mirror of
https://github.com/grafana/grafana.git
synced 2024-11-26 02:40:26 -06:00
Docs: refactored manage users and permissions content (#44343)
* initial refactor * initial draft for teams * restructed topics, added front matter * modified aliases * removes old files * removed files * initial refactor * initial draft for teams * restructed topics, added front matter * modified aliases * removes old files * removed files * final xrefs updates * xref adjustment * copy updates * copy and content updates to about, add to org, add user, admin * copy updates to remove user from org * update org vs server admin section names, cross-link * cross-link add and invite users to org * add remaining cross-links between org and server admin * add dashboard permissions table * add permissions information to teams * add copy invite instructions to invite management * tweaks and link updates * incorporated PM feedback * fixed xrefs * yarn prettier * fix codespell * combined teams and dashboard permissions content Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com>
This commit is contained in:
parent
d665306ad1
commit
46360ca0c3
1
devenv/docker/blocks/saml-enterprise
Symbolic link
1
devenv/docker/blocks/saml-enterprise
Symbolic link
@ -0,0 +1 @@
|
||||
/Users/mitchel/Workspace/grafana-enterprise/src/devenv/blocks/saml-enterprise
|
@ -635,7 +635,7 @@ Path to the default home dashboard. If this value is empty, then Grafana uses St
|
||||
|
||||
Set to `false` to prohibit users from being able to sign up / create
|
||||
user accounts. Default is `false`. The admin user can still create
|
||||
users from the [Grafana Admin Pages]({{< relref "../manage-users/server-admin/server-admin-manage-users.md" >}}).
|
||||
users. For more information about creating a user, refer to [Add a user]({{< relref "../administration/manage-users-and-permissions/manage-server-users/add-user.md" >}}).
|
||||
|
||||
### allow_org_create
|
||||
|
||||
|
@ -0,0 +1,13 @@
|
||||
+++
|
||||
title = "Manage users and permissions"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/_index.md"]
|
||||
weight = 200
|
||||
+++
|
||||
|
||||
# Manage users and permissions
|
||||
|
||||
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions for an administrator to create and delete users.
|
||||
|
||||
The following topics describe how to use permissions to control user access to data sources, dashboards, users, and teams.
|
||||
|
||||
{{< section >}}
|
@ -0,0 +1,152 @@
|
||||
+++
|
||||
title = "About users and permissions"
|
||||
aliases = ["docs/sources/manage-users/_index.md", "docs/sources/administration/manage-users-and-permissions/about-users-and-permissions.md", "/docs/grafana/latest/permissions/overview/", "docs/sources/permissions/_index.md", "docs/sources/permissions/organization_roles.md"]
|
||||
weight = 100
|
||||
+++
|
||||
|
||||
# About users and permissions
|
||||
|
||||
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions for an administrator to create and delete users.
|
||||
|
||||
You can assign a user one of three types of permissions:
|
||||
|
||||
- Grafana server administrator permissions: Manage Grafana server-wide settings and resources
|
||||
- Organization permissions: Manage access to dashboards, alerts, plugins, teams, playlists, and other resources for an entire organization. The available roles are Viewer, Editor, and Admin.
|
||||
- Dashboard and folder permission: Manage access to dashboards and folders
|
||||
|
||||
> **Note**: If you are running Grafana Enterprise, you can also control access to data sources and use fine-grained access control to grant read and write permissions for specific resources. For more information about access control options available with Grafana Enterprise, refer to [Grafana Enterprise user permissions features](#grafana-enterprise-user-permissions-features).
|
||||
|
||||
## Grafana server administrators
|
||||
|
||||
A Grafana server administrator manages server-wide settings and access to resources such as organizations, users, and licenses. Grafana includes a default server administrator that you can use to manage all of Grafana, or you can divide that responsibility among other server administrators that you create.
|
||||
|
||||
A server administrator can perform the following tasks:
|
||||
|
||||
- Manage users and permissions
|
||||
- Create, edit, and delete organizations
|
||||
- View server-wide settings defined in the [Configuration]({{< relref "../../administration/configuration.md" >}}) file
|
||||
- View Grafana server statistics, including total users and active sessions
|
||||
- Upgrade the server to Grafana Enterprise.
|
||||
|
||||
> **Note:** The server administrator role does not exist in Grafana Cloud.
|
||||
|
||||
## Organization users and permissions
|
||||
|
||||
All Grafana users belong to at least one organization. An organization is an entity that exists within your instance of Grafana.
|
||||
|
||||
Permissions assigned to a user within an organization control the extent to which the user has access to and can update the following organization resources:
|
||||
|
||||
- dashboards and folders
|
||||
- alerts
|
||||
- playlists
|
||||
- users within that organization
|
||||
- data sources
|
||||
- teams
|
||||
- organization and team settings
|
||||
- plugins
|
||||
- annotations
|
||||
- library panels
|
||||
- API keys
|
||||
|
||||
### Organization roles
|
||||
|
||||
Organization role-based permissions are global, which means that each permission level applies to all Grafana resources within an given organization. For example, an editor can see and update _all_ dashboards in an organization, unless those dashboards have been specifically restricted using [dashboard permissions]({{< relref "manage-dashboard-permissions/_index.md">}}).
|
||||
|
||||
Grafana uses the following roles to control user access:
|
||||
|
||||
- **Organization administrator**: Has access to all organization resources, including dashboards, users, and teams.
|
||||
- **Editor**: Can view and edit dashboards, folders, and playlists.
|
||||
- **Viewer**: Can view dashboards and playlists.
|
||||
|
||||
The following table lists permissions for each role.
|
||||
|
||||
| Permission | Organization administrator | Editor | Viewer |
|
||||
| :----------------------------- | :------------------------: | :----: | :----: |
|
||||
| View dashboards | x | x | x |
|
||||
| Add, edit, delete dashboards | x | x | |
|
||||
| Add, edit, delete folders | x | x | |
|
||||
| View playlists | x | x | x |
|
||||
| Add, edit, delete playlists | x | x | |
|
||||
| Create library panels | x | x | |
|
||||
| View annotations | x | x | x |
|
||||
| Add, edit, delete annotations | x | x | |
|
||||
| Access Explore | x | x | |
|
||||
| Add, edit, delete data sources | x | | |
|
||||
| Add and edit users | x | | |
|
||||
| Add and edit teams | x | | |
|
||||
| Change organizations settings | x | | |
|
||||
| Change team settings | x | | |
|
||||
| Configure application plugins | x | | |
|
||||
|
||||
## Dashboard permissions
|
||||
|
||||
When you want to extend a viewer's ability to edit and save dashboard changes or limit an editor's permission to modify a dashboard, you can assign permissions to dashboards and dashboard folders. For example, you might want a certain viewer to be able to to edit a dashboard. While that user can _see_ all dashboards, you can grant them access to _update_ only one of them.
|
||||
|
||||
> Important: The dashboard permissions you specify override the organization permissions you assign to the user for the selected entity.
|
||||
|
||||
You can specify the following permissions to dashboards and folders.
|
||||
|
||||
- **Admin**: Can create, edit, or delete a dashboard or folder. Administrators can also change dashboard and folder permissions.
|
||||
- **Edit**: Can create and edit dashboards. Editors _cannot_ change folder or dashboard permissions, or add, edit, or delete folders.
|
||||
- **View**: Can only view dashboards and folders.
|
||||
|
||||
For more information about assigning dashboard folder permissions, refer to [Grant dashboard folder permissions]({{< relref "./manage-dashboard-permissions/_index.md#grant-dashboard-folder-permissions" >}}).
|
||||
|
||||
For more information about assigning dashboard permissions, refer to [Grant dashboard permissions]({{< relref "./manage-dashboard-permissions/_index.md#grant-dashboard-permissions" >}}).
|
||||
|
||||
## Editors with administrator permissions
|
||||
|
||||
If you have access to the Grafana server, you can modify the default editor role so that editors can use administrator permissions to manage dashboard folders, dashboards, and teams that they create.
|
||||
|
||||
> **Note**: This permission does not allow editors to manage folders, dashboards, and teams that they do not create.
|
||||
|
||||
This setting can be used to enable self-organizing teams to administer their own dashboards.
|
||||
|
||||
For more information about assigning administrator permissions to editors, refer to [Grant editors administrator permissions]({{< relref "./manage-server-users/grant-editor-admin-permissions.md" >}}).
|
||||
|
||||
## Viewers with dashboard preview and Explore permissions
|
||||
|
||||
If you have access to the Grafana server, you can modify the default viewer role so that viewers can:
|
||||
|
||||
- Edit and preview dashboards, but cannot save their changes or create new dashboards.
|
||||
- Access and use [Explore]({{< relref "../../explore/_index.md" >}}).
|
||||
|
||||
Extending the viewer role is useful for public Grafana installations where you want anonymous users to be able to edit panels and queries, but not be able to save or create new dashboards.
|
||||
|
||||
For more information about assigning dashboard preview permissions to viewers, refer to [Enable viewers to preview dashboards and use Explore]({{< relref "./manage-dashboard-permissions/_index.md#enable-viewers-to-preview-dashboards-and-use-explore" >}}).
|
||||
|
||||
## Teams and permissions
|
||||
|
||||
A team is a group of users within an organization that have common dashboard and data source permission needs. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. A user can belong to multiple teams.
|
||||
|
||||
You can assign a team member one of the following permissions:
|
||||
|
||||
- **Member**: Includes the user as a member of the team. Members do not have team administrator privileges.
|
||||
- **Admin**: Administrators have permission to manage various aspects of the team, including team membership, permissions, and settings.
|
||||
|
||||
Because teams exist inside an organization, the organization administrator can manage all teams. When the `editors_can_admin` setting is enabled, editors can create teams and manage teams that they create. For more information about the `editors_can_admin` setting, refer to [Grant editors administrator permissions]({{< relref "./manage-server-users/grant-editor-admin-permissions.md" >}}).
|
||||
|
||||
## Grafana Enterprise user permissions features
|
||||
|
||||
While Grafana OSS includes a robust set of permissions and settings that you can use to manage user access to server and organization resources, you might find that you require additional capabilities.
|
||||
|
||||
Grafana Enterprise provides the following permissions-related features:
|
||||
|
||||
- Data source permissions
|
||||
- Fine-grained access control
|
||||
|
||||
### Data source permissions
|
||||
|
||||
By default, a user can query any data source in an organization, even if the data source is not linked to the user's dashboards.
|
||||
|
||||
Data source permissions enable you to restrict data source query permissions to specific **Users** and **Teams**. For more information about assigning data source permissions, refer to [Data source permissions]({{< relref "../../enterprise/datasource_permissions.md" >}}).
|
||||
|
||||
### Fine-grained access control
|
||||
|
||||
Fine-grained access control provides you a way of granting, changing, and revoking user read and write access to Grafana resources, such as users, reports, and authentication.
|
||||
|
||||
For more information about fine-grained access control, refer to [Fine-grained access control]({{< relref "../../enterprise/access-control" >}}).
|
||||
|
||||
### Learn more
|
||||
|
||||
Want to know more? Complete the [Create users and teams](https://grafana.com/tutorials/create-users-and-teams) tutorial to learn how to set up users and teams.
|
@ -0,0 +1,143 @@
|
||||
+++
|
||||
title = "Manage dashboard permissions"
|
||||
aliases = ["/docs/grafana/latest/permissions/dashboard_folder_permissions/", "docs/sources/administration/manage-users-and-permissions/manage-dashboard-permissions/_index.md"]
|
||||
weight = 500
|
||||
+++
|
||||
|
||||
# Manage dashboard permissions
|
||||
|
||||
Dashboard and dasboard folder permissions enable you to grant a viewer the ability to edit and save dashboard changes, or limit an editor's permission to modify a dashboard.
|
||||
|
||||
For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../about-users-and-permissions/#dashboard-permissions">}}).
|
||||
|
||||
## Grant dashboard folder permissions
|
||||
|
||||
When you grant user permissions for folders, that setting applies to all dashboards contained in the folder. Consider using this approach to assigning dashboard permissions when you have users or teams who require access to groups of related dashboards.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges
|
||||
- Identify the dashboard folder permissions you want to modify and the users or teams to which you want to grant access. For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../about-users-and-permissions/#dashboard-permissions">}}).
|
||||
|
||||
**To grant dashboard folder permissions**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
2. In the sidebar, hover your mouse over the **Dashboards** (squares) icon and click **Browse**.
|
||||
3. Hover your mouse cursor over a folder and click **Go to folder**.
|
||||
4. Click the **Permissions** tab, and then click **Add Permission**.
|
||||
5. In the **Add Permission For** dropdown menu, select **User**, **Team**, or one of the role options.
|
||||
6. Select the user or team.
|
||||
|
||||
If you select a role option, you do not select a user or team.
|
||||
|
||||
7. Select the permission and click **Save**.
|
||||
|
||||
## Grant dashboard permissions
|
||||
|
||||
When you grant dashboard folder permissions, that setting applies to all dashboards in the folder. For a more granular approach to assigning permissions, you can also assign user permissions to individual dashboards.
|
||||
|
||||
For example, if a user with the viewer organization role requires editor (or admin) access to a dashboard, you can assign those elevated permissions on an individual basis.
|
||||
|
||||
> **Note**: If you have assigned a user dashboard folder permissions, you cannot also assign the user permission to dashboards contained in the folder.
|
||||
|
||||
Grant dashboard permissions when you want to restrict or enhance dashboard access for users who do not have permissions defined in the associated dashboard folder.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges
|
||||
- Identify the dashboard permissions you want to modify and the users or teams to which you want to grant access
|
||||
|
||||
**To grant dashboard permissions**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. In the sidebar, hover your mouse over the **Dashboards** (squares) icon and click **Browse**.
|
||||
1. Open a dashboard.
|
||||
1. In the top right corner of the dashboard, click **Dashboard settings** (the cog icon).
|
||||
1. Click **Permissions** and then click **Add Permission**.
|
||||
1. In the **Add Permission For** dropdown menu, select **User** or **Team**.
|
||||
1. Select the user or team.
|
||||
1. Select the permission and click **Save**.
|
||||
|
||||
## Enable viewers to preview dashboards and use Explore
|
||||
|
||||
By default, the viewer organization role does not allow viewers to create dashboards or use the Explore feature. However, by modifying a configuration setting you can allow viewers to create and preview (but not save) dashboards, and use the Explore feature.
|
||||
|
||||
This modification is useful for public Grafana installations where you want anonymous users to be able to edit panels and queries but not save or create new dashboards.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have access to the Grafana server
|
||||
|
||||
**To enable viewers to preview dashboards and use Explore**:
|
||||
|
||||
1. Open the Grafana configuration file.
|
||||
|
||||
For more information about the Grafana configuration file and its location, refer to [Configuration]({{< relref "../../../administration/configuration">}}).
|
||||
|
||||
1. Locate the `viewers_can_edit` parameter.
|
||||
1. Set the `viewers_can_edit` value to `true`.
|
||||
1. Save your changes and restart Grafana.
|
||||
|
||||
## Edit dashboard permissions
|
||||
|
||||
Edit dashboard permissions when you are want to enhance or restrict a user's access to a dashboard. For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../about-users-and-permissions/#dashboard-permissions">}}).
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Identify the dashboard and user permission you want to change
|
||||
- Ensure you have organization administrator privileges
|
||||
|
||||
**To edit dashboard permissions**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. In the sidebar, hover your mouse over the **Dashboards** (squares) icon and click **Browse**.
|
||||
1. Open a dashboard.
|
||||
1. In the top-right corner of the dashboard, click **Dashboard settings** (the cog icon).
|
||||
1. Click **Permissions**.
|
||||
1. In the dropdown, update the permissions, and click **Save**.
|
||||
|
||||
## Restrict access to dashboards
|
||||
|
||||
Grafana applies the highest permission a given user has to access a resource like a dashboard, so if you want to prevent a user from accessing a folder or dashboard you need to consider the user's organization role, folder permissions, and dashboard permissions.
|
||||
|
||||
- You cannot override organization administrator permissions. Organization administrators have access to all organization resources.
|
||||
- User permissions set for a dashboard folder propagate to dashboards contained in the folder.
|
||||
- A lower permission level does not affect access if a more general rule exists with a higher permission.
|
||||
|
||||
Refer to the following examples to understand how organization and dashboard permissions impact a user's access to dashboards.
|
||||
|
||||
### Example 1
|
||||
|
||||
In this example, user1 has the editor organization role.
|
||||
|
||||
Dashboard permissions settings:
|
||||
|
||||
- Everyone with Editor role can edit
|
||||
- user1 is set to `view`
|
||||
|
||||
Result: User1 has edit permissions because the user's organization role is Editor.
|
||||
|
||||
### Example 2
|
||||
|
||||
In this example, user1 has the viewer organization role and is a member of team1.
|
||||
|
||||
Dashboard permissions settings:
|
||||
|
||||
- Everyone with Viewer role can view
|
||||
- user1 is set to `edit`
|
||||
- team1 is set to `admin`
|
||||
|
||||
Result: User1 has administrator permissions for the dashboard because user1 is a member of team1.
|
||||
|
||||
### Example 3
|
||||
|
||||
In this example, user1 has the viewer organization role.
|
||||
|
||||
Dashboard permissions settings:
|
||||
|
||||
- user1 is set to `admin`, which is inherited from the permissions set in parent folder
|
||||
- user1 is set to `edit`
|
||||
|
||||
Result: You receive an error message that cannot override a higher permission with a lower permission in the same dashboard. User1 has administrator permissions.
|
||||
|
||||
> Refer to [Fine-grained access Control]({{< relref "../../../enterprise/access-control/_index.md" >}}) in Grafana Enterprise to understand how to use fine-grained permissions to restrict access to dashboards, folders, administrative functions, and other resources.
|
@ -0,0 +1,13 @@
|
||||
+++
|
||||
title = "Manage users in an organization"
|
||||
aliases = ["docs/sources/manage-users/org-admin/index.md", "docs/sources/administration/manage-users-and-permissions/manage-org-users/_index.md"]
|
||||
weight = 400
|
||||
+++
|
||||
|
||||
# Manage users in an organization
|
||||
|
||||
Organization administrators can invite users to join their organization. Organization users have access to organization resources based on their role, which is **Admin**, **Editor**, or **Viewer**. Permissions associated with each role determine the tasks a user can perform in the system.
|
||||
|
||||
For more information about organization user permissions, refer to [Organization users and permissions]({{< relref "../about-users-and-permissions/#organization-users-and-permissions">}}).
|
||||
|
||||
{{< section >}}
|
@ -0,0 +1,27 @@
|
||||
+++
|
||||
title = "Change a user's organization permissions"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-org-users/change-user-org-permissions.md"]
|
||||
weight = 30
|
||||
+++
|
||||
|
||||
# Change a user's organization permissions
|
||||
|
||||
Update user permissions when you want to enhance or restrict a user's access to organization resources. For more information about organization permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles">}}).
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges
|
||||
|
||||
**To change the organization role of a user**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
|
||||
1. Find the user account for which you want to change the role.
|
||||
|
||||
If necessary, use the search field to filter the list.
|
||||
|
||||
1. Locate the user on the list and in the **Role** column, click the user role.
|
||||
1. Select the role that you want to assign.
|
||||
1. Click **Update**.
|
||||
|
||||
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can also [change a user's organization permissions]({{< relref "../../manage-users-and-permissions/manage-server-users/change-user-org-permissions.md" >}}) in the Server Admin section.
|
@ -0,0 +1,44 @@
|
||||
+++
|
||||
title = "Invite a user to join an organization"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-org-users/invite-user-join-org.md"]
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
# Invite a user to join an organization
|
||||
|
||||
When you invite users to join an organization, you assign the **Admin**, **Editor**, or **Viewer** role which controls user access to the dashboards and data sources owned by the organization. Users receive an email that prompts them to accept the invitation.
|
||||
|
||||
- If you know that the user already has access Grafana and you know their user name, then you issue an invitation by entering their user name.
|
||||
- If the user is new to Grafana, then use their email address to issue an invitation. The system automatically creates the user account on first sign in.
|
||||
|
||||
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can also manually [add a user to an organization]({{< relref "../../manage-users-and-permissions/manage-server-users/add-remove-user-to-org.md" >}}).
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges.
|
||||
- If the user already has access to Grafana, obtain their user name.
|
||||
- Determine the permissions you want to assign to the user. For more information about organization permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles">}}).
|
||||
|
||||
**To invite or add an existing user account to your organization**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. To switch to the organization to which you want to invite a user, hover your mouse over your profile and click **Switch organization** and select an organization.
|
||||
|
||||
> **Note**: It might be that you are currently in the proper organization and don't need to switch organizations.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
|
||||
1. Click **Invite**.
|
||||
1. Enter the following information:
|
||||
|
||||
| Field | Description |
|
||||
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| Email or username | Either the email or username that the user will use to sign in to Grafana. |
|
||||
| Name | The user's name. |
|
||||
| Role | Click the organization role to assign this user. For more information about organization roles, refer to [Organization roles]({{< relref "../about-users-and-permissions#organization-roles" >}}).. |
|
||||
| Send invite email | Switch to on if your organization has configured. The system sends an email to the user inviting them to sign in to Grafana and join the organization. Switch to off if you are not using email. The user can sign in to Grafana with the email or username you entered. |
|
||||
|
||||
1. Click **Submit**.
|
||||
|
||||
If the invitee is not already a user, the system adds them.
|
||||
|
||||
![Invite User](/static/img/docs/manage-users/org-invite-user-7-3.png).
|
@ -0,0 +1,31 @@
|
||||
+++
|
||||
title = "Manage a pending invitation"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-org-users/manage-pending-invites.md"]
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
# Manage a pending invitation
|
||||
|
||||
Periodically review invitations you have sent so that you can see a list of users that have not yet accepted the invitation or cancel a pending invitation.
|
||||
|
||||
> **Note:** The **Pending Invites** button is only visible if there are unanswered invitations.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges
|
||||
|
||||
**To manage a pending invitation**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
|
||||
1. Click **Pending Invites**.
|
||||
|
||||
The **Pending Invites** button appears only when there are unaccepted invitations.
|
||||
|
||||
![Pending Invites button](/static/img/docs/manage-users/pending-invites-button-7-3.png)
|
||||
|
||||
To cancel an invitation, click the red **X** next to the invitation.
|
||||
|
||||
To copy an invitation link and send it directly to a user, click Copy Invite. You can then paste the invite link into a message.
|
||||
|
||||
![Pending Invites list](/static/img/docs/manage-users/pending-invites-list-7-3.png)
|
@ -0,0 +1,27 @@
|
||||
+++
|
||||
title = "Remove a user from an organization"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-org-users/remove-user-from-org.md"]
|
||||
weight = 40
|
||||
+++
|
||||
|
||||
# Remove a user from an organization
|
||||
|
||||
You can remove a user from an organization when they no longer require access to the dashboard or data sources owned by the organization. No longer requiring access to an organization might occur when the user has left your company or has internally moved to another organization.
|
||||
|
||||
This action does not remove the user account from the Grafana server.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges
|
||||
|
||||
**To remove a user from an organization**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
|
||||
1. Find the user account that you want to remove from the organization.
|
||||
|
||||
Use the search field to filter the list, if necessary.
|
||||
|
||||
1. Click the red **X** to remove the user from the organization.
|
||||
|
||||
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can also [remove a user from an organization]({{< relref "../../manage-users-and-permissions/manage-server-users/add-remove-user-to-org.md#remove-a-user-from-an-organization" >}}) on the Users page of the Server Admin section.
|
@ -0,0 +1,22 @@
|
||||
+++
|
||||
title = "View a list of organization users"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-org-users/view-list-org-users.md"]
|
||||
weight = 50
|
||||
+++
|
||||
|
||||
# View a list of organization users
|
||||
|
||||
You can see a list of users with accounts in your Grafana organization. If necessary, you can use the search field to filter the list.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have organization administrator privileges
|
||||
|
||||
**To view a list of organization users**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
|
||||
|
||||
![Org Admin user list](/static/img/docs/manage-users/org-user-list-7-3.png)
|
||||
|
||||
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can also [view a global list of users]({{< relref "../../manage-users-and-permissions/manage-server-users/view-list-users.md" >}}) in the Server Admin section of Grafana.
|
@ -0,0 +1,17 @@
|
||||
+++
|
||||
title = "Manage users globally"
|
||||
aliases = ["docs/sources/manage-users/server-admin/_index.md", "docs/sources/manage-users/server-admin/server-admin-manage-users.md", "docs/sources/administration/manage-users-and-permissions/manage-server-users/_index.md"]
|
||||
weight = 300
|
||||
+++
|
||||
|
||||
# Manage users globally
|
||||
|
||||
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system.
|
||||
|
||||
If you have [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions in Grafana, you can manage all users for a Grafana instance in the Server Admin section:
|
||||
|
||||
{{< section >}}
|
||||
|
||||
If you have [organization administrator]({{< relref "../about-users-and-permissions.md#organization-roles">}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, refer to [Manage users in a organization]({{< relref "../../manage-users-and-permissions/manage-org-users/_index.md" >}}).
|
||||
|
||||
For more information about users and permissions, refer to [About users and permissions]({{< relref "../about-users-and-permissions">}}).
|
@ -0,0 +1,51 @@
|
||||
+++
|
||||
title = "Add or remove a user from an organization"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/add-user-to-org.md"]
|
||||
weight = 30
|
||||
+++
|
||||
|
||||
# Add a user to an organization
|
||||
|
||||
Add a user to an organization when you want the user to have access to organization resources such as dashboards, data sources, and playlists. A user must belong to at least one organization.
|
||||
|
||||
You are required to specify an Admin role for each organization. The first user you add to an organization becomes the Admin by default. After you assign the Admin role to a user, you can add other users to an organization as either Admins, Editors, or Viewers.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Add an organization
|
||||
- [Add a user]({{< relref "./add-user.md">}}) to Grafana
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To add a user to an organization**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
1. In the **Organizations** section, click **Add user to organization**.
|
||||
1. Select an organization and a role.
|
||||
|
||||
For more information about user permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles">}}).
|
||||
|
||||
1. Click **Add to organization**.
|
||||
|
||||
The next time the user signs in, they will be able to navigate to their new organization using the Switch Organizations option in the user profile menu.
|
||||
|
||||
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions.md#organization-roles">}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can still [invite a user to join an organization]({{< relref "../../manage-users-and-permissions/manage-org-users/invite-user-join-org.md" >}}).
|
||||
|
||||
# Remove a user from an organization
|
||||
|
||||
Remove a user from an organization when they no longer require access to the dashboards, data sources, or alerts in that organization.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To remove a user from an organization**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
1. In the **Organization** section, click **Remove from organization** next to the organization from which you want to remove the user.
|
||||
1. Click **Confirm removal**.
|
||||
|
||||
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions.md#organization-roles">}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can still [remove a user from an organization]({{< relref "../../manage-users-and-permissions/manage-org-users/remove-user-from-org.md" >}}) in the Users section of organization configuration.
|
@ -0,0 +1,28 @@
|
||||
+++
|
||||
title = "Add a user"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/add-user.md"]
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
# Add a user
|
||||
|
||||
Add users when you want to manually provide individuals with access to Grafana.
|
||||
|
||||
When you create a user using this method, you must create their password. The user does not receive a notification by email. To invite a user to Grafana and allow them to create their own password, [invite a user to join an organization]({{< relref "../manage-org-users/invite-user-join-org.md">}}).
|
||||
|
||||
When you configure advanced authentication using Oauth, SAML, LDAP, or the Auth proxy, users are created automatically.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure that you have Grafana server administrator privileges
|
||||
|
||||
**To add a user**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click **New user**.
|
||||
1. Complete the fields and click **Create user**.
|
||||
|
||||
When you create a user, the system assigns the user viewer permissions in a default organization, which you can change. You can now [add a user to a second organization]({{< relref "./add-remove-user-to-org.md">}}).
|
||||
|
||||
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions.md#organization-roles">}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can still add users by [inviting a user to join an organization]({{< relref "../../manage-users-and-permissions/manage-org-users/invite-user-join-org.md" >}}).
|
@ -0,0 +1,27 @@
|
||||
+++
|
||||
title = "Assign or remove Grafana server administrator privileges"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/assign-remove-server-admin-privileges.md"]
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
# Assign or remove Grafana server administrator privileges
|
||||
|
||||
Grafana server administrators are responsible for creating users, organizations, and managing permissions. For more information about the server administration role, refer to [Grafana server administrators]({{< relref "../about-users-and-permissions/#grafana-server-administrators">}}).
|
||||
|
||||
> **Note:** Server administrators are "super-admins" with full permissions to create, read, update, and delete all resources and users in all organizations, as well as update global settings such as licenses. Only grant this permission to trusted users.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- [Add a user]({{< relref "./add-user.md">}})
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To assign or remove Grafana administrator privileges**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
1. In the **Grafana Admin** section, click **Change**.
|
||||
1. Click **Yes** or **No**, depending on whether or not you want this user to have the Grafana server administrator role.
|
||||
1. Click **Change**.
|
||||
|
||||
The system updates the user's permission the next time they load a page in Grafana.
|
@ -0,0 +1,22 @@
|
||||
+++
|
||||
title = "Change a user's organization permissions"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/change-user-org-permissions.md"]
|
||||
weight = 50
|
||||
+++
|
||||
|
||||
# Change a user's organization permissions
|
||||
|
||||
Update organization permissions when you want to enhance or restrict a user's access to organization resources. For more information about organization permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles">}}).
|
||||
|
||||
## Before you begin
|
||||
|
||||
- [Add a user to an organization]({{< relref "./add-remove-user-to-org.md">}})
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To change a user's organization permissions**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
1. In the **Organizations** section, click the role you want to change, and then select another role.
|
||||
1. Click **Update**.
|
@ -0,0 +1,24 @@
|
||||
+++
|
||||
title = "Force a user to logout from Grafana"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/force-user-logout.md"]
|
||||
weight = 90
|
||||
+++
|
||||
|
||||
# Force a user to log out of Grafana
|
||||
|
||||
If you suspect a user account is compromised or is no longer authorized to access the Grafana server, then you can force the user to log out of Grafana.
|
||||
|
||||
The force logout action can apply to one device that is logged in to Grafana, or all devices logged in to Grafana.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
1. Scroll down to the **Sessions** section.
|
||||
1. Perform one of the following actions:
|
||||
- Click **Force logout** next to the session entry that you want logged out of Grafana.
|
||||
- Click **Force logout from all devices**.
|
||||
1. Confirm the logout.
|
@ -0,0 +1,30 @@
|
||||
+++
|
||||
title = "Grant editors administrator permissions"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/grant-editor-admin-permissions.md"]
|
||||
weight = 60
|
||||
+++
|
||||
|
||||
# Grant editors administrator permissions
|
||||
|
||||
By default, the editor organization role does not allow editors to manage dashboard folders, dashboards, and teams, which you can change by modifying a configuration parameter. You can allow them to do so using the `editors_can_admin` configuration option.
|
||||
|
||||
This setting can be used to enable self-organizing teams to administer their own dashboards.
|
||||
|
||||
When `editors_can_admin` is enabled:
|
||||
|
||||
- Users with the Editor role in an organization are Administrators for new dashboards and folders they create, meaning they can edit dashboard permissions. To learn more about dashboard permissions, refer to [Manage dashboard permissions]({{< relref "../manage-dashboard-permissions/_index.md" >}}).
|
||||
- Users with the Editor role in an organization can create teams, and they are Administrators of the teams they create. To learn more about team permissions, refer to [Manage teams]({{< relref "../manage-teams/_index.md" >}})
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure that you have access to the Grafana server
|
||||
|
||||
**To enable editors with administrator permissions**:
|
||||
|
||||
1. Log in to the Grafana server and open the Grafana configuration file.
|
||||
|
||||
For more information about the Grafana configuration file and its location, refer to [Configuration]({{< relref "../../../administration/configuration">}}).
|
||||
|
||||
1. Locate the `editors_can_admin` parameter.
|
||||
1. Set the `editors_can_admin` value to `true`.
|
||||
1. Save your changes and restart the Grafana server.
|
@ -0,0 +1,68 @@
|
||||
+++
|
||||
title = "View and edit a user account"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/view-user-account-details.md"]
|
||||
weight = 110
|
||||
+++
|
||||
|
||||
# View user details
|
||||
|
||||
View user details when you want to see login, and organizations and permissions settings associated with a user.
|
||||
|
||||
## Before you begin:
|
||||
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To view user details**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
|
||||
A user account contains the following sections.
|
||||
|
||||
### User information
|
||||
|
||||
This section contains basic user information, which users can update.
|
||||
|
||||
![Server Admin user information section](/static/img/docs/manage-users/server-admin-user-information-7-3.png)
|
||||
|
||||
### Permissions
|
||||
|
||||
This indicates whether the user account has the Grafana administrator flag applied. If the flag is set to **Yes**, then the user is a Grafana server administrator.
|
||||
|
||||
![Server Admin Permissions section](/static/img/docs/manage-users/server-admin-permissions-7-3.png)
|
||||
|
||||
### Organisations
|
||||
|
||||
This section lists the organizations the user belongs to and their assigned role.
|
||||
|
||||
![Server Admin Organizations section](/static/img/docs/manage-users/server-admin-organisations-7-3.png)
|
||||
|
||||
### Sessions
|
||||
|
||||
This section includes recent user sessions and information about the time the user logged in and they system they used. You can force logouts, if necessary.
|
||||
|
||||
![Server Admin Sessions section](/static/img/docs/manage-users/server-admin-sessions-7-3.png)
|
||||
|
||||
# Edit a user account
|
||||
|
||||
Edit a user account when you want to modify user login credentials, or delete, disable, or enable a user.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To edit a user account**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
1. Click a user.
|
||||
1. Complete any of the following actions, as necessary.
|
||||
|
||||
| Action | Description |
|
||||
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Update name, email, or username | **Is the user notified of these changes?**. Click **Save** after you make a change. |
|
||||
| Change the user's password | The new password must be at least four characters long. Click **Save** after you make a change. |
|
||||
| Delete a user | This action permanently removes the user from the Grafana server. The user can no longer sign in after you make this change. |
|
||||
| Disable user account | This action prevents a user from signing in with this account, but does not delete the account. You might disable an account if a colleague goes on sabbatical. |
|
||||
| Enable a user account | This action enables a user account. |
|
@ -0,0 +1,22 @@
|
||||
+++
|
||||
title = "View a list of users"
|
||||
aliases = ["docs/sources/administration/manage-users-and-permissions/manage-server-users/view-list-users.md"]
|
||||
weight = 100
|
||||
+++
|
||||
|
||||
# View a list of users
|
||||
|
||||
You can see a list of users with accounts on your Grafana server. This action might be useful when you want to know which role you assigned to each user.
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure you have Grafana server administrator privileges
|
||||
|
||||
**To view a list of users**:
|
||||
|
||||
1. Sign in to Grafana as a server administrator.
|
||||
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
|
||||
|
||||
![Server Admin user list](/static/img/docs/manage-users/server-user-list-7-3.png)
|
||||
|
||||
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions.md#organization-roles">}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions.md#grafana-server-administrators">}}) permissions, you can still [view of list of users in a given organization]({{< relref "../../manage-users-and-permissions/manage-org-users/view-list-org-users.md" >}}).
|
@ -0,0 +1,129 @@
|
||||
+++
|
||||
title = "Manage teams"
|
||||
aliases = ["/docs/grafana/latest/manage-users/add-or-remove-user-from-team/","/docs/grafana/latest/manage-users/create-or-remove-team/", "docs/sources/manage-users/manage-teams/index.md", "docs/sources/administration/manage-users-and-permissions/manage-teams/_index.md"]
|
||||
weight = 600
|
||||
+++
|
||||
|
||||
# Manage teams
|
||||
|
||||
A team is a group of users within an organization that have common dashboard and data source permission needs. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. A user can belong to multiple teams.
|
||||
|
||||
A user can be a Member or an Administrator for a given team. Members of a team inherit permissions from the team, but they cannot edit the team itself. Team Administrators can add members to a team and update its settings, such as the team name, team member's team roles, UI preferences, and home dashboard.
|
||||
|
||||
For more information about teams, refer to [Teams and permissions]({{< relref "../about-users-and-permissions/#teams-and-permissions">}}).
|
||||
|
||||
## Create a team
|
||||
|
||||
A team is a group of users within an organization that have common dashboard and data source permission needs. Use teams to help make user-permission management more efficient.
|
||||
|
||||
A user can belong to multiple teams.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have either organization administrator permissions or team administrator permissions
|
||||
- Make a plan for which users belong to which teams and the permissions team members receive
|
||||
|
||||
**To create a team**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator or team administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
|
||||
1. Click **New Team**.
|
||||
1. Complete the fields and click **Create**.
|
||||
1. Click **Add member**.
|
||||
1. In the **Add team member** field, locate and select a user.
|
||||
1. Click **Add to team**.
|
||||
|
||||
## Add a team member
|
||||
|
||||
Add a team member to an existing team whenever you want to provide access to team dashboards and folders to another user.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have organization administrator permissions
|
||||
- [Create a team](#create-a-team).
|
||||
|
||||
**To add a team member**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
|
||||
1. Click the name of the team to which you want to add members, and click **Add member**.
|
||||
1. In the **Add team member** field, locate and select a user.
|
||||
1. Click **Add to team**.
|
||||
|
||||
![Add team member](/static/img/docs/manage-users/add-team-member-7-3.png)
|
||||
|
||||
## Grant team member permissions
|
||||
|
||||
Complete this task when you want to add or modify team member permissions.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have either organization administrator permissions or team administrator permissions
|
||||
|
||||
**To grant team member permissions**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator or a team administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
|
||||
1. Click the name of the team for which you want to add or modify team member permissions.
|
||||
1. In the team member list, find and click the user account that you want to change. You can use the search field to filter the list if necessary.
|
||||
1. Click the **Permission** list, and then click the new user permission level.
|
||||
|
||||
![Change team member permissions](/static/img/docs/manage-users/change-team-permissions-7-3.png)
|
||||
|
||||
## Remove a team member
|
||||
|
||||
You can remove a team member when you no longer want to apply team permissions to the user.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have either organization administrator permissions or team administrator permissions
|
||||
|
||||
**To remove a team member**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator or team administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
|
||||
1. Click a team from which you want to remove a user.
|
||||
1. Click the **X** next to the name of the user.
|
||||
1. Click **Delete**.
|
||||
|
||||
## Delete a team
|
||||
|
||||
Delete a team when you no longer need it. This action permanently deletes the team and removes all team permissions from dashboards and folders.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have organization administrator permissions
|
||||
|
||||
**To delete a team**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
|
||||
1. Click the **X** next to the name of the team.
|
||||
1. Click **Delete**.
|
||||
|
||||
## View a list of teams
|
||||
|
||||
See the complete list of teams in your Grafana organization.
|
||||
|
||||
### Before you begin
|
||||
|
||||
- Ensure that you have either organization administrator permissions or team administrator permissions
|
||||
|
||||
**To view a list of teams**:
|
||||
|
||||
1. Sign in to Grafana as an organization administrator or a team administrator.
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
|
||||
|
||||
The role you use to sign in to Grafana determines how you see team lists.
|
||||
|
||||
**Organization administrator view**
|
||||
|
||||
The following example shows a list as it appears to an organization administrator.
|
||||
|
||||
![Team list](/static/img/docs/manage-users/org-admin-team-list-7-3.png)
|
||||
|
||||
**Team administrator view**
|
||||
|
||||
The following example shows a list as it appears to a team administrator.
|
||||
|
||||
![Team list](/static/img/docs/manage-users/team-admin-team-list-7-3.png)
|
@ -10,9 +10,9 @@ Grafana preferences are basic settings. They control the Grafana UI theme, home
|
||||
|
||||
Preferences are sometimes confusing because they can be set at four different levels, listed from highest level to lowest:
|
||||
|
||||
- **Server -** Affects all users on the Grafana server. Set by a [Grafana Server Admin]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}).
|
||||
- **Organization -** Affects all users in an organization. Set by an [Organization Admin]({{< relref "../../permissions/organization_roles.md#organization-admin-role" >}}).
|
||||
- **Team -** Affects all users assigned to a team. Set by an Organization Admin or Team Admin. To learn more about these roles, refer to [Organization roles]({{< relref "../../permissions/organization_roles.md" >}}).
|
||||
- **Server -** Affects all users on the Grafana server. Set by a [Grafana server admin]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}).
|
||||
- **Organization -** Affects all users in an organization. Set by an [Organization admin]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#organization-roles" >}}).
|
||||
- **Team -** Affects all users assigned to a team. Set by an Organization Admin or Team Admin. To learn more about these roles, refer to [Teams and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#teams-and-permissions" >}}).
|
||||
- **User account -** Affects the individual user. Set by the user on their own account.
|
||||
|
||||
The lowest level always takes precedence. For example, if a user sets their theme to **Light**, then their visualization of Grafana displays the light theme. Nothing at any higher level can override that.
|
||||
|
@ -40,7 +40,7 @@ Users with the Viewer role can enter _any possible query_ in _any_ of the data s
|
||||
|
||||
To address this vulnerability, you can restrict data source query access in the following ways:
|
||||
|
||||
- Create multiple data sources with some restrictions added in data source configuration that restrict access (like database name or credentials). Then use the [Data Source Permissions]({{< relref "../permissions/datasource_permissions.md" >}}) Enterprise feature to restrict user access to the data source in Grafana.
|
||||
- Create multiple data sources with some restrictions added in data source configuration that restrict access (like database name or credentials). Then use the [Data Source Permissions]({{< relref "../enterprise/datasource_permissions.md" >}}) Enterprise feature to restrict user access to the data source in Grafana.
|
||||
- Create a separate Grafana organization, and in that organization, create a separate data source. Make sure the data source has some option/user/credentials setting that limits access to a subset of the data. Not all data sources have an option to limit access.
|
||||
|
||||
## Implications of enabling anonymous access to dashboards
|
||||
|
@ -12,7 +12,7 @@ weight = 300
|
||||
|
||||
If you are a Grafana server administrator, use the Settings tab to view the settings that are applied to your Grafana server via the [Configuration]({{< relref "../configuration.md#config-file-locations" >}}) file and any environmental variables.
|
||||
|
||||
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [Grafana server admin]({{< relref "../../permissions/_index.md" >}}).
|
||||
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
## View server settings
|
||||
|
||||
|
@ -11,7 +11,7 @@ weight = 400
|
||||
|
||||
If you are a Grafana server admin, then you can view useful statistics about your Grafana server in the Stats & Licensing tab.
|
||||
|
||||
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [Grafana server admin]({{< relref "../../permissions/_index.md" >}}).
|
||||
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
## View server stats
|
||||
|
||||
|
@ -115,7 +115,7 @@ role_attribute_path = is_admin && 'Admin' || 'Viewer'
|
||||
|
||||
You can use GitLab OAuth to map roles. During mapping, Grafana checks for the presence of a role using the [JMESPath](http://jmespath.org/examples.html) specified via the `role_attribute_path` configuration option.
|
||||
|
||||
For the path lookup, Grafana uses JSON obtained from querying GitLab's API [`/api/v4/user`](https://docs.gitlab.com/ee/api/users.html#list-current-user-for-normal-users) endpoint. The result of evaluating the `role_attribute_path` JMESPath expression must be a valid Grafana role, for example, `Viewer`, `Editor` or `Admin`. For more information about roles and permissions in Grafana, refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}).
|
||||
For the path lookup, Grafana uses JSON obtained from querying GitLab's API [`/api/v4/user`](https://docs.gitlab.com/ee/api/users.html#list-current-user-for-normal-users) endpoint. The result of evaluating the `role_attribute_path` JMESPath expression must be a valid Grafana role, for example, `Viewer`, `Editor` or `Admin`. For more information about roles and permissions in Grafana, refer to [About users and permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
An example Query could look like the following:
|
||||
|
||||
|
@ -70,7 +70,7 @@ allowed_domains = mycompany.com mycompany.org
|
||||
|
||||
Grafana can attempt to do role mapping through Okta OAuth. In order to achieve this, Grafana checks for the presence of a role using the [JMESPath](http://jmespath.org/examples.html) specified via the `role_attribute_path` configuration option.
|
||||
|
||||
Grafana uses JSON obtained from querying the `/userinfo` endpoint for the path lookup. The result after evaluating the `role_attribute_path` JMESPath expression needs to be a valid Grafana role, i.e. `Viewer`, `Editor` or `Admin`. Refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}) for more information about roles and permissions in Grafana.
|
||||
Grafana uses JSON obtained from querying the `/userinfo` endpoint for the path lookup. The result after evaluating the `role_attribute_path` JMESPath expression needs to be a valid Grafana role, i.e. `Viewer`, `Editor` or `Admin`. Refer to [About users and permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}) for more information about roles and permissions in Grafana.
|
||||
|
||||
Read about how to [add custom claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/) to the user info in Okta. Also, check Generic OAuth page for [JMESPath examples]({{< relref "generic-oauth.md/#jmespath-examples" >}}).
|
||||
|
||||
|
@ -9,7 +9,7 @@ weight = 3
|
||||
|
||||
Folders are a way to organize and group dashboards - very useful if you have a lot of dashboards or multiple teams using the same Grafana instance.
|
||||
|
||||
> **Note:** Only Grafana Admins and Super Admins can create, edit, or delete folders. Refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}) for more information.
|
||||
> **Note:** Only Grafana Admins and Super Admins can create, edit, or delete folders. Refer to [Dashboard permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md#dashboard-permissions" >}}) for more information.
|
||||
|
||||
## How To Create A Folder
|
||||
|
||||
@ -46,5 +46,5 @@ The Dashboard Folder Page is similar to the Manage Dashboards page and is where
|
||||
|
||||
Permissions can be assigned to a folder and inherited by the containing dashboards. An Access Control List (ACL) is used where
|
||||
**Organization Role**, **Team** and Individual **User** can be assigned permissions. Read the
|
||||
[Dashboard and Folder Permissions]({{< relref "../permissions/dashboard-folder-permissions.md" >}}) docs for more detail
|
||||
on the permission system.
|
||||
[Dashboard permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md#dashboard-permissions" >}}) docs for more detail
|
||||
about permissions.
|
||||
|
@ -10,7 +10,7 @@ weight = 100
|
||||
> **Note:** Fine-grained access control is in beta, and you can expect changes in future releases.
|
||||
|
||||
Fine-grained access control provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana resources, such as users and reports.
|
||||
Fine-grained access control works alongside the current [Grafana permissions]({{< relref "../../permissions/_index.md" >}}), and it allows you granular control of users’ actions.
|
||||
Fine-grained access control works alongside the current Grafana permissions, and it allows you granular control of users’ actions. For more information about Grafana permissions, refer to [About users and permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
To learn more about how fine-grained access control works, refer to [Roles]({{< relref "./roles.md" >}}) and [Permissions]({{< relref "./permissions.md" >}}).
|
||||
To use the fine-grained access control system, refer to [Fine-grained access control usage scenarios]({{< relref "./usage-scenarios.md" >}}).
|
||||
@ -28,7 +28,7 @@ Refer to [Assign roles]({{< relref "./roles.md#assign-roles" >}}) to learn about
|
||||
Fine-grained access control is available for the following capabilities:
|
||||
|
||||
- [Use Explore mode]({{< relref "../../explore/_index.md" >}})
|
||||
- [Manage users]({{< relref "../../manage-users/_index.md" >}})
|
||||
- [Manage users]({{< relref "../../administration/manage-users-and-permissions/manage-server-users/_index.md" >}})
|
||||
- [Manage LDAP authentication]({{< relref "../../auth/ldap/_index.md" >}})
|
||||
- [Manage data sources]({{< relref "../../datasources/_index.md" >}})
|
||||
- [Manage data source permissions]({{< relref "../datasource_permissions.md" >}})
|
||||
|
@ -43,9 +43,9 @@ The reference information that follows complements conceptual information about
|
||||
|
||||
## Default built-in role assignments
|
||||
|
||||
| Built-in role | Associated role | Description |
|
||||
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
|
||||
| Admin | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br> | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
|
||||
| Editor | `fixed:datasources:explorer` and <br> `fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
|
||||
| Viewer | `fixed:datasources:id:reader`<br>`fixed:organization:reader` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
|
||||
| Built-in role | Associated role | Description |
|
||||
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer` | Default [Grafana server administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) assignments. |
|
||||
| Admin | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br> | Default [Grafana organization administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments. |
|
||||
| Editor | `fixed:datasources:explorer` and <br> `fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled | Default [Editor]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments. |
|
||||
| Viewer | `fixed:datasources:id:reader`<br>`fixed:organization:reader` | Default [Viewer]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments. |
|
||||
|
@ -7,7 +7,7 @@ weight = 115
|
||||
|
||||
# Manage role assignments
|
||||
|
||||
To grant or revoke access to your users, you can assign [Roles]({{< relref "../roles.md" >}}) to users and teams, or to [Organization roles]({{< relref "../../../permissions/organization_roles.md" >}}) and [Grafana Server Admin]({{< relref "../../../permissions/_index.md#grafana-server-admin-role" >}}) role.
|
||||
To grant or revoke access to your users, you can assign [Roles]({{< relref "../roles.md" >}}) to users and teams, or to [Organization roles]({{< relref "../../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) and the [Grafana Server Admin]({{< relref "../../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) role.
|
||||
|
||||
The following pages provide more information on how to manage role assignments:
|
||||
|
||||
|
@ -7,7 +7,8 @@ weight = 210
|
||||
|
||||
# Built-in role assignments
|
||||
|
||||
To control what your users can access or not, you can assign or unassign [Custom roles]({{< ref "#custom-roles" >}}) or [Fixed roles]({{< ref "#fixed-roles" >}}) to the existing [Organization roles]({{< relref "../../../permissions/organization_roles.md" >}}) or to [Grafana Server Admin]({{< relref "../../../permissions/_index.md#grafana-server-admin-role" >}}) role.
|
||||
To control what your users can access or not, you can assign or unassign [Custom roles]({{< ref "#custom-roles" >}}) or [Fixed roles]({{< ref "#fixed-roles" >}}) to the existing [Organization roles]({{< relref "../../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) or to the [Grafana Server Admin]({{< relref "../../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) role.
|
||||
|
||||
These assignments are called built-in role assignments.
|
||||
|
||||
During startup, Grafana will create default assignments for you. When you make any changes to the built-on role assignments, Grafana will take them into account and won’t overwrite during next start.
|
||||
|
@ -7,7 +7,7 @@ weight = 105
|
||||
|
||||
# Roles
|
||||
|
||||
A role represents set of permissions that allow you to perform specific actions on Grafana resources. Refer to [Permissions]({{< relref "./permissions.md" >}}) to understand how permissions work.
|
||||
A role represents set of permissions that allow you to perform specific actions on Grafana resources. Refer to [About users and permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}) to understand how permissions work.
|
||||
|
||||
There are two types of roles:
|
||||
|
||||
@ -81,7 +81,7 @@ Note that you won't be able to create, update or delete a custom role with permi
|
||||
|
||||
## Assign roles
|
||||
|
||||
[Custom roles]({{< ref "#custom-roles" >}}) and [Fixed roles]({{< ref "#fixed-roles" >}}) can be assigned to users, the existing [Organization roles]({{< relref "../../permissions/organization_roles.md" >}}) and to [Grafana Server Admin]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) role.
|
||||
[Custom roles]({{< ref "#custom-roles" >}}) and [Fixed roles]({{< ref "#fixed-roles" >}}) can be assigned to users, the existing [Organization roles]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) and to the [Grafana Server Admin]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) role.
|
||||
|
||||
Visit [Manage role assignments]({{< relref "manage-role-assignments/_index.md" >}}) page for more details.
|
||||
|
||||
|
@ -1,6 +1,7 @@
|
||||
+++
|
||||
title = "Data source permissions"
|
||||
description = "Grafana Datasource Permissions Guide "
|
||||
description = "Grafana Datasource Permissions Guide"
|
||||
aliases = ["docs/sources/permissions/datasource_permissions.md"]
|
||||
keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams", "enterprise"]
|
||||
weight = 500
|
||||
+++
|
||||
@ -18,7 +19,7 @@ Data source permissions allow you to restrict access for users to query a data s
|
||||
By default, data sources in an organization can be queried by any user in that organization. For example, a user with the `Viewer` role can issue any possible query to a data source, not just
|
||||
queries that exist on dashboards they have access to.
|
||||
|
||||
When permissions are enabled for a data source in an organization, you restrict admin and query access for that data source to [admin users]({{< relref "../permissions/organization_roles/#admin-role" >}}) in that organization.
|
||||
When permissions are enabled for a data source in an organization, you restrict admin and query access for that data source to admin users in that organization.
|
||||
|
||||
**Enable permissions for a data source:**
|
||||
|
||||
|
@ -38,10 +38,10 @@ Your Grafana license includes a maximum number of _Viewer_ and _Editor/Admin_ ac
|
||||
|
||||
You can assign role permissions _globally_ and restrict access to a specific dashboard or set of dashboards.
|
||||
|
||||
**Organization permissions**: When you create a user, you select a role on the user details page. Your selection applies to all Grafana dashboards within the Organization. For example, a user with the viewer role can see all dashboards, but cannot create or edit dashboards. For more information about user roles and permissions, refer to
|
||||
[Organization roles]({{< relref "../../permissions/organization_roles.md" >}}).
|
||||
**Organization permissions**: When you create a user, you select a role on the user details page. Your selection applies to all Grafana dashboards within the Organization. For example, a user with the viewer role can see all dashboards, but cannot create or edit dashboards. For more information about user roles and permissions, refer to [About users and permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
**Dashboard permissions**: You can also assign permissions to dashboards or groups (folders) of dashboards. For example, you might want a viewer to also have editor permissions for a specific dashboard. While that user can see _all_ dashboards, they can only update one of them. For more information about dashboard permissions, refer to [Dashboard and Folder Permissions]({{< relref "../../permissions/dashboard-folder-permissions.md" >}}).
|
||||
**Dashboard permissions**: You can also assign permissions to dashboards or groups (folders) of dashboards. For example, you might want a viewer to also have editor permissions for a specific dashboard. While that user can see _all_ dashboards, they can only update one of them. For more information about dashboard permissions, refer to
|
||||
[Dashboard permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#dashboard-permissions" >}}).
|
||||
|
||||
When you grant editor/admin dashboard permissions to a viewer, the editor/admin active-user count increases by one as shown on the **Utilization** panel of the **Statistics and licensing** page, and the user’s licensed role changes to editor/admin.
|
||||
|
||||
|
@ -47,7 +47,7 @@ To tell if a data source works with query caching, follow the instructions below
|
||||
|
||||
## Enable and configure query caching
|
||||
|
||||
You must be an Org admin or Grafana admin to enable query caching for a data source. For more information on Grafana roles and permissions, visit the [Permissions page]({{< relref "../permissions/_index.md" >}}).
|
||||
You must be an Org admin or Grafana admin to enable query caching for a data source. For more information on Grafana roles and permissions, refer to [About users and permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
By default, data source queries are not cached. To enable query caching for a single data source:
|
||||
|
||||
|
@ -152,7 +152,7 @@ To use SAML Team sync, set [`assertion_attribute_groups`]({{< relref "./enterpri
|
||||
|
||||
> Only available in Grafana v7.0+
|
||||
|
||||
Role sync allows you to map user roles from an identity provider to Grafana. To enable role sync, configure role attribute and possible values for the [Editor]({{< relref "../permissions/organization_roles.md#editor-role" >}}), [Admin]({{< relref "../permissions/organization_roles.md#admin-role" >}}) and [Grafana Admin]({{< relref "../permissions/_index.md#grafana-admin" >}}) roles.
|
||||
Role sync allows you to map user roles from an identity provider to Grafana. To enable role sync, configure role attribute and possible values for the Editor, Admin, and Grafana Admin roles. For more information about user roles, refer to [About users and permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
1. In the configuration file, set [`assertion_attribute_role`]({{< relref "./enterprise-configuration.md#assertion-attribute-role" >}}) option to the attribute name where the role information will be extracted from.
|
||||
1. Set the [`role_values_editor`]({{< relref "./enterprise-configuration.md#role-values-editor" >}}) option to the values mapped to the `Editor` role.
|
||||
@ -161,7 +161,7 @@ Role sync allows you to map user roles from an identity provider to Grafana. To
|
||||
|
||||
If a user role doesn't match any of configured values, then the `Viewer` role will be assigned.
|
||||
|
||||
Refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}) for more information about roles and permissions in Grafana.
|
||||
Refer to [About users and permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}) for more information about roles and permissions in Grafana.
|
||||
|
||||
Example configuration:
|
||||
|
||||
|
@ -22,7 +22,7 @@ If you just want to explore your data and do not want to create a dashboard, the
|
||||
|
||||
> Refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise to understand how you can manage Explore with fine-grained permissions.
|
||||
|
||||
In order to access Explore, you must have an editor or an administrator role, unless the [viewers_can_edit option]({{< relref "../administration/configuration/#viewers_can_edit" >}}) is enabled. Refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}) for more information on what each role has access to.
|
||||
In order to access Explore, you must have an editor or an administrator role, unless the [viewers_can_edit option]({{< relref "../administration/configuration/#viewers_can_edit" >}}) is enabled. Refer to [About users and permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}) for more information on what each role has access to.
|
||||
|
||||
To access Explore:
|
||||
|
||||
|
@ -55,6 +55,6 @@ The following topics are of interest to Grafana server admin users:
|
||||
|
||||
- [Grafana configuration]({{< relref "../administration/configuration.md" >}})
|
||||
- [Authentication]({{< relref "../auth/overview.md" >}})
|
||||
- [User permissions and roles]({{< relref "../permissions/_index.md" >}})
|
||||
- [User permissions and roles]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md" >}})
|
||||
- [Provisioning]({{< relref "../administration/provisioning.md" >}})
|
||||
- [Grafana CLI]({{< relref "../administration/cli.md" >}})
|
||||
|
@ -58,4 +58,4 @@ For example, if you're spinning up a new Kubernetes cluster, you can also spin u
|
||||
|
||||
## Permissions
|
||||
|
||||
When organizations have one Grafana and multiple teams, they often want the ability to both keep things separate and share dashboards. You can create a team of users and then set [permissions]({{< relref "../permissions/_index.md" >}}) on folders, dashboards, and down to the [data source level]({{< relref "../enterprise/datasource_permissions.md" >}}) if you're using [Grafana Enterprise]({{< relref "../enterprise/_index.md" >}}).
|
||||
When organizations have one Grafana and multiple teams, they often want the ability to both keep things separate and share dashboards. You can create a team of users and then set permissions on [folders and dashboards]({{< relref "../administration/manage-users-and-permissions/manage-dashboard-permissions/_index.md" >}}), and down to the [data source level]({{< relref "../enterprise/datasource_permissions.md" >}}) if you're using [Grafana Enterprise]({{< relref "../enterprise/_index.md" >}}).
|
||||
|
@ -1,60 +0,0 @@
|
||||
+++
|
||||
title = "Manage users"
|
||||
weight = 50
|
||||
+++
|
||||
|
||||
# Manage users
|
||||
|
||||
Grafana offers several options for grouping users. Each level has different tools for managing user accounts and different tasks that they can perform.
|
||||
|
||||
One of the most important user management tasks is assigning roles, which govern what [permissions]({{< relref "../permissions/_index.md" >}}) a user has. The correct permissions ensure that users have access to only the resources they need.
|
||||
|
||||
> Refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise to understand how you can manage users with fine-grained permissions.
|
||||
|
||||
## Server
|
||||
|
||||
The highest and broadest level of user group in Grafana is the server. Every user with an account in a Grafana instance is a member of the server group.
|
||||
|
||||
Grafana Server Admins are user accounts that have the Grafana Admin option set to **Yes**. They can manage individual user accounts and organizations on their server.
|
||||
|
||||
Server Admins can:
|
||||
|
||||
- [Manage users]({{< relref "server-admin/server-admin-manage-users.md" >}})
|
||||
- [Manage organizations]({{< relref "server-admin/server-admin-manage-orgs.md" >}})
|
||||
|
||||
## Organization
|
||||
|
||||
Organizations are groups of users on a server. Users can belong to one or more organizations, but each user must belong to at least one organization.
|
||||
|
||||
Data sources, plugins, and dashboards are associated with organizations. This means that you can have a server with two organizations, one with a Prometheus data source and another with an InfluxDB data source. Each organization has separate data and dashboards.
|
||||
|
||||
Members of organizations have permissions based on their _role_ in the organization. For more information, refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}).
|
||||
|
||||
Organization Admins are user accounts that are assigned the Admin role for an organization. They can manage their users and teams in their organization.
|
||||
|
||||
Organization Admins can:
|
||||
|
||||
- [Manage users]({{< relref "org-admin/_index.md" >}})
|
||||
- [Manage teams]({{< relref "manage-teams/index.md" >}})
|
||||
|
||||
## Teams
|
||||
|
||||
Teams are groups of users within the same organization. Teams allow you to grant permissions for a group of users. They are most often used to manage [permissions for folders and dashboards]({{< relref "../permissions/dashboard-folder-permissions.md" >}}). Enterprise users can use them to apply [data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}).
|
||||
|
||||
Teams are mostly managed by Organization Admins. However, if the Grafana server setting [editors_can_admin]({{< relref "../administration/configuration.md#editors_can_admin" >}}) is applied, then users who are assigned the Team Admin role can also manage teams in their organization and users assigned to their teams.
|
||||
|
||||
Team Admins can [Manage teams]({{< relref "manage-teams/index.md" >}}).
|
||||
|
||||
## Users
|
||||
|
||||
Users are named accounts in Grafana with granted permissions to access resources throughout Grafana. All users can manage their own accounts to a limited extent.
|
||||
|
||||
Users can:
|
||||
|
||||
- [View and edit user profile]({{< relref "user-admin/user-profile.md" >}})
|
||||
- [Change password]({{< relref "user-admin/change-your-password.md" >}})
|
||||
- [Switch organizations]({{< relref "user-admin/switch-org.md" >}})
|
||||
|
||||
## Learn more
|
||||
|
||||
Set up users and teams in our tutorial on how to [Create users and teams](https://grafana.com/tutorials/create-users-and-teams).
|
@ -1,95 +0,0 @@
|
||||
+++
|
||||
title = "Manage teams"
|
||||
aliases =["/docs/grafana/latest/manage-users/add-or-remove-user-from-team/","/docs/grafana/latest/manage-users/create-or-remove-team/"]
|
||||
weight = 300
|
||||
+++
|
||||
|
||||
# Manage teams
|
||||
|
||||
A _team_ is a group of users assigned to an organization on a Grafana server. Each user can belong to more than one organization and more than one team. Teams are generally managed by Organization Admins, but they can also be managed by Editors if the [editors_can_admin]({{< relref "../../administration/configuration.md#editors_can_admin" >}}) server setting is set to `true`. For more information, refer to [Organization roles]({{< relref "../../permissions/organization_roles.md" >}}).
|
||||
|
||||
Teams members are assigned one of two permissions:
|
||||
|
||||
- Member - Required to be a member of the team.
|
||||
- Admin - A member of the team that can also manage team membership, change team permissions, change team settings, and add or delete the team.
|
||||
|
||||
> **Note:** You must have Organization Admin or Team Admin permissions, or Editor permissions with [editors_can_admin]({{< relref "../../administration/configuration.md#editors_can_admin" >}}) selected, in order to perform the tasks described in this page. Team Admins can only perform tasks that apply to their specific team.
|
||||
|
||||
## View team list
|
||||
|
||||
See the complete list of teams in your Grafana organization.
|
||||
|
||||
{{< docs/shared "manage-users/view-team-list.md" >}}
|
||||
|
||||
### Org Admin view
|
||||
|
||||
![Team list](/static/img/docs/manage-users/org-admin-team-list-7-3.png)
|
||||
|
||||
### Team Admin view
|
||||
|
||||
![Team list](/static/img/docs/manage-users/team-admin-team-list-7-3.png)
|
||||
|
||||
## Create a team
|
||||
|
||||
Add a team to your Grafana organization.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-team-list.md" >}}
|
||||
|
||||
1. Click **New Team**.
|
||||
1. Enter team information:
|
||||
- **Name -** Enter the name of the new team.
|
||||
- **Email -** (Optional) Enter the team email.
|
||||
1. Click **Create**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## Add a team member
|
||||
|
||||
Add an existing user account to a team.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-team-list.md" >}}
|
||||
|
||||
1. Click the name of the team that you want to add users to.
|
||||
1. Click **Add member**.
|
||||
1. In the **Add team member** list, click the user account that you want to add to the team. You can also type in the field to filter the list.
|
||||
1. Click **Add to team**.
|
||||
1. Repeat the process to add more team members.
|
||||
{{< /docs/list >}}
|
||||
|
||||
![Add team member](/static/img/docs/manage-users/add-team-member-7-3.png)
|
||||
|
||||
## Remove a team member
|
||||
|
||||
Remove a user account from the team.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-team-list.md" >}}
|
||||
|
||||
1. Click the name of the team that you want to remove users from.
|
||||
1. Click the red **X** next to the name of the user that you want to remove from the team and then click **Delete**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## Set team member permissions
|
||||
|
||||
Change team member permission levels.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-team-list.md" >}}
|
||||
|
||||
1. Click the name of the team in which you want to change user permissions.
|
||||
1. In the team member list, find and click the user account that you want to change. You can use the search field to filter the list if necessary.
|
||||
1. Click the **Permission** list, and then click the new user permission level.
|
||||
{{< /docs/list >}}
|
||||
|
||||
![Change team member permissions](/static/img/docs/manage-users/change-team-permissions-7-3.png)
|
||||
|
||||
## Delete a team
|
||||
|
||||
Permanently delete the team and all special permissions assigned to it.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-team-list.md" >}}
|
||||
|
||||
1. Click the red **X** next to the team that you want to delete and then click **Delete**.
|
||||
{{< /docs/list >}}
|
@ -1,95 +0,0 @@
|
||||
+++
|
||||
title = "Org admin tasks"
|
||||
weight = 200
|
||||
+++
|
||||
|
||||
# Manage users as an Org Admin
|
||||
|
||||
An _organization_ is a group of users on a Grafana server. Each user can belong to more than one organization. Every member of the organization has a _role_ in that organization that grants them a certain level of permissions. For more information, refer to [Organization roles]({{< relref "../../permissions/organization_roles.md" >}}).
|
||||
|
||||
Organization Admins, also called Org Admins, can manage users in their organization. Some of their tasks overlap with the [Server Admin tasks]({{< relref "../server-admin/_index.md" >}}).
|
||||
|
||||
> **Note:** You must have Admin permissions in an organization in order to perform the tasks described in this page.
|
||||
|
||||
## View organization user account list
|
||||
|
||||
See a complete list of users with accounts in your Grafana organization. If necessary, you can use the search field to filter the list.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
|
||||
1. Click **Users**.
|
||||
|
||||
Grafana displays all user accounts on the server, listed in alphabetical order by user name. The following information is displayed:
|
||||
|
||||
- **Login -** The value in the **Username** field of the account.
|
||||
- **Email -** The email associated with the user account.
|
||||
- **Name -** The value in the **Name** field of the account.
|
||||
- **Seen -** How long ago the user logged in. If they have never logged in, then the default longest time (10y) is displayed.
|
||||
- **Role -** The organization role currently assigned to the user.
|
||||
|
||||
![Org Admin user list](/static/img/docs/manage-users/org-user-list-7-3.png)
|
||||
|
||||
## Manage organization invitations
|
||||
|
||||
Organization Admins can invite users to their Grafana organizations and manage invitations. When an invited user signs in to Grafana, a user account is created for them if one does not already exist.
|
||||
|
||||
### Invite user to organization
|
||||
|
||||
Invite or add an existing user account to your organization.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
|
||||
1. Click **Users**.
|
||||
1. Click **Invite**.
|
||||
1. Enter the following information:
|
||||
- **Email or Username -** Either the email or username that the user will use to sign in to Grafana.
|
||||
- **Name -** (Optional) The value in the **Name** field of the account.
|
||||
- **Role -** Click the organization role to assign this user. For more information, refer to [Organization roles]({{< relref "../../permissions/organization_roles.md" >}}).
|
||||
- **Send invite email**
|
||||
- **Yes -** If your organization has SMTP set up, then Grafana sends an email to the user inviting them to log in to Grafana and join your organization.
|
||||
- **No -** The user is not sent an invitation, but they can sign in to the Grafana server with the email or username that you entered.
|
||||
1. Click **Submit**.
|
||||
|
||||
![Invite User](/static/img/docs/manage-users/org-invite-user-7-3.png)
|
||||
|
||||
### View pending invitations
|
||||
|
||||
Review invitations of users that were invited but have not signed in.
|
||||
|
||||
![Pending Invites button](/static/img/docs/manage-users/pending-invites-button-7-3.png)
|
||||
|
||||
> **Note:** The button is only visible if there are unanswered invitations.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
|
||||
1. Click **Users**.
|
||||
1. Click **Pending Invites**.
|
||||
|
||||
Grafana displays a list of pending invitations. If necessary, you can use the search field to filter the list.
|
||||
|
||||
![Pending Invites list](/static/img/docs/manage-users/pending-invites-list-7-3.png)
|
||||
|
||||
### Cancel invitation
|
||||
|
||||
Revoke the invitation of a user that was invited but has not logged in.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
|
||||
1. Click **Users**.
|
||||
1. Click **Pending Invites**.
|
||||
1. Click the red **X** next to the invitation that you want to cancel.
|
||||
|
||||
## Change organization role
|
||||
|
||||
Every user account is assigned an [Organization role]({{< relref "../../permissions/organization_roles.md" >}}). Organization admins can change the role assigned to a user in their organization.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
|
||||
1. Click **Users**.
|
||||
1. Find the user account for which you want to change the role. Use the search field to filter the list if necessary.
|
||||
1. Click the **Role** list in the user account that you want to change. Grafana displays the list of available roles.
|
||||
1. Click the role that you want to assign.
|
||||
|
||||
## Remove user from organization
|
||||
|
||||
Remove a user account from your organization. This prevents them from accessing the dashboards and data sources associated with the organization, but it does not remove the user account from the server.
|
||||
|
||||
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
|
||||
1. Click **Users**.
|
||||
1. Find the user account that you want to delete. Use the search field to filter the list if necessary.
|
||||
1. Click the red **X** next to remove the user from your organization.
|
@ -9,6 +9,6 @@ Grafana Server Admins use the **Server Admin** menu to manage user accounts and
|
||||
|
||||
They perform tasks described in the following pages:
|
||||
|
||||
- [Manage users as a Server Admin]({{< relref "server-admin-manage-users.md" >}}) - Describes user management tasks that Grafana Server Admins can perform.
|
||||
- [Manage users as a Server Admin]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}) - Describes user management tasks that Grafana Server Admins can perform.
|
||||
- [Manage organizations as a Server Admin]({{< relref "server-admin-manage-orgs.md" >}}) - Describes organization management tasks that Grafana Server Admins can perform.
|
||||
- [User API]({{< relref "../../http_api/user.md" >}}) - Manage users or change passwords programmatically.
|
||||
|
@ -7,7 +7,8 @@ weight = 200
|
||||
|
||||
This topic explains organization management tasks performed by Grafana Server Admins.
|
||||
|
||||
In order to perform any of these tasks, you must be logged in to Grafana on an account with Grafana Server Admin permissions. For more information about Grafana Admin permissions, refer to [Grafana Server Admin role]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}})
|
||||
In order to perform any of these tasks, you must be logged in to Grafana on an account with Grafana Server Admin permissions. For more information about Grafana Admin permissions, refer to [Grafana Server Admin role]
|
||||
({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
||||
> **Note:** The Grafana Server Admin role does not exist in Grafana Cloud. Grafana Cloud users cannot perform tasks listed in this section.
|
||||
|
||||
|
@ -1,240 +0,0 @@
|
||||
+++
|
||||
title = "Manage users"
|
||||
weight = 100
|
||||
aliases =["/docs/grafana/latest/manage-users/add-or-remove-user/","/docs/grafana/latest/manage-users/enable-or-disable-user/"]
|
||||
+++
|
||||
|
||||
# Manage users as a Server Admin
|
||||
|
||||
This topic explains user management tasks performed by Grafana Server Admins.
|
||||
|
||||
In order to perform any of these tasks, you must be logged in to Grafana on an account with Grafana Server Admin permissions. For more information about Grafana Admin permissions, refer to [Grafana Server Admin role]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}).
|
||||
|
||||
> **Note:** The Grafana Server Admin role does not exist in Grafana Cloud. Grafana Cloud users cannot perform tasks listed in this section.
|
||||
|
||||
## View the server user account list
|
||||
|
||||
See a complete list of users with accounts on your Grafana server.
|
||||
|
||||
{{< docs/shared "manage-users/view-server-user-list.md" >}}
|
||||
|
||||
Grafana displays all user accounts on the server, listed in alphabetical order by user name. The following information is displayed:
|
||||
|
||||
- **Login -** The value in the **Username** field of the account.
|
||||
- **Email -** The email associated with the user account.
|
||||
- **Name -** The value in the **Name** field of the account.
|
||||
- **Seen -** How long ago the user logged in. If they have never logged in, then the default longest time (10y) is displayed.
|
||||
- **Server Admin status -** If the user account has **Grafana Admin** option set, then a shield icon is displayed.
|
||||
- **Account status -** If the account is disabled, then the **Disabled** label is displayed.
|
||||
|
||||
![Server Admin user list](/static/img/docs/manage-users/server-user-list-7-3.png)
|
||||
|
||||
## View user account details
|
||||
|
||||
See all details associated with a specific user account.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list.md" >}}
|
||||
|
||||
1. Click the user account you wish to view. If necessary, use the search field at the top of the tab to search for the specific user account that you need.
|
||||
{{< /docs/list >}}
|
||||
|
||||
Each user account contains the following sections.
|
||||
|
||||
### User information
|
||||
|
||||
This section of the account contains basic user information. Users can change values in these fields on their own account.
|
||||
|
||||
- **Name**
|
||||
- **Email**
|
||||
- **Username**
|
||||
- **Password**
|
||||
|
||||
![Server Admin user information section](/static/img/docs/manage-users/server-admin-user-information-7-3.png)
|
||||
|
||||
### Permissions
|
||||
|
||||
This indicates whether the user account has the Grafana Admin flag applied or not. If it is **Yes**, then the user is a Grafana Server Admin.
|
||||
|
||||
![Server Admin Permissions section](/static/img/docs/manage-users/server-admin-permissions-7-3.png)
|
||||
|
||||
### Organisations
|
||||
|
||||
This section lists the organizations the user account belongs to and the roles they hold within each organization.
|
||||
|
||||
![Server Admin Organizations section](/static/img/docs/manage-users/server-admin-organisations-7-3.png)
|
||||
|
||||
### Sessions
|
||||
|
||||
See recent sessions that the user was logged on, including when they logged on and information about the system the logged on with. You can force logouts if necessary.
|
||||
|
||||
![Server Admin Sessions section](/static/img/docs/manage-users/server-admin-sessions-7-3.png)
|
||||
|
||||
## Add a user account
|
||||
|
||||
Create a new user account at the server level.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list.md" >}}
|
||||
|
||||
1. Click **New user**.
|
||||
1. Enter the following information:
|
||||
|
||||
- **Name -** Required.
|
||||
- **E-mail -** Optional if a **Username** is entered.
|
||||
- **Username -** Optional if an **E-mail** is entered.
|
||||
- **Password -** Required.
|
||||
|
||||
1. Click **Create user**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
The user can change all this information after they log in. For instructions, refer to [Grafana user account profile]({{< relref "../user-admin/user-profile.md" >}}) and [Change your password]({{< relref "../user-admin/change-your-password.md" >}}).
|
||||
|
||||
## Edit a user account
|
||||
|
||||
Change information or settings in an individual user account.
|
||||
|
||||
### Edit user information
|
||||
|
||||
Edit information on an existing user account, including the user name, email, username, and password.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. In the User information section, click **Edit** next to the field that you want to change.
|
||||
1. Enter the new value and then click **Save**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
### Change the password on a user account
|
||||
|
||||
Users can change their own passwords, but Server Admins can change user passwords as well.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. In the User information section, click **Edit** next to the **Password** field.
|
||||
1. Enter the new value and then click **Save**. Grafana requires a value at least four characters long in this field.
|
||||
{{< /docs/list >}}
|
||||
|
||||
### Delete a user account
|
||||
|
||||
Permanently remove a user account from the server.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. Click **Delete User**.
|
||||
1. Click **Delete user** to confirm the action.
|
||||
{{< /docs/list >}}
|
||||
|
||||
### Enable or disable a user account
|
||||
|
||||
Temporarily turn on or off account access, but do not remove the account from the server.
|
||||
|
||||
#### Disable user account
|
||||
|
||||
Prevent a user from logging in with this account, but do not delete the account. You might disable an account if a colleague goes on sabbatical.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. Click **Disable User**.
|
||||
1. Click **Disable user** to confirm the action.
|
||||
{{< /docs/list >}}
|
||||
|
||||
#### Enable a user account
|
||||
|
||||
Reactivate a disabled user account.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. Click **Enable User**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## Add/remove Grafana Admin flag
|
||||
|
||||
Give or remove the Grafana Server Admin role from a user account.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. In the Permissions section, click **Change**.
|
||||
1. Click **Yes** or **No**, depending on whether or not you want this user account to have the Grafana Server Admin role.
|
||||
1. Click **Change**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
The next time this user logs in, their permissions will be updated.
|
||||
|
||||
## Add a user to an organization
|
||||
|
||||
Add a user account to an existing organization. User accounts can belong to multiple organizations, but each user account must belong to at least one organization.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. In the Organisations section, click **Add user to organisation**.
|
||||
1. In the **Add to an organization** window, select the **Organisation** that you are adding the user to.
|
||||
1. Select the **Role** that the user should have in the organization.
|
||||
1. Click **Add to organisation**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## Remove a user from an organization
|
||||
|
||||
Remove a user account from an organization that it is currently assigned to.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. In the Organisations section, click **Remove from organisation** next to the organization that you want to remove the user from.
|
||||
1. Click **Confirm removal**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## Change organization role
|
||||
|
||||
Change the organization role assigned to a user account.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. In the Organisations section, click **Change role** next to the organization that you want to change the user role for.
|
||||
1. Select the new role and then click **Save**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## View and manage user sessions
|
||||
|
||||
See when a user last logged in and information about how they logged in. You can also force the account to log out of Grafana.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. Scroll down to the Sessions section to view sessions associated with this user account.
|
||||
{{< /docs/list >}}
|
||||
|
||||
## Force a user to log out of Grafana
|
||||
|
||||
If you suspect a user account is compromised or is no longer authorized to access the Grafana server, then you can force logout the account.
|
||||
|
||||
### Force logout of one device
|
||||
|
||||
Log the user account out of one specific device that is logged in to Grafana.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. Scroll down to the Sessions section.
|
||||
1. Click **Force logout** next to the session entry that you want logged out of Grafana.
|
||||
1. Click **Confirm logout**.
|
||||
{{< /docs/list >}}
|
||||
|
||||
### Force logout of all devices
|
||||
|
||||
Log the user account out of all devices that are logged in to Grafana.
|
||||
|
||||
{{< docs/list >}}
|
||||
{{< docs/shared "manage-users/view-server-user-list-search.md" >}}
|
||||
|
||||
1. Scroll down to the Sessions section.
|
||||
1. Click **Force logout from all devices**.
|
||||
1. Click **Force logout**.
|
||||
{{< /docs/list >}}
|
@ -26,7 +26,7 @@ Every user is a member of at least one organization. You can have different role
|
||||
1. Navigate to the Preferences tab. Hover your cursor over your user icon in the lower left corner of the screen, and then click **Preferences.**
|
||||
1. Scroll down to the Organizations section.
|
||||
- **Name -** The name of the organizations you are a member of in that Grafana instance.
|
||||
- **Role -** The role you are assigned in the organization. Refer to [Organization roles]({{< relref "../../permissions/organization_roles.md" >}}) about permissions assigned to each role.
|
||||
- **Role -** The role you are assigned in the organization. Refer to [Organization users and permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) for more information about permissions assigned to each role.
|
||||
- **Current -** Grafana tags the organization that you are currently signed in to as _Current_. If you are part of multiple organizations, then you can click **Select** to switch to that organization.
|
||||
|
||||
## View your Grafana sessions
|
||||
|
@ -10,7 +10,7 @@ Panels allow you to show your data in visual form. Each panel needs at least one
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Ensure that you have the proper [organization role]({{< relref "../../permissions/organization_roles.md" >}}) or [permissions]({{< relref "../../permissions/_index.md" >}}).
|
||||
- Ensure that you have the proper permissions. For more information about permissions, refer to [About users and permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
- Identify the dashboard to which you want to add the panel.
|
||||
- Understand the query language of the target data source.
|
||||
- Ensure that data source for which you are writing a query has been added. For more information about adding a data source, refer to [Add a data source]({{< relref "../../datasources/add-a-data-source.md" >}}) if you need instructions.
|
||||
|
@ -1,57 +0,0 @@
|
||||
+++
|
||||
title = "Permissions"
|
||||
description = "Permissions"
|
||||
keywords = ["grafana", "configuration", "documentation", "admin", "users", "datasources", "permissions"]
|
||||
aliases = ["/docs/grafana/latest/permissions/overview/"]
|
||||
weight = 50
|
||||
+++
|
||||
|
||||
# Permissions
|
||||
|
||||
> Refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise for managing access with fine-grained permissions.
|
||||
|
||||
What you can do in Grafana is defined by the _permissions_ associated with your user account.
|
||||
|
||||
There are three types of permissions:
|
||||
|
||||
- Permissions granted as a Grafana Server Admin
|
||||
- Permissions associated with your role in an organization
|
||||
- Permissions granted to a specific folder or dashboard
|
||||
|
||||
You can be granted permissions based on:
|
||||
|
||||
- Grafana Server Admin status.
|
||||
- Organization role (Admin, Editor, or Viewer).
|
||||
- Folder or dashboard permissions assigned to your team (Admin, Editor, or Viewer).
|
||||
- Folder or dashboard permissions assigned to your user account (Admin, Editor, or Viewer).
|
||||
- (Grafana Enterprise) Data source permissions. For more information, refer to [Data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).
|
||||
- (Grafana Cloud) Grafana Cloud has additional roles. For more information, refer to [Grafana Cloud roles and permissions](/docs/grafana-cloud/cloud-portal/cloud-roles/).
|
||||
|
||||
If you are running Grafana Enterprise, you can grant access by using fine-grained roles and permissions, refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) for more information.
|
||||
|
||||
## Grafana Server Admin role
|
||||
|
||||
Grafana server administrators have the **Grafana Admin** flag enabled on their account. They can access the **Server Admin** menu and perform the following tasks:
|
||||
|
||||
- Manage users and permissions.
|
||||
- Create, edit, and delete organizations.
|
||||
- View server-wide settings that are set in the [Configuration]({{< relref "../administration/configuration.md" >}}) file.
|
||||
- View Grafana server stats, including total users and active sessions.
|
||||
- Upgrade the server to Grafana Enterprise.
|
||||
|
||||
> **Note:** This role does not exist in Grafana Cloud.
|
||||
|
||||
## Organization roles
|
||||
|
||||
Users can belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do in that organization. For more information, refer to [Organization roles]({{< relref "../permissions/organization_roles.md" >}}).
|
||||
|
||||
## Dashboard and folder permissions
|
||||
|
||||
Dashboard and folder permissions allow you to remove the default role based permissions for Editors and Viewers and assign permissions to specific users and teams. Learn more about [Dashboard and folder permissions]({{< relref "dashboard-folder-permissions.md" >}}).
|
||||
|
||||
## Data source permissions
|
||||
|
||||
Per default, a data source in an organization can be queried by any user in that organization. For example a user with `Viewer` role can still
|
||||
issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
|
||||
|
||||
Data source permissions allows you to change the default permissions for data sources and restrict query permissions to specific **Users** and **Teams**. For more information, refer to [Data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).
|
@ -1,46 +0,0 @@
|
||||
+++
|
||||
title = "Dashboard and folder permissions"
|
||||
description = "Grafana Dashboard and Folder Permissions Guide "
|
||||
keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
|
||||
aliases = ["/docs/grafana/latest/permissions/dashboard_folder_permissions/"]
|
||||
weight = 200
|
||||
+++
|
||||
|
||||
# Grant dashboard and folder permissions
|
||||
|
||||
You can assign and remove permissions for organization roles, users, and teams for specific dashboards and dashboard folders. This topic explains how to grant permissions to specific folders and dashboards. To learn more about denying access to certain Grafana users, refer to [Restricting access]({{< relref "restricting-access.md">}}).
|
||||
|
||||
{{< figure src="/static/img/docs/permissions/folder-permissions-7-5.png" class="docs-image--no-shadow" max-width= "750px" caption="older permissions" >}}
|
||||
|
||||
## Permission levels
|
||||
|
||||
There are three permission levels for files and folders. Each of the permissions is processed independently. They permissions are separate from [organization roles]({{< relref "organization_roles.md">}}).
|
||||
|
||||
- **Admin -** Can create, edit, or delete dashboards. Can create, edit, and delete folders. Can also change dashboard and folder permissions.
|
||||
- **Edit -** Can create and edit dashboards. _Cannot_ change folder or dashboard permissions, or add, edit, or delete folders.
|
||||
- **View -** Can only view existing dashboards and folders.
|
||||
|
||||
## Grant folder permissions
|
||||
|
||||
Folder permissions apply to the folder and all dashboards contained within it.
|
||||
|
||||
1. In the sidebar, hover your mouse over the **Dashboards** (squares) icon and then click **Manage**.
|
||||
1. Hover your mouse cursor over a folder and then click **Go to folder**.
|
||||
1. Go to the **Permissions** tab, and then click **Add Permission**.
|
||||
1. In **Add Permission For**, select **User**, **Team**, or one of the role options.
|
||||
1. In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
|
||||
1. In the third box, select the permission you want to add.
|
||||
1. Click **Save**.
|
||||
|
||||
## Grant dashboard permissions
|
||||
|
||||
1. In the top right corner of your dashboard, click the cog icon to go to **Dashboard settings**.
|
||||
1. Go to the **Permissions** tab, and then click **Add Permission**.
|
||||
1. In **Add Permission For**, select **User**, **Team**, or one of the role options.
|
||||
1. In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
|
||||
1. In the third box, select the permission you want to add.
|
||||
1. Click **Save**.
|
||||
|
||||
## Edit permissions
|
||||
|
||||
To change existing permissions, navigate to the permissions page as described above. Instead of clicking **Add permission**, change or delete permissions already assigned. Changes take effect immediately.
|
@ -1,12 +0,0 @@
|
||||
+++
|
||||
title = "Data source permissions"
|
||||
description = "Grafana Datasource Permissions Guide "
|
||||
keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams", "enterprise"]
|
||||
weight = 900
|
||||
+++
|
||||
|
||||
# Data source permissions
|
||||
|
||||
Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific users and teams.
|
||||
|
||||
> **Note:** Data source permissions are only available in Grafana Enterprise. For more information, refer to [Data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).
|
@ -1,80 +0,0 @@
|
||||
+++
|
||||
title = "Organization roles"
|
||||
description = "Grafana organization roles guide "
|
||||
keywords = ["grafana", "configuration", "documentation", "organization", "roles", "permissions"]
|
||||
weight = 100
|
||||
+++
|
||||
|
||||
# Organization roles
|
||||
|
||||
> Refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise for managing Organization roles with fine-grained permissions.
|
||||
|
||||
Users can belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do in that organization. Grafana supports multiple _organizations_ in order to support a wide variety of deployment models, including using a single Grafana instance to provide service to multiple potentially untrusted organizations.
|
||||
|
||||
In most cases, Grafana is deployed with a single organization.
|
||||
|
||||
Each organization can have one or more data sources.
|
||||
|
||||
All dashboards are owned by a particular organization.
|
||||
|
||||
> **Note:** Most metric databases do not provide per-user series authentication. This means that organization data sources and dashboards are available to all users in a particular organization.
|
||||
|
||||
## Compare roles
|
||||
|
||||
The table below compares what each role can do. Read the sections below for more detailed explanations.
|
||||
|
||||
| | Admin | Editor | Viewer |
|
||||
| :------------------------------- | :---: | :----: | :----: |
|
||||
| View dashboards | x | x | x |
|
||||
| Add, edit, delete dashboards | x | x | |
|
||||
| Add, edit, delete folders | x | x | |
|
||||
| View playlists | x | x | x |
|
||||
| Create, update, delete playlists | x | x | |
|
||||
| Access Explore | x | x | |
|
||||
| Add, edit, delete data sources | x | | |
|
||||
| Add and edit users | x | | |
|
||||
| Add and edit teams | x | | |
|
||||
| Change organizations settings | x | | |
|
||||
| Change team settings | x | | |
|
||||
| Configure app plugins | x | | |
|
||||
|
||||
If you are running Grafana Enterprise, you can grant and revoke access by using fine-grained roles and permissions, refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) for more information.
|
||||
|
||||
## Organization admin role
|
||||
|
||||
Can do everything scoped to the organization. For example:
|
||||
|
||||
- Can add, edit, and delete data sources.
|
||||
- Can add and edit users and teams in their organization.
|
||||
- Can add, edit, and delete folders containing dashboards for data sources associated with their organization. They can also edit folder permissions.
|
||||
- Can configure app plugins and organization settings.
|
||||
- Can do everything allowed by the Editor role.
|
||||
|
||||
## Editor role
|
||||
|
||||
- Can view, add, and edit dashboards, panels, and alert rules in dashboards they have access to. This can be disabled on specific folders and dashboards.
|
||||
- Can add, edit, and delete folders containing dashboards for data sources associated with their organization. They cannot edit folder permissions.
|
||||
- Can create, update, or delete playlists.
|
||||
- Can access Explore.
|
||||
- Can add, edit, or delete alert notification channels.
|
||||
- Cannot add, edit, or delete data sources.
|
||||
- Cannot manage other organizations, users, and teams.
|
||||
|
||||
This role can be changed with the Grafana server setting [editors_can_admin]({{< relref "../administration/configuration.md#editors_can_admin" >}}). If you set this to `true`, then users with the Editor role can also administrate dashboards, folders, and teams they create. This is especially useful for enabling self-organizing teams to administer their own dashboards.
|
||||
|
||||
## Viewer role
|
||||
|
||||
- Can view any dashboard they have access to. This can be disabled on specific folders and dashboards.
|
||||
- Cannot add, edit, or delete data sources.
|
||||
- Cannot add, edit, or delete dashboards or panels.
|
||||
- Cannot create, update, or delete playlists.
|
||||
- Cannot add, edit, or delete alert notification channels.
|
||||
- Cannot access Explore.
|
||||
- Cannot manage other organizations, users, and teams.
|
||||
|
||||
This role can be changed with the Grafana server setting [viewers_can_edit]({{< relref "../administration/configuration.md#viewers-can-edit" >}}). If you set this to `true`, then users with the Viewer role can:
|
||||
|
||||
- Make transient dashboard edits, meaning they can modify panels and queries but not save the changes or create new dashboards.
|
||||
- Access and use [Explore]({{< relref "../explore/_index.md" >}}).
|
||||
|
||||
This is especially useful for public Grafana installations where you want anonymous users to be able to edit panels and queries but not save or create new dashboards.
|
@ -1,43 +0,0 @@
|
||||
+++
|
||||
title = "Restricting access"
|
||||
weight = 500
|
||||
+++
|
||||
|
||||
# Restricting access
|
||||
|
||||
> Refer to [Fine-grained access Control]({{< relref "../enterprise/access-control/_index.md" >}}) in Grafana Enterprise to understand how to use fine-grained permissions to restrict access.
|
||||
|
||||
The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
|
||||
|
||||
- You cannot override permissions for users with the Organization Admin role. Admins always have access to everything.
|
||||
- A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
|
||||
|
||||
Here are some examples of how Grafana resolves multiple permissions.
|
||||
|
||||
## Example 1 (user1 has the Editor Role)
|
||||
|
||||
Permissions for a dashboard:
|
||||
|
||||
- Everyone with Editor role can edit
|
||||
- user1 can view
|
||||
|
||||
Result: `user1` has Edit permission as the highest permission always wins.
|
||||
|
||||
## Example 2 (user1 has the Viewer Role and is a member of team1)
|
||||
|
||||
Permissions for a dashboard:
|
||||
|
||||
- Everyone with Viewer role can view
|
||||
- user1 Can Edit
|
||||
- team1 Can Admin
|
||||
|
||||
Result: `user1` has Admin permission as the highest permission always wins.
|
||||
|
||||
## Example 3
|
||||
|
||||
Permissions for a dashboard:
|
||||
|
||||
- user1 can admin (inherited from parent folder)
|
||||
- user1 can edit
|
||||
|
||||
Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
|
@ -2,4 +2,4 @@
|
||||
title: Some tasks require permissions
|
||||
---
|
||||
|
||||
Some tasks require certain permissions. For more information about roles, refer to [Permissions]({{< relref "../../permissions/_index.md" >}}).
|
||||
Some tasks require certain permissions. For more information about roles, refer to [About users and permission]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md" >}}).
|
||||
|
@ -186,7 +186,7 @@ These features are included in the Grafana Enterprise edition.
|
||||
|
||||
### Licensing changes
|
||||
|
||||
When determining a user’s role for billing purposes, a user who has the ability to edit and save dashboards is considered an Editor. This includes any user who is an Editor or Admin at the Org level, and who has granted Admin or Edit permissions via [Dashboard and folder permissions]({{< relref "../permissions/dashboard-folder-permissions.md">}}).
|
||||
When determining a user’s role for billing purposes, a user who has the ability to edit and save dashboards is considered an Editor. This includes any user who is an Editor or Admin at the Org level, and who has granted Admin or Edit permissions via [Dashboard permissions]({{< relref "../administration/manage-users-and-permissions/about-users-and-permissions.md#dashboard-permissions" >}}).
|
||||
|
||||
After the number of Viewers or Editors has reached its license limit, only Admins will see a banner in Grafana indicating that the license limit has been reached. Previously, all users saw the banner.
|
||||
|
||||
|
@ -129,7 +129,7 @@ Under the hood, the new theme architecture enables us to bring more sophisticate
|
||||
|
||||
When you inspect a panel, you can now download log results as a text (.txt) file.
|
||||
|
||||
[Download log results]({{< relref "../panels/working-with-panels/download-log-results.md" >}}) was added as a result of this feature.
|
||||
[Download log results]({{< relref "../panels/working-with-panels/download-query-results.md" >}}) was added as a result of this feature.
|
||||
|
||||
### Inspector in Explore
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user