adminfixed:reports:reader
fixed:reports:writer
fixed:datasources:reader
fixed:datasources:writer
fixed:organization:writer
fixed:datasources.permissions:reader
fixed:datasources.permissions:writer
fixed:teams:writer
Default Grafana organization administrator assignments.
Editorfixed:datasources:explorer and
fixed:teams:creator if the editors_can_admin configuration flag is enabled		Default Editor assignments.
Viewerfixed:datasources:id:reader
fixed:organization:reader		Default Viewer assignments.