Docs: Update the SAML role mapping docs with the new fields added (#88529)

* mention the auto_assign_org_role in saml role sync * add role_values_viewer to docs
2025-02-03 12:11:09 -06:00 · 2024-06-04 15:45:37 +03:00 · 2024-06-04 15:45:37 +03:00 · 6b7e4b223d
commit 6b7e4b223d
parent 4d002d85f9
2 changed files with 10 additions and 2 deletions
--- a/docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md
+++ b/docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md
@ -320,6 +320,10 @@ List of comma- or space-separated Organization:OrgId:Role mappings. Organization

 List of comma- or space-separated roles that will be mapped to the None role.

+### role_values_viewer
+
+List of comma- or space-separated roles that will be mapped to the Viewer role.
+
 ### role_values_editor

 List of comma- or space-separated roles that will be mapped to the Editor role.
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md
@ -224,6 +224,7 @@ The table below describes all SAML configuration options. Continue reading below
 | `allowed_organizations`                                    | No       | List of comma- or space-separated organizations. User should be a member of at least one organization to log in.                                                                                             |                                                       |
 | `org_mapping`                                              | No       | List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be `*` meaning "All users". Role is optional and can have the following values: `None`, `Viewer`, `Editor` or `Admin`.  |                                                       |
 | `role_values_none`                                         | No       | List of comma- or space-separated roles which will be mapped into the None role                                                                                                                              |                                                       |
+| `role_values_viewer`                                       | No       | List of comma- or space-separated roles which will be mapped into the Viewer role                                                                                                                            |                                                       |
 | `role_values_editor`                                       | No       | List of comma- or space-separated roles which will be mapped into the Editor role                                                                                                                            |                                                       |
 | `role_values_admin`                                        | No       | List of comma- or space-separated roles which will be mapped into the Admin role                                                                                                                             |                                                       |
 | `role_values_grafana_admin`                                | No       | List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role                                                                                                       |                                                       |
@ -395,11 +396,12 @@ Role sync allows you to map user roles from an identity provider to Grafana. To

 1. In the configuration file, set [`assertion_attribute_role`]({{< relref "../../../configure-grafana/enterprise-configuration#assertion_attribute_role" >}}) option to the attribute name where the role information will be extracted from.
 1. Set the [`role_values_none`]({{< relref "../../../configure-grafana/enterprise-configuration#role_values_none" >}}) option to the values mapped to the `None` role.
+1. Set the [`role_values_viewer`]({{< relref "../../../configure-grafana/enterprise-configuration#role_values_viewer" >}}) option to the values mapped to the `Viewer` role.
 1. Set the [`role_values_editor`]({{< relref "../../../configure-grafana/enterprise-configuration#role_values_editor" >}}) option to the values mapped to the `Editor` role.
 1. Set the [`role_values_admin`]({{< relref "../../../configure-grafana/enterprise-configuration#role_values_admin" >}}) option to the values mapped to the organization `Admin` role.
 1. Set the [`role_values_grafana_admin`]({{< relref "../../../configure-grafana/enterprise-configuration#role_values_grafana_admin" >}}) option to the values mapped to the `Grafana Admin` role.

-If a user role doesn't match any of configured values, then the `Viewer` role will be assigned.
+If a user role doesn't match any of configured values, then the role specified by the `auto_assign_org_role` config option will be assigned. If the `auto_assign_org_role` field is not set then the user role will default to `Viewer`.

 For more information about roles and permissions in Grafana, refer to [Roles and permissions]({{< relref "../../../../administration/roles-and-permissions" >}}).

@ -408,7 +410,8 @@ Example configuration:
 ```ini
 [auth.saml]
 assertion_attribute_role = role
-role_values_none = none, external
+role_values_none = none
+role_values_viewer = external
 role_values_editor = editor, developer
 role_values_admin = admin, operator
 role_values_grafana_admin = superadmin
@ -498,6 +501,7 @@ assertion_attribute_email = mail
 assertion_attribute_groups = Group
 assertion_attribute_role = Role
 assertion_attribute_org = Org
+role_values_viewer = external
 role_values_editor = editor, developer
 role_values_admin = admin, operator
 role_values_grafana_admin = superadmin