Docs: Make a clear distinction between Organization Roles and RBAC roles (#97082)

* Docs: Make a clear distinction between Organization Roles and RBAC roles

* Add section to assign fixed and custom roles using the HTTP api

* Remove </br>

* run prettier

* Suggestions

Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>

---------

Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>
Gabriel MABILLE 2024-12-03 11:40:51 +01:00 committed by GitHub
parent 869dfe0cdd
commit 3f8c20907c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 31 additions and 6 deletions


@ -56,8 +56,6 @@ This section describes how to:
In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations. In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
<br/>
**Before you begin:** **Before you begin:**
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy). - [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
@ -71,8 +69,6 @@ In both cases, the assignment applies only to the user, team or service account
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions. - Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself. - Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
<br/>
**To assign a fixed role to a user, team or service account:** **To assign a fixed role to a user, team or service account:**
1. Sign in to Grafana. 1. Sign in to Grafana.
@ -93,6 +89,35 @@ In both cases, the assignment applies only to the user, team or service account
1. Select a role within an organization that you want to assign to the user. 1. Select a role within an organization that you want to assign to the user.
1. Click **Save**. 1. Click **Save**.
## Assign fixed or custom roles using the HTTP API
This section describes how to:
- Assign a fixed role to a user, team or service account as an organization administrator.
**Before you begin:**
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
- Identify the fixed roles that you want to assign to the user, team or service account.
For more information about available fixed roles, refer to [RBAC role definitions](ref:rbac-role-definitions).
- Ensure that your own user account has the correct permissions:
- If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions.
- If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
**To assign a fixed role to a user or service account:**
Refer to the [RBAC HTTP API for user role assignment](/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#add-a-user-role-assignment).
The service account ID can be used in place of the user ID.
**To assign a fixed role to a team:**
Refer to the [RBAC HTTP API for team role assignment](/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#add-a-team-role-assignment).
## Assign fixed or custom roles to a team using provisioning ## Assign fixed or custom roles to a team using provisioning
Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments. Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.
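Review bot: The new heading "Assign fixed or custom roles using the HTTP API" promises custom roles, but the added body covers fixed roles only: the "This section describes how to" bullet, the "Identify the fixed roles" prerequisite, and both procedure labels ("To assign a fixed role to a user or service account", "To assign a fixed role to a team"). Either write "fixed or custom role" in those lines or narrow the heading to match. The two API links also use absolute `/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#...` paths, while the rest of the added section uses `ref:` targets such as `ref:rbac-role-definitions`; a `ref:` entry would keep the file consistent. The copied prerequisite "can also assign fixed role" is missing an article ("a fixed role").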


@ -161,8 +161,8 @@ By default, service account tokens don't have an expiration date, meaning they w
## Assign roles to a service account in Grafana ## Assign roles to a service account in Grafana
You can assign roles to a Grafana service account to control access for the associated service account tokens. You can assign organization roles (`Viewer`, `Editor`, `Admin`) to a Grafana service account to control access for the associated service account tokens.
You can assign roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API](ref:api-update-service-account). You can assign organization roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API](ref:api-update-service-account).
In [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/), you can also [assign RBAC roles](ref:rbac-assign-rbac-roles) to grant very specific permissions to applications that interact with Grafana. In [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/), you can also [assign RBAC roles](ref:rbac-assign-rbac-roles) to grant very specific permissions to applications that interact with Grafana.
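Review bot: The second changed paragraph is only half updated: it now opens with "You can assign organization roles to a service account" but its next sentence still reads "For more information about assigning a role to a service account via the API". Change that to "assigning an organization role" so the sentence cannot be read as covering RBAC roles, which the following paragraph links separately through `ref:rbac-assign-rbac-roles`.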