Docs: Make a clear distinction between Organization Roles and RBAC roles (#97082)

* Docs: Make a clear distinction between Organization Roles and RBAC roles

* Add section to assign fixed and custom roles using the HTTP api

* Remove </br>

* run prettier

* Suggestions

Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>

---------

Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>
Gabriel MABILLE 2024-12-03 11:40:51 +01:00 committed by GitHub
parent 869dfe0cdd
commit 3f8c20907c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 31 additions and 6 deletions


@ -56,8 +56,6 @@ This section describes how to:
In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
<br/>
**Before you begin:**
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
@ -71,8 +69,6 @@ In both cases, the assignment applies only to the user, team or service account
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
<br/>
**To assign a fixed role to a user, team or service account:**
1. Sign in to Grafana.
@ -93,6 +89,35 @@ In both cases, the assignment applies only to the user, team or service account
1. Select a role within an organization that you want to assign to the user.
1. Click **Save**.
## Assign fixed or custom roles using the HTTP API
This section describes how to:
- Assign a fixed role to a user, team or service account as an organization administrator.
**Before you begin:**
- [Plan your RBAC rollout strategy](ref:plan-rbac-rollout-strategy).
- Identify the fixed roles that you want to assign to the user, team or service account.
For more information about available fixed roles, refer to [RBAC role definitions](ref:rbac-role-definitions).
- Ensure that your own user account has the correct permissions:
- If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions.
- If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
**To assign a fixed role to a user or service account:**
Refer to the [RBAC HTTP API for user role assignment](/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#add-a-user-role-assignment).
The service account ID can be used in place of the user ID.
**To assign a fixed role to a team:**
Refer to the [RBAC HTTP API for team role assignment](/docs/grafana/<GRAFANA_VERSION>/developers/http_api/access_control/#add-a-team-role-assignment).
## Assign fixed or custom roles to a team using provisioning
Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.
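Review bot: The new heading "Assign fixed or custom roles using the HTTP API" promises custom roles, but every line under it covers fixed roles only: the single "This section describes how to" bullet, the "Identify the fixed roles" prerequisite, and both "To assign a fixed role to ..." labels. Either extend those lines to "fixed or custom role" or narrow the heading, so a reader looking for custom role assignment over the API is not left guessing whether the same endpoints and prerequisites apply. The permission prerequisites are copied verbatim from the UI section, including "can also assign fixed role if it has", which needs an article ("a fixed role"). Since this section is about API calls, consider rewording "Your Grafana user" and "Your own user account must have the roles you are granting" to name the identity making the request, so the constraint that a caller cannot grant roles it does not hold is unambiguous.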


@ -161,8 +161,8 @@ By default, service account tokens don't have an expiration date, meaning they w
## Assign roles to a service account in Grafana
You can assign roles to a Grafana service account to control access for the associated service account tokens.
You can assign roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API](ref:api-update-service-account).
You can assign organization roles (`Viewer`, `Editor`, `Admin`) to a Grafana service account to control access for the associated service account tokens.
You can assign organization roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API](ref:api-update-service-account).
In [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/), you can also [assign RBAC roles](ref:rbac-assign-rbac-roles) to grant very specific permissions to applications that interact with Grafana.
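Review bot: The unchanged heading "## Assign roles to a service account in Grafana" still says "roles" without qualification, while the rewritten paragraph under it now limits itself to organization roles (`Viewer`, `Editor`, `Admin`) and leaves RBAC roles to the closing Grafana Enterprise sentence. Given that the purpose of this commit is to separate the two concepts, retitle the heading to match (for example "Assign organization roles to a service account") or state in the first sentence that the section covers organization roles first and RBAC roles last. In the closing sentence, "very specific permissions" is vague; saying that RBAC roles grant narrower permissions than an organization role would tell the reader why to prefer them for service account tokens.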