Docs: RBAC GA (#49062)

Karl Persson 2022-05-20 21:48:52 +02:00 committed by GitHub
parent b3b650be1f
commit 0cbe4fe661
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
34 changed files with 350 additions and 256 deletions


@ -1945,3 +1945,7 @@ Maximum duration of a single crawl. Default is 1h.
Minimum interval between two subsequent scheduler runs. Default is 12h.
Refer to the [dashboards previews]({{< relref "../dashboards/previews.md" >}}) documentation for detailed instructions.
## [rbac]
Refer to [Role-based access control]({{< relref "../enterprise/access-control/about-rbac.md" >}}) for more information.
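Review bot: the new `## [rbac]` section carries only a cross-reference, while every other section in this file documents its keys with a default (see `Default is 12h.` in the context just above); either list the settings that can be placed under `[rbac]` with their defaults here, or say explicitly that the section has no documented keys so readers do not go hunting for them.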


@ -20,6 +20,8 @@ You can assign a user one of three types of permissions:
A Grafana server administrator manages server-wide settings and access to resources such as organizations, users, and licenses. Grafana includes a default server administrator that you can use to manage all of Grafana, or you can divide that responsibility among other server administrators that you create.
> **Note:** The server administrator role does not mean that the user is also a Grafana [organization administrator]({{< ref "#organization-roles" >}}).
A server administrator can perform the following tasks:
- Manage users and permissions


@ -64,6 +64,8 @@ By default, the viewer organization role does not allow viewers to create dashbo
This modification is useful for public Grafana installations where you want anonymous users to be able to edit panels and queries but not save or create new dashboards.
> **Note**: If you use Grafana Enterprise and customize users' permissions using RBAC, the RBAC permissions override the functionality enabled by the `viewers_can_edit` flag.
### Before you begin
- Ensure that you have access to the Grafana server
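Review bot: "the RBAC permissions override the functionality enabled by the `viewers_can_edit` flag" leaves open whether the flag is merely outranked on conflict or ignored entirely; since this commit removes the "have RBAC enabled" conditions elsewhere, state plainly whether the flag has any effect at all in Grafana Enterprise. Minor: this note is written `**Note**:` while the server-admin page in the same commit uses `**Note:**`; pick one form.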


@ -15,6 +15,8 @@ When `editors_can_admin` is enabled:
- Users with the Editor role in an organization are Administrators for new dashboards and folders they create, meaning they can edit dashboard permissions. To learn more about dashboard permissions, refer to [Manage dashboard permissions]({{< relref "../manage-dashboard-permissions/_index.md" >}}).
- Users with the Editor role in an organization can create teams, and they are Administrators of the teams they create. To learn more about team permissions, refer to [Manage teams]({{< relref "../manage-teams/_index.md" >}})
> **Note**: If you use Grafana Enterprise and customize users' permissions using RBAC, the RBAC permissions override the functionality enabled by the `editors_can_admin` flag.
## Before you begin
- Ensure that you have access to the Grafana server


@ -601,4 +601,4 @@ The following sections detail the supported settings and secure settings for eac
Grafana Enterprise supports provisioning for the following resources:
- [Access control provisioning]({{< relref "../enterprise/access-control/_index.md" >}})
- [Role-based access control provisioning]({{< relref "../enterprise/access-control/rbac-provisioning.md" >}})
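Review bot: both the link text and the target change here, from `access-control/_index.md` to `access-control/rbac-provisioning.md`; confirm that `rbac-provisioning.md` is added by this PR, because the other hunks in the commit keep linking to `access-control/_index.md` and `custom-role-actions-scopes` and a dangling relref fails the Hugo build.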


@ -11,7 +11,7 @@ weight: 30
A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. Create service accounts and tokens to authenticate applications like Terraform with the Grafana API.
> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature To enable service accounts, refer to [Enable service accounts]({{< relref "./enable-service-accounts.md#" >}}) section. Service accounts will eventually replace [API keys]({{< relref "../api-keys/_index.md" >}}) as the primary way to authenticate applications that interact with Grafana.
> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature. To enable service accounts, refer to [Enable service accounts]({{< relref "./enable-service-accounts.md#" >}}) section. Service accounts will eventually replace [API keys]({{< relref "../api-keys/_index.md" >}}) as the primary way to authenticate applications that interact with Grafana.
A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to:
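Review bot: while touching this line for the missing period, also fix "refer to [Enable service accounts] section" (missing "the") and the stray trailing `#` in the relref `enable-service-accounts.md#`, which links to an empty fragment.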


@ -21,7 +21,7 @@ For new installations or existing installs without alerting configured, Grafana
- For existing OSS installations with legacy dashboard alerting, you can [opt-in]({{< relref "./opt-in.md" >}}) to Grafana alerting.
- For Grafana Cloud instances using legacy cloud alerting, contact customer support to migrate to Grafana alerting.
Before you begin, we recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "./fundamentals/_index.md" >}}) of Grafana alerting. Refer to [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise to learn more about controlling access to alerts using fine-grained permissions.
Before you begin, we recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "./fundamentals/_index.md" >}}) of Grafana alerting. Refer to [Role-based access control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise to learn more about controlling access to alerts using role-based permissions.
- [Enable Grafana alerting in OSS]({{< relref "./opt-in.md" >}})
- [Migrating legacy alerts]({{< relref "./migrating-legacy-alerts.md" >}})


@ -9,10 +9,9 @@ title = "RBAC HTTP API"
> Role-based access control API is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../../enterprise" >}}).
The API can be used to create, update, get and list roles, and create or remove assignments.
To use the API, you would need to [enable role-based access control]({{< relref "../../enterprise/access-control/_index.md#enable-role-based-access-control" >}}).
The API can be used to create, update, delete, get, and list roles.
The API does not currently work with an API Token. So in order to use these API endpoints you will have to use [Basic auth]({{< relref "auth#basic-auth" >}}).
To check which basic or fixed roles have the required permissions, refer to [RBAC role definitions]({{< ref "../../enterprise/access-control/rbac-fixed-basic-role-definitions.md" >}}).
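Review bot: the rewritten summary "create, update, delete, get, and list roles" drops the "create or remove assignments" capability that the removed sentence listed; if the page still documents the role assignment endpoints, the summary should still mention them so readers know assignment is covered here. Dropping the "you would need to enable role-based access control" sentence is consistent with the GA change.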
## Get status


@ -11,8 +11,7 @@ The Admin HTTP API does not currently work with an API Token. API Tokens are cur
the permission of server admin, only users can be given that permission. So in order to use these API calls you will have to use Basic Auth and the Grafana user
must have the Grafana Admin permission. (The default admin user is called `admin` and has permission to use this API.)
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Fetch settings
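Review bot: the new note says "for some endpoints you'll need to have specific permissions", but every `Required permissions` block on this page just points back at this note ("See note in the introduction"), so a reader never learns which action and scope an admin endpoint actually checks; add per-endpoint Action/Scope tables as the Authentication and Dashboard pages in this same commit do.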
@ -20,7 +19,7 @@ must have the Grafana Admin permission. (The default admin user is called `admin
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
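Review bot: demoting `#### Required permissions` to bold text removes these entries from the generated table of contents and drops their anchors; repeated identical headings only produce numbered duplicate anchors, so this is an improvement, but check that nothing links to a `#required-permissions` anchor on this page before merging.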
@ -192,7 +191,7 @@ Updates / removes and reloads database settings. You must provide either `update
This endpoint only supports changes to `auth.saml` configuration.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -246,7 +245,7 @@ Status codes:
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -328,7 +327,7 @@ Content-Type: application/json
Create new user. Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -370,7 +369,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
Change password for a specific user.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -403,7 +402,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -436,7 +435,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -504,7 +503,7 @@ Return a list of all auth tokens (devices) that the user currently have logged i
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -563,7 +562,7 @@ and will be required to authenticate again upon next activity.
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -603,7 +602,7 @@ and will be required to authenticate again upon next activity.
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
@ -648,7 +647,7 @@ polling for changes in dashboard files and then restart it with new configuratio
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.


@ -9,14 +9,13 @@ title = "Annotations HTTP API "
This is the API documentation for the new Grafana Annotations feature released in Grafana 4.6. Annotations are saved in the Grafana database (sqlite, mysql or postgres). Annotations can be organization annotations that can be shown on any dashboard by configuring an annotation data source - they are filtered by tags. Or they can be tied to a panel on a dashboard and are then only shown on that panel.
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, access to endpoints will be controlled by role-based access control permissions.
> Refer to specific endpoints to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Find Annotations
`GET /api/annotations?from=1506676478816&to=1507281278816&tags=tag1&tags=tag2&limit=100`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.
@ -105,7 +104,7 @@ The format for `time` and `timeEnd` should be epoch numbers in millisecond resol
`POST /api/annotations`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.
@ -153,7 +152,7 @@ format (string with multiple tags being separated by a space).
`POST /api/annotations/graphite`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.
@ -194,7 +193,7 @@ Content-Type: application/json
Updates all properties of an annotation that matches the specified id. To only update certain property, consider using the [Patch Annotation](#patch-annotation) operation.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.
@ -239,7 +238,7 @@ Updates one or more properties of an annotation that matches the specified id.
This operation currently supports updating of the `text`, `tags`, `time` and `timeEnd` properties.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.
@ -278,7 +277,7 @@ Content-Type: application/json
Deletes the annotation that matches the specified id.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.
@ -312,7 +311,7 @@ Content-Type: application/json
Find all the event tags created in the annotations.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#annotations-api" >}}) for an explanation.


@ -7,9 +7,11 @@ title = "Authentication HTTP API "
# Authentication API
> If you are running Grafana Enterprise, for some endpoints you would need to have relevant permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Tokens
Currently you can authenticate via an `API Token` or via a `Session cookie` (acquired using regular login or OAuth).
Currently, you can authenticate via an `API Token` or via a `Session cookie` (acquired using regular login or OAuth).
## X-Grafana-Org-Id Header
@ -76,6 +78,14 @@ curl example:
`GET /api/auth/keys`
**Required permissions**
See note in the [introduction]({{< ref "#authentication-api" >}}) for an explanation.
| Action | Scope |
| -------------- | ----------- |
| `apikeys:read` | `apikeys:*` |
**Example Request**:
```http
@ -114,6 +124,14 @@ Content-Type: application/json
`POST /api/auth/keys`
**Required permissions**
See note in the [introduction]({{< ref "#authentication-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ----- |
| `apikeys:create` | n/a |
**Example Request**:
```http
@ -153,6 +171,14 @@ Content-Type: application/json
`DELETE /api/auth/keys/:id`
**Required permissions**
See note in the [introduction]({{< ref "#authentication-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ---------- |
| `apikeys:delete` | apikeys:\* |
**Example Request**:
```http
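Review bot: the scope cell `apikeys:\*` is escaped plain text, whereas the read table above writes the same value as a code span (`` `apikeys:*` ``); use the code span here too so the three tables render the scope identically.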


@ -7,6 +7,8 @@ title = "Dashboard HTTP API "
# Dashboard API
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Identifier (id) vs unique identifier (uid)
The identifier (id) of a dashboard is an auto-incrementing numeric value and is only unique per Grafana install.
@ -24,6 +26,14 @@ The uid can have a maximum length of 40 characters.
Creates a new dashboard or updates an existing dashboard. When updating existing dashboards, if you do not define the `folderId` or the `folderUid` property, then the dashboard(s) are moved to the General folder. (You need to define only one property, not both).
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-api" >}}) for an explanation.
| Action | Scope |
| ------------------- | ----------- |
| `dashboards:create` | `folders:*` |
**Example Request for new dashboard**:
```http
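Review bot: the table gives `folders:*` as the scope for `dashboards:create`, but the paragraph above says a dashboard without `folderId`/`folderUid` is placed in the General folder; say which scope covers creation in the General folder, otherwise an operator who grants a narrower folder scope cannot tell whether such requests will be allowed.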
@ -272,6 +282,14 @@ In case of title already exists the `status` property will be `name-exists`.
Will return the dashboard given the dashboard unique identifier (uid). Information about the unique identifier of a folder containing the requested dashboard might be found in the metadata.
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-api" >}}) for an explanation.
| Action | Scope |
| ----------------- | -------------- |
| `dashboards:read` | `dashboards:*` |
**Example Request**:
```http
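Review bot: this uid-based endpoint lists the scope as `dashboards:*`, while the uid-based endpoints on the Dashboard Permissions page in this same commit use `dashboards:uid:*`; either use one notation throughout or add a sentence explaining that both scope forms are accepted.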
@ -320,6 +338,14 @@ Status Codes:
Will delete the dashboard given the specified unique identifier (uid).
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-api" >}}) for an explanation.
| Action | Scope |
| ------------------- | ----------------------------- |
| `dashboards:delete` | `dashboards:*`<br>`folders:*` |
**Example Request**:
```http
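Review bot: the scope cell joins `dashboards:*` and `folders:*` with a `<br>` without saying whether the delete requires both scopes or either one; spell that out in the table or the sentence above it, since it determines how narrow a delete grant can be. The HTML line break is also new on this page, where the Scope column is otherwise a single value.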


@ -17,12 +17,22 @@ The permission levels for the permission field:
- 2 = Edit
- 4 = Admin
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Get permissions for a dashboard
`GET /api/dashboards/uid/:uid/permissions`
Gets all existing permissions for the dashboard with the given `uid`.
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-permission-api" >}}) for an explanation.
| Action | Scope |
| ----------------------------- | ------------------------------------- |
| `dashboards.permissions:read` | `dashboards:uid:*`<br>`folders:uid:*` |
**Example request**:
```http
@ -94,6 +104,14 @@ Status Codes:
Updates permissions for a dashboard. This operation will remove existing permissions if they're not included in the request.
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-permission-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ------------------------------------- |
| `dashboards.permissions:write` | `dashboards:uid:*`<br>`folders:uid:*` |
**Example request**:
```http
@ -153,6 +171,14 @@ Status Codes:
Gets all existing permissions for the dashboard with the given `dashboardId`.
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-permission-api" >}}) for an explanation.
| Action | Scope |
| ----------------------------- | ----------------------------- |
| `dashboards.permissions:read` | `dashboards:*`<br>`folders:*` |
**Example request**:
```http
@ -226,6 +252,14 @@ Status Codes:
Updates permissions for a dashboard. This operation will remove existing permissions if they're not included in the request.
**Required permissions**
See note in the [introduction]({{< ref "#dashboard-permission-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ----------------------------- |
| `dashboards.permissions:write` | `dashboards:*`<br>`folders:*` |
**Example request**:
```http


@ -7,14 +7,13 @@ title = "Data source HTTP API "
# Data source API
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Get all data sources
`GET /api/datasources`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -70,7 +69,7 @@ Content-Type: application/json
`GET /api/datasources/:datasourceId`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -126,7 +125,7 @@ Content-Type: application/json
`GET /api/datasources/uid/:uid`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -182,7 +181,7 @@ Content-Type: application/json
`GET /api/datasources/name/:name`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -238,7 +237,7 @@ Content-Type: application/json
`GET /api/datasources/id/:name`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -272,7 +271,7 @@ Content-Type: application/json
`POST /api/datasources`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -420,7 +419,7 @@ Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
`PUT /api/datasources/:datasourceId`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -500,7 +499,7 @@ Content-Type: application/json
`DELETE /api/datasources/:datasourceId`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -532,7 +531,7 @@ Content-Type: application/json
`DELETE /api/datasources/uid/:uid`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
@ -567,7 +566,7 @@ Content-Type: application/json
`DELETE /api/datasources/name/:datasourceName`
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.


@ -9,8 +9,7 @@ title = "Datasource Permissions HTTP API "
> The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../../enterprise" >}}).
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
This API can be used to enable, disable, list, add and remove permissions for a data source.
@ -26,7 +25,7 @@ The permission levels for the permission field:
Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
@ -71,7 +70,7 @@ Status codes:
Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
@ -116,7 +115,7 @@ Status codes:
Gets all existing permissions for the data source with the given `id`.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
@ -187,7 +186,7 @@ Status codes:
Adds a user permission for the data source with the given `id`.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
@ -261,7 +260,7 @@ Status codes:
Removes the permission with the given `permissionId` for the data source with the given `id`.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.


@ -9,16 +9,15 @@ title = "External Group Sync HTTP API "
> External Group Synchronization is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../../enterprise" >}}).
> If you have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, access to endpoints will be controlled by role-based access control permissions.
> Refer to specific endpoints to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Get External Groups
`GET /api/teams/:teamId/groups`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#external-group-synchronization-api" >}}) for an explanation.
| Action | Scope |
| ---------------------- | -------- |
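Review bot: good fix, `#team-api` pointed at a heading on a different page; verify that `#external-group-synchronization-api` matches the id Hugo generates for this page's H1, since the old anchor silently rendered as a dead link rather than failing the build.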
@ -58,9 +57,9 @@ Status Codes:
`POST /api/teams/:teamId/groups`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#external-group-synchronization-api" >}}) for an explanation.
| Action | Scope |
| ----------------------- | -------- |
@ -100,9 +99,9 @@ Status Codes:
`DELETE /api/teams/:teamId/groups/:groupId`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#external-group-synchronization-api" >}}) for an explanation.
| Action | Scope |
| ----------------------- | -------- |


@ -7,6 +7,8 @@ title = "Folder HTTP API "
# Folder API
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Identifier (id) vs unique identifier (uid)
The identifier (id) of a folder is an auto-incrementing numeric value and is only unique per Grafana install.
@ -26,6 +28,14 @@ that you cannot use this API for retrieving information about the General folder
Returns all folders that the authenticated user has permission to view. You can control the maximum number of folders returned through the `limit` query parameter, the default is 1000. You can also pass the `page` query parameter for fetching folders from a page other than the first one.
**Required permissions**
See note in the [introduction]({{< ref "#folder-api" >}}) for an explanation.
| Action | Scope |
| -------------- | ----------- |
| `folders:read` | `folders:*` |
**Example Request**:
```http
@ -61,6 +71,14 @@ Content-Type: application/json
Will return the folder given the folder uid.
**Required permissions**
See note in the [introduction]({{< ref "#folder-api" >}}) for an explanation.
| Action | Scope |
| -------------- | ----------- |
| `folders:read` | `folders:*` |
**Example Request**:
```http
@ -106,6 +124,14 @@ Status Codes:
Creates a new folder.
**Required permissions**
See note in the [introduction]({{< ref "#folder-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ----- |
| `folders:create` | n/a |
**Example Request**:
```http
@ -162,6 +188,14 @@ Status Codes:
Updates an existing folder identified by uid.
**Required permissions**
See note in the [introduction]({{< ref "#folder-api" >}}) for an explanation.
| Action | Scope |
| --------------- | ----------- |
| `folders:write` | `folders:*` |
**Example Request**:
```http
@ -241,6 +275,14 @@ Deletes an existing folder identified by UID along with all dashboards (and thei
If [Grafana alerting]({{< relref "../../alerting/_index.md" >}}) is enabled, you can set an optional query parameter `forceDeleteRules=false` so that requests will fail with 400 (Bad Request) error if the folder contains any Grafana alerts. However, if this parameter is set to `true` then it will delete any Grafana alerts under this folder.
**Required permissions**
See note in the [introduction]({{< ref "#folder-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ----------- |
| `folders:delete` | `folders:*` |
**Example Request**:
```http
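Review bot: with `forceDeleteRules=true` this endpoint also deletes every Grafana alert rule under the folder, but the table lists only `folders:delete` on `folders:*`; confirm whether an alert-rule permission is checked on that path and, if so, document it here, since this is the destructive variant of the call.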
@ -277,6 +319,14 @@ Status Codes:
Will return the folder identified by id.
**Required permissions**
See note in the [introduction]({{< ref "#folder-api" >}}) for an explanation.
| Action | Scope |
| -------------- | ----------- |
| `folders:read` | `folders:*` |
**Example Request**:
```http


@ -11,6 +11,8 @@ title = "Folder/Dashboard Search HTTP API "
`GET /api/search/`
> Note: When using [Role-based access control]({{< relref "../../enterprise/access-control" >}}), search results will contain only dashboards and folders which you have access to.
Query parameters:
- **query** Search Query


@ -17,12 +17,22 @@ The permission levels for the permission field:
- 2 = Edit
- 4 = Admin
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Get permissions for a folder
`GET /api/folders/:uid/permissions`
Gets all existing permissions for the folder with the given `uid`.
**Required permissions**
See note in the [introduction]({{< ref "#folder-permission-api" >}}) for an explanation.
| Action | Scope |
| -------------------------- | ----------- |
| `folders.permissions:read` | `folders:*` |
**Example request**:
```http
@ -94,6 +104,14 @@ Status Codes:
Updates permissions for a folder. This operation will remove existing permissions if they're not included in the request.
**Required permissions**
See note in the [introduction]({{< ref "#folder-permission-api" >}}) for an explanation.
| Action | Scope |
| --------------------------- | ----------- |
| `folders.permissions:write` | `folders:*` |
**Example request**:
```http


@ -9,8 +9,7 @@ title = "Licensing HTTP API "
Licensing is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../../enterprise" >}}).
If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Check license availability
@ -20,7 +19,7 @@ Refer to specific resources to understand what permissions are required.
Checks if a valid license is available.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#enterprise-license-api" >}}) for an explanation.
@ -60,7 +59,7 @@ Status codes:
Manually ask license issuer for a new token.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#enterprise-license-api" >}}) for an explanation.
@ -120,7 +119,7 @@ Status Codes:
Removes the license stored in the Grafana database.
### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#enterprise-license-api" >}}) for an explanation.

@ -11,8 +11,7 @@ The Organization HTTP API is divided in two resources, `/api/org` (current organ
and `/api/orgs` (admin organizations). One big difference between these are that
the admin of all organizations API only works with basic authentication, see [Admin Organizations API](#admin-organizations-api) for more information.
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Current Organization API
@ -20,7 +19,7 @@ the admin of all organizations API only works with basic authentication, see [Ad
`GET /api/org/`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -56,7 +55,7 @@ Content-Type: application/json
Returns all org users within the current organization.
Accessible to users with org admin role.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -102,7 +101,7 @@ Accessible to users with org admin role, admin in any folder or admin of any tea
Mainly used by Grafana UI for providing list of users when adding team members and
when editing folder/dashboard permissions.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -138,7 +137,7 @@ Content-Type: application/json
`PATCH /api/org/users/:userId`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -172,7 +171,7 @@ Content-Type: application/json
`DELETE /api/org/users/:userId`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -202,7 +201,7 @@ Content-Type: application/json
`PUT /api/org`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -238,7 +237,7 @@ Content-Type: application/json
Adds a global user to the current organization.
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -283,7 +282,7 @@ is called `admin` and has permission to use this API).
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -325,7 +324,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -367,7 +366,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -410,7 +409,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -452,7 +451,7 @@ Content-Type: application/json
Update Organization, fields _Address 1_, _Address 2_, _City_ are not implemented yet.
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -487,7 +486,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -517,7 +516,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -558,7 +557,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -594,7 +593,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.
@ -629,7 +628,7 @@ Content-Type: application/json
Only works with Basic Authentication (username and password), see [introduction](#admin-organizations-api).
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#organization-api" >}}) for an explanation.

@ -11,8 +11,7 @@ This API allows you to interact programmatically with the [Reporting]({{< relref
> Reporting is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../../enterprise" >}}).
> If you have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Send a report

@ -7,16 +7,15 @@ title = "Service account HTTP API "
# Service account API
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Search service accounts with Paging
`GET /api/serviceaccounts/search?perpage=10&page=1&query=myserviceaccount`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------------- |
@ -81,9 +80,9 @@ Content-Type: application/json
`POST /api/serviceaccounts`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
@ -129,9 +128,9 @@ Content-Type: application/json
`GET /api/serviceaccounts/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------ |
@ -172,9 +171,9 @@ Content-Type: application/json
`PATCH /api/serviceaccounts/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
@ -224,9 +223,9 @@ Content-Type: application/json
`GET /api/serviceaccounts/:id/tokens`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------ |
@ -266,9 +265,9 @@ Content-Type: application/json
`POST /api/serviceaccounts/:id/tokens`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
@ -307,9 +306,9 @@ Content-Type: application/json
`DELETE /api/serviceaccounts/:id/tokens/:tokenId`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |

@ -16,8 +16,7 @@ Access to these API endpoints is restricted as follows:
- If you enable `editors_can_admin` configuration flag, then Organization Editors can create teams and manage teams where they are Admin.
- If you enable `editors_can_admin` configuration flag, Editors can find out whether a team that they are not members of exists by trying to create a team with the same name.
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, access to endpoints will be controlled by role-based access control permissions.
> Refer to specific endpoints to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Team Search With Paging
@ -27,7 +26,7 @@ or
`GET /api/teams/search?name=myteam`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -90,7 +89,7 @@ The `name` parameter returns a single team if the parameter matches the `name` f
`GET /api/teams/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -136,7 +135,7 @@ The Team `name` needs to be unique. `name` is required and `email`,`orgId` is op
`POST /api/teams`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -181,7 +180,7 @@ There are two fields that can be updated for a team: `name` and `email`.
`PUT /api/teams/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -224,7 +223,7 @@ Status Codes:
`DELETE /api/teams/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -261,7 +260,7 @@ Status Codes:
`GET /api/teams/:teamId/members`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -314,7 +313,7 @@ Status Codes:
`POST /api/teams/:teamId/members`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -356,7 +355,7 @@ Status Codes:
`DELETE /api/teams/:teamId/members/:userId`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -393,7 +392,7 @@ Status Codes:
`GET /api/teams/:teamId/preferences`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.
@ -427,7 +426,7 @@ Content-Type: application/json
`PUT /api/teams/:teamId/preferences`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#team-api" >}}) for an explanation.

@ -7,14 +7,13 @@ title = "User HTTP API "
# User API
> If you are running Grafana Enterprise and have [Role-based access control]({{< relref "../../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
> If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "../../enterprise/access-control/custom-role-actions-scopes" >}}) for more information.
## Search Users
`GET /api/users?perpage=10&page=1`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
@ -69,7 +68,7 @@ Content-Type: application/json
`GET /api/users/search?perpage=10&page=1&query=mygraf`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
@ -130,7 +129,7 @@ Content-Type: application/json
`GET /api/users/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
@ -176,7 +175,7 @@ Content-Type: application/json
`GET /api/users/lookup?loginOrEmail=user@mygraf.com`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
@ -231,7 +230,7 @@ Content-Type: application/json
`PUT /api/users/:id`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
@ -270,7 +269,7 @@ Content-Type: application/json
`GET /api/users/:id/orgs`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
@ -308,7 +307,7 @@ Content-Type: application/json
`GET /api/users/:id/teams`
#### Required permissions
**Required permissions**
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.

@ -15,8 +15,6 @@ weight: 10
Role-based access control (RBAC) provides a standardized way of granting, changing, and revoking access so that users can view and modify Grafana resources, such as users and reports.
RBAC extends Grafana basic roles that are included in Grafana OSS, and enables you more granular control of users actions.
> **Note:** RBAC is in beta, so you can expect changes in future releases.
By using RBAC you can provide users with permissions that extend the permissions available with basic roles. For example, you can use RBAC to:
- Modify existing basic roles: for example, enable an editor to create reports
@ -50,16 +48,21 @@ Each basic role is comprised of a number of _permissions_. For example, the view
- `Action: annotations:write, Scope: annotations:type:dashboard`: Enables the viewer to modify annotations of a dashboard.
- `Action: annotations:delete, Scope: annotations:type:dashboard`: Enables the viewer to remove annotations from a dashboard.
You can use RBAC to modify the permissions associated with any basic role, which changes what viewers, editors, or admins can do. For more information about the permissions associated with each basic role, refer to [Basic role definitions]({{< relref "./rbac-fixed-basic-role-definitions#basic-role-assignments" >}}).
You cannot delete basic roles.
> **Note:** You can't have a Grafana user without a basic role assigned.
> **Note:** You must assign each Grafana user a basic role.
### Basic role modification
You can use RBAC to modify the permissions associated with any basic role, which changes what viewers, editors, or admins can do. You can't delete basic roles.
Note that any modification to any of these basic role is not propagated to the other basic roles.
For example, if you modify Viewer basic role and grant additional permission, Editors or Admins won't have that additional grant.
For more information about the permissions associated with each basic role, refer to [Basic role definitions]({{< relref "./rbac-fixed-basic-role-definitions#basic-role-assignments" >}}).
To interact with the API and view or modify basic roles permissions, refer to [the table]({{< relref "./manage-rbac-roles#basic-role-uid-mapping" >}}) that maps basic role names to the associated UID.
## Fixed roles
Grafana Enterprise includes the ability for you to assign discrete fixed roles to users and teams. This gives you finer-grained control over user permissions than you would have with basic roles alone. These roles are called "fixed" because you cannot change or delete fixed roles. You can also create _custom_ roles of your own; see more information in the [custom roles section]({{< relref "#custom-roles" >}}) below.
Grafana Enterprise includes the ability for you to assign discrete fixed roles to users, teams, and service accounts. This gives you fine-grained control over user permissions than you would have with basic roles alone. These roles are called "fixed" because you cannot change or delete fixed roles. You can also create _custom_ roles of your own; see more information in the [custom roles section]({{< relref "#custom-roles" >}}) below.
Assign fixed roles when the basic roles do not meet your permission requirements. For example, you might want a user with the basic viewer role to also edit dashboards. Or, you might want anyone with the editor role to also add and manage users. Fixed roles provide users more granular access to create, view, and update the following Grafana resources:
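Review bot: the rewritten Fixed roles sentence `This gives you fine-grained control over user permissions than you would have with basic roles alone.` is ungrammatical; keep the comparative from the removed line (`finer-grained control ... than`) or drop `than you would have with basic roles alone`. In the new Basic role modification section, `any modification to any of these basic role is not propagated` should read `basic roles`, and `Viewer basic role` / `Editors or Admins` should use one capitalisation, matching `viewers, editors, or admins` in the sentence before it.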

@ -54,8 +54,6 @@ In both cases, the assignment applies only to the user or team within the affect
![User role picker in an organization](/static/img/docs/enterprise/user_role_picker_in_org.png)
<br/>
**To assign a fixed role as a server administrator:**
1. Sign in to Grafana, hover your cursor over **Server Admin** (the shield icon) in the left navigation menu, and click **Users**.
@ -69,14 +67,10 @@ In both cases, the assignment applies only to the user or team within the affect
Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.
</br>
**Before you begin:**
- [Enable role provisioning]({{< relref "./enable-rbac-and-provisioning#enable-role-provisioning" >}})
- Ensure that the team to which you are adding the fixed role exists. For more information about creating teams, refer to [Manage teams]({{< relref "../../administration/manage-users-and-permissions/manage-teams/_index.md" >}})
</br>
- Refer to [Role provisioning]({{< relref "./rbac-provisioning#rbac-provisioning" >}})
- Ensure that the team to which you are adding the fixed role exists. For more information about creating teams, refer to [Manage teams]({{< relref "../../administration/manage-users-and-permissions/manage-teams/_index.md">}})
**To assign a role to a team:**
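Review bot: the second bullet's shortcode `{{< relref "../../administration/manage-users-and-permissions/manage-teams/_index.md">}}` has lost the space before `>}}` that the removed line and the other relrefs in this file keep; restore it for consistency. Also, `- Refer to [Role provisioning](...)` under **Before you begin** is a pointer rather than a prerequisite; phrase it as the thing the reader must already have done, for example that role provisioning is configured as described in Role provisioning.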

@ -0,0 +1,23 @@
---
title: 'Configure RBAC in Grafana'
menuTitle: 'Configure RBAC'
description: 'Learn how to configure RBAC.'
aliases: []
weight: 30
---
# Configure RBAC in Grafana
The table below describes all RBAC configuration options. Like any other Grafana configuration, you can apply these options as [environment variables]({{< relref "../../administration/configuration.md#configure-with-environment-variables" >}}).
| Setting | Required | Description | Default |
| ------------------ | -------- | ---------------------------------------------------------------------------- | ------- |
| `permission_cache` | No | Enable to use in memory cache for loading and evaluating users' permissions. | `true` |
## Example RBAC configuration
```bash
[rbac]
permission_cache = true
```
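Review bot: the `permission_cache` description says what the cache is for but not when it is invalidated. A cached permission set can outlive a role or assignment change, so operators need to know how long a revoked permission may still be honoured (a fixed TTL, invalidation when an assignment changes, or only on restart) and whether setting the option to `false` makes revocation immediate at the cost of database load; add that to the Description column. Minor: `in memory cache` should be `in-memory cache`, and the example is an INI fragment, so the fence is better tagged `ini` than `bash`.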

@ -1,93 +0,0 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/enable-rbac-and-provisioning/
description: Learn how to enable RBAC and provisioning in Grafana.
menuTitle: Enable RBAC and provisioning
title: Enable RBAC and provisioning in Grafana
weight: 30
---
# Enable RBAC and provisioning
Before you assign RBAC roles to Grafana users and teams, you must enable it by:
- Adding a feature toggle to the Grafana configuration file, or
- Adding an environment variable to the Grafana configuration file
If you use provisioning to assign and manage roles, in addition to enabling RBAC, you must enable provisioning.
This topic includes instructions for both methods of enabling role-based access control, and steps for enabling provisioning.
## Enable RBAC
This section describes how to enable RBAC by setting a feature flag or adding an environment variable to the Grafana configuration file. You choose one method to enable RBAC. You are not required to use both methods to enable RBAC.
> **Note:** The environment variable overrides access control settings in the configuration file, if any exist.
</br>
**Before you begin:**
- Ensure that you have administration privileges to the Grafana server.
</br>
**To enable RBAC:**
1. Open the Grafana configuration file.
For more information about the location of the Grafana configuration file, refer to [config file]({{< relref "../../administration/configuration.md#config-file-locations" >}}).
1. To enable RBAC using the feature toggle:
a. Locate the `[feature toggles]` section in the configuration file.
b. Add the following feature toggle parameter:
```
[feature_toggles]
# enable features, separated by spaces
enable = accesscontrol
```
1. To enable RBAC by setting an environment variable, add the following environment variable to the configuration file:
`GF_FEATURE_TOGGLES_ENABLE = accesscontrol`
For more information about using environment variables in Grafana, refer to [Configuring with environment variables]({{< relref "../../administration/configuration.md#configure-with-environment-variables" >}}).
1. Save your changes and restart the Grafana server.
1. To verify that RBAC is enabled, send an HTTP request to the check endpoint.
For more information about sending an HTTP request to the check endpoint, refer to [Check endpoint]({{< relref "../../developers/http_api/access_control.md#check-if-enabled" >}}).
## Enable role provisioning
You can create, change, or remove [custom roles]({{< relref "./manage-rbac-roles.md#create-custom-roles-using-provisioning" >}}) and update [basic roles]({{< relref "./manage-rbac-roles.md#update-basic-role-permissions" >}}), by adding one or more YAML configuration files in the `provisioning/access-control/` directory.
If you choose to use provisioning to assign and manage role, you must first enable it.
Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect.
</br>
**Before you begin:**
- Ensure that you have access to files on the server where Grafana is running.
</br>
**To manage and assign RBAC roles using provisioning:**
1. Sign in to the Grafana server.
2. Locate the Grafana provisioning folder.
3. Create a new YAML in the following folder: **provisioning/access-control**. For example, `provisioning/access-control/custom-roles.yml`
4. Add RBAC provisioning details to the configuration file. See [manage RBAC roles]({{< relref "manage-rbac-roles.md" >}}) and [assign RBAC roles]({{< relref "assign-rbac-roles.md" >}}) for instructions, and see this [example role provisioning file]({{< relref "provisioning-roles-example.md" >}}) for a complete example of a provisioning file.
5. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../developers/http_api/admin/#reload-provisioning-configurations" >}}).
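Review bot: deleting this page removes the URL it advertised in its front matter, `/docs/grafana/latest/enterprise/access-control/enable-rbac-and-provisioning/`, together with the `#enable-rbac` and `#enable-role-provisioning` anchors that other pages linked to. Add that path to the `aliases` of the page that takes over its content (the new `rbac-provisioning` page in this commit repeats the Enable role provisioning steps) so existing links and bookmarks redirect instead of failing, and grep the docs for any remaining `enable-rbac-and-provisioning` relref.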

@ -6,7 +6,7 @@ aliases:
description: Learn how to view permissions associated with roles, create custom roles,
and update and delete roles in Grafana.
menuTitle: Manage RBAC roles
title: Manage RBAC roles
title: Manage Grafana RBAC roles
weight: 50
---
@ -14,17 +14,13 @@ weight: 50
This section includes instructions for how to view permissions associated with roles, create custom roles, and update and delete roles.
**Before you begin:**
- [Enable role-based access control]({{< relref "./enable-rbac-and-provisioning#enable-rback" >}}).
The following example includes the base64 username:password Basic Authorization. You cannot use authorization tokens in the request.
### List permissions associated with roles
Use a `GET` command to see the actions and scopes associated with a role. For more information about seeing a list of permissions for each role, refer to [Get a role]({{< relref "../../developers/http_api/access_control.md#get-a-role" >}}).
<span id="basic-role-uid-mapping">To see the permissions associated with basic roles, refer to the following basic role UIDs</span>:
To see the permissions associated with basic roles, refer to the following basic role UIDs:
| Basic role | UID |
| --------------- | --------------------- |
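Review bot: removing `<span id="basic-role-uid-mapping">` from `To see the permissions associated with basic roles, refer to the following basic role UIDs:` breaks the link this same commit adds in about-rbac, `{{< relref "./manage-rbac-roles#basic-role-uid-mapping" >}}`, which targets that id. Either keep the span or point the new link at the generated anchor of the section heading.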
@ -92,7 +88,7 @@ Create a custom role when basic roles and fixed roles do not meet your permissio
- [Plan your RBAC rollout strategy]({{< relref "./plan-rbac-rollout-strategy" >}}).
- Determine which permissions you want to add to the custom role. To see a list of actions and scope, refer to [RBAC permissions actions and scopes]({{< relref "./custom-role-actions-scopes.md" >}}).
- [Enable role provisioning]({{< relref "./enable-rbac-and-provisioning#enable-rbac" >}}).
- [Enable role provisioning]({{< relref "./rbac-provisioning" >}}).
- Ensure that you have permissions to create a custom role.
- By default, the Grafana Admin role has permission to create custom roles.
- A Grafana Admin can delegate the custom role privilege to another user by creating a custom role with the relevant permissions and adding the `permissions:type:delegate` scope.
@ -219,8 +215,6 @@ curl --location --request POST '<grafana_url>/api/access-control/roles/' \
}'
```
</br>
**Example response**
```
@ -249,14 +243,10 @@ Refer to the [RBAC HTTP API]({{< relref "../../developers/http_api/access_contro
If the default basic role definitions do not meet your requirements, you can change their permissions.
</br>
**Before you begin:**
- Determine the permissions you want to add or remove from a basic role. For more information about the permissions associated with basic roles, refer to [RBAC role definitions]({{< relref "./rbac-fixed-basic-role-definitions#basic-role-assignments" >}}).
</br>
**To change permissions from a basic role:**
1. Open the YAML configuration file and locate the `roles` section.
@ -320,7 +310,7 @@ This section describes how to reset the basic roles to their default:
1. Open the YAML configuration file and locate the `roles` section.
1. Grant the `action: "roles:write", scope: "permissions:type:escalate` permission to `Grafana Admin`.
1. Grant the `action: "roles:write", scope: "permissions:type:escalate` permission to `Grafana Admin`. Note that this permission has not been granted to any basic roles by default, because users could acquire more permissions than they previously had through the basic role permissions reset.
```yaml
apiVersion: 2
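Review bot: the inline code in the rewritten step, `action: "roles:write", scope: "permissions:type:escalate`, has an unbalanced double quote (carried over from the removed line); close it before the backtick so it matches the YAML that follows. Folding the explanation into the step itself is an improvement, since the reason this permission is withheld from basic roles by default is exactly that a reset could hand users more permissions than they had before.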
@ -337,25 +327,17 @@ This section describes how to reset the basic roles to their default:
scope: 'permissions:type:escalate'
```
> **Note**: This permission has not been granted to any basic roles by default, because users could acquire more permissions than they previously had through the basic role permissions reset.
1. As a `Grafana Admin`, call the API endpoint to reset the basic roles to their default. Refer to the [RBAC HTTP API]({{< relref "../../developers/http_api/access_control.md#reset-basic-roles-to-their-default" >}}) for more details.
## Delete a custom role using Grafana provisioning
Delete a custom role when you no longer need it. When you delete a custom role, the custom role is removed from users and teams to which it is assigned.
> **Note:** If you use the same configuration file to both add and remove roles, the system deletes roles identified in the `deleteRoles` section before it adds roles identified in the `roles` section.
</br>
**Before you begin:**
- Identify the role or roles that you want to delete.
- Ensure that you have access to the YAML configuration file.
</br>
**To delete a custom role:**
1. Open the YAML configuration file and locate the `roles` section.
@ -367,7 +349,7 @@ Delete a custom role when you no longer need it. When you delete a custom role,
| `name` | The name of the custom role you want to delete. You can specify a `uid` instead of a role name. The role `name` or the `uid` are required. |
| `orgId` | Identifies the organization to which the role belongs. |
| `state` | The state of the role set to `absent` to trigger its removal. |
| `force` | Sets the force parameter. |
| `force` | When set to `true`, the roles are removed even if there are existing assignments. |
1. Reload the provisioning configuration file.
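Review bot: `When set to true, the roles are removed even if there are existing assignments.` now explains the `true` case, but the row should also state the default and what happens when `force` is unset and assignments exist (is the removal rejected, or skipped?), because that is the case an operator relies on to avoid silently revoking access from the users and teams still holding the role.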

@ -5,7 +5,7 @@ aliases:
description: This topic includes a table that lists permission associated with Grafana
fixed and basic roles.
menuTitle: RBAC role definitions
title: RBAC role definitions
title: Grafana RBAC role definitions
weight: 70
---

@ -1,13 +1,39 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/provisioning-roles-example/
description: View an example YAML provisioning file that configures Grafana role assignments.
menuTitle: Provisioning roles example
title: Example role configuration file using Grafana provisioning
- /docs/grafana/latest/enterprise/access-control/rbac-provisioning/
description: Learn about RBAC provisioning and view an example YAML provisioning file that configures Grafana role assignments.
menuTitle: RBAC provisioning
title: Grafana RBAC provisioning
weight: 60
---
# Example role configuration file using Grafana provisioning
# Grafana RBAC provisioning
You can create, change or remove [Custom roles]({{< relref "./manage-rbac-roles.md#create-custom-roles-using-provisioning" >}}) and create or remove [basic role assignments]({{< relref "./assign-rbac-roles.md#assign-a-fixed-role-to-a-basic-role-using-provisioning" >}}), by adding one or more YAML configuration files in the `provisioning/access-control/` directory.
If you choose to use provisioning to assign and manage role, you must first enable it.
Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect.
**Before you begin:**
- Ensure that you have access to files on the server where Grafana is running.
**To manage and assign RBAC roles using provisioning:**
1. Sign in to the Grafana server.
2. Locate the Grafana provisioning folder.
3. Create a new YAML in the following folder: **provisioning/access-control**. For example, `provisioning/access-control/custom-roles.yml`
4. Add RBAC provisioning details to the configuration file. See [manage RBAC roles]({{< relref "manage-rbac-roles.md" >}}) and [assign RBAC roles]({{< relref "assign-rbac-roles.md" >}}) for instructions, and see this [example role provisioning file]({{< relref "rbac-provisioning#example" >}}) for a complete example of a provisioning file.
5. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../http_api/admin/#reload-provisioning-configurations" >}}).
## Example role configuration file using Grafana provisioning
The following example shows a complete YAML configuration file that:
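Review bot: the relref `rbac-provisioning#example` in step 4 points at an anchor that does not exist on this page; the only example heading is `## Example role configuration file using Grafana provisioning`, so the link needs either that heading's generated anchor or an explicit `{#example}` id on the heading. Two smaller points in the added text: `assign and manage role, you must first enable it` should read `roles`, and it does not say what must be enabled (RBAC itself, or provisioning); and step 3 should read `Create a new YAML file`.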

View File

@ -19,7 +19,7 @@ Data source permissions allow you to restrict access for users to query a data s
By default, data sources in an organization can be queried by any user in that organization. For example, a user with the `Viewer` role can issue any possible query to a data source, not just
queries that exist on dashboards they have access to.
When permissions are enabled for a data source in an organization, you restrict admin and query access for that data source to admin users in that organization.
When permissions are enabled for a data source in an organization, the user who created the datasource can edit the datasource and in addition, viewers can query the datasource.
**Enable permissions for a data source:**
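Review bot: the replacement sentence changes the access model the paragraph describes without explaining the change: the removed line said enabling permissions restricts admin and query access to org admins, while the new line says the creator can edit and `viewers can query`, which reads as if enabling permissions leaves Viewers with query access and contradicts `restrict access for users to query` in the hunk header. Clarify whether `viewers` means the org Viewer role or users explicitly granted the query permission, and whether org admins keep access. Also use `data source` consistently instead of `datasource`.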

View File

@ -45,6 +45,11 @@ Your current data source permissions will keep working as expected, but you'll b
SAML authentication is not affected by an expired license.
### Role-based access control (RBAC)
- Creating, updating and deleting custom roles is not available.
- Modifying permissions for custom roles is not available.
### Reporting
- You're unable to configure new reports or generate previews.
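Review bot: the new RBAC section lists what becomes unavailable but not what keeps working; unlike the data source permissions item above (`will keep working as expected`), it does not say whether existing custom roles and their assignments are still enforced after expiry or whether users fall back to basic roles. State that explicitly, since it determines whether access decisions change when the license lapses.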
