Grafana Cloud

Manage Assistant access with RBAC

Grafana Assistant relies on Grafana role-based access control (RBAC) so you can decide who can chat, run investigations, or administer deployment-wide settings. This article explains the roles available, the permissions they unlock, and how to grant users the access they need.

Before you begin

Decide who needs chat access, admin access, or investigation access before you start assigning roles.

  • Organization administrator access: Only admins can assign Assistant-related roles and permissions.
  • RBAC plan: Decide which teams need chat, investigations, or administrative control.
  • Feature availability: Confirm you enabled Grafana Assistant and investigations in your stack.
  • Scope per deployment: Assistant uses Grafana RBAC in the Grafana deployment where the plugin runs. In Grafana Cloud, that means a Grafana Cloud stack. In self-managed Grafana, that means your local Grafana instance. Use plugins.app:access scoped to plugins:id:grafana-assistant-app to control who can open Assistant. To remove or disable the Assistant in a deployment, an administrator can navigate to Administration > Plugins and data > Plugins, search for Grafana Assistant or go directly to /plugins/grafana-assistant-app, uncheck the agreement box, and click Save.

Note

A self-managed Grafana deployment hides some Grafana Cloud-dependent features entirely. RBAC still governs access to the Assistant app and its remaining settings, but permissions alone do not enable investigations, MCP management, SQL discovery, or automations in a self-managed deployment.

Understand available roles

Grafana offers baseline organization roles plus Assistant-specific roles. Combining them lets you tailor access without granting more privileges than necessary.

Organization roles define broad access in Grafana:

Organization role | What the role can do with Grafana Assistant
Admin | Full access to Assistant chat, investigations, rules, and MCP server management.
Editor | Chat, investigations, and personal MCP server management.
Viewer | Chat access.
No basic role | No Assistant access unless an administrator adds an Assistant-specific role.

Assistant-specific roles extend or restrict access regardless of the user’s organization role:

Assistant role | What the role unlocks
Assistant Admin | Administers deployment-wide Assistant settings, usage analytics and limits, rules, and MCP servers in addition to chat.
Assistant Cloud MCP User | Authorizes and manages external AI agent connections to Grafana via the Grafana Cloud MCP server.
Assistant MCP User | Uses Assistant chat and manages personal MCP servers and rules.
Assistant User | Basic Assistant chat plus personal rule management and personal skills.
Assistant Investigation User | Launches and manages Assistant investigations.
Assistant System Investigation Viewer | Adds visibility of system-created investigations. Combine with Assistant Investigation User or organization Admin.

Assign Assistant-specific roles to give targeted access to teammates who are not Editors or Admins.

Note

System-created investigations (launched automatically via IRM webhooks, alerts, or incidents) are hidden by default. Only users with the Assistant System Investigation Viewer role (combined with Assistant Investigation User) or organization Admin role can see them.

Grant access in Grafana

Use the following procedures to grant the right level of access without over-provisioning.

Grant basic Assistant chat access

  1. Sign in as an organization administrator.
  2. Go to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant User.
  5. Click Apply.

Allow users to launch investigations and skills

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User.
  5. Click Apply.

Allow users to view system-created investigations

System-created investigations are launched automatically by IRM webhooks, alerts, or incidents. By default, only organization Admins can view them. This role is additive — the user also needs the Assistant Investigation User role for general investigation access.

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Investigation User (if not already assigned).
  5. Also choose Assistant > Assistant System Investigation Viewer.
  6. Click Apply.

Delegate Assistant administration

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Admin.
  5. Click Apply.

Users can hold multiple Assistant roles if they need both investigation access and deployment-wide configuration control.

Control access to Skills

Skills use separate permissions for personal and deployment-wide scope.

Users with Assistant User can create, edit, and delete their own Just me skills. Users with Assistant Admin can also create, edit, and delete Everybody skills for the deployment. Users who don’t have deployment-wide skill permissions can still view shared skills, but they can’t modify them.

Control access to Usage Analytics and limits

The Assistant > Usage page is gated by the grafana-assistant-app.usage:read permission. Editing limits from that page requires grafana-assistant-app.usage:write.

By default, these permissions are included in the Assistant Admin role. The Assistant Admin role is granted to the organization Admin basic role by default.

Enable Grafana Cloud MCP access

Grafana Cloud MCP access is automatically included for users with the Editor role or higher. To grant Grafana Cloud MCP access to users without the Editor role:

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant Cloud MCP User.
  5. Click Apply.

To allow users to authorize write-scoped Grafana Cloud MCP connections (enabling tools that create or modify resources), add the Assistant Admin role.

For more information, refer to Grafana Cloud MCP server.

Enable MCP server management

To allow users to configure personal MCP servers without granting full Editor access:

  1. Sign in as an organization administrator.
  2. Navigate to Administration > Users and access > Users.
  3. Select the user and open the Role picker.
  4. Choose Assistant > Assistant MCP User.
  5. Click Apply.

MCP servers configured with Everybody scope require deployment-wide MCP permissions, typically the Grafana Admin basic role or Assistant Admin.

Understand memory access control

Assistant respects Grafana’s existing RBAC when accessing memories:

  • Dashboard memory: Search results are filtered based on your Grafana folder and dashboard permissions. You can only discover and reference dashboards you have access to view.
  • Infrastructure memory: Semantic search results are filtered by datasource permissions. You can only access infrastructure metrics from datasources you’re authorized to query. If permissions can’t be verified, access is denied by default.

This ensures Assistant never exposes data beyond your existing Grafana permissions.

Map permissions to actions

Each Assistant role grants a set of permissions. Use the tables below when you need to understand or audit the underlying RBAC settings.

Core permissions

Permission | Description | Scope
plugins.app:access | Access the Assistant plugin shell. | plugins:id:grafana-assistant-app
grafana-assistant-app.settings.terms:write | Accept terms and conditions to enable Assistant. | n/a
grafana-assistant-app.settings.sql-discovery:read | Read SQL table discovery settings. | n/a
grafana-assistant-app.settings.sql-discovery:write | Configure SQL table discovery settings. | n/a
grafana-assistant-app.chats:access | Use Assistant chat. | n/a
grafana-assistant-app.rules.user:read | Read personal Assistant rules. | n/a
grafana-assistant-app.rules.user:create | Create personal Assistant rules. | n/a
grafana-assistant-app.rules.user:write | Update personal Assistant rules. | n/a
grafana-assistant-app.rules.user:delete | Delete personal Assistant rules. | n/a
grafana-assistant-app.rules.tenant:read | Read tenant-level Assistant rules. | n/a
grafana-assistant-app.rules.tenant:create | Create tenant-level Assistant rules. | n/a
grafana-assistant-app.rules.tenant:write | Update tenant-level Assistant rules. | n/a
grafana-assistant-app.rules.tenant:delete | Delete tenant-level Assistant rules. | n/a
grafana-assistant-app.mcps.user:read | Read personal MCP servers. | n/a
grafana-assistant-app.mcps.user:create | Create personal MCP servers. | n/a
grafana-assistant-app.mcps.user:write | Update personal MCP servers. | n/a
grafana-assistant-app.mcps.user:delete | Delete personal MCP servers. | n/a
grafana-assistant-app.mcps.tenant:read | Read tenant MCP servers. | n/a
grafana-assistant-app.mcps.tenant:create | Create tenant MCP servers. | n/a
grafana-assistant-app.mcps.tenant:write | Update tenant MCP servers. | n/a
grafana-assistant-app.mcps.tenant:delete | Delete tenant MCP servers. | n/a
grafana-assistant-app.investigations:read | View investigations. | n/a
grafana-assistant-app.investigations:create | Launch investigations. | n/a
grafana-assistant-app.investigations.system:read | View system-created investigations. | n/a
grafana-assistant-app.cloud-mcp:access | Connect external AI agents via Grafana Cloud MCP and manage connections. | n/a
grafana-assistant-app.cloud-mcp.scope:write | Authorize Grafana Cloud MCP connections with write scope. | n/a
grafana-assistant-app.skills.user:* | Manage personal skills. | n/a
grafana-assistant-app.skills.tenant:* | Manage deployment-wide shared skills. | n/a
grafana-assistant-app.usage:read | View Usage Analytics for the deployment. | n/a
grafana-assistant-app.usage:write | Update deployment usage limits. | n/a

Actions and required permissions

Assistant action | Required permissions (all)
Enable Assistant and accept terms | grafana-assistant-app.settings.terms:write, plugins.app:access
Configure SQL table discovery | grafana-assistant-app.settings.sql-discovery:write, grafana-assistant-app.settings.sql-discovery:read, plugins.app:access
Use Assistant chat | grafana-assistant-app.chats:access, plugins.app:access
Manage personal rules | grafana-assistant-app.rules.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage personal MCP servers | grafana-assistant-app.mcps.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant rules | grafana-assistant-app.rules.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant MCP servers | grafana-assistant-app.mcps.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
Use investigations | grafana-assistant-app.investigations:*, grafana-assistant-app.chats:access, plugins.app:access
View system-created investigations | grafana-assistant-app.investigations.system:read, grafana-assistant-app.investigations:read, plugins.app:access
Manage personal skills | grafana-assistant-app.skills.user:*, grafana-assistant-app.chats:access, plugins.app:access
Manage tenant-wide skills | grafana-assistant-app.skills.tenant:*, grafana-assistant-app.chats:access, plugins.app:access
View Usage Analytics dashboard | grafana-assistant-app.usage:read, plugins.app:access
Configure usage limits | grafana-assistant-app.usage:write, grafana-assistant-app.usage:read, plugins.app:access
Connect via Grafana Cloud MCP | grafana-assistant-app.cloud-mcp:access, plugins.app:access
Authorize write-scoped Grafana Cloud MCP connections | grafana-assistant-app.cloud-mcp.scope:write, grafana-assistant-app.cloud-mcp:access, plugins.app:access

Permissions with a * suffix mean the role needs read, create, write, and delete access for that feature area.
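
For an access review, the action table above can be evaluated mechanically against a user's granted permissions. The following is an added example, not Grafana code: it expands the * suffix, requires plugins.app:access with the Assistant plugin scope, and reports which permissions are missing for each action. The input shape (permission name mapped to a list of scopes), the sample grants, and the plugin ID example-other-app are constructed assumptions, and only a subset of the table is included.

```python
# Added example (not Grafana code): audit a permission set against the
# "Actions and required permissions" table on this page.
APP = "grafana-assistant-app"
ACCESS = "plugins.app:access"
ACCESS_SCOPE = "plugins:id:grafana-assistant-app"
VERBS = ("read", "create", "write", "delete")  # what a ':*' suffix stands for

# Subset of the page's action table; plugins.app:access is checked separately.
ACTIONS = {
    "Use Assistant chat": [f"{APP}.chats:access"],
    "Manage personal rules": [f"{APP}.rules.user:*", f"{APP}.chats:access"],
    "Manage tenant MCP servers": [f"{APP}.mcps.tenant:*", f"{APP}.chats:access"],
    "View system-created investigations": [
        f"{APP}.investigations.system:read", f"{APP}.investigations:read"],
    "Configure usage limits": [f"{APP}.usage:write", f"{APP}.usage:read"],
}

def expand(perm):
    """Expand a trailing ':*' into read/create/write/delete permissions."""
    if perm.endswith(":*"):
        return {perm[:-1] + verb for verb in VERBS}
    return {perm}

def audit(granted):
    """granted: permission -> scopes (assumed shape). Returns {action: missing}."""
    held = set()
    for perm, scopes in granted.items():
        if perm == ACCESS:
            # Only the exact Assistant plugin scope counts; wildcards are ignored.
            if ACCESS_SCOPE in scopes:
                held.add(ACCESS)
        else:
            held |= expand(perm)
    report = {}
    for action, required in ACTIONS.items():
        needed = {ACCESS}.union(*(expand(p) for p in required))
        report[action] = sorted(needed - held)  # [] means the action is allowed
    return report

# Constructed sample: chat user with personal rules and read-only extras.
SAMPLE = {
    ACCESS: [ACCESS_SCOPE],
    f"{APP}.chats:access": [],
    f"{APP}.rules.user:*": [],
    f"{APP}.investigations:read": [],
    f"{APP}.usage:read": [],
}
# Same grants, but plugin access scoped to a different (made-up) plugin.
WRONG_SCOPE = {**SAMPLE, ACCESS: ["plugins:id:example-other-app"]}
```

Calling audit(WRONG_SCOPE) lists plugins.app:access as missing for every action, which is the failure to look for when a user holds Assistant permissions but cannot open the app.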
