From 0c998a1fbd369eb18c2a2ae804b4e772ad477ba0 Mon Sep 17 00:00:00 2001 From: Karl Persson Date: Thu, 28 Apr 2022 14:25:20 +0200 Subject: [PATCH] Docs: Change access control scopes for dashboards, folders and data sources to be based on uid:s (#48397) * Change to uid based scopes --- .../custom-role-actions-scopes.md | 253 +++++++++--------- .../plan-rbac-rollout-strategy.md | 4 +- 2 files changed, 128 insertions(+), 129 deletions(-) diff --git a/docs/sources/enterprise/access-control/custom-role-actions-scopes.md b/docs/sources/enterprise/access-control/custom-role-actions-scopes.md index 48cfc02c68b..953dfb16738 100644 --- a/docs/sources/enterprise/access-control/custom-role-actions-scopes.md +++ b/docs/sources/enterprise/access-control/custom-role-actions-scopes.md @@ -19,135 +19,134 @@ To learn more about the Grafana resources to which you can apply RBAC, refer to The following list contains role-based access control actions. -| Action | Applicable scope | Description | -| ------------------------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `alert.instances.external:read` | `datasources:*`
`datasources:uid:*` | Read alerts and silences in data sources that support alerting. | -| `alert.instances.external:write` | `datasources:*`
`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. | -| `alert.instances:create` | n/a | Create silences in the current organization. | -| `alert.instances:read` | n/a | Read alerts and silences in the current organization. | -| `alert.instances:update` | n/a | Update and expire silences in the current organization. | -| `alert.notifications.external:read` | `datasources:*`
`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. | -| `alert.notifications.external:write` | `datasources:*`
`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. | -| `alert.notifications:create` | n/a | Create templates, contact points, notification policies, and mute timings in the current organization. | -| `alert.notifications:delete` | n/a | Delete templates, contact points, notification policies, and mute timings in the current organization. | -| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. | -| `alert.notifications:update` | n/a | Update templates, contact points, notification policies, and mute timings in the current organization. | -| `alert.rules.external:read` | `datasources:*`
`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) | -| `alert.rules.external:write` | `datasources:*`
`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). | -| `alert.rules:create` | `folders:*`
`folders:id:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.rules:delete` | `folders:*`
`folders:id:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.rules:read` | `folders:*`
`folders:id:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.rules:update` | `folders:*`
`folders:id:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `annotations.create` | `annotations:*`
`annotations:type:*` | Create annotations. | -| `annotations.delete` | `annotations:*`
`annotations:type:*` | Delete annotations. | -| `annotations.read` | `annotations:*`
`annotations:type:*` | Read annotations and annotation tags. | -| `annotations.write` | `annotations:*`
`annotations:type:*` | Update annotations. | -| `dashboards.permissions:read` | `dashboards:*`
`dashboards:id:*`
`folders:*`
`folders:id:*` | Read permissions for one or more dashboards. | -| `dashboards.permissions:write` | `dashboards:*`
`dashboards:id:*`
`folders:*`
`folders:id:*` | Update permissions for one or more dashboards. | -| `dashboards:create` | `folders:*`
`folders:id:*` | Create dashboards in one or more folders. | -| `dashboards:delete` | `dashboards:*`
`dashboards:id:*`
`folders:*`
`folders:id:*` | Delete one or more dashboards. | -| `dashboards:edit` | `dashboards:*`
`dashboards:id:*`
`folders:*`
`folders:id:*` | Edit one or more dashboards (only in ui). | -| `dashboards:read` | `dashboards:*`
`dashboards:id:*`
`folders:*`
`folders:id:*` | Read one or more dashboards. | -| `dashboards:write` | `dashboards:*`
`dashboards:id:*`
`folders:*`
`folders:id:*` | Update one or more dashboards. | -| `datasources.id:read` | `datasources:*`
`datasources:name:*` | Read data source IDs. | -| `datasources.permissions:read` | `datasources:*`
`datasources:id:*` | List data source permissions. | -| `datasources.permissions:write` | `datasources:*`
`datasources:id:*` | Update data source permissions. | -| `datasources:create` | n/a | Create data sources. | -| `datasources:delete` | `datasources:id:*`
`datasources:uid:*`
`datasources:name:*` | Delete data sources. | -| `datasources:explore` | n/a | Enable access to the **Explore** tab. | -| `datasources:query` | n/a
`datasources:*`
`datasources:id:*` | Query data sources. | -| `datasources:read` | n/a
`datasources:*`
`datasources:id:*`
`datasources:uid:*`
`datasources:name:*` | List data sources. | -| `datasources:write` | `datasources:*`
`datasources:id:*` | Update data sources. | -| `folders.permissions:write` | `folders:*`
`folders:id:*` | Update permissions for one or more folders. | -| `folders:create` | n/a | Create folders. | -| `folders:delete` | `folders:*`
`folders:id:*` | Delete one or more folders. | -| `folders:read` | `folders:*`
`folders:id:*` | Read one or more folders. | -| `folders:write` | `folders:*`
`folders:id:*` | Update one or more folders. | -| `folers.permissions:read` | `folders:*`
`folders:id:*` | Read permissions for one or more folders. | -| `ldap.config:reload` | n/a | Reload the LDAP configuration. | -| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. | -| `ldap.user:read` | n/a | Read users via LDAP. | -| `ldap.user:sync` | n/a | Sync users via LDAP. | -| `licensing.reports:read` | n/a | Get custom permission reports. | -| `licensing:delete` | n/a | Delete the license token. | -| `licensing:read` | n/a | Read licensing information. | -| `licensing:update` | n/a | Update the license token. | -| `org.users.role:update` | `users:*`
`users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. | -| `org.users:add` | `users:*` | Add a user to an organization. | -| `org.users:read` | `users:*`
`users:id:*` | Get user profiles within an organization. | -| `org.users:remove` | `users:*`
`users:id:*` | Remove a user from an organization. | -| `org:create` | n/a | Create an organization. | -| `orgs.preferences:read` | `orgs:*`
`orgs:id:*` | Read organization preferences. | -| `orgs.preferences:write` | `orgs:*`
`orgs:id:*` | Update organization preferences. | -| `orgs.quotas:read` | `orgs:*`
`orgs:id:*` | Read organization quotas. | -| `orgs.quotas:write` | `orgs:*`
`orgs:id:*` | Update organization quotas. | -| `orgs:delete` | `orgs:*`
`orgs:id:*` | Delete one or more organizations. | -| `orgs:read` | `orgs:*`
`orgs:id:*` | Read one or more organizations. | -| `orgs:write` | `orgs:*`
`orgs:id:*` | Update one or more organizations. | -| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). | -| `reports.admin:create` | n/a | Create reports. | -| `reports.admin:write` | `reports:*`
`reports:id:*` | Update reports. | -| `reports.settings:read` | n/a | Read report settings. | -| `reports.settings:write` | n/a | Update report settings. | -| `reports:delete` | `reports:*`
`reports:id:*` | Delete reports. | -| `reports:read` | `reports:*` | List all available reports or get a specific report. | -| `reports:send` | `reports:*` | Send a report email. | -| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. | -| `roles.builtin:list` | `roles:*` | List built-in role assignments. | -| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. | -| `roles:delete` | `permissions:delegate` | Delete a custom role. | -| `roles:list` | `roles:*` | List available roles without permissions. | -| `roles:read` | `roles:*`
`roles:uid:*` | Read a specific role with its permissions. | -| `roles:write` | `permissions:delegate` | Create or update a custom role. | -| `server.stats:read` | n/a | Read Grafana instance statistics. | -| `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) | -| `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). | -| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | -| `teams.permissions:read` | `teams:*`
`teams:id:*` | Read members and External Group Synchronization setup for teams. | -| `teams.permissions:write` | `teams:*`
`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. | -| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. | -| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. | -| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. | -| `teams:create` | n/a | Create teams. | -| `teams:delete` | `teams:*`
`teams:id:*` | Delete one or more teams. | -| `teams:read` | `teams:*`
`teams:id:*` | Read one or more teams and team preferences. | -| `teams:write` | `teams:*`
`teams:id:*` | Update one or more teams and team preferences. | -| `users.authtoken:list` | `global.users:*`
`global.users:id:*` | List authentication tokens that are assigned to a user. | -| `users.authtoken:update` | `global.users:*`
`global.users:id:*` | Update authentication tokens that are assigned to a user. | -| `users.password:update` | `global.users:*`
`global.users:id:*` | Update a user’s password. | -| `users.permissions:list` | `users:*` | List permissions of a user. | -| `users.permissions:update` | `global.users:*`
`global.users:id:*` | Update a user’s organization-level permissions. | -| `users.quotas:list` | `global.users:*`
`global.users:id:*` | List a user’s quotas. | -| `users.quotas:update` | `global.users:*`
`global.users:id:*` | Update a user’s quotas. | -| `users.roles:add` | `permissions:delegate` | Assign a role to a user. | -| `users.roles:list` | `users:*` | List roles assigned directly to a user. | -| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. | -| `users.teams:read` | `global.users:*`
`global.users:id:*` | Read a user’s teams. | -| `users:create` | n/a | Create a user. | -| `users:delete` | `global.users:*`
`global.users:id:*` | Delete a user. | -| `users:disable` | `global.users:*`
`global.users:id:*` | Disable a user. | -| `users:enable` | `globa.users:*`
`global.users:id:*` | Enable a user. | -| `users:logout` | `global.users:*`
`global.users:id:*` | Sign out a user. | -| `users:read` | `global.users:*` | Read or search user profiles. | -| `users:write` | `global.users:*`
`global.users:id:*` | Update a user’s profile. | +| Action | Applicable scope | Description | +| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `alert.instances.external:read` | `datasources:*`
`datasources:uid:*` | Read alerts and silences in data sources that support alerting. | +| `alert.instances.external:write` | `datasources:*`
`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. | +| `alert.instances:create` | n/a | Create silences in the current organization. | +| `alert.instances:read` | n/a | Read alerts and silences in the current organization. | +| `alert.instances:update` | n/a | Update and expire silences in the current organization. | +| `alert.notifications.external:read` | `datasources:*`
`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. | +| `alert.notifications.external:write` | `datasources:*`
`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. | +| `alert.notifications:create` | n/a | Create templates, contact points, notification policies, and mute timings in the current organization. | +| `alert.notifications:delete` | n/a | Delete templates, contact points, notification policies, and mute timings in the current organization. | +| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. | +| `alert.notifications:update` | n/a | Update templates, contact points, notification policies, and mute timings in the current organization. | +| `alert.rules.external:read` | `datasources:*`
`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) | +| `alert.rules.external:write` | `datasources:*`
`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). | +| `alert.rules:create` | `folders:*`
`folders:uid:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.rules:delete` | `folders:*`
`folders:uid:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.rules:read` | `folders:*`
`folders:uid:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.rules:update` | `folders:*`
`folders:uid:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `annotations.create` | `annotations:*`
`annotations:type:*` | Create annotations. | +| `annotations.delete` | `annotations:*`
`annotations:type:*` | Delete annotations. | +| `annotations.read` | `annotations:*`
`annotations:type:*` | Read annotations and annotation tags. | +| `annotations.write` | `annotations:*`
`annotations:type:*` | Update annotations. | +| `dashboards.permissions:read` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Read permissions for one or more dashboards. | +| `dashboards.permissions:write` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Update permissions for one or more dashboards. | +| `dashboards:create` | `folders:*`
`folders:uid:*` | Create dashboards in one or more folders. | +| `dashboards:delete` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Delete one or more dashboards. | +| `dashboards:read` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Read one or more dashboards. | +| `dashboards:write` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Update one or more dashboards. | +| `datasources.id:read` | `datasources:*`
`datasources:uid:*` | Read data source IDs. | +| `datasources.permissions:read` | `datasources:*`
`datasources:uid:*` | List data source permissions. | +| `datasources.permissions:write` | `datasources:*`
`datasources:uid:*` | Update data source permissions. | +| `datasources:create` | n/a | Create data sources. | +| `datasources:delete` | `datasources:*`
`datasources:uid:*` | Delete data sources. | +| `datasources:explore` | n/a | Enable access to the **Explore** tab. | +| `datasources:query` | `datasources:*`
`datasources:uid:*` | Query data sources. | +| `datasources:read` | `datasources:*`
`datasources:uid:*` | List data sources. | +| `datasources:write` | `datasources:*`
`datasources:uid:*` | Update data sources. | +| `folers.permissions:read` | `folders:*`
`folders:uid:*` | Read permissions for one or more folders. | +| `folders.permissions:write` | `folders:*`
`folders:uid:*` | Update permissions for one or more folders. | +| `folders:create` | n/a | Create folders. | +| `folders:delete` | `folders:*`
`folders:uid:*` | Delete one or more folders. | +| `folders:read` | `folders:*`
`folders:uid:*` | Read one or more folders. | +| `folders:write` | `folders:*`
`folders:uid:*` | Update one or more folders. | +| `ldap.config:reload` | n/a | Reload the LDAP configuration. | +| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. | +| `ldap.user:read` | n/a | Read users via LDAP. | +| `ldap.user:sync` | n/a | Sync users via LDAP. | +| `licensing.reports:read` | n/a | Get custom permission reports. | +| `licensing:delete` | n/a | Delete the license token. | +| `licensing:read` | n/a | Read licensing information. | +| `licensing:update` | n/a | Update the license token. | +| `org.users.role:update` | `users:*`
`users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. | +| `org.users:add` | `users:*` | Add a user to an organization. | +| `org.users:read` | `users:*`
`users:id:*` | Get user profiles within an organization. | +| `org.users:remove` | `users:*`
`users:id:*` | Remove a user from an organization. | +| `org:create` | n/a | Create an organization. | +| `orgs.preferences:read` | `orgs:*`
`orgs:id:*` | Read organization preferences. | +| `orgs.preferences:write` | `orgs:*`
`orgs:id:*` | Update organization preferences. | +| `orgs.quotas:read` | `orgs:*`
`orgs:id:*` | Read organization quotas. | +| `orgs.quotas:write` | `orgs:*`
`orgs:id:*` | Update organization quotas. | +| `orgs:delete` | `orgs:*`
`orgs:id:*` | Delete one or more organizations. | +| `orgs:read` | `orgs:*`
`orgs:id:*` | Read one or more organizations. | +| `orgs:write` | `orgs:*`
`orgs:id:*` | Update one or more organizations. | +| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). | +| `reports.admin:create` | n/a | Create reports. | +| `reports.admin:write` | `reports:*`
`reports:id:*` | Update reports. | +| `reports.settings:read` | n/a | Read report settings. | +| `reports.settings:write` | n/a | Update report settings. | +| `reports:delete` | `reports:*`
`reports:id:*` | Delete reports. | +| `reports:read` | `reports:*` | List all available reports or get a specific report. | +| `reports:send` | `reports:*` | Send a report email. | +| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. | +| `roles.builtin:list` | `roles:*` | List built-in role assignments. | +| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. | +| `roles:delete` | `permissions:delegate` | Delete a custom role. | +| `roles:list` | `roles:*` | List available roles without permissions. | +| `roles:read` | `roles:*`
`roles:uid:*` | Read a specific role with its permissions. | +| `roles:write` | `permissions:delegate` | Create or update a custom role. | +| `server.stats:read` | n/a | Read Grafana instance statistics. | +| `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) | +| `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). | +| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | +| `teams.permissions:read` | `teams:*`
`teams:id:*` | Read members and External Group Synchronization setup for teams. | +| `teams.permissions:write` | `teams:*`
`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. | +| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. | +| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. | +| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. | +| `teams:create` | n/a | Create teams. | +| `teams:delete` | `teams:*`
`teams:id:*` | Delete one or more teams. | +| `teams:read` | `teams:*`
`teams:id:*` | Read one or more teams and team preferences. | +| `teams:write` | `teams:*`
`teams:id:*` | Update one or more teams and team preferences. | +| `users.authtoken:list` | `global.users:*`
`global.users:id:*` | List authentication tokens that are assigned to a user. | +| `users.authtoken:update` | `global.users:*`
`global.users:id:*` | Update authentication tokens that are assigned to a user. | +| `users.password:update` | `global.users:*`
`global.users:id:*` | Update a user’s password. | +| `users.permissions:list` | `users:*` | List permissions of a user. | +| `users.permissions:update` | `global.users:*`
`global.users:id:*` | Update a user’s organization-level permissions. | +| `users.quotas:list` | `global.users:*`
`global.users:id:*` | List a user’s quotas. | +| `users.quotas:update` | `global.users:*`
`global.users:id:*` | Update a user’s quotas. | +| `users.roles:add` | `permissions:delegate` | Assign a role to a user. | +| `users.roles:list` | `users:*` | List roles assigned directly to a user. | +| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. | +| `users.teams:read` | `global.users:*`
`global.users:id:*` | Read a user’s teams. | +| `users:create` | n/a | Create a user. | +| `users:delete` | `global.users:*`
`global.users:id:*` | Delete a user. | +| `users:disable` | `global.users:*`
`global.users:id:*` | Disable a user. | +| `users:enable` | `globa.users:*`
`global.users:id:*` | Enable a user. | +| `users:logout` | `global.users:*`
`global.users:id:*` | Sign out a user. | +| `users:read` | `global.users:*` | Read or search user profiles. | +| `users:write` | `global.users:*`
`global.users:id:*` | Update a user’s profile. | ## Scope definitions The following list contains role-based access control scopes. -| Scopes | Descriptions | -| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations:*`
`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. | -| `dashboards:*`
`dashboards:id:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:id:1` matches the dashboard whose ID is `1`. | -| `datasources:*`
`datasources:id:*`
`datasources:uid:*`
`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. | -| `folders:*`
`folders:id:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:id:1` matches the folder whose ID is `1`. | -| `global.users:*`
`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. | -| `orgs:*`
`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. | -| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | -| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./custom-role-actions-scopes" >}}). | -| `reports:*`
`reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. | -| `roles:*`
`roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. | -| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. | -| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | -| `teams:*`
`teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. | -| `users:*`
`users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. | +| Scopes | Descriptions | +| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `annotations:*`
`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. | +| `dashboards:*`
`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. | +| `datasources:*`
`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. | +| `folders:*`
`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. | +| `global.users:*`
`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. | +| `orgs:*`
`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. | +| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | +| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./custom-role-actions-scopes" >}}). | +| `reports:*`
`reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. | +| `roles:*`
`roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. | +| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. | +| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | +| `teams:*`
`teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. | +| `users:*`
`users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. | diff --git a/docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md b/docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md index f721d837334..0fd8dd3b641 100644 --- a/docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md +++ b/docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md @@ -128,11 +128,11 @@ curl --location --request POST '/api/access-control/roles/' \ "permissions": [ { "action": "folders:read", - "scope": "folders:id:92" + "scope": "folders:uid:YEcBGYU22" }, { "action": "alert.rules:read", - "scope": "folders:id:92" + "scope": "folders:uid:YEcBGYU22" }, { "action": "datasources:query",