IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
12605bfed226503396d2a76426bf9d0ac968e5fa
grafana/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md

147 lines
56 KiB
Markdown
Raw Normal View History

Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
---
Add current alias to all files (#48635) * Add aliases to all files Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Prettify front matter Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
2022-05-17 16:24:11 +01:00
aliases:
Use relative aliases for all non-current Grafana aliases (#60062) * Use relative aliases for all non-current Grafana aliases Prevents non-latest documentation "stealing" the page away from latest and through permanent redirects for latest pages that no longer exist. The redirected pages are indexed by search engines but our robots.txt forbids them crawling the non-latest page. Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Remove aliases from shared pages Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Rewrite all current latest aliases to be next Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix typo in latest alias Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Remove all current page aliases find docs/sources -type f -name '*.md' -exec sed -z -i 's#\n *- /docs/grafana/next/[^\n]*\n#\n#' {} \; find docs/sources -type f -name '*.md' -exec sed -Ez -i 's#\n((aliases:\n *-)|aliases:\n)#\n\2#' {} \; Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Prettier Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
2022-12-09 12:36:04 -04:00
- ../../../enterprise/access-control/fine-grained-access-control-references/
- ../../../enterprise/access-control/rbac-fixed-basic-role-definitions/
Add current alias to all files (#48635) * Add aliases to all files Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Prettify front matter Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
2022-05-17 16:24:11 +01:00
description: This topic includes a table that lists permission associated with Grafana
fixed and basic roles.
Explicitly set all front matter labels in the source files (#71548) * Set every page to have defaults of 'Enterprise' and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration pages to have of 'Cloud', 'Enterprise', and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/enterprise-licensing pages to have 'Enterprise' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/organization-management pages to have 'Enterprise' and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/provisioning pages to have 'Enterprise' and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/recorded-queries pages to have labels cloud,enterprise * Set administration/roles-and-permissions/access-control pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/stats-and-license pages to have labels cloud,enterprise * Set alerting pages to have labels cloud,enterprise,oss * Set breaking-changes pages to have labels cloud,enterprise,oss * Set dashboards pages to have labels cloud,enterprise,oss * Set datasources pages to have labels cloud,enterprise,oss * Set explore pages to have labels cloud,enterprise,oss * Set fundamentals pages to have labels cloud,enterprise,oss * Set introduction/grafana-cloud pages to have labels cloud Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix introduction pages products Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set panels-visualizations pages to have labels cloud,enterprise,oss * Set release-notes pages to have labels cloud,enterprise,oss * Set search pages to have labels cloud,enterprise,oss * Set setup-grafana/configure-security/audit-grafana pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set setup-grafana/configure-security/configure-authentication pages to have labels cloud,enterprise,oss * Set setup-grafana/configure-security/configure-authentication/enhanced-ldap pages to have labels cloud,enterprise * Set setup-grafana/configure-security/configure-authentication/saml pages to have labels cloud,enterprise * Set setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault pages to have labels cloud,enterprise * Set setup-grafana/configure-security/configure-request-security pages to have labels cloud,enterprise,oss Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set setup-grafana/configure-security/configure-team-sync pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set setup-grafana/configure-security/export-logs pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set troubleshooting pages to have labels cloud,enterprise,oss * Set whatsnew pages to have labels cloud,enterprise,oss * Apply updated labels from review Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com> Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com> --------- Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com> Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
2023-07-18 09:10:12 +01:00
labels:
products:
- cloud
- enterprise
Add current alias to all files (#48635) * Add aliases to all files Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Prettify front matter Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
2022-05-17 16:24:11 +01:00
menuTitle: RBAC role definitions
Docs: RBAC GA (#49062)
2022-05-20 21:48:52 +02:00
title: Grafana RBAC role definitions
Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
weight: 70
---
Add fine-grained-access-control-references.md file. (#35043) * Add fine-grained-access-control-references.md file. * Fix syntax error in relref. * Fix another syntax error. * Fix broken link: see introduction of alert rules at PR https://github.com/grafana/grafana/pull/34839.
2021-06-01 16:35:38 +02:00
Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
# RBAC role definitions
PackageJson: Prettify markdown/mdx on commit with lint-staged (#37616) * Format md,mdx files with prettier on lint-staged * Manually run prettier on docs/sources
2021-08-06 07:52:36 -06:00
[feat] docs; update admonition syntax (#68842) * [feat] docs; update admonition syntax - Standardizes according to style conventions: https://grafana.com/docs/writers-toolkit/style-guide/style-conventions/#admonitions - Prepares docs for better, uniform admonition style. * Remove false positives and irregularities * false positive removal * Update docs/sources/datasources/mysql/_index.md * Update docs/sources/developers/angular_deprecation/angular-plugins.md * fix link errors * Prettify some nested blockquotes * remoe unnecessary admonition
2023-05-22 17:45:28 -03:00
{{% admonition type="note" %}}
Everything in Cloud free updates (#69948) * updates for everything in Free * more cloud free
2023-06-12 11:14:02 -07:00
Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud](/docs/grafana-cloud).
[feat] docs; update admonition syntax (#68842) * [feat] docs; update admonition syntax - Standardizes according to style conventions: https://grafana.com/docs/writers-toolkit/style-guide/style-conventions/#admonitions - Prepares docs for better, uniform admonition style. * Remove false positives and irregularities * false positive removal * Update docs/sources/datasources/mysql/_index.md * Update docs/sources/developers/angular_deprecation/angular-plugins.md * fix link errors * Prettify some nested blockquotes * remoe unnecessary admonition
2023-05-22 17:45:28 -03:00
{{% /admonition %}}
RBAC: Update the docs homepage to mention that RBAC is only enterprise (#52890) * RBAC: Update the docs homepage to mention that RBAC is only enterprise * Don't mention that there is anything to enable for provisioning RBAC * Add GE notices to child RBAC pages * Extend the RBAC availibility note to Cloud Advanced Co-authored-by: Garrett Guillotte <garrett.guillotte@grafana.com>
2022-07-28 11:32:11 +02:00
Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
The following tables list permissions associated with basic and fixed roles.
Add fine-grained-access-control-references.md file. (#35043) * Add fine-grained-access-control-references.md file. * Fix syntax error in relref. * Fix another syntax error. * Fix broken link: see introduction of alert rules at PR https://github.com/grafana/grafana/pull/34839.
2021-06-01 16:35:38 +02:00
Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
## Basic role assignments
Add fine-grained-access-control-references.md file. (#35043) * Add fine-grained-access-control-references.md file. * Fix syntax error in relref. * Fix another syntax error. * Fix broken link: see introduction of alert rules at PR https://github.com/grafana/grafana/pull/34839.
2021-06-01 16:35:38 +02:00
Alerting: Add description of a new role (#85218)
2024-04-08 15:01:15 -04:00
| Basic role | Associated fixed roles | Description |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer`<br>`fixed:datasources.caching:reader`<br>`fixed:datasources.caching:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:plugins:maintainer`<br>`fixed:authentication.config:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:library.panels:writer`<br>`fixed:library.panels:general.writer` | Default [Grafana server administrator]({{< relref "../../#grafana-server-administrators" >}}) assignments. |
| Admin | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:reader`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:reader`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:reader`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:reader`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:apikeys:reader`<br>`fixed:apikeys:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:reader`<br>`fixed:datasources.caching:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:plugins:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:library.panels:writer`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer` | Default [Grafana organization administrator]({{< relref "../#basic-roles" >}}) assignments. |
| Editor | `fixed:datasources:explorer`<br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled<br>`fixed:alerting:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.reader`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer` | Default [Editor]({{< relref "../#basic-roles" >}}) assignments. |
| Viewer | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader` | Default [Viewer]({{< relref "../#basic-roles" >}}) assignments. |
| No Basic Role | | Default [No Basic Role]({{< relref "../#basic-roles" >}}) |
Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
## Fixed role definitions
Alerting: Update fixed roles to include silences permissions (#85826) * update fixed roles to include silences * add silence actions to managed permissions * update documentation
2024-04-12 12:37:34 -04:00
| Fixed role | Permissions | Description |
| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:alerting.instances:writer` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*` | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles) |
| `fixed:alerting.instances:reader` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*` | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles) |
| `fixed:alerting.notifications:writer` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles) |
| `fixed:alerting.notifications:reader` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting.rules:writer` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences |
| `fixed:alerting.rules:reader` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list` | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences |
| `fixed:alerting:writer` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer` | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting:reader` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader` | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting.provisioning.secrets:reader` | `alert.provisioning:read` and `alert.provisioning.secrets:read` | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles) |
| `fixed:alerting.provisioning:writer` | `alert.provisioning:read` and `alert.provisioning:write` | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles) |
| `fixed:alerting.provisioning.status:writer` | `alert.provisioning.provenance:write` | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles) |
| `fixed:annotations.dashboard:writer` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard` | Create, update and delete dashboard annotations and annotation tags. |
| `fixed:annotations:reader` | `annotations:read` for scopes `annotations:type:*` | Read all annotations and annotation tags. |
| `fixed:annotations:writer` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
| `fixed:apikeys:reader` | `apikeys:read` for scope `apikeys:*` | Read all api keys. |
| `fixed:apikeys:writer` | All permissions from `fixed:apikeys:reader` and <br> `apikeys:create` <br> `apikeys:delete` for scope `apikeys:*` | Read, create, delete all api keys. |
| `fixed:authentication.config:writer` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*` | Read and update authentication and SAML settings. |
| `fixed:dashboards:creator` | `dashboards:create`<br>`folders:read` | Create dashboards. |
| `fixed:dashboards.insights:reader` | `dashboards.insights:read` | Read dashboard insights data and see presence indicators. |
| `fixed:dashboards.permissions:reader` | `dashboards.permissions:read` | Read all dashboard permissions. |
| `fixed:dashboards.permissions:writer` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write` | Read and update all dashboard permissions. |
| `fixed:dashboards.public:writer` | `dashboards.public:write` | Create, update, delete or pause a public dashboard. |
| `fixed:dashboards:reader` | `dashboards:read` | Read all dashboards. |
| `fixed:dashboards:writer` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:edit`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write` | Read, create, update, and delete all dashboards. |
| `fixed:datasources.caching:reader` | `datasources.caching:read` | Read data source query caching settings. |
| `fixed:datasources.caching:writer` | `datasources.caching:read`<br>`datasources.caching:write` | Enable, disable, or update query caching settings. |
| `fixed:datasources:explorer` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
| `fixed:datasources.id:reader` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources.insights:reader` | `datasources.insights:read` | Read data source insights data. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:datasources:creator` | `datasources:create` | Create data sources. |
| `fixed:datasources:reader` | `datasources:read`<br>`datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:folders.permissions:reader` | `folders.permissions:read` | Read all folder permissions. |
| `fixed:folders.permissions:writer` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write` | Read and update all folder permissions. |
| `fixed:folders:creator` | `folders:create` | Create folders in the root level. If granted together with `folders:write` permission, also allows creating subfolders under all folders. |
| `fixed:folders:reader` | `folders:read`<br>`dashboards:read` | Read all folders and dashboards. |
| `fixed:folders:writer` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write` | Read, create, update, and delete all folders and dashboards. If granted together with `fixed:folders:creator`, allows creating subfolders under all folders. |
| `fixed:ldap:reader` | `ldap.user:read`<br>`ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:ldap:writer` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:library.panels:creator` | `library.panels:create`<br>`folders:read` | Create library panel at the root level. |
| `fixed:library.panels:reader` | `library.panels:read` | Read all library panels. |
| `fixed:library.panels:general.reader` | `library.panels:read` | Read all library panels at the root level. |
| `fixed:library.panels:writer` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write` | Create, read, write or delete all library panels and their permissions. |
| `fixed:library.panels:general.writer` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write` | Create, read, write or delete all library panels and their permissions at the root level. |
| `fixed:licensing:reader` | `licensing:read`<br>`licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | All permissions from `fixed:licensing:viewer` and <br>`licensing:write`<br>`licensing:delete` | Read licensing information and licensing reports, update and delete the license token. |
| `fixed:org.users:reader` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write` | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:organization:maintainer` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write` | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| `fixed:organization:reader` | `orgs:read`<br>`orgs.quotas:read` | Read an organization and its quotas. |
| `fixed:organization:writer` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write` | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| `fixed:plugins.app:reader` | `plugins.app:access` | Access application plugins (still enforcing the organization role). |
| `fixed:plugins:maintainer` | `plugins:install` | Install and uninstall plugins. Needs to be assigned globally. |
| `fixed:plugins:writer` | `plugins:write` | Enable and disable plugins and edit plugins' settings. |
| `fixed:provisioning:writer` | `provisioning:reload` | Reload provisioning. |
| `fixed:reports:reader` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Read all reports and shared report settings. |
| `fixed:reports:writer` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:roles:reader` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read` | Read all access control roles, roles and permissions assigned to users, teams. |
| `fixed:roles:writer` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove` | Create, read, update, or delete all roles, assign or unassign roles to users, teams. |
| `fixed:roles:resetter` | `roles:write` with scope `permissions:type:escalate` | Reset basic roles to their default. |
| `fixed:serviceaccounts:reader` | `serviceaccounts:read` | Read Grafana service accounts. |
| `fixed:serviceaccounts:creator` | `serviceaccounts:create` | Create Grafana service accounts. |
| `fixed:serviceaccounts:writer` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write` | Create, update, read and delete all Grafana service accounts and manage service account permissions. |
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:reader` | `teams:read` | List all teams. |
| `fixed:teams:creator` | `teams:create`<br>`org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |
| `fixed:users:reader` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`<br>` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users. |
Add fine-grained-access-control-references.md file. (#35043) * Add fine-grained-access-control-references.md file. * Fix syntax error in relref. * Fix another syntax error. * Fix broken link: see introduction of alert rules at PR https://github.com/grafana/grafana/pull/34839.
2021-06-01 16:35:38 +02:00
Alerting: Update RBAC documentation with information about alerting (#47858) Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2022-04-20 11:35:57 -04:00
### Alerting roles
Remove legacy alerting docs (#84190)
2024-03-12 05:37:41 +01:00
You can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.
Alerting: Update RBAC documentation with information about alerting (#47858) Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2022-04-20 11:35:57 -04:00
Access to Grafana alert rules is an intersection of many permissions:
Docs: Fine-grained access control refactor (#47536) * fleshing out About topic * docs, fgac refactor initial draft * updated FGAC with service account details * finalized restructure * make prettier, corrects spelling * fixes typo * adds rollout strategy topic * started name change * renamed to rbac throughout docs * copy edit to about and actions and scopes docs * finishes content reorg * draft of refactored refactored docs * corrects relrefs * formatting tweaks * fixes typo * copy updates to about rbac * rbac rollout docs edits * update rbac role assignment docs * content update to manage rbac roles doc * sort and reorder roles reference in rbac docs * alphabetize permissions table * Update docs/sources/enterprise/settings-updates.md Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com> * incorporates feedback, makes prettier * update http api references in rbac docs * fix broken refs and improve wording on enabling RBAC provisioning Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00
- Permission to read a folder. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
- Permission to query **all** data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.
Alerting: Update RBAC documentation with information about alerting (#47858) Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2022-04-20 11:35:57 -04:00
RBAC: Rename alerting roles to match naming convention (#50504)
2022-06-09 14:29:27 +02:00
There is only one exclusion at this moment. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
Alerting: Add RBAC actions and role for provisioning API routes (#50459) * add alert provisioning actions and role * linter
2022-06-09 03:18:57 -04:00
Docs: Fix Admin docs relrefs (#51060) * Fix relrefs in CLI docs * Fix relrefs in licensing docs * Fix relrefs in AWS licensing docs * Fix RBAC relrefs * Fix Enterprise relrefs * Fix data source management relrefs * Fix server/org user management relrefs * Remove redundant force-user-logout doc * Fix add/remove user from org relrefs * Fix user management relrefs * Fix user management relrefs * Fix link text typos * Fix and add stats and license relrefs * Fix index page relrefs * Fix developer docs plugin relref to admin plugins doc * Update docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/_index.md Co-authored-by: Fiona Artiaga <89225282+GrafanaWriter@users.noreply.github.com> * Fix provisioning relrefs Co-authored-by: Fiona Artiaga <89225282+GrafanaWriter@users.noreply.github.com>
2022-06-17 15:03:26 -07:00
For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "./plan-rbac-rollout-strategy/#create-a-custom-role-to-access-alerts-in-a-folder" >}}).
Docs: OnCall role and action definitions (#61175) * OnCall role and action definitions * change verbs from write to update or edit * Update docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
2023-01-12 14:40:19 +00:00
### Grafana OnCall roles (beta)
[feat] docs; update admonition syntax (#68842) * [feat] docs; update admonition syntax - Standardizes according to style conventions: https://grafana.com/docs/writers-toolkit/style-guide/style-conventions/#admonitions - Prepares docs for better, uniform admonition style. * Remove false positives and irregularities * false positive removal * Update docs/sources/datasources/mysql/_index.md * Update docs/sources/developers/angular_deprecation/angular-plugins.md * fix link errors * Prettify some nested blockquotes * remoe unnecessary admonition
2023-05-22 17:45:28 -03:00
{{% admonition type="note" %}}
Available from Grafana 9.4 in early access.
{{% /admonition %}}
Docs: OnCall role and action definitions (#61175) * OnCall role and action definitions * change verbs from write to update or edit * Update docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
2023-01-12 14:40:19 +00:00
[feat] docs; update admonition syntax (#68842) * [feat] docs; update admonition syntax - Standardizes according to style conventions: https://grafana.com/docs/writers-toolkit/style-guide/style-conventions/#admonitions - Prepares docs for better, uniform admonition style. * Remove false positives and irregularities * false positive removal * Update docs/sources/datasources/mysql/_index.md * Update docs/sources/developers/angular_deprecation/angular-plugins.md * fix link errors * Prettify some nested blockquotes * remoe unnecessary admonition
2023-05-22 17:45:28 -03:00
{{% admonition type="note" %}}
This feature is behind the `accessControlOnCall` feature toggle.
You can enable feature toggles through configuration file or environment variables. See configuration [docs]({{< relref "../../../../setup-grafana/configure-grafana/#feature_toggles" >}}) for details.
{{% /admonition %}}
Docs: OnCall role and action definitions (#61175) * OnCall role and action definitions * change verbs from write to update or edit * Update docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
2023-01-12 14:40:19 +00:00
If you are using [Grafana OnCall](https://grafana.com/docs/oncall/latest/get-started/), you can try out the integration between Grafana OnCall and RBAC.
update RBAC for OnCall documentation (#80828) * update RBAC for OnCall documentation * Update docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * fix typo --------- Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
2024-01-22 11:18:39 -05:00
For a detailed list of the available OnCall RBAC roles, refer to the table in [Available Grafana OnCall RBAC roles and granted actions](https://grafana.com/docs/oncall/latest/user-and-team-management/#available-grafana-oncall-rbac-roles--granted-actions).
Docs: OnCall role and action definitions (#61175) * OnCall role and action definitions * change verbs from write to update or edit * Update docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
2023-01-12 14:40:19 +00:00
The following table lists the default RBAC OnCall role assignments to the basic roles:
Docs: No basic role documentation updates (#75110) * Add more scenarios to the documentation --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2023-09-20 15:23:16 +02:00
| Basic role | Associated fixed roles | Description |
| ------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `plugins:grafana-oncall-app:admin` | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments. |
| Admin | `plugins:grafana-oncall-app:admin` | Default [Grafana organization administrator]({{< relref "../#basic-roles" >}}) assignments. |
| Editor | `plugins:grafana-oncall-app:editor` | Default [Editor]({{< relref "../#basic-roles" >}}) assignments. |
| Viewer | `plugins:grafana-oncall-app:reader` | Default [Viewer]({{< relref "../#basic-roles" >}}) assignments. |
Reference in New Issue Copy Permalink