Menu
Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
Documentation
Grafana documentation
Grafana Enterprise
Fine-grained access control
Fine-grained access control references
Grafana documentation
Grafana Enterprise
Fine-grained access control
Fine-grained access control referencesEnterprise
Open source
Fine-grained access control references
The reference information that follows complements conceptual information about Roles.
Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions |
|---|---|---|
fixed:roles:reader | roles:readroles:listteams.roles:listusers.roles:listusers.permissions:listroles.builtin:list | Read all access control roles, roles and permissions assigned to users, teams and built-in role assignments. |
fixed:roles:writer | All permissions from fixed:roles:reader androles:writeroles:deleteteams.roles:addteams.roles:removeusers.roles:addusers.roles:removeroles.builtin:addroles.builtin:remove | Create, read, update, or delete all roles, assign or unassign roles to users, teams and built-in role assignments. |
fixed:reports:reader | reports:readreports:sendreports.settings:read | Read all reports and shared report settings. |
fixed:reports:writer | All permissions from fixed:reports:reader andreports.admin:writereports:deletereports.settings:write | Create, read, update, or delete all reports and shared report settings. |
fixed:users:reader | users:readusers.quotas:listusers.authtoken:listusers.teams:read | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
fixed:users:writer | All permissions from fixed:users:reader andusers:writeusers:createusers:deleteusers:enableusers:disableusers.password:updateusers.permissions:updateusers:logoutusers.authtoken:updateusers.quotas:update | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
fixed:org.users:reader | org.users:read | Read users within a single organization. |
fixed:org.users:writer | All permissions from fixed:org.users:reader andorg.users:addorg.users:removeorg.users.role:update | Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
fixed:ldap:reader | ldap.user:readldap.status:read | Read the LDAP configuration and LDAP status information. |
fixed:ldap:writer | All permissions from fixed:ldap:reader andldap.user:syncldap.config:reload | Read and update the LDAP configuration, and read LDAP status information. |
fixed:stats:reader | server.stats:read | Read Grafana instance statistics. |
fixed:settings:reader | settings:read | Read Grafana instance settings. |
fixed:settings:writer | All permissions from fixed:settings:reader andsettings:write | Read and update Grafana instance settings. |
fixed:datasources:explorer | datasources:explore | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
fixed:datasources:reader | datasources:readdatasources:query | Read and query data sources. |
fixed:datasources:writer | All permissions from fixed:datasources:reader anddatasources:createdatasources:writedatasources:delete | Read, query, create, delete, or update a data source. |
fixed:datasources:id:reader | datasources.id:read | Read the ID of a data source based on its name. |
fixed:datasources.permissions:reader | datasources.permissions:read | Read data source permissions. |
fixed:datasources.permissions:writer | All permissions from fixed:datasources.permissions:reader anddatasources.permissions:write | Create, read, or delete permissions of a data source. |
fixed:licensing:reader | licensing:readlicensing.reports:read | Read licensing information and licensing reports. |
fixed:licensing:writer | All permissions from fixed:licensing:viewer andlicensing:updatelicensing:delete | Read licensing information and licensing reports, update and delete the license token. |
fixed:provisioning:writer | provisioning:reload | Reload provisioning. |
fixed:organization:reader | orgs:readorgs.quotas:read | Read an organization and its quotas. |
fixed:organization:writer | All permissions from fixed:organization:reader andorgs:writeorgs.preferences:readorgs.preferences:write | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
fixed:organization:maintainer | All permissions from fixed:organization:reader andorgs:writeorgs:createorgs:deleteorgs.quotas:write | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
fixed:teams:creator | teams:createorg.users:read | Create a team and list organization users (required to manage the created team). |
fixed:teams:writer | teams:createteams:deleteteams:readteams:writeteams.permissions:readteams.permissions:write | Create, read, update and delete teams and manage team memberships. |
fixed:dashboards:creator | dashboards:createfolders:read | Create dashboards. |
fixed:dashboards:reader | dashboards:read | Read all dashboards. |
fixed:dashboards:writer | All permissions from fixed:dashboards:reader anddashboards:writedashboards:editdashboards:deletedashboards:createdashboards.permissions:readdashboards.permissions:write | Read, create, update, and delete all dashboards. |
fixed:dashboards.permissions:reader | dashboards.permissions:read | Read all dashboard permissions. |
fixed:dashboards.permissions:writer | All permissions from fixed:dashboards.permissions:reader anddashboards.permissions:write | Read and update all dashboard permissions. |
fixed:folders:creator | folders:create | Create folders. |
fixed:folders:reader | folders:readdashboards:read | Read all folders and dashboards. |
fixed:folders:writer | All permissions from fixed:dashboards:writer andfolders:readfolders:writefolders:createfolders:deletefolders.permissions:readfolders.permissions:write | Read, create, update, and delete all folders and dashboards. |
fixed:folders.permissions:reader | folders.permissions:read | Read all folder permissions. |
fixed:folders.permissions:writer | All permissions from fixed:folders.permissions:reader andfolders.permissions:write | Read and update all folder permissions. |
fixed:annotations:reader | annotations:read | Read all annotations and annotation tags. |
fixed:annotations.dashboard:writer | annotations:writeannotations.createannotations:delete for scope annotations:type:dashboard | Create, update and delete dashboard annotations and annotation tags. |
fixed:annotations:writer | annotations:writeannotations.createannotations:delete for scope annotations:type:* | Create, update and delete all annotations and annotation tags. |
Alerting roles
If you enable Grafana Alerting, you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.
Access to Grafana alert rules is an intersection of many permissions:
- Permission to read a folder, for example, the fixed role
fixed:folders:readeror actionfolders:readin the scope of a folderfolders:id: - Permission to manage alerts. The following table contains information about alerting fixed roles.
- Permission to query all data sources that the rule uses, for example, the fixed role
fixed:datasources:readeror actiondatasources:queryin the scope ofdatasources:uid:.
For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.
| Fixed roles | Permissions | Descriptions |
|---|---|---|
fixed:alerting.rules:reader | alert.rule:read for scope folders:*alert.rules.external:read for scope datasources:* | Read all* Grafana, Mimir, and Loki alert rules |
fixed:alerting.rules:editor | All permissions from fixed:alerting.rules:reader andalert.rule:createalert.rule:updatealert.rule:delete for scope folders:*alert.rules.external:write for scope datasources:* | Create, update, and delete all* Grafana, Mimir, and Loki alert rules. |
fixed:alerting.instances:reader | alert.instances:read for organization scopealert.instances.external:read for scope datasources:* | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences. |
fixed:alerting.instances:editor | All permissions from fixed:alerting.instances:reader andalert.instances:createalert.instances:update for organization scopealert.instances.external:write for scope datasources:* | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki. |
fixed:alerting.notifications:reader | alert.notifications:read for organization scopealert.notifications.external:read for scope datasources:* | Read all Grafana and Alertmanager contact points, templates, and notification policies. |
fixed:alerting.notifications:editor | All permissions from fixed:alerting.notifications:reader andalert.notifications:write for organization scopealert.notifications.external:read for scope datasources:* | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager. |
fixed:alerting:reader | All permissions from fixed:alerting.rules:readerfixed:alerting.instances:readerfixed:alerting.notifications:reader | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies. |
fixed:alerting:editor | All permissions from fixed:alerting.rules:editorfixed:alerting.instances:editorfixed:alerting.notifications:editor | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies. |
Default built-in role assignments
| Built-in role | Associated role | Description |
|---|---|---|
| Grafana Admin | fixed:roles:readerfixed:roles:writerfixed:users:readerfixed:users:writerfixed:org.users:readerfixed:org.users:writerfixed:ldap:readerfixed:ldap:writerfixed:stats:readerfixed:settings:readerfixed:settings:writerfixed:provisioning:writerfixed:organization:readerfixed:organization:maintainerfixed:licensing:readerfixed:licensing:writer | Default Grafana server administrator assignments. |
| Admin | fixed:reports:readerfixed:reports:writerfixed:datasources:readerfixed:datasources:writerfixed:organization:writerfixed:datasources.permissions:readerfixed:datasources.permissions:writerfixed:teams:writerfixed:dashboards:readerfixed:dashboards:writerfixed:dashboards.permissions:readerfixed:dashboards.permissions:writerfixed:folders:readerfixes:folders:writerfixed:folders.permissions:readerfixed:folders.permissions:writerfixed:alerting:editor | Default Grafana organization administrator assignments. |
| Editor | fixed:datasources:explorerfixed:dashboards:creatorfixed:folders:creatorfixed:annotations:writerfixed:teams:creator if the editors_can_admin configuration flag is enabledfixed:alerting:editor | Default Editor assignments. |
| Viewer | fixed:datasources:id:readerfixed:organization:readerfixed:annotations:readerfixed:annotations.dashboard:writerfixed:alerting:reader | Default Viewer assignments. |
