restructure administration/permissions page into a section with sub pages

2025-02-25 18:55:37 -06:00 · 2018-10-30 18:43:54 +01:00
parent a8e2840f15
commit 621525d10f
7 changed files with 232 additions and 118 deletions
--- a/docs/sources/administration/permissions.md
+++ b/docs/sources/administration/permissions.md
@@ -1,116 +0,0 @@
 +++
 title = "Permissions"
 description = "Grafana user permissions"
 keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
 type = "docs"
 aliases = ["/reference/admin"]
 [menu.docs]
 name = "Permissions"
 parent = "admin"
 weight = 3
 +++
 # Permissions
 Grafana users have permissions that are determined by their:
 - **Organization Role** (Admin, Editor, Viewer)
 - Via **Team** memberships where the **Team** has been assigned specific permissions.
 - Via permissions assigned directly to user (on folders or dashboards)
 - The Grafana Admin (i.e. Super Admin) user flag.
 ## Organization Roles
 Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
 in that organization.
 ### Admin Role
 Can do everything scoped to the organization. For example:
 - Add & Edit data sources.
 - Add & Edit organization users & teams.
 - Configure App plugins & set org settings.
 ### Editor Role
 - Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
 - **Cannot** create or edit data sources nor invite new users.
 ### Viewer Role
 - View any dashboard. This can be disabled on specific folders and dashboards.
 - **Cannot** create or edit dashboards nor data sources.
 This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
 with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
 Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
 ## Grafana Admin
 This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
 ### Dashboard & Folder Permissions
 {{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
 For dashboards and dashboard folders there is a **Permissions** page that make it possible to
 remove the default role based permissions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**.
 You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**.
 Permission levels:
 - **Admin**: Can edit & create dashboards and edit permissions.
 - **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
 - **View**: Can only view existing dashboards/folders.
 #### Restricting Access
 The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
 - You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything.
 - A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
 #### How Grafana Resolves Multiple Permissions - Examples
 ##### Example 1 (`user1` has the Editor Role)
 Permissions for a dashboard:
 - `Everyone with Editor Role Can Edit`
 - `user1 Can View`
 Result: `user1` has Edit permission as the highest permission always wins.
 ##### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
 Permissions for a dashboard:
 - `Everyone with Viewer Role Can View`
 - `user1 Can Edit`
 - `team1 Can Admin`
 Result: `user1` has Admin permission as the highest permission always wins.
 ##### Example 3
 Permissions for a dashboard:
 - `user1 Can Admin (inherited from parent folder)`
 - `user1 Can Edit`
 Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
 - **View**: Can only view existing dashboards/folders.
 - You cannot override permissions for users with **Org Admin Role**
 - A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
 ### Data source permissions
 Permissions on dashboards and folders **do not** include permissions on data sources. A user with `Viewer` role
 can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
 We hope to add permissions on data sources in a future release. Until then **do not** view dashboard permissions as a secure
 way to restrict user data access. Dashboard permissions only limits what dashboards & folders a user can view & edit not which
 data sources a user can access nor what queries a user can issue.
--- a/docs/sources/enterprise/index.md
+++ b/docs/sources/enterprise/index.md
@@ -22,9 +22,9 @@ that can only be found in the Enterprise edition.
 With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link).
-### Data source permissions
+### Datasource Permissions
-Assign and restrict query permissions on Data Sources to specific teams or users. [Learn More](link).
+Datasource permissions allows you to restrict access for users to query a datasource. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}).
 ## Try Grafana Enterprise
--- a/docs/sources/permissions/dashboard_folder_permissions.md
+++ b/docs/sources/permissions/dashboard_folder_permissions.md
@@ -0,0 +1,67 @@
 +++
 title = "Dashboard & Folder Permissions"
 description = "Grafana Dashboard & Folder Permissions Guide "
 keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
 type = "docs"
 [menu.docs]
 name = "Dashboard & Folder Permissions"
 identifier = "dashboard-folder-permissions"
 parent = "permissions"
 weight = 3
 +++
 # Dashboard & Folder Permissions
 {{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
 For dashboards and dashboard folders there is a **Permissions** page that make it possible to
 remove the default role based permissions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**.
 You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**.
 Permission levels:
 - **Admin**: Can edit & create dashboards and edit permissions.
 - **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
 - **View**: Can only view existing dashboards/folders.
 ## Restricting Access
 The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
 - You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything.
 - A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
 ### How Grafana Resolves Multiple Permissions - Examples
 #### Example 1 (`user1` has the Editor Role)
 Permissions for a dashboard:
 - `Everyone with Editor Role Can Edit`
 - `user1 Can View`
 Result: `user1` has Edit permission as the highest permission always wins.
 #### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
 Permissions for a dashboard:
 - `Everyone with Viewer Role Can View`
 - `user1 Can Edit`
 - `team1 Can Admin`
 Result: `user1` has Admin permission as the highest permission always wins.
 #### Example 3
 Permissions for a dashboard:
 - `user1 Can Admin (inherited from parent folder)`
 - `user1 Can Edit`
 Result: You cannot override to a lower permission. `user1` has Admin permission as the highest permission always wins.
 - **View**: Can only view existing dashboards/folders.
 - You cannot override permissions for users with **Org Admin Role**
 - A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
--- a/docs/sources/permissions/datasource_permissions.md
+++ b/docs/sources/permissions/datasource_permissions.md
@@ -0,0 +1,71 @@
 +++
 title = "Datasource Permissions"
 description = "Grafana Datasource Permissions Guide "
 keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams"]
 type = "docs"
 [menu.docs]
 name = "Datasource Permissions"
 identifier = "datasource-permissions"
 parent = "permissions"
 weight = 4
 +++
 # Datasource Permissions
 > Datasource Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
 Datasource permissions allows you to restrict access for users to query a datasource. For each datasource there is
 a permission page that makes it possible to enable permissions and add restrict query permissions to specific
 **Users** and **Teams**.
 ## Restricting Access - Enable Permissions
 {{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_enable.gif" >}}
 By default, permissions are disabled for datasources and a datasource in an organization can be queried by any user in
 that organization. For example a user with `Viewer` role can still issue any possible query to a datasource, not just
 those queries that exist on dashboards he/she has access to.
 When permissions are enabled for a datasource in an organization you will restrict admin and query access for that
 datasource to [admin users](/permissions/organization_roles/#admin-role) in that organization.
 **To enable permissions for a datasource:**
 1. Navigate to Configuration / Data Sources.
 2. Select the datasource you want to enable permissions for.
 3. Select the Permissions tab and click on the `Enable` button.
 <div class="clearfix"></div>
 ## Allow users and teams to query a datasource
 {{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_add.gif" >}}
 After you have [enabled permissions](#restricting-access-enable-permissions) for a datasource you can assign query
 permissions to users and teams which will allow access to query the datasource.
 **Assign query permission to users and teams:**
 1. Navigate to Configuration / Data Sources.
 2. Select the datasource you want to assign query permissions for.
 3. Select the Permissions tab.
 4. click on the `Add Permission` button.
 5. Select Team/User and find the team/user you want to allow query access and click on the `Save` button.
 <div class="clearfix"></div>
 ## Restore Default Access - Disable Permissions
 {{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}}
 If you have enabled permissions for a datasource and want to revoke datasource permissions to the default, i.e.
 datasource can be queried by any user in that organization, you can disable permissions with a click of a button.
 Note that all existing permissions created for datasource will be deleted.
 **To disable permissions for a datasource:**
 1. Navigate to Configuration / Data Sources.
 2. Select the datasource you want to disable permissions for.
 3. Select the Permissions tab and click on the `Disable Permissions` button.
 <div class="clearfix"></div>
--- a/docs/sources/permissions/index.md
+++ b/docs/sources/permissions/index.md
@@ -0,0 +1,12 @@
 +++
 title = "Permissions"
 description = "Permissions"
 type = "docs"
 [menu.docs]
 name = "Permissions"
 identifier = "permissions"
 parent = "admin"
 weight = 3
 +++
--- a/docs/sources/permissions/organization_roles.md
+++ b/docs/sources/permissions/organization_roles.md
@@ -0,0 +1,38 @@
 +++
 title = "Organization Roles"
 description = "Grafana Organization Roles Guide "
 keywords = ["grafana", "configuration", "documentation", "organization", "roles", "permissions"]
 type = "docs"
 [menu.docs]
 name = "Organization Roles"
 identifier = "organization-roles"
 parent = "permissions"
 weight = 2
 +++
 # Organization Roles
 Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
 in that organization.
 ## Admin Role
 Can do everything scoped to the organization. For example:
 - Add & Edit data sources.
 - Add & Edit organization users & teams.
 - Configure App plugins & set org settings.
 ## Editor Role
 - Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
 - **Cannot** create or edit data sources nor invite new users.
 ## Viewer Role
 - View any dashboard. This can be disabled on specific folders and dashboards.
 - **Cannot** create or edit dashboards nor data sources.
 This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
 with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
 Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
--- a/docs/sources/permissions/overview.md
+++ b/docs/sources/permissions/overview.md
@@ -0,0 +1,42 @@
 +++
 title = "Overview"
 description = "Overview for permissions"
 keywords = ["grafana", "configuration", "documentation", "admin", "users", "datasources", "permissions"]
 type = "docs"
 aliases = ["/reference/admin", "/administration/permissions/"]
 [menu.docs]
 name = "Overview"
 identifier = "overview-permissions"
 parent = "permissions"
 weight = 1
 +++
 # Permissions Overview
 Grafana users have permissions that are determined by their:
 - **Organization Role** (Admin, Editor, Viewer)
 - Via **Team** memberships where the **Team** has been assigned specific permissions.
 - Via permissions assigned directly to user (on folders, dashboards, datasources)
 - The Grafana Admin (i.e. Super Admin) user flag.
 ## Grafana Admin
 This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
 ## Organization Roles
 Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
 in that organization. Learn more about [Organization Roles]({{< relref "permissions/organization_roles.md" >}}).
 ## Dashboard & Folder Permissions
 Dashboard and folder permissions allows you to remove the default role based permissions for Editors and Viewers and assign permissions to specific **Users** and **Teams**. Learn more about [Dashboard & Folder Permissions]({{< relref "permissions/dashboard_folder_permissions.md" >}}).
 ## Datasource Permissions
 Per default, a datasource in an organization can be queried by any user in that organization. For example a user with `Viewer` role can still
 issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
 Datasource permissions allows you to change the default permissions for datasources and restrict query permissions to specific **Users** and **Teams**. Read more about [Datasource Permissions]({{< relref "permissions/datasource_permissions.md" >}}).