Configure RBAC

Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.

A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.

Each permission contains one or more actions and a scope.

Permissions

Grafana Alerting has the following permissions.

| Action | Applicable scope | Description |
| --- | --- | --- |
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | n/a | Create silences in the current organization. |
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
| `alert.instances:write` | n/a | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki). |
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc. via the provisioning API. Permissions to folders and data sources are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read`, plus the ability to export resources with decrypted secrets. |
| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc. via the provisioning API. Permissions to folders and data sources are not required. |
| `alert.provisioning.provenance:write` | n/a | Set provisioning status for alerting resources. Cannot be used alone. Requires the user to have permissions to access the resources. |

Contact point permissions. To enable the API and user interface that use these permissions, enable the alertingApiServer feature toggle.

| Action | Applicable scope | Description |
| --- | --- | --- |
| `alert.notifications.receivers:read` | `receivers:*`<br>`receivers:uid:*` | Read contact points. |
| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*` | Export contact points with decrypted secrets. |
| `alert.notifications.receivers:create` | n/a | Create new contact points. The creator is automatically granted full access to the created contact point. |
| `alert.notifications.receivers:write` | `receivers:*`<br>`receivers:uid:*` | Update existing contact points. |
| `alert.notifications.receivers:delete` | `receivers:*`<br>`receivers:uid:*` | Update and delete existing contact points. |
| `receivers.permissions:read` | `receivers:*`<br>`receivers:uid:*` | Read permissions for contact points. |
| `receivers.permissions:write` | `receivers:*`<br>`receivers:uid:*` | Manage permissions for contact points. |

Mute time interval permissions. To enable the API and user interface that use these permissions, enable the alertingApiServer feature toggle.

| Action | Applicable scope | Description |
| --- | --- | --- |
| `alert.notifications.time-intervals:read` | n/a | Read mute time intervals. |
| `alert.notifications.time-intervals:write` | n/a | Create new or update existing mute time intervals. |
| `alert.notifications.time-intervals:delete` | n/a | Delete existing time intervals. |

Notification template permissions. To enable these permissions, enable the alertingApiServer feature toggle.

| Action | Applicable scope | Description |
| --- | --- | --- |
| `alert.notifications.templates:read` | n/a | Read templates. |
| `alert.notifications.templates:write` | n/a | Create new or update existing templates. |
| `alert.notifications.templates:delete` | n/a | Delete existing templates. |

Notification policy permissions. To enable the API and user interface that use these permissions, enable the alertingApiServer feature toggle.

| Action | Applicable scope | Description |
| --- | --- | --- |
| `alert.notifications.routes:read` | n/a | Read notification policies. |
| `alert.notifications.routes:write` | n/a | Create and update notification policies. |

To help plan your RBAC rollout strategy, refer to Plan your RBAC rollout strategy.
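
The permission tables above imply a few review rules for any custom alerting role: `alert.rules:*` actions need `folders:read` in a scope that includes the folder (and `datasources:query` for create, write, and delete), the two `secrets:read` actions export decrypted secrets, and the provisioning read/write actions do not require folder or data source permissions. The following is an added example, not Grafana's own code, that lints a role's permission list against those rules; the role contents, the finding names, and the simplified wildcard matching in `covers` are assumptions made for illustration.

```python
# Added example: lint a custom role's permission list against the pairing
# rules in the tables above. Role contents below are constructed samples.
NEEDS_FOLDER_READ = {"alert.rules:create", "alert.rules:delete",
                     "alert.rules:read", "alert.rules:write"}
NEEDS_DS_QUERY = NEEDS_FOLDER_READ - {"alert.rules:read"}
SECRET_ACTIONS = {"alert.provisioning.secrets:read",
                  "alert.notifications.receivers.secrets:read"}
SKIPS_FOLDER_CHECKS = {"alert.provisioning:read", "alert.provisioning:write"}


def covers(granted, wanted):
    """Simplified wildcard match (assumption): 'folders:*' covers 'folders:uid:x'."""
    if granted == wanted:
        return True
    return granted.endswith("*") and wanted.startswith(granted[:-1])


def audit_role(permissions):
    """Return (finding, action, scope) tuples for one role's permissions."""
    def has(action, scope):
        return any(p["action"] == action and covers(p.get("scope", ""), scope)
                   for p in permissions)

    findings = []
    for p in permissions:
        action, scope = p["action"], p.get("scope", "")
        if action in NEEDS_FOLDER_READ and not has("folders:read", scope):
            findings.append(("missing-folders:read", action, scope))
        if action in NEEDS_DS_QUERY and not any(
                q["action"] == "datasources:query" for q in permissions):
            findings.append(("missing-datasources:query", action, scope))
        if action in SECRET_ACTIONS:
            findings.append(("exports-decrypted-secrets", action, scope))
        if action in SKIPS_FOLDER_CHECKS:
            findings.append(("skips-folder-and-datasource-checks", action, scope))
    return findings


# Constructed sample roles (folder and data source UIDs are hypothetical).
ROLE_SCOPED = [
    {"action": "alert.rules:read", "scope": "folders:uid:team-a"},
    {"action": "alert.rules:write", "scope": "folders:uid:team-a"},
    {"action": "folders:read", "scope": "folders:uid:team-a"},
    {"action": "datasources:query", "scope": "datasources:uid:prom-1"},
]
ROLE_BROAD = [
    {"action": "alert.rules:write", "scope": "folders:*"},
    {"action": "folders:read", "scope": "folders:uid:team-a"},
    {"action": "alert.notifications.receivers.secrets:read", "scope": "receivers:*"},
    {"action": "alert.provisioning:write"},
]
```

The lint looks at one role in isolation, so a `missing-*` finding may be satisfied by another role the user holds; the secrets and provisioning findings are worth reviewing regardless.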