mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Docs: Make a clear distinction between Organization Roles and RBAC roles (#97082)
* Docs: Make a clear distinction between Organization Roles and RBAC roles
* Add section to assign fixed and custom roles using the HTTP api
* Remove </br>
* run prettier
* Suggestions

Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>

---------

Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>
parent
869dfe0cdd
commit
3f8c20907c
@ -56,8 +56,6 @@ This section describes how to:
|
|||||||
|
|
||||||
In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
|
In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
|
||||||
|
|
||||||
<br/>
|
|
||||||
|
|
||||||
**Before you begin:**
|
**Before you begin:**
|
||||||
|
|
||||||
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
|
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
|
||||||
@ -71,8 +69,6 @@ In both cases, the assignment applies only to the user, team or service account
|
|||||||
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
|
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
|
||||||
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
|
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
|
||||||
|
|
||||||
<br/>
|
|
||||||
|
|
||||||
**To assign a fixed role to a user, team or service account:**
|
**To assign a fixed role to a user, team or service account:**
|
||||||
|
|
||||||
1. Sign in to Grafana.
|
1. Sign in to Grafana.
|
||||||
@ -93,6 +89,35 @@ In both cases, the assignment applies only to the user, team or service account
|
|||||||
1. Select a role within an organization that you want to assign to the user.
|
1. Select a role within an organization that you want to assign to the user.
|
||||||
1. Click **Save**.
|
1. Click **Save**.
|
||||||
|
|
||||||
|
## Assign fixed or custom roles using the HTTP API
|
||||||
|
|
||||||
|
This section describes how to:
|
||||||
|
|
||||||
|
- Assign a fixed role to a user, team or service account as an organization administrator.
|
||||||
|
|
||||||
|
**Before you begin:**
|
||||||
|
|
||||||
|
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
|
||||||
|
- Identify the fixed roles that you want to assign to the user, team or service account.
|
||||||
|
|
||||||
|
For more information about available fixed roles, refer to [RBAC role definitions](ref:rbac-role-definitions).
|
||||||
|
|
||||||
|
- Ensure that your own user account has the correct permissions:
|
||||||
|
- If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions.
|
||||||
|
- If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
|
||||||
|
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
|
||||||
|
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
|
||||||
|
|
||||||
|
**To assign a fixed role to a user or service account:**
|
||||||
|
|
||||||
|
Refer to the [RBAC HTTP API for user role assignment](/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#add-a-user-role-assignment).
|
||||||
|
|
||||||
|
The service account ID can be used in place of the user ID.
|
||||||
|
|
||||||
|
**To assign a fixed role to a team:**
|
||||||
|
|
||||||
|
Refer to the [RBAC HTTP API for team role assignment](/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#add-a-team-role-assignment).
|
||||||
|
|
||||||
## Assign fixed or custom roles to a team using provisioning
|
## Assign fixed or custom roles to a team using provisioning
|
||||||
|
|
||||||
Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.
|
Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.
|
||||||
|
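Review bot: The new heading "Assign fixed or custom roles using the HTTP API" promises custom roles, but the "This section describes how to:" list and both procedure labels ("To assign a fixed role to a user or service account", "To assign a fixed role to a team") mention only fixed roles; either say "fixed or custom role" throughout or narrow the heading. The permissions bullet carried over from the UI section names only `users.roles:add` and `users.roles:remove`, although this section also covers team assignment, so state what a custom role needs for the team endpoint, and change "can also assign fixed role" to "can also assign fixed roles". The two API links use absolute `/docs/grafana/<GRAFANA_VERSION>/...` paths while the other links in this section use `ref:` references; using one form would be more consistent.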
@ -161,8 +161,8 @@ By default, service account tokens don't have an expiration date, meaning they w
|
|||||||
|
|
||||||
## Assign roles to a service account in Grafana
|
## Assign roles to a service account in Grafana
|
||||||
|
|
||||||
You can assign roles to a Grafana service account to control access for the associated service account tokens.
|
You can assign organization roles (`Viewer`, `Editor`, `Admin`) to a Grafana service account to control access for the associated service account tokens.
|
||||||
You can assign roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API](ref:api-update-service-account).
|
You can assign organization roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API](ref:api-update-service-account).
|
||||||
|
|
||||||
In [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/), you can also [assign RBAC roles](ref:rbac-assign-rbac-roles) to grant very specific permissions to applications that interact with Grafana.
|
In [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/), you can also [assign RBAC roles](ref:rbac-assign-rbac-roles) to grant very specific permissions to applications that interact with Grafana.
|
||||||
|
|
||||||
|
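Review bot: The second changed paragraph still ends with "For more information about assigning a role to a service account via the API", which leaves the kind of role ambiguous right after the first sentence was narrowed to organization roles; write "an organization role" there so readers do not assume the linked update endpoint also assigns RBAC roles. The unchanged heading "Assign roles to a service account in Grafana" has the same ambiguity, and renaming it to mention organization roles would complete the distinction the commit title sets out to make.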