mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Docs: Change access control scopes for dashboards, folders and data sources to be based on uid:s (#48397)
* Change to uid based scopes
This commit is contained in:
Karl Persson
GitHub
parent
a7a5476ac2
commit
0c998a1fbd
@ -19,135 +19,134 @@ To learn more about the Grafana resources to which you can apply RBAC, refer to
|
|||||||
|
|
||||||
The following list contains role-based access control actions.
|
The following list contains role-based access control actions.
|
||||||
|
|
||||||
| Action | Applicable scope | Description |
|
| Action | Applicable scope | Description |
|
||||||
| ------------------------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||||
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
|
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
|
||||||
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
|
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
|
||||||
| `alert.instances:create` | n/a | Create silences in the current organization. |
|
| `alert.instances:create` | n/a | Create silences in the current organization. |
|
||||||
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
|
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
|
||||||
| `alert.instances:update` | n/a | Update and expire silences in the current organization. |
|
| `alert.instances:update` | n/a | Update and expire silences in the current organization. |
|
||||||
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
|
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
|
||||||
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
|
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
|
||||||
| `alert.notifications:create` | n/a | Create templates, contact points, notification policies, and mute timings in the current organization. |
|
| `alert.notifications:create` | n/a | Create templates, contact points, notification policies, and mute timings in the current organization. |
|
||||||
| `alert.notifications:delete` | n/a | Delete templates, contact points, notification policies, and mute timings in the current organization. |
|
| `alert.notifications:delete` | n/a | Delete templates, contact points, notification policies, and mute timings in the current organization. |
|
||||||
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
|
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
|
||||||
| `alert.notifications:update` | n/a | Update templates, contact points, notification policies, and mute timings in the current organization. |
|
| `alert.notifications:update` | n/a | Update templates, contact points, notification policies, and mute timings in the current organization. |
|
||||||
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
|
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
|
||||||
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
|
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
|
||||||
| `alert.rules:create` | `folders:*`<br>`folders:id:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||||||
| `alert.rules:delete` | `folders:*`<br>`folders:id:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||||||
| `alert.rules:read` | `folders:*`<br>`folders:id:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||||||
| `alert.rules:update` | `folders:*`<br>`folders:id:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
| `alert.rules:update` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||||||
| `annotations.create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
|
| `annotations.create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
|
||||||
| `annotations.delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
|
| `annotations.delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
|
||||||
| `annotations.read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
|
| `annotations.read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
|
||||||
| `annotations.write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
|
| `annotations.write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
|
||||||
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Read permissions for one or more dashboards. |
|
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read permissions for one or more dashboards. |
|
||||||
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Update permissions for one or more dashboards. |
|
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update permissions for one or more dashboards. |
|
||||||
| `dashboards:create` | `folders:*`<br>`folders:id:*` | Create dashboards in one or more folders. |
|
| `dashboards:create` | `folders:*`<br>`folders:uid:*` | Create dashboards in one or more folders. |
|
||||||
| `dashboards:delete` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Delete one or more dashboards. |
|
| `dashboards:delete` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Delete one or more dashboards. |
|
||||||
| `dashboards:edit` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Edit one or more dashboards (only in ui). |
|
| `dashboards:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read one or more dashboards. |
|
||||||
| `dashboards:read` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Read one or more dashboards. |
|
| `dashboards:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update one or more dashboards. |
|
||||||
| `dashboards:write` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Update one or more dashboards. |
|
| `datasources.id:read` | `datasources:*`<br>`datasources:uid:*` | Read data source IDs. |
|
||||||
| `datasources.id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
|
| `datasources.permissions:read` | `datasources:*`<br>`datasources:uid:*` | List data source permissions. |
|
||||||
| `datasources.permissions:read` | `datasources:*`<br>`datasources:id:*` | List data source permissions. |
|
| `datasources.permissions:write` | `datasources:*`<br>`datasources:uid:*` | Update data source permissions. |
|
||||||
| `datasources.permissions:write` | `datasources:*`<br>`datasources:id:*` | Update data source permissions. |
|
| `datasources:create` | n/a | Create data sources. |
|
||||||
| `datasources:create` | n/a | Create data sources. |
|
| `datasources:delete` | `datasources:*`<br>`datasources:uid:*` | Delete data sources. |
|
||||||
| `datasources:delete` | `datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Delete data sources. |
|
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
|
||||||
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
|
| `datasources:query` | `datasources:*`<br>`datasources:uid:*` | Query data sources. |
|
||||||
| `datasources:query` | n/a<br>`datasources:*`<br>`datasources:id:*` | Query data sources. |
|
| `datasources:read` | `datasources:*`<br>`datasources:uid:*` | List data sources. |
|
||||||
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
|
| `datasources:write` | `datasources:*`<br>`datasources:uid:*` | Update data sources. |
|
||||||
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
|
| `folers.permissions:read` | `folders:*`<br>`folders:uid:*` | Read permissions for one or more folders. |
|
||||||
| `folders.permissions:write` | `folders:*`<br>`folders:id:*` | Update permissions for one or more folders. |
|
| `folders.permissions:write` | `folders:*`<br>`folders:uid:*` | Update permissions for one or more folders. |
|
||||||
| `folders:create` | n/a | Create folders. |
|
| `folders:create` | n/a | Create folders. |
|
||||||
| `folders:delete` | `folders:*`<br>`folders:id:*` | Delete one or more folders. |
|
| `folders:delete` | `folders:*`<br>`folders:uid:*` | Delete one or more folders. |
|
||||||
| `folders:read` | `folders:*`<br>`folders:id:*` | Read one or more folders. |
|
| `folders:read` | `folders:*`<br>`folders:uid:*` | Read one or more folders. |
|
||||||
| `folders:write` | `folders:*`<br>`folders:id:*` | Update one or more folders. |
|
| `folders:write` | `folders:*`<br>`folders:uid:*` | Update one or more folders. |
|
||||||
| `folers.permissions:read` | `folders:*`<br>`folders:id:*` | Read permissions for one or more folders. |
|
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
|
||||||
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
|
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
|
||||||
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
|
| `ldap.user:read` | n/a | Read users via LDAP. |
|
||||||
| `ldap.user:read` | n/a | Read users via LDAP. |
|
| `ldap.user:sync` | n/a | Sync users via LDAP. |
|
||||||
| `ldap.user:sync` | n/a | Sync users via LDAP. |
|
| `licensing.reports:read` | n/a | Get custom permission reports. |
|
||||||
| `licensing.reports:read` | n/a | Get custom permission reports. |
|
| `licensing:delete` | n/a | Delete the license token. |
|
||||||
| `licensing:delete` | n/a | Delete the license token. |
|
| `licensing:read` | n/a | Read licensing information. |
|
||||||
| `licensing:read` | n/a | Read licensing information. |
|
| `licensing:update` | n/a | Update the license token. |
|
||||||
| `licensing:update` | n/a | Update the license token. |
|
| `org.users.role:update` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
|
||||||
| `org.users.role:update` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
|
| `org.users:add` | `users:*` | Add a user to an organization. |
|
||||||
| `org.users:add` | `users:*` | Add a user to an organization. |
|
| `org.users:read` | `users:*` <br> `users:id:*` | Get user profiles within an organization. |
|
||||||
| `org.users:read` | `users:*` <br> `users:id:*` | Get user profiles within an organization. |
|
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
|
||||||
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
|
| `org:create` | n/a | Create an organization. |
|
||||||
| `org:create` | n/a | Create an organization. |
|
| `orgs.preferences:read` | `orgs:*` <br> `orgs:id:*` | Read organization preferences. |
|
||||||
| `orgs.preferences:read` | `orgs:*` <br> `orgs:id:*` | Read organization preferences. |
|
| `orgs.preferences:write` | `orgs:*` <br> `orgs:id:*` | Update organization preferences. |
|
||||||
| `orgs.preferences:write` | `orgs:*` <br> `orgs:id:*` | Update organization preferences. |
|
| `orgs.quotas:read` | `orgs:*` <br> `orgs:id:*` | Read organization quotas. |
|
||||||
| `orgs.quotas:read` | `orgs:*` <br> `orgs:id:*` | Read organization quotas. |
|
| `orgs.quotas:write` | `orgs:*` <br> `orgs:id:*` | Update organization quotas. |
|
||||||
| `orgs.quotas:write` | `orgs:*` <br> `orgs:id:*` | Update organization quotas. |
|
| `orgs:delete` | `orgs:*` <br> `orgs:id:*` | Delete one or more organizations. |
|
||||||
| `orgs:delete` | `orgs:*` <br> `orgs:id:*` | Delete one or more organizations. |
|
| `orgs:read` | `orgs:*` <br> `orgs:id:*` | Read one or more organizations. |
|
||||||
| `orgs:read` | `orgs:*` <br> `orgs:id:*` | Read one or more organizations. |
|
| `orgs:write` | `orgs:*` <br> `orgs:id:*` | Update one or more organizations. |
|
||||||
| `orgs:write` | `orgs:*` <br> `orgs:id:*` | Update one or more organizations. |
|
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). |
|
||||||
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). |
|
| `reports.admin:create` | n/a | Create reports. |
|
||||||
| `reports.admin:create` | n/a | Create reports. |
|
| `reports.admin:write` | `reports:*` <br> `reports:id:*` | Update reports. |
|
||||||
| `reports.admin:write` | `reports:*` <br> `reports:id:*` | Update reports. |
|
| `reports.settings:read` | n/a | Read report settings. |
|
||||||
| `reports.settings:read` | n/a | Read report settings. |
|
| `reports.settings:write` | n/a | Update report settings. |
|
||||||
| `reports.settings:write` | n/a | Update report settings. |
|
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
|
||||||
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
|
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
|
||||||
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
|
| `reports:send` | `reports:*` | Send a report email. |
|
||||||
| `reports:send` | `reports:*` | Send a report email. |
|
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
|
||||||
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
|
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
|
||||||
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
|
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
|
||||||
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
|
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
|
||||||
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
|
| `roles:list` | `roles:*` | List available roles without permissions. |
|
||||||
| `roles:list` | `roles:*` | List available roles without permissions. |
|
| `roles:read` | `roles:*` <br> `roles:uid:*` | Read a specific role with its permissions. |
|
||||||
| `roles:read` | `roles:*` <br> `roles:uid:*` | Read a specific role with its permissions. |
|
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
|
||||||
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
|
| `server.stats:read` | n/a | Read Grafana instance statistics. |
|
||||||
| `server.stats:read` | n/a | Read Grafana instance statistics. |
|
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
|
||||||
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
|
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
|
||||||
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
|
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
|
||||||
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
|
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and External Group Synchronization setup for teams. |
|
||||||
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and External Group Synchronization setup for teams. |
|
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. |
|
||||||
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. |
|
| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. |
|
||||||
| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. |
|
| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. |
|
||||||
| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. |
|
| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. |
|
||||||
| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. |
|
| `teams:create` | n/a | Create teams. |
|
||||||
| `teams:create` | n/a | Create teams. |
|
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
|
||||||
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
|
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. |
|
||||||
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. |
|
| `teams:write` | `teams:*`<br>`teams:id:*` | Update one or more teams and team preferences. |
|
||||||
| `teams:write` | `teams:*`<br>`teams:id:*` | Update one or more teams and team preferences. |
|
| `users.authtoken:list` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
|
||||||
| `users.authtoken:list` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
|
| `users.authtoken:update` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
|
||||||
| `users.authtoken:update` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
|
| `users.password:update` | `global.users:*` <br> `global.users:id:*` | Update a user’s password. |
|
||||||
| `users.password:update` | `global.users:*` <br> `global.users:id:*` | Update a user’s password. |
|
| `users.permissions:list` | `users:*` | List permissions of a user. |
|
||||||
| `users.permissions:list` | `users:*` | List permissions of a user. |
|
| `users.permissions:update` | `global.users:*` <br> `global.users:id:*` | Update a user’s organization-level permissions. |
|
||||||
| `users.permissions:update` | `global.users:*` <br> `global.users:id:*` | Update a user’s organization-level permissions. |
|
| `users.quotas:list` | `global.users:*` <br> `global.users:id:*` | List a user’s quotas. |
|
||||||
| `users.quotas:list` | `global.users:*` <br> `global.users:id:*` | List a user’s quotas. |
|
| `users.quotas:update` | `global.users:*` <br> `global.users:id:*` | Update a user’s quotas. |
|
||||||
| `users.quotas:update` | `global.users:*` <br> `global.users:id:*` | Update a user’s quotas. |
|
| `users.roles:add` | `permissions:delegate` | Assign a role to a user. |
|
||||||
| `users.roles:add` | `permissions:delegate` | Assign a role to a user. |
|
| `users.roles:list` | `users:*` | List roles assigned directly to a user. |
|
||||||
| `users.roles:list` | `users:*` | List roles assigned directly to a user. |
|
| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. |
|
||||||
| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. |
|
| `users.teams:read` | `global.users:*` <br> `global.users:id:*` | Read a user’s teams. |
|
||||||
| `users.teams:read` | `global.users:*` <br> `global.users:id:*` | Read a user’s teams. |
|
| `users:create` | n/a | Create a user. |
|
||||||
| `users:create` | n/a | Create a user. |
|
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
|
||||||
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
|
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
|
||||||
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
|
| `users:enable` | `globa.users:*` <br> `global.users:id:*` | Enable a user. |
|
||||||
| `users:enable` | `globa.users:*` <br> `global.users:id:*` | Enable a user. |
|
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
|
||||||
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
|
| `users:read` | `global.users:*` | Read or search user profiles. |
|
||||||
| `users:read` | `global.users:*` | Read or search user profiles. |
|
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s profile. |
|
||||||
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s profile. |
|
|
||||||
|
|
||||||
## Scope definitions
|
## Scope definitions
|
||||||
|
|
||||||
The following list contains role-based access control scopes.
|
The following list contains role-based access control scopes.
|
||||||
|
|
||||||
| Scopes | Descriptions |
|
| Scopes | Descriptions |
|
||||||
| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| `annotations:*`<br>`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
|
| `annotations:*`<br>`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
|
||||||
| `dashboards:*`<br>`dashboards:id:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:id:1` matches the dashboard whose ID is `1`. |
|
| `dashboards:*`<br>`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
|
||||||
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
|
| `datasources:*`<br>`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
|
||||||
| `folders:*`<br>`folders:id:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:id:1` matches the folder whose ID is `1`. |
|
| `folders:*`<br>`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. |
|
||||||
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
|
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
|
||||||
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
|
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
|
||||||
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
|
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
|
||||||
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./custom-role-actions-scopes" >}}). |
|
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./custom-role-actions-scopes" >}}). |
|
||||||
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
|
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
|
||||||
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
|
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
|
||||||
| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
|
| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
|
||||||
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
|
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
|
||||||
| `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. |
|
| `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. |
|
||||||
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
|
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
|
||||||
|
|||||||
@ -128,11 +128,11 @@ curl --location --request POST '<grafana_url>/api/access-control/roles/' \
|
|||||||
"permissions": [
|
"permissions": [
|
||||||
{
|
{
|
||||||
"action": "folders:read",
|
"action": "folders:read",
|
||||||
"scope": "folders:id:92"
|
"scope": "folders:uid:YEcBGYU22"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"action": "alert.rules:read",
|
"action": "alert.rules:read",
|
||||||
"scope": "folders:id:92"
|
"scope": "folders:uid:YEcBGYU22"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"action": "datasources:query",
|
"action": "datasources:query",
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user