AccessControl: Document new permissions restricting data source access. (#39091)

* Add data sources roles and permissions to docs

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This commit is contained in:
Gabriel MABILLE 2021-09-29 17:45:27 +02:00 committed by GitHub
parent ff009bee9f
commit 6aa006b699
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 246 additions and 76 deletions

View File

@ -11,28 +11,32 @@ The reference information that follows complements conceptual information about
## Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
| `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. |
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
| `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. |
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
| `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. |
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
| `fixed:settings:admin:read` | `settings:read` | Read settings |
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
| `fixed:datasource:editor:read` | `datasources:explore` | Explore datasources |
| Fixed roles | Permissions | Descriptions |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
| `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. |
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
| `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. |
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
| `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. |
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
| `fixed:settings:admin:read` | `settings:read` | Read settings |
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
| `fixed:datasources:editor:read` | `datasources:explore` | Allows to access the **Explore** tab |
| `fixed:datasources:admin` | `datasources:read`<br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Allows to create, read, update, delete data sources. |
| `fixed:datasources:id:viewer` | `datasources:id:read` | Allows to read data source IDs. |
| `fixed:datasources:permissions:admin` | `datasources.permissions:create`<br> `datasources.permissions:read`<br> `datasources.permissions:delete`<br>`datasources.permissions:toggle` | Allows to create, read, delete, enable, or disable data source permissions |
## Default built-in role assignments
| Built-in role | Associated role | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Allow access to the same resources and permissions the [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has by default. |
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read` | Allow access to the same resources and permissions that the [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) has by default. |
| Editor | `fixed:datasource:editor:read` |
| Built-in role | Associated role | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:datasources:admin`<br>`fixed:datasources:permissions:admin` | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Editor | `fixed:datasources:editor:read` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Viewer | `fixed:datasources:id:viewer` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |

View File

@ -23,62 +23,72 @@ scope
The following list contains fine-grained access control actions.
| Action | Applicable scope | Description |
| -------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:list` | `roles:*` | List available roles without permissions. |
| `roles:read` | `roles:*` | Read a specific role with its permissions. |
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
| `reports.admin:create` | `reports:*` | Create reports. |
| `reports.admin:write` | `reports:*` | Update reports. |
| `reports:delete` | `reports:*` | Delete reports. |
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` | Send a report email. |
| `reports.settings:write` | n/a | Update report settings. |
| `reports.settings:read` | n/a | Read report settings. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
| `users:read` | `global:users:*` | Read or search user profiles. |
| `users:write` | `global:users:*` | Update a users profile. |
| `users.teams:read` | `global:users:*` | Read a users teams. |
| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
| `users.password:update` | `global:users:*` | Update a users password. |
| `users:delete` | `global:users:*` | Delete a user. |
| `users:create` | n/a | Create a user. |
| `users:enable` | `global:users:*` | Enable a user. |
| `users:disable` | `global:users:*` | Disable a user. |
| `users.permissions:update` | `global:users:*` | Update a users organization-level permissions. |
| `users:logout` | `global:users:*` | Sign out a user. |
| `users.quotas:list` | `global:users:*` | List a users quotas. |
| `users.quotas:update` | `global:users:*` | Update a users quotas. |
| `org.users.read` | `users:*` | Get user profiles within an organization. |
| `org.users.add` | `users:*` | Add a user to an organization. |
| `org.users.remove` | `users:*` | Remove a user from an organization. |
| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
| `ldap.user:read` | n/a | Get a user via LDAP. |
| `ldap.user:sync` | n/a | Sync a user via LDAP. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
| `server.stats:read` | n/a | Read server stats |
| `datasources:explore` | n/a | Enable explore |
| Action | Applicable scope | Description |
| -------------------------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:list` | `roles:*` | List available roles without permissions. |
| `roles:read` | `roles:*` | Read a specific role with its permissions. |
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
| `reports.admin:create` | `reports:*` | Create reports. |
| `reports.admin:write` | `reports:*` | Update reports. |
| `reports:delete` | `reports:*` | Delete reports. |
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` | Send a report email. |
| `reports.settings:write` | n/a | Update report settings. |
| `reports.settings:read` | n/a | Read report settings. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
| `users:read` | `global:users:*` | Read or search user profiles. |
| `users:write` | `global:users:*` | Update a users profile. |
| `users.teams:read` | `global:users:*` | Read a users teams. |
| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
| `users.password:update` | `global:users:*` | Update a users password. |
| `users:delete` | `global:users:*` | Delete a user. |
| `users:create` | n/a | Create a user. |
| `users:enable` | `global:users:*` | Enable a user. |
| `users:disable` | `global:users:*` | Disable a user. |
| `users.permissions:update` | `global:users:*` | Update a users organization-level permissions. |
| `users:logout` | `global:users:*` | Sign out a user. |
| `users.quotas:list` | `global:users:*` | List a users quotas. |
| `users.quotas:update` | `global:users:*` | Update a users quotas. |
| `org.users:read` | `users:*` | Get user profiles within an organization. |
| `org.users:add` | `users:*` | Add a user to an organization. |
| `org.users:remove` | `users:*` | Remove a user from an organization. |
| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
| `ldap.user:read` | n/a | Get a user via LDAP. |
| `ldap.user:sync` | n/a | Sync a user via LDAP. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
| `server.stats:read` | n/a | Read server stats |
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
| `datasources:id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
| `datasources:delete` | `datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Delete data sources. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:id:*` | List data source permissions. |
| `datasources.permissions:create` | `datasources:*`<br>`datasources:id:*` | Create data source permissions. |
| `datasources.permissions:delete` | `datasources:*`<br>`datasources:id:*` | Delete data source permissions. |
| `datasources.permissions:toggle` | `datasources:*`<br>`datasources:id:*` | Enable or disable data source permissions. |
## Scope definitions
The following list contains fine-grained access control scopes.
| Scopes | Descriptions |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `global:users:*` | Restrict an action to a set of global users. |
| `users:*` | Restrict an action to a set of users from an organization. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
| Scopes | Descriptions |
| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `global:users:*` | Restrict an action to a set of global users. |
| `users:*` | Restrict an action to a set of users from an organization. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |

View File

@ -7,10 +7,23 @@ aliases = ["/docs/grafana/latest/http_api/datasource/"]
# Data source API
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
## Get all data sources
`GET /api/datasources`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | -------------- |
| datasources:read | datasources:\* |
### Examples
**Example Request**:
```http
@ -57,6 +70,16 @@ Content-Type: application/json
`GET /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ---------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**:
```http
@ -103,6 +126,16 @@ Content-Type: application/json
`GET /api/datasources/uid/:uid`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | -------------------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
### Examples
**Example request:**
```http
@ -149,6 +182,16 @@ Content-Type: application/json
`GET /api/datasources/name/:name`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ---------------------------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**:
```http
@ -195,6 +238,16 @@ Content-Type: application/json
`GET /api/datasources/id/:name`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------- | ---------------------------------------------------------------------------------------------- |
| datasources:id:read | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**:
```http
@ -219,6 +272,16 @@ Content-Type: application/json
`POST /api/datasources`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ----- |
| datasources:create | n/a |
### Examples
**Example Graphite Request**:
```http
@ -357,6 +420,16 @@ Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
`PUT /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ----------------- | ---------------------------------------------------------------------------- |
| datasources:write | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**:
```http
@ -427,6 +500,16 @@ Content-Type: application/json
`DELETE /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ---------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**:
```http
@ -449,6 +532,16 @@ Content-Type: application/json
`DELETE /api/datasources/uid/:uid`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | -------------------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
### Examples
**Example request:**
```http
@ -471,6 +564,16 @@ Content-Type: application/json
`DELETE /api/datasources/name/:datasourceName`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ---------------------------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**:
```http

View File

@ -9,6 +9,9 @@ aliases = ["/docs/grafana/latest/http_api/datasourcepermissions/"]
> The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
This API can be used to enable, disable, list, add and remove permissions for a data source.
Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything.
@ -23,6 +26,16 @@ The permission levels for the permission field:
Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http
@ -58,6 +71,16 @@ Status codes:
Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http
@ -93,6 +116,16 @@ Status codes:
Gets all existing permissions for the data source with the given `id`.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ---------------------------- | ---------------------------------------------------------------------------- |
| datasources.permissions:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http
@ -154,6 +187,16 @@ Status codes:
Adds a user permission for the data source with the given `id`.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:create | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http
@ -218,6 +261,16 @@ Status codes:
Removes the permission with the given `permissionId` for the data source with the given `id`.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http