Manage users and teams for Grafana OnCall
Grafana OnCall relies on the teams and user permissions configured at the organization level of your Grafana instance. Organization administrators can invite users, configure teams, and manage user permissions at Grafana.com.
User roles and permissions
Note: User roles and teams cannot be managed directly from Grafana OnCall.
User roles and permissions are assigned and managed at the Grafana organization or Cloud portal level. There are two ways to manage user roles and permissions for Grafana OnCall.
Basic role authorization
By default, authorization within Grafana OnCall relies on the basic user roles configured at the organization level. All users are assigned a basic role by the
organization administrator. There are three available roles:
Role-based access control (RBAC)
RBAC for Grafana plugins allows for fine-grained access control so you can define custom roles and actions for users in Grafana OnCall. Use RBAC to grant specific permissions within the Grafana OnCall plugin without changing the user’s basic role at the organization level. You can fine-tune basic roles to add or remove certain Grafana OnCall RBAC roles.
For example, a user with the basic
Viewer role at the organization level needs to edit on-call schedules. You can assign the Grafana OnCall RBAC role of
Schedules Editor to allow the user to view everything in Grafana OnCall, as well as allow them to edit on-call schedules.
To learn more about RBAC for Grafana OnCall, refer to the following documentation:
Available Grafana OnCall RBAC roles + granted actions
Note: granting any of the following roles will also grant the user the
plugins.app:access action with a scope of
plugins:id:grafana-oncall-app (ie. granting the user the ability to access the plugin). Additionally, all of the
following RBAC roles do not currently support scopes. Consider using Grafana teams to further control which Grafana OnCall
objects specific groups of users can see (see “Manage Teams in Grafana OnCall”).
|Role||Description||Granted Actions||Basic Roles Granted To|
|Admin||Read/write access to everything in OnCall||Grafana Admin, Admin|
|Editor||Similar to the Admin role, minus the abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other user’s settings, and update general OnCall setings.||Editor|
|Reader||Read-only access to everything in OnCall||Viewer|
|Notifications Receiver||Grants the ability to receive OnCall alert notifications. By virtue, also grants the user the ability to edit their own OnCall settings.||N/A|
|OnCaller||Grants read access to everything in OnCall. In addition, grants edit access to Alert Groups and Schedules||N/A|
|Alert Groups Reader||Read-only access to OnCall Alert Groups||N/A|
|Alert Groups Editor||Read access to OnCall Alert Groups + ability to act on Alert Groups (ie. ack, resolve, etc)||N/A|
|Alert Groups Direct Paging||Grants the ability to be able to manually create new Alert Groups (aka Direct Paging)||N/A|
|Integrations Reader||Read-only access to OnCall Integrations||N/A|
|Integrations Editor||Read/write access to OnCall Integrations||N/A|
|Escalation Chains Reader||Read-only access to OnCall Escalation Chains||N/A|
|Escalation Chains Editor||Read/write access to OnCall Escalation Chains||N/A|
|Schedules Reader||Read-only access to OnCall Schedules||N/A|
|Schedules Editor||Read/write access to OnCall Schedules||N/A|
|ChatOps Reader||Read-only access to OnCall ChatOps||N/A|
|ChatOps Editor||Read/write access to OnCall ChatOps||N/A|
|Outgoing Webhooks Reader||Read-only access to OnCall Outgoing Webhooks||N/A|
|Outgoing Webhooks Editor||Read/write access to OnCall Outgoing Webhooks||N/A|
|Maintenance Reader||Read-only access to OnCall Maintenance||N/A|
|Maintenance Editor||Read/write access to OnCall Maintenance||N/A|
|API Keys Reader||Read-only access to OnCall API Keys||N/A|
|API Keys Editor||Read/write access to OnCall API Keys. Also grants access to be able to consume the API.||N/A|
|Notification Settings Reader||Read-only access to OnCall Notification Settings||N/A|
|Notification Settings Editor||Read/write access to OnCall Notification Settings||N/A|
|User Settings Reader||Read-only access to own OnCall User Settings||N/A|
|User Settings Editor||Read/write access to own OnCall User Settings + ability to view basic information about other OnCall users||N/A|
|User Settings Admin||Read/write access to your own, plus other’s OnCall User Settings||N/A|
|Settings Reader||Read-only access to OnCall Settings||N/A|
|Settings Editor||Read/write access to OnCall Settings||N/A|
Manage Teams in Grafana OnCall
Teams in Grafana OnCall enable the configuration of visibility and filtering of resources, such as alert groups, integrations, escalation chains, and schedules. OnCall teams are automatically synced with Grafana teams created at the organization level of your Grafana instance. To modify global settings like team name or team members, navigate to Configuration > Teams. For OnCall-specific team settings, go to Alerts & IRM > OnCall > Settings > Teams and Access Settings.
This section displays a list of teams, allowing you to configure team visibility and access to team resources for all
Grafana users, or only admins and team members. You can also set a default team, which is a user-specific setting;
the default team will be pre-selected each time a user creates a new resource. The team list includes a
No team tag,
signifying that the resource has no team and is accessible to everyone.
Admins can view the list of all teams, while editors and viewers can only see teams (and their resources) they are members of or if the team setting “who can see the team name and access the team resources” is set to “all users of Grafana”.
⚠️ In the main Grafana teams section, users can set team-specific user permissions, such as Admin, Editor, or Viewer, but only for resources within that team. Currently, Grafana OnCall ignores this setting and uses global roles instead.
Teams help filter resources on their respective pages, improving organization. You can assign a resource to a team when creating it. Alert groups created via the Integration API inherit the team from the integration.
Resources from different teams can be connected with one another. For instance, you can create an integration in one
team, set up multiple routes for the integration, and utilize escalation chains from other teams. Users, schedules,
and outgoing webhooks from other teams can also be included in the escalation chain. If a user only has access to the
first team and not others, they will be unable to view the resource, which will display as
🔒 Private resource.
This feature enables the distribution of escalations across various teams.