IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Docs: Refactor administration docs (#50592)

Browse Source 
* Move data source management to administration

* Move RBAC to administration

* Move team management up a docs org level

* Combine and rename admin preferences docs

* Move plugin management to administration

* Combine plugin management docs

* Combine API key docs

* Combine service account docs

* Combine server user management docs

* Move datasource management to administration

* Move enterprise licenses to administration

* Move CLI out of admin, update links to admin

* Merge org user management docs

* Restructure to Torkel's plan

* Fix typo

* Weigh admin topics for navigation

* Weigh administration topics and align to Torkel's plan

* Move server user management from server admin to admin/user management

* Move configure docker image to setup guide

* Move the remaining server admin docs to the root admin directory

* Reweight docker config
This commit is contained in:
Garrett Guillotte
2022-06-16 12:09:16 -07:00
committed by GitHub
parent c043a8818a
commit 845cebdee2
105 changed files with 1602 additions and 1710 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/sources/administration/_index.md
View File

@@ -10,9 +10,4 @@ weight: 40
This section includes information for Grafana administrators, team administrators, and users performing administrative tasks:
- [Change Preferences]({{< relref "preferences/" >}})
- [Configuration]({{< relref "../setup-grafana/configure-grafana/" >}})
- [Configure Docker image]({{< relref "configure-docker/" >}})
- [Security]({{< relref "../setup-grafana/configure-security/" >}})
- [Database encryption]({{< relref "../setup-grafana/configure-security/configure-database-encryption/" >}})
- [Service accounts]({{< relref "service-accounts/" >}})
{{< section >}}

41
docs/sources/administration/api-keys/_index.md
View File

@@ -1,19 +1,52 @@
---
aliases:
- /docs/grafana/latest/administration/api-keys/about-api-keys/
- /docs/grafana/latest/administration/api-keys/
- /docs/grafana/latest/administration/api-keys/create-api-key/
description: This section contains information about API keys in Grafana
keywords:
- API keys
- Service accounts
menuTitle: API keys
title: API keys in Grafana
weight: 300
title: API keys
weight: 700
---
# API keys in Grafana
# API keys
API Keys can be used to interact with Grafana HTTP APIs.
API keys can be used to interact with Grafana HTTP APIs.
We recommend using service accounts instead of API keys if you are on Grafana 8.5+, for more information refer to [About service accounts]({{< relref "../service-accounts/about-service-accounts/#" >}}).
{{< section >}}
## About API keys
An API key is a randomly generated string that external systems use to interact with Grafana HTTP APIs.
When you create an API key, you specify a **Role** that determines the permissions associated with the API key. Role permissions control that actions the API key can perform on Grafana resources. For more information about creating API keys, refer to [Create an API key]({{< relref "create-api-key/#" >}}).
## Create an API key
Create an API key when you want to manage your computed workload with a user.
For more information about API keys, refer to [About API keys in Grafana]({{< relref "about-api-keys/" >}}).
This topic shows you how to create an API key using the Grafana UI. You can also create an API key using the Grafana HTTP API. For more information about creating API keys via the API, refer to [Create API key via API]({{< relref "../../developers/http_api/create-api-tokens-for-org/#how-to-create-a-new-organization-and-an-api-token" >}}).
### Before you begin:
- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
**To create an API key:**
1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**.
1. Click **New API key**.
1. Enter a unique name for the key.
1. In the **Role** field, select one of the following access levels you want to assign to the key.
- **Admin**: Enables a user to use APIs at the broadest, most powerful administrative level.
- **Editor** or **Viewer** to limit the key's users to those levels of power.
1. In the **Time to live** field, specify how long you want the key to be valid.
- The maximum length of time is 30 days (one month). You enter a number and a letter. Valid letters include `s` for seconds,`m` for minutes, `h` for hours, `d `for days, `w` for weeks, and `M `for month. For example, `12h` is 12 hours and `1M` is 1 month (30 days).
- If you are unsure about how long an API key should be valid, we recommend that you choose a short duration, such as a few hours. This approach limits the risk of having API keys that are valid for a long time.
1. Click **Add**.

14
docs/sources/administration/api-keys/about-api-keys.md
View File

@@ -1,14 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/api-keys/about-api-keys/
description: Learn about using API keys in Grafana
menuTitle: About API keys
title: About API keys in Grafana
weight: 30
---
# About API keys in Grafana
An API key is a randomly generated string that external systems use to interact with Grafana HTTP APIs.
When you create an API key, you specify a **Role** that determines the permissions associated with the API key. Role permissions control that actions the API key can perform on Grafana resources. For more information about creating API keys, refer to [Create an API key]({{< relref "create-api-key/#" >}}).

36
docs/sources/administration/api-keys/create-api-key.md
View File

@@ -1,36 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/api-keys/create-api-key/
description: How to create an API key in Grafana
keywords:
- API keys
- Service accounts
menuTitle: Create an API key
title: Create an API key in Grafana
weight: 50
---
# Create an API key in Grafana
Create an API key when you want to manage your computed workload with a user.
For more information about API keys, refer to [About API keys in Grafana]({{< relref "about-api-keys/" >}}).
This topic shows you how to create an API key using the Grafana UI. You can also create an API key using the Grafana HTTP API. For more information about creating API keys via the API, refer to [Create API key via API]({{< relref "../../developers/http_api/create-api-tokens-for-org/#how-to-create-a-new-organization-and-an-api-token" >}}).
## Before you begin:
- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#" >}}).
**To create an API key:**
1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**.
1. Click **New API key**.
1. Enter a unique name for the key.
1. In the **Role** field, select one of the following access levels you want to assign to the key.
- **Admin**: Enables a user to use APIs at the broadest, most powerful administrative level.
- **Editor** or **Viewer** to limit the key's users to those levels of power.
1. In the **Time to live** field, specify how long you want the key to be valid.
- The maximum length of time is 30 days (one month). You enter a number and a letter. Valid letters include `s` for seconds,`m` for minutes, `h` for hours, `d `for days, `w` for weeks, and `M `for month. For example, `12h` is 12 hours and `1M` is 1 month (30 days).
- If you are unsure about how long an API key should be valid, we recommend that you choose a short duration, such as a few hours. This approach limits the risk of having API keys that are valid for a long time.
1. Click **Add**.

234
docs/sources/administration/cli.md
View File

@@ -1,234 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/cli/
description: Guide to using grafana-cli
keywords:
- grafana
- cli
- grafana-cli
- command line interface
title: Grafana CLI
weight: 400
---
# Grafana CLI
Grafana CLI is a small executable that is bundled with Grafana server. It can be executed on the same machine Grafana server is running on. Grafana CLI has `plugins` and `admin` commands, as well as global options.
To list all commands and options:
```
grafana-cli -h
```
## Invoking Grafana CLI
To invoke Grafana CLI, add the path to the grafana binaries in your `PATH` environment variable. Alternately, if your current directory is the `bin` directory, use `./grafana-cli`. Otherwise, you can specify full path to the CLI. For example, on Linux `/usr/share/grafana/bin/grafana-cli` and on Windows `C:\Program Files\GrafanaLabs\grafana\bin\grafana-cli.exe`.
> **Note:** Some commands, such as installing or removing plugins, require `sudo` on Linux. If you are on Windows, run Windows PowerShell as Administrator.
## Grafana CLI command syntax
The general syntax for commands in Grafana CLI is:
```bash
grafana-cli [global options] command [command options] [arguments...]
```
## Global options
Grafana CLI allows you to temporarily override certain Grafana default settings. Except for `--help` and `--version`, most global options are only used by developers.
Each global option applies only to the command in which it is used. For example, `--pluginsDir value` does not permanently change where Grafana saves plugins. It only changes it for command in which you apply the option.
### Display Grafana CLI help
`--help` or `-h` displays the help, including default paths and Docker configuration information.
**Example:**
```bash
grafana-cli -h
```
### Display Grafana CLI version
`--version` or `-v` prints the version of Grafana CLI currently running.
**Example:**
```bash
grafana-cli -v
```
### Override default plugin directory
`--pluginsDir value` overrides the path to where your local Grafana instance stores plugins. Use this option if you want to install, update, or remove a plugin somewhere other than the default directory ("/var/lib/grafana/plugins") [$GF_PLUGIN_DIR].
**Example:**
```bash
grafana-cli --pluginsDir "/var/lib/grafana/devplugins" plugins install <plugin-id>
```
### Override default plugin repo URL
`--repo value` allows you to download and install or update plugins from a repository other than the default Grafana repo.
**Example:**
```bash
grafana-cli --repo "https://example.com/plugins" plugins install <plugin-id>
```
### Override default plugin .zip URL
`--pluginUrl value` allows you to download a .zip file containing a plugin from a local URL instead of downloading it from the default Grafana source.
**Example:**
```bash
grafana-cli --pluginUrl https://company.com/grafana/plugins/<plugin-id>-<plugin-version>.zip plugins install <plugin-id>
```
### Override Transport Layer Security
**Warning:** Turning off TLS is a significant security risk. We do not recommend using this option.
`--insecure` allows you to turn off Transport Layer Security (TLS) verification (insecure). You might want to do this if you are downloading a plugin from a non-default source.
**Example:**
```bash
grafana-cli --insecure --pluginUrl https://company.com/grafana/plugins/<plugin-id>-<plugin-version>.zip plugins install <plugin-id>
```
### Enable debug logging
`--debug` or `-d` enables debug logging. Debug output is returned and shown in the terminal.
**Example:**
```bash
grafana-cli --debug plugins install <plugin-id>
```
### Override a configuration setting
`--configOverrides` is a command line argument that acts like an environmental variable override.
For example, you can use it to redirect logging to another file (maybe to log plugin installations in Grafana Cloud) or when resetting the admin password and you have non-default values for some important configuration value (like where the database is located).
**Example:**
```bash
grafana-cli --configOverrides cfg:default.paths.log=/dev/null plugins install <plugin-id>
```
### Override homepath value
Sets the path for the Grafana install/home path, defaults to working directory. You do not need to use this if you are in the Grafana installation directory when using the CLI.
**Example:**
```bash
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password <new password>
```
### Override config file
`--config value` overrides the default location where Grafana expects the configuration file. Refer to [Configuration]({{< relref "../setup-grafana/configure-grafana/" >}}) for more information about configuring Grafana and default configuration file locations.
**Example:**
```bash
grafana-cli --config "/etc/configuration/" admin reset-admin-password mynewpassword
```
## Plugins commands
Grafana CLI allows you to install, upgrade, and manage your Grafana plugins. For more information about installing plugins, refer to [plugins page]({{< relref "../plugins/installation/" >}}).
All listed commands apply to the Grafana default repositories and directories. You can override the defaults with [Global Options](#global-options).
### List available plugins
```bash
grafana-cli plugins list-remote
```
### Install the latest version of a plugin
```bash
grafana-cli plugins install <plugin-id>
```
### Install a specific version of a plugin
```bash
grafana-cli plugins install <plugin-id> <version>
```
### List installed plugins
```bash
grafana-cli plugins ls
```
### Update all installed plugins
```bash
grafana-cli plugins update-all
```
### Update one plugin
```bash
grafana-cli plugins update <plugin-id>
```
### Remove one plugin
```bash
grafana-cli plugins remove <plugin-id>
```
## Admin commands
Admin commands are only available in Grafana 4.1 and later.
### Show all admin commands
```bash
grafana-cli admin
```
### Reset admin password
`grafana-cli admin reset-admin-password <new password>` resets the password for the admin user using the CLI. You might need to do this if you lose the admin password.
If there are two flags being used to set the homepath and the config file path, then running the command returns this error:
> Could not find config defaults, make sure homepath command line parameter is set or working directory is homepath
To correct this, use the `--homepath` global option to specify the Grafana default homepath for this command:
```bash
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password <new password>
```
If you have not lost the admin password, we recommend that you change the user password either in the User Preferences or in the Server Admin > User tab.
If you need to set the password in a script, then you can use the [Grafana User API]({{< relref "../developers/http_api/user/#change-password" >}}).
### Migrate data and encrypt passwords
`data-migration` runs a script that migrates or cleans up data in your database.
`encrypt-datasource-passwords` migrates passwords from unsecured fields to secure_json_data field. Returns `ok` unless there is an error. Safe to execute multiple times.
**Example:**
```bash
grafana-cli admin data-migration encrypt-datasource-passwords
```

104
docs/sources/administration/configure-docker.md
View File

@@ -1,104 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/configure-docker/
- /docs/grafana/latest/installation/configure-docker/
description: Guide for configuring the Grafana Docker image
keywords:
- grafana
- configuration
- documentation
- docker
title: Configure Grafana Docker image
weight: 200
---
# Configure a Grafana Docker image
If you are running Grafana in a Docker image, then you configure Grafana using [environment variables]({{< relref "../setup-grafana/configure-grafana/#configure-with-environment-variables" >}}) rather than directly editing the configuration file. If you want to save your data, then you also need to designate persistent storage or bind mounts for the Grafana container.
> **Note:** These examples use the Grafana Enterprise docker image. You can use the Grafana Open Source edition by changing the docker image to `grafana/grafana-oss`.
## Save your Grafana data
If you do not designate a location for information storage, then all your Grafana data disappears as soon as you stop your container. To save your data, you need to set up persistent storage or bind mounts for your container.
### Run Grafana container with persistent storage (recommended)
```bash
# create a persistent volume for your data in /var/lib/grafana (database and plugins)
docker volume create grafana-storage
# start grafana
docker run -d -p 3000:3000 --name=grafana -v grafana-storage:/var/lib/grafana grafana/grafana-enterprise
```
### Run Grafana container using bind mounts
You may want to run Grafana in Docker but use folders on your host for the database or configuration. When doing so, it becomes important to start the container with a user that is able to access and write to the folder you map into the container.
```bash
mkdir data # creates a folder for your data
ID=$(id -u) # saves your user id in the ID variable
# starts grafana with your user id and using the data folder
docker run -d --user $ID --volume "$PWD/data:/var/lib/grafana" -p 3000:3000 grafana/grafana-enterprise:8.2.1
```
## Default paths
The following settings are hard-coded when launching the Grafana Docker container and can only be overridden using environment variables, not in `conf/grafana.ini`.
| Setting | Default value |
| --------------------- | ------------------------- |
| GF_PATHS_CONFIG | /etc/grafana/grafana.ini |
| GF_PATHS_DATA | /var/lib/grafana |
| GF_PATHS_HOME | /usr/share/grafana |
| GF_PATHS_LOGS | /var/log/grafana |
| GF_PATHS_PLUGINS | /var/lib/grafana/plugins |
| GF_PATHS_PROVISIONING | /etc/grafana/provisioning |
## Logging
Logs in the Docker container go to standard out by default, as is common in the Docker world. Change this by setting a different [log mode]({{< relref "../setup-grafana/configure-grafana/#mode" >}}).
Example:
```bash
# Run Grafana while logging to both standard out and /var/log/grafana/grafana.log
docker run -p 3000:3000 -e "GF_LOG_MODE=console file" grafana/grafana-enterprise
```
## Configure Grafana with Docker Secrets
> Only available in Grafana v5.2 and later.
It's possible to supply Grafana with configuration through files. This works well with [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/) as the secrets by default gets mapped into `/run/secrets/<name of secret>` of the container.
You can do this with any of the configuration options in conf/grafana.ini by setting `GF_<SectionName>_<KeyName>__FILE` to the path of the file holding the secret.
For example, you could set the admin password this way:
- Admin password secret: `/run/secrets/admin_password`
- Environment variable: `GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/admin_password`
## Configure AWS credentials for CloudWatch Support
```bash
docker run -d \
-p 3000:3000 \
--name=grafana \
-e "GF_AWS_PROFILES=default" \
-e "GF_AWS_default_ACCESS_KEY_ID=YOUR_ACCESS_KEY" \
-e "GF_AWS_default_SECRET_ACCESS_KEY=YOUR_SECRET_KEY" \
-e "GF_AWS_default_REGION=us-east-1" \
grafana/grafana-enterprise
```
You may also specify multiple profiles to `GF_AWS_PROFILES` (e.g.
`GF_AWS_PROFILES=default another`).
Supported variables:
- `GF_AWS_${profile}_ACCESS_KEY_ID`: AWS access key ID (required).
- `GF_AWS_${profile}_SECRET_ACCESS_KEY`: AWS secret access key (required).
- `GF_AWS_${profile}_REGION`: AWS region (optional).

98
docs/sources/administration/data-source-management/_index.md Normal file
View File

@@ -0,0 +1,98 @@
---
aliases:
- /docs/grafana/latest/datasources/add-a-data-source/
- /docs/grafana/latest/features/datasources/add-a-data-source/
- /docs/grafana/latest/enterprise/datasource_permissions/
- /docs/sources/permissions/datasource_permissions/
title: Data source management
weight: 100
---
# Data source management
Grafana supports many different storage backends for your time series data (data source). Refer to [data sources]({{< relref "../../datasources/" >}}) for more information about using data sources in Grafana. Only users with the organization admin role can add data sources.
## Add a data source
Before you can create your first dashboard, you need to add your data source.
> **Note:** Only users with the organization Admin role can add data sources.
To add a data source:
1. Move your cursor to the cog icon on the side menu which will show the configuration options.
{{< figure src="/static/img/docs/v75/sidemenu-datasource-7-5.png" max-width="150px" class="docs-image--no-shadow">}}
1. Click on **Data sources**. The data sources page opens showing a list of previously configured data sources for the Grafana instance.
1. Click **Add data source** to see a list of all supported data sources.
{{< figure src="/static/img/docs/v75/add-data-source-7-5.png" max-width="600px" class="docs-image--no-shadow">}}
1. Search for a specific data source by entering the name in the search dialog. Or you can scroll through supported data sources grouped into time series, logging, tracing and other categories.
1. Move the cursor over the data source you want to add.
{{< figure src="/static/img/docs/v75/select-data-source-7-5.png" max-width="700px" class="docs-image--no-shadow">}}
1. Click **Select**. The data source configuration page opens.
1. Configure the data source following instructions specific to that data source. See [Data sources]({{< relref "/" >}}) for links to configuration instructions for all supported data sources.
## Data source permissions
Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific **Users** and **Teams**.
> **Note:** Available in [Grafana Enterprise]({{< relref "../enterprise/" >}}) and [Grafana Cloud Pro and Advanced]({{< ref "/docs/grafana-cloud" >}}).
### Enable data source permissions
{{< figure src="/static/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/static/img/docs/enterprise/datasource_permissions_enable.gif" >}}
By default, data sources in an organization can be queried by any user in that organization. For example, a user with the `Viewer` role can issue any possible query to a data source, not just
queries that exist on dashboards they have access to.
When permissions are enabled for a data source in an organization, the user who created the datasource can edit the datasource and in addition, viewers can query the datasource.
**Enable permissions for a data source:**
1. Navigate to **Configuration > Data Sources**.
1. Select the data source you want to enable permissions for.
1. On the Permissions tab, click **Enable**.
<div class="clearfix"></div>
> **Caution:** Enabling permissions for the default data source makes users not listed in the permissions unable to invoke queries. Panels using default data source will return `Access denied to data source` error for those users.
### Allow users and teams to query a data source
{{< figure src="/static/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/static/img/docs/enterprise/datasource_permissions_add.gif" >}}
After you have enabled permissions for a data source you can assign query permissions to users and teams which will allow access to query the data source.
**Assign query permission to users and teams:**
1. Navigate to **Configuration > Data Sources**.
1. Select the data source you want to assign query permissions for.
1. On the Permissions tab, click **Add Permission**.
1. Select **Team** or **User**.
1. Select the entity you want to allow query access and then click **Save**.
<div class="clearfix"></div>
### Disable data source permissions
{{< figure src="/static/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/static/img/docs/enterprise/datasource_permissions_disable.gif" >}}
If you have enabled permissions for a data source and want to return data source permissions to the default, then you can disable permissions with a click of a button.
Note that _all_ existing permissions created for the data source will be deleted.
**Disable permissions for a data source:**
1. Navigate to **Configuration > Data Sources**.
1. Select the data source you want to disable permissions for.
1. On the Permissions tab, click **Disable Permissions**.
<div class="clearfix"></div>

245
docs/sources/administration/enterprise-licensing/_index.md Normal file
View File

@@ -0,0 +1,245 @@
---
aliases:
- /docs/grafana/latest/enterprise/license/
- /docs/grafana/latest/enterprise/activate-license/
- /docs/grafana/latest/enterprise/license/activate-license/
- /docs/grafana/latest/enterprise/license-expiration/
- /docs/grafana/latest/enterprise/license/license-expiration/
- /docs/grafana/latest/enterprise/license-restrictions/
- /docs/grafana/latest/enterprise/license/license-restrictions/
description: Activate and manage a Grafana Enterprise license
keywords:
- grafana
- licensing
- enterprise
title: Enterprise licensing
weight: 500
---
# Grafana Enterprise license
When you become a Grafana Enterprise customer, you gain access to Grafana's premium observability features, including enterprise data source plugins, reporting, and role-based access control. In order to use these [enhanced features of Grafana Enterprise]({{< relref "../enterprise/" >}}), you must purchase and activate a Grafana Enterprise license.
To purchase a license directly from Grafana Labs, [Contact a Grafana Labs representative](https://grafana.com/contact?about=grafana-enterprise). To activate an Enterprise license purchased from Grafana Labs, refer to [Activate an Enterprise license]({{< relref "../server-administration/enterprise-licensing/activate-license/" >}}).
You can also purchase a Grafana Enterprise license through the AWS Marketplace. To learn more about activating a license purchased through AWS, refer to [Activate a Grafana Enterprise license purchased through AWS Marketplace]({{< relref "activate-aws-marketplace-license/" >}}).
{{< section >}}
## Activate an Enterprise license
Follow these steps to activate your Grafana Enterprise license:
### Step 1. Download your license file
To download your Grafana Enterprise license:
1. Sign in to your [Grafana Cloud](https://grafana.com) account.
1. Go to **My Account** and select an organization from the drop-down menu at the top left of the page. On the Overview page for each organization, you can see a section for Grafana Enterprise licenses. Click **Details** next to a license.
1. At the bottom of the license details page, select **Download token** to download the `license.jwt` file that contains your license.
### Step 2. Add your license to a Grafana instance
There is more than one way to add the license to a Grafana instance:
#### Upload the license file via the Grafana server administrator page
This is the preferred option for single instance installations of Grafana Enterprise.
1. Sign in as a Grafana server administrator.
1. Navigate to **Server Admin > Upgrade** within Grafana.
1. Click **Upload license token file**.
1. Select your license file, and upload it.
#### Put the `license.jwt` file into the data directory of Grafana
On Linux systems, the data directory is usually at `/var/lib/grafana`.
You can also configure a custom location for the license file using the grafana.ini setting:
```bash
[enterprise]
license_path = /company/secrets/license.jwt
```
This setting can also be set with an environment variable, which is useful if you're running Grafana with Docker and have a custom volume where you have placed the license file. In this case, set the environment variable `GF_ENTERPRISE_LICENSE_PATH` to point to the location of your license file.
#### Set the content of the license file as a configuration option
You can add a license by pasting the content of the `license.jwt`
to the grafana.ini configuration file:
```bash
[enterprise]
license_text = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aGlzIjoiaXMiLCJub3QiOiJhIiwidmFsaWQiOiJsaWNlbnNlIn0.bxDzxIoJlYMwiEYKYT_l2s42z0Y30tY-6KKoyz9RuLE
```
This option can be set using the `GF_ENTERPRISE_LICENSE_TEXT`
environment variable.
### Step 3. Ensure that the license file's root URL matches the root_url configuration option
Update the [`root_url`]({{< relref "../../enterprise/setup-grafana/configure-grafana/#root-url" >}}) in your configuration. It should be the URL that users type in their browsers to access the frontend, not the node hostname(s).
This is important, because as part of the validation checks at startup, Grafana compares the license URL to the [`root_url`]({{< relref "../../enterprise/setup-grafana/configure-grafana/#root-url" >}}) in your configuration.
In your configuration file:
```
[server]
root_url = https://grafana.example.com/
```
Or with an environment variable:
```
GF_SERVER_ROOT_URL=https://grafana.example.com/
```
### Step 4. Restart Grafana
To finalize the installation of Grafana Enterprise, restart Grafana to enable all Grafana Enterprise features. Refer to [restart Grafana]({{< relref "../../enterprise/setup-grafana/restart-grafana/" >}}) for more information.
## License expiration
If your license has expired, most of Grafana keeps working as normal. Some enterprise functionality stops or runs with reduced functionality and Grafana displays a banner informing the users that Grafana is running on an expired license. Your Grafana admin needs to upload a new license file to restore full functionality.
> Replace your license as soon as possible. Running Grafana Enterprise with an expired license is unsupported and can lead to unexpected consequences.
### Update your license
1. Locate your current `license.jwt` file. In a standard installation it is stored inside the Grafana data directory, which on a typical Linux installation is in `/var/lib/grafana/data`. This location might be overridden in the ini file [Configuration]({{< relref "../../enterprise/setup-grafana/configure-grafana/" >}}).
```ini
[enterprise]
license_path = /path/to/your/license.jwt
```
The configuration file's location may also be overridden by the `GF_ENTERPRISE_LICENSE_PATH` environment variable.
2. Log in to your [Grafana Cloud Account](https://grafana.com/login) and make sure you're in the correct organization in the dropdown at the top of the page.
3. Under the **Grafana Enterprise** section in the menu bar to the left, choose licenses and download the currently valid license with which you want to run Grafana. If you cannot see a valid license on Grafana.com, please contact your account manager at Grafana Labs to renew your subscription.
4. Replace the current `license.jwt`-file with the one you've just downloaded.
5. [Restart Grafana]({{< relref "../../enterprise/setup-grafana/restart-grafana/" >}}).
### If your license expires
If your Grafana Enterprise license expires, you can expect the following changes in feature behavior.
#### Data source permissions
Your current data source permissions will keep working as expected, but you'll be unable to add new data source permissions until the license has been renewed.
#### LDAP authentication
- LDAP synchronization is not affected by an expired license.
- Team sync debugging is unavailable.
#### SAML authentication
SAML authentication is not affected by an expired license.
#### Role-based access control (RBAC)
- Creating, updating and deleting custom roles is not available.
- Modifying permissions for custom roles is not available.
#### Reporting
- You're unable to configure new reports or generate previews.
- Existing reports continue to be sent.
#### Enterprise plugins
Enterprise plugins might stop working.
#### White labeling
The white labeling feature is turned off, meaning that any white labeling options will not have any effect.
#### Usage insights
Exporting usage insights logs to Loki will be turned off for licenses expired for more than 7 days.
All the other usage insights features are turned off as soon as the license expires, meaning that you will not be able to see dashboard usage, presence indicators, or use improved search. Grafana continues to collect usage data and you will have access to it as soon as you update your license.
#### Vault integration
Vault integration is not affected by an expired license.
#### Auditing
Auditing is not affected by an expired license.
#### License restrictions
The concurrent session limit remains active for seven days after the expiration date, after which it will be turned off.
The active users limit is turned off immediately.
#### Settings updates at runtime
Settings updates at runtime are not affected by an expired license.
## Grafana Enterprise license restrictions
When you become a Grafana Enterprise customer, you receive a license that governs your use of Grafana Enterprise.
### Active users limit
Your Grafana license includes a maximum number of active users.
- An _active user_ is a user who has signed in to Grafana within the last 30 days. This is a rolling window that is updated daily.
- When you reach the maximum number of active users, only currently active users (users who have signed in over the past 30 days) can sign in. When a new user or a previously-inactive user tries to sign in, the user will see an error message indicating that Grafana has reached its license limit.
- The user's role, number of dashboards that a user can view or edit, and the number of organizations that they can access does not affect the active user count.
- A license limit banner appears to administrators when Grafana reaches its active user limit; editors and viewers do not see the banner.
#### Determine the number of active users
To determine the number of active users:
1. Sign in to Grafana Enterprise as a System Administrator.
1. Click **Server Admin** (the shield icon).
1. Click **Statistics and licensing**.
1. Review the utilization count on the **Utilization** panel.
### Tiered licensing (deprecated)
A tiered license defines dashboard viewers, and dashboard editors and administrators, as two distinct user types that each have their own user limit.
As of Grafana Enterprise version 9.0, Grafana only counts and enforces the _total_ number of active users in your Grafana instance. For example, if you purchase 150 active users, you can have 20 admins, 70 editors, and 60 viewers, or you can have 150 admins. Grafana will enforce the total number of active users even if you use a license that grants a specific number of admins or editors and a certain number of viewers. This is a more permissive policy than before, which gives you the flexibility to change users' roles.
If you are running a pre-9.0 version of Grafana Enterprise, please refer to the documentation for that version to learn more about license enforcement in your current version.
### Additional license restrictions
Your license is controlled by the following rules:
**License expiration date:** The license includes an expiration date, which is the date when a license becomes inactive.
As the license expiration date approaches, you will see a banner in Grafana that encourages you to renew. To learn about how to renew your license and what happens in Grafana when a license expires, refer to [License expiration]({{< relref "../../enterprise/license/license-restrictions/license-expiration/" >}}).
**Grafana License URL:** Your license does not work with an instance of Grafana with a different root URL.
The License URL is the complete URL of your Grafana instance, for example `https://grafana.your-company.com/`. It is defined in the [root_url]({{< relref "../../enterprise/setup-grafana/configure-grafana/#root_url" >}}) configuration setting.
**Concurrent sessions limit**: As of Grafana Enterprise 7.5, users can initiate up to three concurrent sessions of Grafana.
The system creates a session when a user signs in to Grafana from a new device, a different browser, or an incognito window. If a user signs in to Grafana from another tab or window within the same browser, only one session is used.
When a user reaches the session limit, the fourth connection succeeds and the longest inactive session is signed out.
### Request usage billing
You can request Grafana Labs to activate usage billing which allows an unlimited number of active users. When usage billing is enabled, Grafana does not enforce active user limits or display warning banners. Instead, you are charged for active users that exceed the limit, according to your customer contract.
Usage billing involves a contractual agreement between you and Grafana Labs, and it is only available if Grafana Enterprise is configured to [automatically refresh its license token]({{< relref "../../enterprise/setup-grafana/configure-grafana/enterprise-configuration/#auto_refresh_license" >}}).
### Request a change to your license
To increase the number of licensed users within Grafana, extend a license, or change your licensed URL, contact [Grafana support](https://grafana.com/profile/org#support) or your Grafana Labs account team. They will update your license, which you can activate from within Grafana.
For instructions about how to activate your license after it is updated, refer to [Activate an Enterprise license]({{< relref "../../enterprise/license/license-restrictions/activate-license/" >}}).

34
docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/_index.md Normal file
View File

@@ -0,0 +1,34 @@
---
aliases:
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/
description: Activate Enterprise license purchased through AWS Marketplace
- /docs/grafana/latest/enterprise/activate-aws-marketplace-license/about-ge-license-through-aws/
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/about-ge-license-through-aws/
keywords:
- grafana
- aws
- marketplace
- enterprise
- license
title: Enterprise licenses through AWS Marketplace
weight: 400
---
# Activate a Grafana Enterprise license purchased through AWS Marketplace
AWS Marketplace is a convenient place for AWS customers to buy and manage a license for Grafana Enterprise versions 8.3.0 and later.
{{< section >}}
You can deploy Grafana Enterprise in the following ways:
- Using AWS services like ECS, EKS or EC2.
- In an instance outside AWS.
In each case, you must activate the Grafana Enterprise license purchased in AWS Marketplace to take advantage of Grafana Enterprise observability features. Grafana Enterprise licenses purchased through AWS Marketplace are subject to the same [restrictions]({{< relref "../../../../enterprise/license/activate-aws-marketplace-license/license-restrictions/" >}}) as Grafana Enterprise licensed purchased directly from Grafana Labs.
> To purchase a license directly from Grafana Labs or learn more about other Grafana offerings, [Contact a Grafana Labs representative](https://grafana.com/contact?about=grafana-enterprise).
## Before you begin
Become an AWS customer. Only AWS customers have access to purchase services through AWS Marketplace. To learn more about becoming an AWS customer, refer to [Sign up for AWS](https://portal.aws.amazon.com/billing/signup#/start).

113
docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/activate-license-on-ecs.md Normal file
View File

@@ -0,0 +1,113 @@
---
aliases:
- /docs/grafana/latest/enterprise/activate-aws-marketplace-license/activate-license-on-ecs/
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/activate-license-on-ecs/
description: Activate a Grafana Enterprise license from AWS Marketplace on ECS
keywords:
- grafana
- ecs
- enterprise
- aws
- marketplace
- activate
title: Activate a Grafana Enterprise license from AWS Marketplace on ECS
weight: 250
---
# Activate a Grafana Enterprise license from AWS Marketplace on ECS
If you have purchased a Grafana Enterprise subscription through AWS Marketplace, you must activate it in order to use Grafana Enterprise data source plugins and features in Grafana.
## Before you begin
- Purchase a subscription to [Grafana Enterprise from AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-dlncd4kzt5kx6).
- Be sure that the IAM user that was used to purchase Grafana Enterprise has permission to manage subscriptions, create new IAM users and roles, and create access policies.
To activate your license, complete the following tasks.
## Task 1: Deploy Grafana Enterprise on Amazon ECS
1. Deploy Grafana Enterprise on Amazon ECS.
For more information about deploying an application on Amazon ECS, refer to [Creating an Amazon ECS service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-service.html).
1. As you create the Amazon ECS service, use the Grafana Enterprise version 8.3.0 or later container image.
For example, enter `grafana/grafana-enterprise:8.3.3`.
> Only Grafana Enterprise versions 8.3.0 and later support licenses granted through AWS Marketplace.
## Task 2: Configure Grafana for high availability
Grafana requires that you configure a database to hold dashboards, users, and other persistent data.
### Before you begin
- Ensure that you have a supported Grafana database available.
- For a list of supported databases, refer to [Supported databases]({{< relref "../../../../enterprise/setup-grafana/installation/#supported-databases" >}}).
- For information about creating a database, refer to [Creating an Amazon RDS DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html).
- Review the information required to connect to the RDS DB instance. For more information, refer to [Connecting to an Amazon RDS DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html).
To configure Grafana for high availability:
1. In AWS ECS, use environment variables to update the `database` parameters.
For a list of database parameters, refer to [Configuration]({{< relref "../../../../enterprise/setup-grafana/configure-grafana/#database" >}}).
1. Create a revision of the task definition for the ECS Task that runs Grafana Enterprise.
For more information about creating a task, refer to [Updating a task definition using the classic console](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition.html).
1. Within the new revision, edit the Grafana Enterprise container for this task, and add the following environment variables to the container:
```
GF_DATABASE_TYPE=[database type]
GF_DATABASE_HOST=[database address and port]
GF_DATABASE_NAME=[database name]
GF_DATABASE_USER=[database username]
GF_DATABASE_PASSWORD=[database password]
```
> For more information about how to update your ECS service with an environment variable, refer to [Updating a service using the new console](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service-console-v2.html).
## Task 3: Configure Grafana Enterprise to validate its license with AWS
In this task you configure Grafana Enterprise to validate the license with AWS instead of Grafana Labs.
1. In AWS IAM, create an access policy with the following permissions:
- `"license-manager:CheckoutLicense"`
- `"license-manager:ListReceivedLicenses"`
- `"license-manager:GetLicenseUsage"`
- `"license-manager:CheckInLicense"`
For more information about creating an access policy, refer to [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html).
For more information about AWS license permissions, refer to [Actions, resources, and condition keys for AWS License Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html).
1. Create an Elastic Container Service task role and attach the policy you created in the previous step.
For more information about creating a task role, refer to [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).
1. Create a revision of the task definition for the ECS Task that runs Grafana Enterprise.
For more information about creating a revision of the task definition, refer to [Updating a task definition using the classic console](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition.html).
1. Within the new revision, perform the following steps:
a. Update the Task Role of your ECS Task to the role that you created, with permission to access license information.
b. Edit the Grafana Enterprise container for this task, and add the following environment variable to the container:
```
GF_ENTERPRISE_LICENSE_VALIDATION_TYPE=aws
```
For more information about how to update your ECS service with an environment variable, refer to [Updating a service using the new console](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service-console-v2.html).
### Task 4: Start or restart Grafana
1. To restart Grafana and activate your license, update the service running Grafana to use the latest revision of the task definition that you created.
1. After you update the service, navigate to your Grafana instance, sign in with Grafana Admin credentials, and navigate to the **Statistics and Licensing** page to validate that your license is active.
For more information about validating that your license is active, refer to [Determine the number of active users for each licensed role](../../license-restrictions/#determine-the-number-of-active-users-for-each-licensed-role).

126
docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/activate-license-on-eks.md Normal file
View File

@@ -0,0 +1,126 @@
---
aliases:
- /docs/grafana/latest/enterprise/activate-aws-marketplace-license/activate-license-on-eks/
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/activate-license-on-eks/
description: Activate a Grafana Enterprise license from AWS Marketplace on EKS
keywords:
- grafana
- enterprise
- aws
- marketplace
- eks
- activate
title: Activate a Grafana Enterprise license from AWS Marketplace on EKS
weight: 200
---
# Activate a Grafana Enterprise license from AWS Marketplace on EKS
If you have purchased a Grafana Enterprise subscription through AWS Marketplace, you must activate it in order to use Grafana Enterprise data source plugins and features in Grafana.
## Before you begin:
- Purchase a subscription to [Grafana Enterprise from AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-dlncd4kzt5kx6).
- Be sure that the IAM user that was used to purchase Grafana Enterprise has permission to manage subscriptions, create new IAM users and roles, and create access policies.
To activate your license, complete the following tasks:
## Task 1: Deploy Grafana Enterprise on Amazon EKS
1. Deploy Grafana Enterprise on Amazon EKS.
For more information about deploying an application on Amazon EKS, refer to [Getting started with Amazon EKS AWS Management Console and AWS CLI](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html).
For more information about installing Grafana on Kubernetes using the Helm Chart, refer to the [Grafana Helm Chart](https://github.com/grafana/helm-charts/tree/main/charts/grafana#readme).
1. Use `kubectl set image deployment/my-release grafana=grafana/grafana-enterprise:<version>` to update the container image to Grafana Enterprise version 8.3.0 or later.
For example, enter `grafana/grafana-enterprise:8.3.3`.
> Only Grafana Enterprise versions 8.3.0 and later support licenses granted through AWS Marketplace.
## Task 2: Configure Grafana for high availability
Grafana requires that you configure a database to hold dashboards, users, and other persistent data.
### Before you begin
- Ensure that you have a supported Grafana database available.
- For a list of supported databases, refer to [Supported databases]({{< relref "../../../../setup-grafana/installation/#supported-databases" >}}).
- For information about creating a database, refer to [Creating an Amazon RDS DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html).
- Review the information required to connect to the RDS DB instance. For more information, refer to [Connecting to an Amazon RDS DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html).
To configure Grafana for high availability, choose **one** of the following options:
- **Option 1:** Use `kubectl edit configmap grafana` to edit `grafana.ini` add the following section to the configuration:
```
[database]
type = [database type]
host = [database address and port]
name = [database name]
user = [database username]
password = [database password]
```
- **Option 2:** use `kubectl edit deployment my-release` to edit the pod `env` variables and add the following database variables:
```
- name: GF_DATABASE_TYPE
value: [database type]
- name: GF_DATABASE_HOST
value: [database address and port]
- name: GF_DATABASE_NAME
value: [database name]
- name: GF_DATABASE_USER
value: [database username]
- name: GF_DATABASE_PASSWORD
value: [database password]
```
For more information on Grafana High Availability setup, refer to [Set up Grafana for high availability]({{< relref "../../../../enterprise/setup-grafana/set-up-for-high-availability/" >}}).
## Task 3: Configure Grafana Enterprise to validate its license with AWS
In this task, you configure Grafana Enterprise to validate the license with AWS instead of Grafana Labs.
1. In AWS IAM, assign the following permissions to the Node IAM role (if you are using a Node Group), or the Pod Execution role (if you are using a Fargate profile):
- `"license-manager:CheckoutLicense"`
- `"license-manager:ListReceivedLicenses"`
- `"license-manager:GetLicenseUsage"`
- `"license-manager:CheckInLicense"`
For more information about creating an access policy, refer to [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html).
For more information about AWS license permissions, refer to [Actions, resources, and condition keys for AWS License Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html).
1. Choose **one** of the following options to update the [license_validation_type]({{< relref "../../../../enterprise/setup-grafana/configure-grafana/enterprise-configuration/#license_validation_type" >}}) configuration to `aws`:
- **Option 1:** Use `kubectl edit configmap grafana` to edit `grafana.ini` add the following section to the configuration:
```
[enterprise]
license_validation_type=aws
```
- **Option 2:** Use `kubectl edit deployment my-release` to edit the pod `env` variables and add the following variable:
```
name: GF_ENTERPRISE_LICENSE_VALIDATION_TYPE
value: aws
```
### Task 4: Start or restart Grafana
To activate Grafana Enterprise features, you must start (or restart) Grafana.
To restart Grafana on a Kubernetes cluster,
1. Run the command `kubectl rollout restart deployment my-release`.
1. After you update the service, navigate to your Grafana instance, sign in with Grafana Admin credentials, and navigate to the Statistics and Licensing page to validate that your license is active.
For more information about restarting Grafana, refer to [Restart Grafana]({{< relref "../../../../enterprise/setup-grafana/restart-grafana/" >}}).
> If you experience issues when you update the EKS cluster, refer to [Amazon EKS troubleshooting](https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html).

130
docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/activate-license-on-instance-outside-aws.md Normal file
View File

@@ -0,0 +1,130 @@
---
aliases:
- /docs/grafana/latest/enterprise/activate-aws-marketplace-license/activate-license-on-instance-outside-aws/
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/activate-license-on-instance-outside-aws/
description: Activate a Grafana Enterprise license from AWS on an instance deployed
outside of AWS
keywords:
- grafana
- enterprise
- aws
- marketplace
- activate
title: Activate a Grafana Enterprise license from AWS on an instance deployed outside
of AWS
weight: 300
---
# Activate a Grafana Enterprise license from AWS on an instance deployed outside of AWS
While AWS Marketplace lists ECS and EKS as the supported environments for Grafana Enterprise, you can apply a Grafana Enterprise license from AWS Marketplace to any Grafana instance with network access to the AWS licensing service.
## Before you begin
- Purchase a subscription to [Grafana Enterprise from AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-dlncd4kzt5kx6).
- Be sure that the IAM user that was used to purchase Grafana Enterprise has permission to manage subscriptions, create new IAM users, and create access policies.
- Be sure there is network access between AWS and the environment where you intend to run Grafana. Network access is required because your Grafana instance communicates with the [AWS License Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/licensemanager.html) to retrieve license and subscription information. Grafana instances with access to the public internet will have access to AWS license manager.
To activate a Grafana Enterprise license from AWS on a Grafana Enterprise instance deployed outside of AWS, complete the following tasks.
## Task 1: Install Grafana Enterprise
To install Grafana, refer to the documentation specific to your implementation.
- [Install Grafana]({{< relref "../../../../enterprise/setup-grafana/installation/" >}}).
- [Run Grafana Docker image]({{< relref "../../../../enterprise/setup-grafana/installation/docker/" >}}).
- [Deploy Grafana on Kubernetes]({{< relref "../../../../enterprise/setup-grafana/installation/kubernetes/#deploy-grafana-enterprise-on-kubernetes" >}}).
## Task 2: Create an AWS IAM user with access to your Grafana Enterprise license
To retrieve your license, Grafana Enterprise requires access to your AWS account and license information. To grant access, create an IAM user in AWS with access to the license, and pass its credentials as environment variables on the host or container where Grafana is running. These environment variables allow Grafana to retrieve license details from AWS.
1. In the AWS License Manager service, create an IAM policy with the following permissions:
- `"license-manager:CheckoutLicense"`
- `"license-manager:ListReceivedLicenses"`
- `"license-manager:GetLicenseUsage"`
- `"license-manager:CheckInLicense"`
For more information about creating a policy in AWS, refer to [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html).
For more information about AWS Identity and Access Management, refer to [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html).
1. To limit the policy to obtain usage data just for Grafana Enterprise, in the **Resources** section of the policy, specify your license ARN.
You can find your license ID in the **Granted Licenses** section of [AWS License Manager](https://console.aws.amazon.com/license-manager/home).
The policy JSON should look similar to the following example:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "license-manager:GetLicenseUsage",
"Resource": "arn:aws:license-manager::[YOUR_ACCOUNT]:license:[YOUR_LICENSE_ID]"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"license-manager:CheckoutLicense",
"license-manager:ListReceivedLicenses",
"license-manager:CheckInLicense"
],
"Resource": "*"
}
]
}
```
1. Create an IAM user and choose access key credentials as its authentication method.
For more information about creating an IAM user, refer to [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html).
For more information about access key credentials, refer to [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
1. Attach the policy you created to the IAM user.
1. Add the following values as environment variables to the host or container running Grafana:
- AWS region
- IAM user's access key ID
- IAM user's secret access key
The environment variables should look similar to the following example:
```
AWS_ACCESS_KEY_ID=ABCD5E75FGHIJKTM7
AWS_SECRET_ACCESS_KEY=k8fhYAQVy+5NhCejhe6HeSjSphjRuy+12C06
AWS_REGION=us-east-1
```
## Task 3: Configure Grafana Enterprise to validate its license with AWS
In this task you configure Grafana Enterprise to validate the license with AWS instead of Grafana Labs.
Choose one of the following options to update the [license_validation_type]({{< relref "../../../../enterprise/setup-grafana/configure-grafana/enterprise-configuration/#license_validation_type" >}}) configuration to `aws`:
- **Option 1:** In the `[enterprise]` section of the grafana.ini configuration file, add `license_validation_type=aws`.
For example:
```
[enterprise]
license_validation_type=aws
```
- **Option 2:** Add the following environment variable to the container or host:
```
GF_ENTERPRISE_LICENSE_VALIDATION_TYPE=aws
```
## Task 4: Start or restart Grafana
To activate Grafana Enterprise features, start (or restart) Grafana.
For information about restarting Grafana, refer to [Restart Grafana]({{< relref "../../../../enterprise/setup-grafana/restart-grafana/" >}}).

41
docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/manage-license-in-aws-marketplace.md Normal file
View File

@@ -0,0 +1,41 @@
---
aliases:
- /docs/grafana/latest/enterprise/activate-aws-marketplace-license/manage-license-in-aws-marketplace/
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/manage-license-in-aws-marketplace/
description: Manage your Grafana Enterprise license in AWS Marketplace
keywords:
- grafana
- enterprise
- aws
- marketplace
- manage
- add
- remove
- users
title: Manage your Grafana Enterprise license in AWS Marketplace
weight: 400
---
## Manage your Grafana Enterprise license in AWS Marketplace
You can use AWS Marketplace to make the following modifications to your Grafana Enterprise license:
- Add active users
- Remove active users
- Cancel your subscription to Grafana Enterprise.
**To modify your Grafana Enterprise subscription in AWS Marketplace:**
1. Open the AWS Console and navigate to [Subscription Management](https://console.aws.amazon.com/marketplace/home/subscriptions#/subscriptions).
1. Update your license.
1. Sign in to Grafana as a Server Administrator.
1. Hover over **Server Admin** in the navigation bar and click **Statistics and Licensing**.
1. In the **Token** section under **Enterprise License**, click **Renew License**.
This action retrieves updated license information from AWS.
> To learn more about licensing and active users, refer to [Understanding Grafana Enterprise licensing]({{< relref "../../../../enterprise/license/activate-aws-marketplace-license/license-restrictions/" >}}).

30
docs/sources/administration/enterprise-licensing/activate-aws-marketplace-license/transfer-ge-license.md Normal file
View File

@@ -0,0 +1,30 @@
---
aliases:
- /docs/grafana/latest/enterprise/activate-aws-marketplace-license/transfer-ge-license/
- /docs/grafana/latest/enterprise/license/activate-aws-marketplace-license/transfer-ge-license/
description: Transfer your AWS Marketplace Grafana Enterprise license
keywords:
- grafana
- enterprise
- aws
- marketplace
- transfer
- move
title: Transfer your AWS Marketplace Grafana Enterprise license
weight: 400
---
# Transfer your AWS Marketplace Grafana Enterprise license
You can transfer your AWS Marketplace Grafana Enterprise license to another Grafana Enterprise instance. The transfer process requires that you first remove your license from one instance, and then apply the license to another instance.
> When you remove an Enterprise license, the system immediately disables all Grafana Enterprise features.
To remove an Enterprise license from a Grafana Enterprise instance, perform one of the following steps:
- If you are using Amazon ECS or Amazon EKS, remove the `GF_ENTERPRISE_LICENSE_VALIDATION_TYPE` environment variable from the container.
- If you have deployed Grafana Enterprise outside of AWS, remove the `aws` license_validation_type value from the grafana.ini configuration file.
It can take the system up to one hour to clear the license. After the system clears the license, you can apply the same license to another Grafana Enterprise instance.
To determine that the system has returned your license, check the license details in AWS License Manager.

15
docs/sources/administration/manage-users-and-permissions/manage-org-users/_index.md
View File

@@ -1,15 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/
- /docs/grafana/latest/manage-users/org-admin/
title: Manage users in an organization
weight: 400
---
# Manage users in an organization
Organization administrators can invite users to join their organization. Organization users have access to organization resources based on their role, which is **Admin**, **Editor**, or **Viewer**. Permissions associated with each role determine the tasks a user can perform in the system.
For more information about organization user permissions, refer to [Organization users and permissions]({{< relref "../about-users-and-permissions/#organization-users-and-permissions" >}}).
{{< section >}}

28
docs/sources/administration/manage-users-and-permissions/manage-org-users/change-user-org-permissions.md
View File

@@ -1,28 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/change-user-org-permissions/
title: Change a user's organization permissions
weight: 30
---
# Change a user's organization permissions
Update user permissions when you want to enhance or restrict a user's access to organization resources. For more information about organization permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles" >}}).
## Before you begin
- Ensure you have organization administrator privileges
**To change the organization role of a user**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Find the user account for which you want to change the role.
If necessary, use the search field to filter the list.
1. Locate the user on the list and in the **Role** column, click the user role.
1. Select the role that you want to assign.
1. Click **Update**.
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can also [change a user's organization permissions]({{< relref "../manage-server-users/change-user-org-permissions/" >}}) in the Server Admin section.

45
docs/sources/administration/manage-users-and-permissions/manage-org-users/invite-user-join-org.md
View File

@@ -1,45 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/invite-user-join-org/
title: Invite a user to join an organization
weight: 10
---
# Invite a user to join an organization
When you invite users to join an organization, you assign the **Admin**, **Editor**, or **Viewer** role which controls user access to the dashboards and data sources owned by the organization. Users receive an email that prompts them to accept the invitation.
- If you know that the user already has access Grafana and you know their user name, then you issue an invitation by entering their user name.
- If the user is new to Grafana, then use their email address to issue an invitation. The system automatically creates the user account on first sign in.
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can also manually [add a user to an organization]({{< relref "../manage-server-users/add-remove-user-to-org/" >}}).
## Before you begin
- Ensure you have organization administrator privileges.
- If the user already has access to Grafana, obtain their user name.
- Determine the permissions you want to assign to the user. For more information about organization permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles" >}}).
**To invite or add an existing user account to your organization**:
1. Sign in to Grafana as an organization administrator.
1. To switch to the organization to which you want to invite a user, hover your mouse over your profile and click **Switch organization** and select an organization.
> **Note**: It might be that you are currently in the proper organization and don't need to switch organizations.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Click **Invite**.
1. Enter the following information:
| Field | Description |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Email or username | Either the email or username that the user will use to sign in to Grafana. |
| Name | The user's name. |
| Role | Click the organization role to assign this user. For more information about organization roles, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles" >}}).. |
| Send invite email | Switch to on if your organization has configured. The system sends an email to the user inviting them to sign in to Grafana and join the organization. Switch to off if you are not using email. The user can sign in to Grafana with the email or username you entered. |
1. Click **Submit**.
If the invitee is not already a user, the system adds them.
![Invite User](/static/img/docs/manage-users/org-invite-user-7-3.png).

32
docs/sources/administration/manage-users-and-permissions/manage-org-users/manage-pending-invites.md
View File

@@ -1,32 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/manage-pending-invites/
title: Manage a pending invitation
weight: 20
---
# Manage a pending invitation
Periodically review invitations you have sent so that you can see a list of users that have not yet accepted the invitation or cancel a pending invitation.
> **Note:** The **Pending Invites** button is only visible if there are unanswered invitations.
## Before you begin
- Ensure you have organization administrator privileges
**To manage a pending invitation**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Click **Pending Invites**.
The **Pending Invites** button appears only when there are unaccepted invitations.
![Pending Invites button](/static/img/docs/manage-users/pending-invites-button-7-3.png)
To cancel an invitation, click the red **X** next to the invitation.
To copy an invitation link and send it directly to a user, click Copy Invite. You can then paste the invite link into a message.
![Pending Invites list](/static/img/docs/manage-users/pending-invites-list-7-3.png)

28
docs/sources/administration/manage-users-and-permissions/manage-org-users/remove-user-from-org.md
View File

@@ -1,28 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/remove-user-from-org/
title: Remove a user from an organization
weight: 40
---
# Remove a user from an organization
You can remove a user from an organization when they no longer require access to the dashboard or data sources owned by the organization. No longer requiring access to an organization might occur when the user has left your company or has internally moved to another organization.
This action does not remove the user account from the Grafana server.
## Before you begin
- Ensure you have organization administrator privileges
**To remove a user from an organization**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Find the user account that you want to remove from the organization.
Use the search field to filter the list, if necessary.
1. Click the red **X** to remove the user from the organization.
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can also [remove a user from an organization]({{< relref "../manage-server-users/add-remove-user-to-org/#remove-a-user-from-an-organization" >}}) on the Users page of the Server Admin section.

23
docs/sources/administration/manage-users-and-permissions/manage-org-users/view-list-org-users.md
View File

@@ -1,23 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/view-list-org-users/
title: View a list of organization users
weight: 50
---
# View a list of organization users
You can see a list of users with accounts in your Grafana organization. If necessary, you can use the search field to filter the list.
## Before you begin
- Ensure you have organization administrator privileges
**To view a list of organization users**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
![Org Admin user list](/static/img/docs/manage-users/org-user-list-7-3.png)
> **Note:** If you have [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can also [view a global list of users]({{< relref "../manage-server-users/view-list-users/" >}}) in the Server Admin section of Grafana.

20
docs/sources/administration/manage-users-and-permissions/manage-server-users/_index.md
View File

@@ -1,20 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/
- /docs/grafana/latest/manage-users/server-admin/
- /docs/grafana/latest/manage-users/server-admin/server-admin-manage-users/
title: Manage users globally
weight: 300
---
# Manage users globally
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system.
If you have [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions in Grafana, you can manage all users for a Grafana instance in the Server Admin section:
{{< section >}}
If you have [organization administrator]({{< relref "../about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, refer to [Manage users in a organization]({{< relref "../manage-org-users/" >}}).
For more information about users and permissions, refer to [About users and permissions]({{< relref "../about-users-and-permissions/" >}}).

29
docs/sources/administration/manage-users-and-permissions/manage-server-users/add-user.md
View File

@@ -1,29 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/add-user/
title: Add a user
weight: 10
---
# Add a user
Add users when you want to manually provide individuals with access to Grafana.
When you create a user using this method, you must create their password. The user does not receive a notification by email. To invite a user to Grafana and allow them to create their own password, [invite a user to join an organization]({{< relref "../manage-org-users/invite-user-join-org/" >}}).
When you configure advanced authentication using Oauth, SAML, LDAP, or the Auth proxy, users are created automatically.
## Before you begin
- Ensure that you have Grafana server administrator privileges
**To add a user**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click **New user**.
1. Complete the fields and click **Create user**.
When you create a user, the system assigns the user viewer permissions in a default organization, which you can change. You can now [add a user to a second organization]({{< relref "add-remove-user-to-org/" >}}).
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can still add users by [inviting a user to join an organization]({{< relref "../manage-org-users/invite-user-join-org/" >}}).

70
docs/sources/administration/manage-users-and-permissions/manage-server-users/view-edit-user-account.md
View File

@@ -1,70 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/view-edit-user-account/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/view-user-account-details/
title: View and edit a user account
weight: 110
---
# View user details
View user details when you want to see login, and organizations and permissions settings associated with a user.
## Before you begin:
- Ensure you have Grafana server administrator privileges
**To view user details**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click a user.
A user account contains the following sections.
### User information
This section contains basic user information, which users can update.
![Server Admin user information section](/static/img/docs/manage-users/server-admin-user-information-7-3.png)
### Permissions
This indicates whether the user account has the Grafana administrator flag applied. If the flag is set to **Yes**, then the user is a Grafana server administrator.
![Server Admin Permissions section](/static/img/docs/manage-users/server-admin-permissions-7-3.png)
### Organisations
This section lists the organizations the user belongs to and their assigned role.
![Server Admin Organizations section](/static/img/docs/manage-users/server-admin-organisations-7-3.png)
### Sessions
This section includes recent user sessions and information about the time the user logged in and they system they used. You can force logouts, if necessary.
![Server Admin Sessions section](/static/img/docs/manage-users/server-admin-sessions-7-3.png)
# Edit a user account
Edit a user account when you want to modify user login credentials, or delete, disable, or enable a user.
## Before you begin
- Ensure you have Grafana server administrator privileges
**To edit a user account**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click a user.
1. Complete any of the following actions, as necessary.
| Action | Description |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Update name, email, or username | **Is the user notified of these changes?**. Click **Save** after you make a change. |
| Change the user's password | The new password must be at least four characters long. Click **Save** after you make a change. |
| Delete a user | This action permanently removes the user from the Grafana server. The user can no longer sign in after you make this change. |
| Disable user account | This action prevents a user from signing in with this account, but does not delete the account. You might disable an account if a colleague goes on sabbatical. |
| Enable a user account | This action enables a user account. |

23
docs/sources/administration/manage-users-and-permissions/manage-server-users/view-list-users.md
View File

@@ -1,23 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/view-list-users/
title: View a list of users
weight: 100
---
# View a list of users
You can see a list of users with accounts on your Grafana server. This action might be useful when you want to know which role you assigned to each user.
## Before you begin
- Ensure you have Grafana server administrator privileges
**To view a list of users**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
![Server Admin user list](/static/img/docs/manage-users/server-user-list-7-3.png)
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can still [view of list of users in a given organization]({{< relref "../manage-org-users/view-list-org-users/" >}}).

8
docs/sources/administration/manage-organizations/_index.md → docs/sources/administration/organization-management/_index.md
View File

@@ -10,7 +10,7 @@ keywords:
- dashboards
menuTitle: Manage organizations
title: Manage organizations
weight: 300
weight: 200
---
# Manage organizations
@@ -42,7 +42,7 @@ The following table summarizes the resources you can share and/or isolate using
The member of one organization cannot view dashboards assigned to another organization. However, a user can belong to multiple organizations.
Grafana Server Administrators are responsible for creating organizations. For more information about the Grafana Server Administrator role, refer to [Grafana server administrators]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#Grafana server administrators" >}}).
Grafana Server Administrators are responsible for creating organizations. For more information about the Grafana Server Administrator role, refer to [Grafana server administrators]({{< relref "../roles-and-permissions/#Grafana server administrators" >}}).
## View a list of organizations
@@ -80,9 +80,9 @@ Create an organization when you want to isolate dashboards and other resources f
1. On the **Preferences** tab, select a home dashboard, time zone, and week start.
For more information about preferences, refer to [Preferences]({{< relref "../preferences/" >}}).
For more information about preferences, refer to [Preferences]({{< relref "../organization-preferences/" >}}).
For more information about adding users to an organization, refer to [Add a user to an organization]({{< relref "../manage-users-and-permissions/manage-server-users/add-remove-user-to-org/" >}}).
For more information about adding users to an organization, refer to [Add a user to an organization]({{< relref "../user-management/server-user-management/add-remove-user-to-org/" >}}).
## Delete an organization

245
docs/sources/administration/organization-preferences/_index.md Normal file
View File

@@ -0,0 +1,245 @@
---
aliases:
- /docs/grafana/latest/administration/preferences/
- /docs/grafana/latest/administration/preferences/change-grafana-name/
- /docs/grafana/latest/administration/preferences/change-grafana-theme/
- /docs/grafana/latest/administration/preferences/change-grafana-timezone/
- /docs/grafana/latest/administration/change-home-dashboard/
- /docs/grafana/latest/administration/preferences/change-home-dashboard/
title: Organization preferences
weight: 500
---
# Organization preferences
Grafana preferences are basic settings. They control the Grafana UI theme, home dashboard, time zone, and so on.
Preferences are sometimes confusing because they can be set at four different levels, listed from highest level to lowest:
- **Server -** Affects all users on the Grafana server. Set by a [Grafana server admin]({{< relref "../roles-and-permissions/#grafana-server-administrators" >}}).
- **Organization -** Affects all users in an organization. Set by an [Organization admin]({{< relref "../roles-and-permissions/#organization-roles" >}}).
- **Team -** Affects all users assigned to a team. Set by an Organization Admin or Team Admin. To learn more about these roles, refer to [Teams and permissions]({{< relref "../roles-and-permissions/#teams-and-permissions" >}}).
- **User account -** Affects the individual user. Set by the user on their own account.
The lowest level always takes precedence. For example, if a user sets their theme to **Light**, then their visualization of Grafana displays the light theme. Nothing at any higher level can override that.
If the user is aware of the change and intended it, then that's great! But if the user is a Server Admin who made the change to their user preferences a long time ago, they might have forgotten they did that. Then, if that Server Admin is trying to change the theme at the server level, they'll get frustrated as none of their changes have any effect that they can see. (Also, the users on the server might be confused, because _they_ can see the server-level changes!)
## Change Grafana name and email
In Grafana, you can change your names and emails associated with groups or accounts in the Settings or Preferences. This topic provides instructions for each task.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
### Change organization name
Grafana server administrators and organization administrators can change organization names.
#### Grafana Server Admin change organization name
Follow these instructions if you are a Grafana Server Admin.
{{< docs/list >}}
{{< docs/shared "manage-users/view-server-org-list.md" >}}
1. In the organization list, click the name of the organization that you want to change.
1. In **Name**, enter the new organization name.
1. Click **Update**.
{{< /docs/list >}}
#### Organization Admin change organization name
If you are an Organization Admin, follow these steps:
{{< docs/list >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
1. In **Organization name**, enter the new name.
1. Click **Update organization name**.
{{< /docs/list >}}
### Change team name or email
Organization administrators and team administrators can change team names and email addresses.
To change the team name or email, follow these steps:
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
1. Click **Teams**. Grafana displays the team list.
1. In the team list, click the name of the team that you want to change.
1. Click the **Settings** tab.
1. In the Team Settings section, you can edit the following:
- **Name -** Edit this field to change the display name associated with the team.
- **Email -** Edit this field to change the email address associated with the team.
1. Click **Update**.
### Change user name or email
To learn how to edit your user information, refer to [Edit your profile]({{< relref "../user-management/user-preferences/#edit-your-profile" >}}).
## Change Grafana UI theme
In Grafana, you can modify the UI theme configured in the Settings or Preferences. Set the UI theme for the server, an organization, a team, or your personal user account using the instructions in this topic.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
### Theme options
The theme affects how Grafana displays graphs, menus, other UI elements.
#### Default
**Default** is either the dark theme or the theme selected in a higher level. For example, if an Organization administrator set the **Light** theme, then that is the default for all the teams in that organization.
#### Dark
Here is an example of the dark theme.
![Dark theme example](/static/img/docs/preferences/dark-theme-7-4.png)
#### Light
Here is an example of the light theme.
![Light theme example](/static/img/docs/preferences/light-theme-7-4.png)
### Change server UI theme
Grafana server administrators can change the Grafana UI theme for all users on the server by setting the [default_theme]({{< relref "../../setup-grafana/configure-grafana/#default-theme" >}}) option in the Grafana configuration file.
To see what the current settings are, refer to [View server settings]({{< relref "../view-server/view-server-settings/" >}}).
### Change organization UI theme
Organization administrators can change the UI theme for all users in an organization.
{{< docs/list >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
{{< docs/shared "preferences/select-ui-theme-list.md" >}}
{{< /docs/list >}}
### Change team UI theme
Organization and team administrators can change the UI theme for all users in a team.
{{< docs/list >}}
{{< docs/shared "manage-users/view-team-list.md" >}}
1. Click on the team that you want to change the UI theme for and then navigate to the **Settings** tab.
{{< docs/shared "preferences/select-ui-theme-list.md" >}}
{{< /docs/list >}}
### Change your personal UI theme
You can change the UI theme for your user account. This setting overrides UI theme settings at higher levels.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
{{< docs/shared "preferences/select-ui-theme-list.md" >}}
{{< /docs/list >}}
## Change the Grafana default timezone
By default, Grafana uses the timezone in your web browser. However, you can override this setting at the server, organization, team, or individual user level. This topic provides instructions for each task.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
### Set server timezone
Grafana server administrators can choose a default timezone for all users on the server by setting the [default_timezone]({{< relref "../../setup-grafana/configure-grafana/#default-timezone" >}}) option in the Grafana configuration file.
### Set organization timezone
Organization administrators can choose a default timezone for their organization.
{{< docs/list >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
{{< docs/shared "preferences/select-timezone-list.md" >}}
{{< /docs/list >}}
### Set team timezone
Organization administrators and team administrators can choose a default timezone for all users in a team.
{{< docs/list >}}
{{< docs/shared "manage-users/view-team-list.md" >}}
1. Click on the team you that you want to change the timezone for and then navigate to the **Settings** tab.
{{< docs/shared "preferences/select-timezone-list.md" >}}
{{< /docs/list >}}
### Set your personal timezone
You can change the timezone for your user account. This setting overrides timezone settings at higher levels.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
{{< docs/shared "preferences/select-timezone-list.md" >}}
{{< /docs/list >}}
## Change the default home dashboard
The home dashboard you set is the one all users will see by default when they log in. You can set the home dashboard for the server, an organization, a team, or your personal user account. This topic provides instructions for each task.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
### Navigate to the home dashboard
The home dashboard is the first dashboard a user sees when they sign in to Grafana. You can also navigate to the home dashboard manually.
1. Hover your cursor over the **Dashboards** (four squares) icon.
1. Click **Home**.
### Set the home dashboard for the server
Users with the Grafana Server Admin flag on their account or access to the configuration file can define a JSON file to use as the home dashboard for all users on the server.
#### [Optional] Convert an existing dashboard into a JSON file
1. Navigate to the page of the dashboard you want to use as the home dashboard.
1. Click the **Share dashboard** icon next to the dashboard title.
1. In the Export tab, click **Save to file**. Grafana converts the dashboard to a JSON file and saves it locally.
#### Use a JSON file as the home dashboard
1. Save your JSON file somewhere that Grafana can access it. For example, in the Grafana `data` folder of Grafana.
1. Update your configuration file to set the path to the JSON file. Refer to [default_home_dashboard_path]({{< relref "../../setup-grafana/configure-grafana/#default_home_dashboard_path" >}}) for more information about modifying the Grafana configuration files.
```ini
[dashboards]
# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
default_home_dashboard_path = data/main-dashboard.json
```
> **Note:** On Linux, Grafana uses `/usr/share/grafana/public/dashboards/home.json` as the default home dashboard location.
### Set the home dashboard for your organization
Organization administrators can choose a home dashboard for their organization.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
{{< /docs/list >}}
### Set home dashboard for your team
Organization administrators and Team Admins can choose a home dashboard for a team.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
{{< docs/shared "manage-users/view-team-list.md" >}}
1. Click on the team that you want to change the home dashboard for and then navigate to the **Settings** tab.
{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
{{< /docs/list >}}
### Set your personal home dashboard
You can choose your own personal home dashboard. This setting overrides all home dashboards set at higher levels.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
{{< /docs/list >}}

203
docs/sources/administration/plugin-management/_index.md Normal file
View File

@@ -0,0 +1,203 @@
---
aliases:
- /docs/grafana/latest/plugins/
- /docs/grafana/latest/plugins/catalog/
- /docs/grafana/latest/plugins/installation/
- /docs/grafana/latest/plugins/plugin-signature-verification/
- /docs/grafana/latest/plugins/plugin-signatures/
title: Plugin management
weight: 600
---
# Plugin management
Besides the wide range of visualizations and data sources that are available immediately after you install Grafana, you can extend your Grafana experience with _plugins_.
You can [install]({{< relref "../plugins/installation/" >}}) one of the plugins built by the Grafana community, or [build one yourself]({{< relref "../../developers/plugins/" >}}).
Grafana supports three types of plugins: [panels](https://grafana.com/grafana/plugins?type=panel), [data sources](https://grafana.com/grafana/plugins?type=datasource), and [apps](https://grafana.com/grafana/plugins?type=app).
## Panel plugins
Add new visualizations to your dashboard with panel plugins, such as the [Worldmap Panel](https://grafana.com/grafana/plugins/grafana-worldmap-panel), [Clock](https://grafana.com/grafana/plugins/grafana-clock-panel), and [Pie Chart](https://grafana.com/grafana/plugins/grafana-piechart-panel).
Use panel plugins when you want to:
- Visualize data returned by data source queries.
- Navigate between dashboards.
- Control external systems, such as smart home devices.
## Data source plugins
Data source plugins add support for new databases, such as [Google BigQuery](https://grafana.com/grafana/plugins/doitintl-bigquery-datasource).
Data source plugins communicate with external sources of data and return the data in a format that Grafana understands. By adding a data source plugin, you can immediately use the data in any of your existing dashboards.
Use data source plugins when you want to import data from external systems.
## App plugins
Applications, or _app plugins_, bundle data sources and panels to provide a cohesive experience, such as the [Zabbix](https://grafana.com/grafana/plugins/alexanderzobnin-zabbix-app) app.
Apps can also add custom pages for things like control panels.
Use app plugins when you want to create an custom out-of-the-box monitoring experience.
## Plugin catalog
The Plugin catalog allows you to browse and manage plugins from within Grafana. Only Grafana server administrators and organization administrators can access and use the plugin catalog. The following access rules apply depending on the user role:
| Org Admin | Server Admin | Permissions |
| --------- | ------------ | ------------------------------------------------------------------------------------------- |
| &check; | &check; | <ul><li>Can configure app plugins</li><li>Can install/uninstall/update plugins</li></ul> |
| &check; | &times; | <ul><li>Can configure app plugins</li><li>Cannot install/uninstall/update plugins</li></ul> |
| &times; | &check; | <ul><li>Cannot configure app plugins</li><li>Can install/uninstall/update plugins</li></ul> |
> **Note:** The Plugin catalog is designed to work with a single Grafana server instance only. Support for Grafana clusters will be added in future Grafana releases.
<div class="medium-6 columns">
<video width="700" height="600" controls>
<source src="/static/assets/videos/plugins-catalog-install-8-1.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
</div>
In order to be able to install / uninstall / update plugins using plugin catalog, you must enable it via the `plugin_admin_enabled` flag in the [configuration]({{< relref "../../../plugins/setup-grafana/configure-grafana/#plugin_admin_enabled" >}}) file.
Before following the steps below, make sure you are logged in as a Grafana administrator.
<a id="#plugin-catalog-entry"></a>
Currently, there are two entry points to the Plugin catalog.
- Grafana server administrators can find it at **Server Admin >
Plugins**.
- Organization administrators can find it at **Configuration > Plugins**.
### Browse plugins
To browse for available plugins:
1. In Grafana, [navigate to the Plugin catalog](#plugin-catalog-entry) to view installed plugins.
1. Click the **All** filter to browse all available plugins.
1. Click the **Data sources**, **Panels**, or **Applications** buttons to filter by plugin type.
![Plugin catalog browse](/static/img/docs/plugins/plugins-catalog-browse-8-1.png)
### Install a plugin
To install a plugin:
1. In Grafana, [navigate to the Plugin catalog](#plugin-catalog-entry) to view installed plugins.
1. Browse and find a plugin.
1. Click on the plugin logo.
1. Click **Install**.
When the update is complete, you see a confirmation message that the installation was successful.
![Plugin catalog install](/static/img/docs/plugins/plugins-catalog-install-8-1.png)
### Update a plugin
To update a plugin:
1. In Grafana, [navigate to the Plugin catalog](#plugin-catalog-entry) to view installed plugins.
1. Click on the plugin logo.
1. Click **Update**.
When the update is complete, you see a confirmation message that the update was successful.
![Plugin catalog update](/static/img/docs/plugins/plugins-catalog-update-8-1.png)
### Uninstall a plugin
To uninstall a plugin:
1. In Grafana, [navigate to the Plugin catalog](#plugin-catalog-entry) to view installed plugins.
1. Click on the plugin logo.
1. Click **Uninstall**.
When the update is complete, you see a confirmation message that the uninstall was successful.
![Plugin catalog uninstall](/static/img/docs/plugins/plugins-catalog-uninstall-8-1.png)
## Install Grafana plugins
Grafana supports data source, panel, and app plugins. Having panels as plugins makes it easy to create and add any kind of panel, to show your data, or improve your favorite dashboards. Apps enable the bundling of data sources, panels, dashboards, and Grafana pages into a cohesive experience.
1. In a web browser, navigate to the official [Grafana Plugins page](https://grafana.com/plugins) and find a plugin that you want to install.
1. Click the plugin, and then click the **Installation** tab.
### Install plugin on Grafana Cloud
On the Installation tab, in the **For** field, click the name of the Grafana instance that you want to install the plugin on.
Grafana Cloud handles the plugin installation automatically.
If you are logged in to Grafana Cloud when you add a plugin, log out and back in again to use the new plugin.
### Install plugin on local Grafana
Follow the instructions on the Install tab. You can either install the plugin with a Grafana CLI command or by downloading and uncompress a .zip file into the Grafana plugins directory. We recommend using Grafana CLI in most instances. The .zip option is available if your Grafana server does not have access to the internet.
For more information about Grafana CLI plugin commands, refer to [Plugin commands]({{< relref "../../../plugins/administration/cli/#plugins-commands" >}}).
As of Grafana v8.0, a plugin catalog app was introduced in order to make managing plugins easier. For more information, refer to [Plugin catalog]({{< relref "../../../plugins/installation/catalog/" >}}).
#### Install a packaged plugin
After the user has downloaded the archive containing the plugin assets, they can install it by extracting the archive into their plugin directory.
```
unzip my-plugin-0.2.0.zip -d YOUR_PLUGIN_DIR/my-plugin
```
The path to the plugin directory is defined in the configuration file. For more information, refer to [Configuration]({{< relref "../../../plugins/setup-grafana/configure-grafana/#plugins" >}}).
## Plugin signatures
Plugin signature verification (signing) is a security measure to make sure plugins haven't been tampered with. Upon loading, Grafana checks to see if a plugin is signed or unsigned when inspecting and verifying its digital signature.
At startup, Grafana verifies the signatures of every plugin in the plugin directory. If a plugin is unsigned, then Grafana does not load nor start it. To see the result of this verification for each plugin, navigate to **Configuration** -> **Plugins**.
Grafana also writes an error message to the server log:
```bash
WARN[05-26|12:00:00] Some plugin scanning errors were found errors="plugin '<plugin id>' is unsigned, plugin '<plugin id>' has an invalid signature"
```
If you are a plugin developer and want to know how to sign your plugin, refer to [Sign a plugin]({{< relref "../../../plugins/developers/plugins/sign-a-plugin/" >}}).
| Signature status | Description |
| ------------------ | ------------------------------------------------------------------------------- |
| Core | Core plugin built into Grafana. |
| Invalid signature | The plugin has a invalid signature. |
| Modified signature | The plugin has changed since it was signed. This may indicate malicious intent. |
| Unsigned | The plugin is not signed. |
| Signed | The plugin signature was successfully verified. |
### Plugin signature levels
All plugins is signed under a _signature level_. The signature level determines how the plugin can be distributed.
| **Plugin Level** | **Description** |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Private | <p>Private plugins are for use on your own Grafana. They may not be distributed to the Grafana community, and are not published in the Grafana catalog.</p> |
| Community | <p>Community plugins have dependent technologies that are open source and not for profit.</p><p>Community plugins are published in the official Grafana catalog, and are available to the Grafana community.</p> |
| Commercial | <p>Commercial plugins have dependent technologies that are closed source or commercially backed.</p><p>Commercial Plugins are published on the official Grafana catalog, and are available to the Grafana community.</p> |
### Allow unsigned plugins
> **Note:** Unsigned plugins are not supported in Grafana Cloud.
We strongly recommend that you don't run unsigned plugins in your Grafana instance. If you're aware of the risks and you still want to load an unsigned plugin, refer to [Configuration]({{< relref "../../../plugins/setup-grafana/configure-grafana/#allow_loading_unsigned_plugins" >}}).
If you've allowed loading of an unsigned plugin, then Grafana writes a warning message to the server log:
```bash
WARN[06-01|16:45:59] Running an unsigned plugin pluginID=<plugin id>
```
> **Note:** If you're developing a plugin, then you can enable development mode to allow all unsigned plugins.
## Learn more
- Browse the available [Plugins](https://grafana.com/grafana/plugins)

21
docs/sources/administration/preferences/_index.md
View File

@@ -1,21 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/preferences/
title: Preferences
weight: 50
---
# Grafana preferences
Grafana preferences are basic settings. They control the Grafana UI theme, home dashboard, time zone, and so on.
Preferences are sometimes confusing because they can be set at four different levels, listed from highest level to lowest:
- **Server -** Affects all users on the Grafana server. Set by a [Grafana server admin]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#grafana-server-administrators" >}}).
- **Organization -** Affects all users in an organization. Set by an [Organization admin]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#organization-roles" >}}).
- **Team -** Affects all users assigned to a team. Set by an Organization Admin or Team Admin. To learn more about these roles, refer to [Teams and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#teams-and-permissions" >}}).
- **User account -** Affects the individual user. Set by the user on their own account.
The lowest level always takes precedence. For example, if a user sets their theme to **Light**, then their visualization of Grafana displays the light theme. Nothing at any higher level can override that.
If the user is aware of the change and intended it, then that's great! But if the user is a Server Admin who made the change to their user preferences a long time ago, they might have forgotten they did that. Then, if that Server Admin is trying to change the theme at the server level, they'll get frustrated as none of their changes have any effect that they can see. (Also, the users on the server might be confused, because _they_ can see the server-level changes!)

62
docs/sources/administration/preferences/change-grafana-name.md
View File

@@ -1,62 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/preferences/change-grafana-name/
keywords:
- grafana
- configuration
- documentation
- home
title: Change name and email
weight: 100
---
# Change Grafana name and email
In Grafana, you can change your names and emails associated with groups or accounts in the Settings or Preferences. This topic provides instructions for each task.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
## Change organization name
Grafana server administrators and organization administrators can change organization names.
### Grafana Server Admin change organization name
Follow these instructions if you are a Grafana Server Admin.
{{< docs/list >}}
{{< docs/shared "manage-users/view-server-org-list.md" >}}
1. In the organization list, click the name of the organization that you want to change.
1. In **Name**, enter the new organization name.
1. Click **Update**.
{{< /docs/list >}}
### Organization Admin change organization name
If you are an Organization Admin, follow these steps:
{{< docs/list >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
1. In **Organization name**, enter the new name.
1. Click **Update organization name**.
{{< /docs/list >}}
## Change team name or email
Organization administrators and team administrators can change team names and email addresses.
To change the team name or email, follow these steps:
1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
1. Click **Teams**. Grafana displays the team list.
1. In the team list, click the name of the team that you want to change.
1. Click the **Settings** tab.
1. In the Team Settings section, you can edit the following:
- **Name -** Edit this field to change the display name associated with the team.
- **Email -** Edit this field to change the email address associated with the team.
1. Click **Update**.
## Change user name or email
To learn how to edit your user information, refer to [Edit your profile]({{< relref "../manage-user-preferences/#edit-your-profile" >}}).

73
docs/sources/administration/preferences/change-grafana-theme.md
View File

@@ -1,73 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/preferences/change-grafana-theme/
description: How to set the Grafana UI theme
keywords:
- grafana
- configuration
- documentation
- home
title: Change UI theme
weight: 200
---
# Change Grafana UI theme
In Grafana, you can modify the UI theme configured in the Settings or Preferences. Set the UI theme for the server, an organization, a team, or your personal user account using the instructions in this topic.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
## Theme options
The theme affects how Grafana displays graphs, menus, other UI elements.
### Default
**Default** is either the dark theme or the theme selected in a higher level. For example, if an Organization administrator set the **Light** theme, then that is the default for all the teams in that organization.
### Dark
Here is an example of the dark theme.
![Dark theme example](/static/img/docs/preferences/dark-theme-7-4.png)
### Light
Here is an example of the light theme.
![Light theme example](/static/img/docs/preferences/light-theme-7-4.png)
## Change server UI theme
Grafana server administrators can change the Grafana UI theme for all users on the server by setting the [default_theme]({{< relref "../../setup-grafana/configure-grafana/#default-theme" >}}) option in the Grafana configuration file.
To see what the current settings are, refer to [View server settings]({{< relref "../view-server/view-server-settings/" >}}).
## Change organization UI theme
Organization administrators can change the UI theme for all users in an organization.
{{< docs/list >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
{{< docs/shared "preferences/select-ui-theme-list.md" >}}
{{< /docs/list >}}
## Change team UI theme
Organization and team administrators can change the UI theme for all users in a team.
{{< docs/list >}}
{{< docs/shared "manage-users/view-team-list.md" >}}
1. Click on the team that you want to change the UI theme for and then navigate to the **Settings** tab.
{{< docs/shared "preferences/select-ui-theme-list.md" >}}
{{< /docs/list >}}
## Change your personal UI theme
You can change the UI theme for your user account. This setting overrides UI theme settings at higher levels.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
{{< docs/shared "preferences/select-ui-theme-list.md" >}}
{{< /docs/list >}}

51
docs/sources/administration/preferences/change-grafana-timezone.md
View File

@@ -1,51 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/preferences/change-grafana-timezone/
description: How to change your Grafana timezone
keywords:
- grafana
- configuration
- documentation
- home
title: Change default timezone
weight: 400
---
# Change the Grafana default timezone
By default, Grafana uses the timezone in your web browser. However, you can override this setting at the server, organization, team, or individual user level. This topic provides instructions for each task.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
## Set server timezone
Grafana server administrators can choose a default timezone for all users on the server by setting the [default_timezone]({{< relref "../../setup-grafana/configure-grafana/#default-timezone" >}}) option in the Grafana configuration file.
## Set organization timezone
Organization administrators can choose a default timezone for their organization.
{{< docs/list >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
{{< docs/shared "preferences/select-timezone-list.md" >}}
{{< /docs/list >}}
## Set team timezone
Organization administrators and team administrators can choose a default timezone for all users in a team.
{{< docs/list >}}
{{< docs/shared "manage-users/view-team-list.md" >}}
1. Click on the team you that you want to change the timezone for and then navigate to the **Settings** tab.
{{< docs/shared "preferences/select-timezone-list.md" >}}
{{< /docs/list >}}
## Set your personal timezone
You can change the timezone for your user account. This setting overrides timezone settings at higher levels.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
{{< docs/shared "preferences/select-timezone-list.md" >}}
{{< /docs/list >}}

81
docs/sources/administration/preferences/change-home-dashboard.md
View File

@@ -1,81 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/change-home-dashboard/
- /docs/grafana/latest/administration/preferences/change-home-dashboard/
description: How to replace the default home dashboard
keywords:
- grafana
- configuration
- documentation
- home
title: Change home dashboard
weight: 300
---
# Change the default home dashboard
The home dashboard you set is the one all users will see by default when they log in. You can set the home dashboard for the server, an organization, a team, or your personal user account. This topic provides instructions for each task.
{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
## Navigate to the home dashboard
The home dashboard is the first dashboard a user sees when they sign in to Grafana. You can also navigate to the home dashboard manually.
1. Hover your cursor over the **Dashboards** (four squares) icon.
1. Click **Home**.
## Set the home dashboard for the server
Users with the Grafana Server Admin flag on their account or access to the configuration file can define a JSON file to use as the home dashboard for all users on the server.
### [Optional] Convert an existing dashboard into a JSON file
1. Navigate to the page of the dashboard you want to use as the home dashboard.
1. Click the **Share dashboard** icon next to the dashboard title.
1. In the Export tab, click **Save to file**. Grafana converts the dashboard to a JSON file and saves it locally.
### Use a JSON file as the home dashboard
1. Save your JSON file somewhere that Grafana can access it. For example, in the Grafana `data` folder of Grafana.
1. Update your configuration file to set the path to the JSON file. Refer to [default_home_dashboard_path]({{< relref "../../setup-grafana/configure-grafana/#default_home_dashboard_path" >}}) for more information about modifying the Grafana configuration files.
```ini
[dashboards]
# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
default_home_dashboard_path = data/main-dashboard.json
```
> **Note:** On Linux, Grafana uses `/usr/share/grafana/public/dashboards/home.json` as the default home dashboard location.
## Set the home dashboard for your organization
Organization administrators can choose a home dashboard for their organization.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
{{< docs/shared "preferences/org-preferences-list.md" >}}
{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
{{< /docs/list >}}
## Set home dashboard for your team
Organization administrators and Team Admins can choose a home dashboard for a team.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
{{< docs/shared "manage-users/view-team-list.md" >}}
1. Click on the team that you want to change the home dashboard for and then navigate to the **Settings** tab.
{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
{{< /docs/list >}}
## Set your personal home dashboard
You can choose your own personal home dashboard. This setting overrides all home dashboards set at higher levels.
{{< docs/list >}}
{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
{{< /docs/list >}}

6
docs/sources/administration/provisioning.md → docs/sources/administration/provisioning/_index.md
View File

@@ -6,11 +6,11 @@ description: ''
keywords:
- grafana
- provisioning
title: Provisioning
weight: 800
title: Provision Grafana
weight: 600
---
# Provisioning Grafana
# Provision Grafana
In previous versions of Grafana, you could only use the API for provisioning data sources and dashboards. But that required the service to be running before you started creating dashboards and you also needed to set up credentials for the HTTP API. In v5.0 we decided to improve this experience by adding a new active provisioning system that uses config files. This will make GitOps more natural as data sources and dashboards can be defined via files that can be version controlled. We hope to extend this system to later add support for users, orgs and alerts as well.

26
docs/sources/administration/manage-users-and-permissions/about-users-and-permissions.md → docs/sources/administration/roles-and-permissions/_index.md
View File

@@ -5,11 +5,11 @@ aliases:
- /docs/grafana/latest/permissions/
- /docs/grafana/latest/permissions/organization_roles/
- /docs/grafana/latest/permissions/overview/
title: About users and permissions
weight: 100
title: Roles and permissions
weight: 300
---
# About users and permissions
# Roles and permissions
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions for an administrator to create and delete users.
@@ -31,7 +31,7 @@ A server administrator can perform the following tasks:
- Manage users and permissions
- Create, edit, and delete organizations
- View server-wide settings defined in the [Configuration]({{< relref "../../setup-grafana/configure-grafana/" >}}) file
- View server-wide settings defined in the [Configuration]({{< relref "../setup-grafana/configure-grafana/" >}}) file
- View Grafana server statistics, including total users and active sessions
- Upgrade the server to Grafana Enterprise.
@@ -57,7 +57,7 @@ Permissions assigned to a user within an organization control the extent to whic
### Organization roles
Organization role-based permissions are global, which means that each permission level applies to all Grafana resources within an given organization. For example, an editor can see and update _all_ dashboards in an organization, unless those dashboards have been specifically restricted using [dashboard permissions]({{< relref "manage-dashboard-permissions/" >}}).
Organization role-based permissions are global, which means that each permission level applies to all Grafana resources within an given organization. For example, an editor can see and update _all_ dashboards in an organization, unless those dashboards have been specifically restricted using [dashboard permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/manage-dashboard-permissions/" >}}).
Grafana uses the following roles to control user access:
@@ -97,9 +97,9 @@ You can specify the following permissions to dashboards and folders.
- **Edit**: Can create and edit dashboards. Editors _cannot_ change folder or dashboard permissions, or add, edit, or delete folders.
- **View**: Can only view dashboards and folders.
For more information about assigning dashboard folder permissions, refer to [Grant dashboard folder permissions]({{< relref "manage-dashboard-permissions/#grant-dashboard-folder-permissions" >}}).
For more information about assigning dashboard folder permissions, refer to [Grant dashboard folder permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/manage-dashboard-permissions/#grant-dashboard-folder-permissions" >}}).
For more information about assigning dashboard permissions, refer to [Grant dashboard permissions]({{< relref "manage-dashboard-permissions/#grant-dashboard-permissions" >}}).
For more information about assigning dashboard permissions, refer to [Grant dashboard permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/manage-dashboard-permissions/#grant-dashboard-permissions" >}}).
## Editors with administrator permissions
@@ -109,18 +109,18 @@ If you have access to the Grafana server, you can modify the default editor role
This setting can be used to enable self-organizing teams to administer their own dashboards.
For more information about assigning administrator permissions to editors, refer to [Grant editors administrator permissions]({{< relref "manage-server-users/grant-editor-admin-permissions/" >}}).
For more information about assigning administrator permissions to editors, refer to [Grant editors administrator permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/manage-server-users/grant-editor-admin-permissions/" >}}).
## Viewers with dashboard preview and Explore permissions
If you have access to the Grafana server, you can modify the default viewer role so that viewers can:
- Edit and preview dashboards, but cannot save their changes or create new dashboards.
- Access and use [Explore]({{< relref "../../explore/" >}}).
- Access and use [Explore]({{< relref "../explore/" >}}).
Extending the viewer role is useful for public Grafana installations where you want anonymous users to be able to edit panels and queries, but not be able to save or create new dashboards.
For more information about assigning dashboard preview permissions to viewers, refer to [Enable viewers to preview dashboards and use Explore]({{< relref "manage-dashboard-permissions/#enable-viewers-to-preview-dashboards-and-use-explore" >}}).
For more information about assigning dashboard preview permissions to viewers, refer to [Enable viewers to preview dashboards and use Explore]({{< relref "../manage-users-and-permissions/about-users-and-permissions/manage-dashboard-permissions/#enable-viewers-to-preview-dashboards-and-use-explore" >}}).
## Teams and permissions
@@ -131,7 +131,7 @@ You can assign a team member one of the following permissions:
- **Member**: Includes the user as a member of the team. Members do not have team administrator privileges.
- **Admin**: Administrators have permission to manage various aspects of the team, including team membership, permissions, and settings.
Because teams exist inside an organization, the organization administrator can manage all teams. When the `editors_can_admin` setting is enabled, editors can create teams and manage teams that they create. For more information about the `editors_can_admin` setting, refer to [Grant editors administrator permissions]({{< relref "manage-server-users/grant-editor-admin-permissions/" >}}).
Because teams exist inside an organization, the organization administrator can manage all teams. When the `editors_can_admin` setting is enabled, editors can create teams and manage teams that they create. For more information about the `editors_can_admin` setting, refer to [Grant editors administrator permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/manage-server-users/grant-editor-admin-permissions/" >}}).
## Grafana Enterprise user permissions features
@@ -146,13 +146,13 @@ Grafana Enterprise provides the following permissions-related features:
By default, a user can query any data source in an organization, even if the data source is not linked to the user's dashboards.
Data source permissions enable you to restrict data source query permissions to specific **Users** and **Teams**. For more information about assigning data source permissions, refer to [Data source permissions]({{< relref "../../enterprise/datasource_permissions/" >}}).
Data source permissions enable you to restrict data source query permissions to specific **Users** and **Teams**. For more information about assigning data source permissions, refer to [Data source permissions]({{< relref "../enterprise/datasource_permissions/" >}}).
### Role-based access control
RBAC provides you a way of granting, changing, and revoking user read and write access to Grafana resources, such as users, reports, and authentication.
For more information about RBAC, refer to [Role-based access control]({{< relref "../../enterprise/access-control/" >}}).
For more information about RBAC, refer to [Role-based access control]({{< relref "../manage-users-and-permissions/about-users-and-permissions/access-control/" >}}).
### Learn more

118
docs/sources/administration/roles-and-permissions/access-control/_index.md Normal file
View File

@@ -0,0 +1,118 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/
- /docs/grafana/latest/enterprise/access-control/
- /docs/grafana/latest/enterprise/access-control/about-rbac/
- /docs/grafana/latest/enterprise/access-control/roles/
description: Role-based access control (RBAC) provides a standardized way of granting,
changing, and revoking access so that users can view and modify Grafana resources,
such as users and reports.
menuTitle: Role-based access control (RBAC)
title: Grafana Role-based access control (RBAC)
weight: 120
---
# Role-based access control (RBAC)
RBAC provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana resources, such as dashboards, reports, and administrative settings.
{{< section >}}
## About RBAC
Role-based access control (RBAC) provides a standardized way of granting, changing, and revoking access so that users can view and modify Grafana resources, such as users and reports.
RBAC extends Grafana basic roles that are included in Grafana OSS, and enables you more granular control of users actions.
By using RBAC you can provide users with permissions that extend the permissions available with basic roles. For example, you can use RBAC to:
- Modify existing basic roles: for example, enable an editor to create reports
- Assign fixed roles to users and teams: for example, grant an engineering team the ability to create data sources
- Create custom roles: for example, a role that allows users to create and edit dashboards, but not delete them
RBAC roles contain multiple permissions, each of which has an action and a scope:
- **Role:** `fixed:datasources:reader`
- **Permission:**
- **Action:** `datasources:read`
- **Scope:** `datasources:*`
### Basic roles
Basic roles are the standard roles that are available in Grafana OSS. If you have purchased a Grafana Enterprise license, you can still use basic roles.
Grafana includes the following basic roles:
- Grafana administrator
- Organization administrator
- Editor
- Viewer
Each basic role is comprised of a number of _permissions_. For example, the viewer basic role contains the following permissions among others:
- `Action: datasources.id:read, Scope: datasources:*`: Enables the viewer to see the ID of a data source.
- `Action: orgs:read`: Enables the viewer to see their organization details
- `Action: annotations:read, Scope: annotations:*`: Enables the viewer to see annotations that other users have added to a dashboard.
- `Action: annotations:create, Scope: annotations:type:dashboard`: Enables the viewer to add annotations to a dashboard.
- `Action: annotations:write, Scope: annotations:type:dashboard`: Enables the viewer to modify annotations of a dashboard.
- `Action: annotations:delete, Scope: annotations:type:dashboard`: Enables the viewer to remove annotations from a dashboard.
> **Note:** You can't have a Grafana user without a basic role assigned.
#### Basic role modification
You can use RBAC to modify the permissions associated with any basic role, which changes what viewers, editors, or admins can do. You can't delete basic roles.
Note that any modification to any of these basic role is not propagated to the other basic roles.
For example, if you modify Viewer basic role and grant additional permission, Editors or Admins won't have that additional grant.
For more information about the permissions associated with each basic role, refer to [Basic role definitions]({{< relref "../../../../enterprise/access-control/about-rbac/rbac-fixed-basic-role-definitions/#basic-role-assignments" >}}).
To interact with the API and view or modify basic roles permissions, refer to [the table]({{< relref "../../../../enterprise/access-control/about-rbac/manage-rbac-roles/#basic-role-uid-mapping" >}}) that maps basic role names to the associated UID.
### Fixed roles
Grafana Enterprise includes the ability for you to assign discrete fixed roles to users, teams, and service accounts. This gives you fine-grained control over user permissions than you would have with basic roles alone. These roles are called "fixed" because you cannot change or delete fixed roles. You can also create _custom_ roles of your own; see more information in the [custom roles section]({{< relref "#custom-roles" >}}) below.
Assign fixed roles when the basic roles do not meet your permission requirements. For example, you might want a user with the basic viewer role to also edit dashboards. Or, you might want anyone with the editor role to also add and manage users. Fixed roles provide users more granular access to create, view, and update the following Grafana resources:
- [Alerting]({{< relref "../../../../enterprise/alerting/" >}})
- [Annotations]({{< relref "../../../../enterprise/dashboards/annotations/" >}})
- [API keys]({{< relref "../../../../enterprise/administration/api-keys/" >}})
- [Dashboards and folders]({{< relref "../../../../enterprise/dashboards/" >}})
- [Data sources]({{< relref "../../../../enterprise/datasources/" >}})
- [Explore]({{< relref "../../../../enterprise/explore/" >}})
- [Folders]({{< relref "../../../../enterprise/dashboards/dashboard-folders/" >}})
- [LDAP]({{< relref "../../../../enterprise/setup-grafana/configure-security/configure-authentication/ldap/" >}})
- [Licenses]({{< relref "../../../../enterprise/access-control/license/" >}})
- [Organizations]({{< relref "../../../../enterprise/administration/manage-organizations/" >}})
- [Provisioning]({{< relref "../../../../enterprise/administration/provisioning/" >}})
- [Reports]({{< relref "../../../../enterprise/access-control/reporting/" >}})
- [Roles]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/" >}})
- [Settings]({{< relref "../../../../enterprise/access-control/settings-updates/" >}})
- [Service accounts]({{< relref "../../../../enterprise/administration/service-accounts/" >}})
- [Teams]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/manage-teams/" >}})
- [Users]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/manage-server-users/" >}})
To learn more about the permissions you can grant for each resource, refer to [RBAC role definitions]({{< relref "../../../../enterprise/access-control/about-rbac/rbac-fixed-basic-role-definitions/" >}}).
### Custom roles
If you are a Grafana Enterprise customer, you can create custom roles to manage user permissions in a way that meets your security requirements.
Custom roles contain unique combinations of permissions _actions_ and _scopes_. An action defines the action a use can perform on a Grafana resource. For example, the `teams.roles:read` action allows a user to see a list of roles associated with each team.
A scope describes where an action can be performed. For example, the `teams:id:1` scope restricts the user's action to the team with ID `1`. When paired with the `teams.roles:read` action, this permission prohibits the user from viewing the roles for teams other than team `1`.
Consider creating a custom role when fixed roles do not meet your permissions requirements.
#### Custom role creation
You can use either of the following methods to create, assign, and manage custom roles:
- Grafana provisioning: You can use a YAML file to configure roles. For more information about using provisioning to create custom roles, refer to [Manage RBAC roles]({{< relref "../../../../enterprise/access-control/about-rbac/manage-rbac-roles/" >}}). For more information about using provisioning to assign RBAC roles to users or teams, refer to [Assign RBAC roles]({{< relref "../../../../enterprise/access-control/about-rbac/assign-rbac-roles/" >}}).
- RBAC API: As an alternative, you can use the Grafana HTTP API to create and manage roles. For more information about the HTTP API, refer to [RBAC API]({{< relref "../../../../enterprise/developers/http_api/access_control/" >}}).
### Limitation
If you have created a folder with the name `General` or `general`, you cannot manage its permissions with RBAC.
If you set [folder permissions]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/manage-dashboard-permissions/" >}}) for a folder named `General` or `general`, the system disregards the folder when RBAC is enabled.

192
docs/sources/administration/roles-and-permissions/access-control/assign-rbac-roles.md Normal file
View File

@@ -0,0 +1,192 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/assign-rbac-roles/
- /docs/grafana/latest/enterprise/access-control/manage-role-assignments/manage-built-in-role-assignments/
- /docs/grafana/latest/enterprise/access-control/manage-role-assignments/manage-user-role-assignments/
description: Learn how to assign RBAC roles to users and teams in Grafana.
menuTitle: Assign RBAC roles
title: Assign Grafana RBAC roles
weight: 40
---
# Assign RBAC roles
In this topic you'll learn how to use the role picker, provisioning, and the HTTP API to assign fixed and custom roles to users and teams.
## Assign fixed roles in the UI using the role picker
This section describes how to:
- Assign a fixed role to a user or team as an organization administrator.
- Assign a fixed role to a user as a server administrator. This approach enables you to assign a fixed role to a user in multiple organizations, without needing to switch organizations.
In both cases, the assignment applies only to the user or team within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
> **Note:** After you apply your changes, user and team permissions update immediately, and the UI reflects the new permissions the next time they reload their browser or visit another page.
<br/>
**Before you begin:**
- [Plan your RBAC rollout strategy]({{< relref "../../../../enterprise/access-control/assign-rbac-roles/plan-rbac-rollout-strategy/" >}}).
- Identify the fixed roles that you want to assign to the user or team.
For more information about available fixed roles, refer to [RBAC role definitions]({{< relref "../../../../enterprise/access-control/assign-rbac-roles/rbac-fixed-basic-role-definitions/" >}}).
- Ensure that your own user account has the correct permissions:
- If you are assigning permissions to a user or team within an organization, you must have organization administrator or server administrator permissions.
- If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
- Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
- Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
<br/>
**To assign a fixed role to a user or team:**
1. Sign in to Grafana.
2. Switch to the organization that contains the user or team.
For more information about switching organizations, refer to [Switch organizations](../../administration/manage-user-preferences/_index.md#switch-organizations).
3. Hover your cursor over **Configuration** (the gear icon) in the left navigation menu, and click **Users** or **Teams**.
4. In the **Role** column, select the fixed role that you want to assign to the user or team.
5. Click **Update**.
![User role picker in an organization](/static/img/docs/enterprise/user_role_picker_in_org.png)
**To assign a fixed role as a server administrator:**
1. Sign in to Grafana, hover your cursor over **Server Admin** (the shield icon) in the left navigation menu, and click **Users**.
1. Click a user.
1. In the **Organizations** section, select a role within an organization that you want to assign to the user.
1. Click **Update**.
![User role picker in Organization](/static/img/docs/enterprise/user_role_picker_global.png)
## Assign fixed or custom roles to a team using provisioning
Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.
**Before you begin:**
- Refer to [Role provisioning]({{< relref "../../../../enterprise/access-control/assign-rbac-roles/rbac-provisioning/#rbac-provisioning" >}})
- Ensure that the team to which you are adding the fixed role exists. For more information about creating teams, refer to [Manage teams]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/manage-teams/" >}})
**To assign a role to a team:**
1. Open the YAML configuration file.
1. Refer to the following table to add attributes and values.
| Attribute | Description |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles` | Enter the custom role or custom roles you want to create/update. |
| `roles > name` | Enter the name of the custom role. |
| `roles > version` | Enter the custom role version number. Role assignments are independent of the role version number. |
| `roles > global` | Enter `true`. You can specify the `orgId` otherwise. |
| `roles > permissions` | Enter the permissions `action` and `scope` values. For more information about permissions actions and scopes, refer to [RBAC permissions, actions, and scopes]({{< relref "../../../../enterprise/access-control/assign-rbac-roles/custom-role-actions-scopes/" >}}) |
| `teams` | Enter the team or teams to which you are adding the custom role. |
| `teams > orgId` | Because teams belong to organizations, you must add the `orgId` value. |
| `teams > name` | Enter the name of the team. |
| `teams > roles` | Enter the custom or fixed role or roles that you want to grant to the team. |
| `teams > roles > name` | Enter the name of the role. |
| `teams > roles > global` | Enter `true`, or specify `orgId` of the role you want to assign to the team. Fixed roles are global. |
For more information about managing custom roles, refer to [Create custom roles using provisioning]({{< relref "../../../../enterprise/access-control/assign-rbac-roles/manage-rbac-roles/#create-custom-roles-using-provisioning" >}}).
1. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../../../enterprise/developers/http_api/admin/#reload-provisioning-configurations" >}}).
The following example creates the `custom:users:writer` role and assigns it to the `user writers` and `user admins` teams along with the `fixed:users:writer` role:
The following example:
- Creates the `custom:users:writer` role.
- Assigns the `custom:users:writer` role and the `fixed:users:writer` role to the `user admins` and `user writers` teams.
```yaml
# config file version
apiVersion: 2
# Roles to insert/update in the database
roles:
- name: 'custom:users:writer'
description: 'List/update other users in the organization'
version: 1
global: true
permissions:
- action: 'org.users:read'
scope: 'users:*'
- action: 'org.users:write'
scope: 'users:*'
# Assignments to teams
teams:
- name: 'user writers'
orgId: 1
roles:
# Custom role assignment
- name: 'custom:users:writer'
global: true
# Fixed role assignment
- name: 'fixed:users:writer'
global: true
- name: 'user admins'
orgId: 1
roles:
- name: 'custom:users:writer'
global: true
- name: 'fixed:users:writer'
global: true
```
> **Note**: The roles don't have to be defined in the provisioning configuration files to be assigned. If roles exist in the database, they can be assigned.
**Remove a role assignment from a team:**
If you want to remove an assignment from a team, add `state: absent` to the `teams > roles` section, and reload the configuration file.
The following example:
- Creates the `custom:users:writer` role
- Assigns the `custom:users:writer` role and the `fixed:users:writer` role to the `user admins` team
- Removes the `custom:users:writer` and the `fixed:users:writer` assignments from the `user writers` team, if those assignments exist.
```yaml
# config file version
apiVersion: 2
# Roles to insert/update in the database
roles:
- name: 'custom:users:writer'
description: 'List/update other users in the organization'
version: 1
global: true
permissions:
- action: 'org.users:read'
scope: 'users:*'
- action: 'org.users:write'
scope: 'users:*'
# Assignments to teams
teams:
- name: 'user writers'
orgId: 1
roles:
- name: 'fixed:users:writer'
global: true
state: 'absent' # Remove assignment
- name: 'custom:users:writer'
global: true
state: 'absent' # Remove assignment
- name: 'user admins'
orgId: 1
roles:
- name: 'fixed:users:writer'
global: true
- name: 'custom:users:writer'
global: true
```
> **Note**: The roles don't have to be defined in the provisioning configuration files to be revoked. If roles exist in the database, they can be revoked.

24
docs/sources/administration/roles-and-permissions/access-control/configure-rbac.md Normal file
View File

@@ -0,0 +1,24 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/configure-rbac/
description: Learn how to configure RBAC.
menuTitle: Configure RBAC
title: Configure RBAC in Grafana
weight: 30
---
# Configure RBAC in Grafana
The table below describes all RBAC configuration options. Like any other Grafana configuration, you can apply these options as [environment variables]({{< relref "../../../../enterprise/setup-grafana/configure-grafana/#configure-with-environment-variables" >}}).
| Setting | Required | Description | Default |
| ------------------ | -------- | ---------------------------------------------------------------------------- | ------- |
| `permission_cache` | No | Enable to use in memory cache for loading and evaluating users' permissions. | `true` |
## Example RBAC configuration
```bash
[rbac]
permission_cache = true
```

155
docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes.md Normal file
View File

@@ -0,0 +1,155 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/custom-role-actions-scopes/
- /docs/grafana/latest/enterprise/access-control/permissions/
description: Learn about Grafana RBAC permissions, actions, and scopes.
menuTitle: RBAC permissions, actions, and scopes
title: Grafana RBAC permissions, actions, and scopes
weight: 80
---
# RBAC permissions, actions, and scopes
A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions.
To learn more about the Grafana resources to which you can apply RBAC, refer to [Resources with RBAC permissions]({{< relref "../../../../enterprise/access-control/custom-role-actions-scopes/about-rbac/#fixed-roles" >}}).
- **Action:** An action describes what tasks a user can perform on a resource.
- **Scope:** A scope describes where an action can be performed, such as reading a specific user profile. In this example, a permission is associated with the scope `users:<userId>` to the relevant role.
## Action definitions
The following list contains role-based access control actions.
| Action | Applicable scope | Description |
| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | n/a | Create silences in the current organization. |
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
| `alert.instances:write` | n/a | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `annotations:create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
| `annotations:delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
| `annotations:read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
| `annotations:write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
| `apikeys:create` | n/a | Create API keys. |
| `apikeys:read` | `apikeys:*`<br>`apikeys:id:*` | Read API keys. |
| `apikeys:delete` | `apikeys:*`<br>`apikeys:id:*` | Delete API keys. |
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update permissions for one or more dashboards. |
| `dashboards:create` | `folders:*`<br>`folders:uid:*` | Create dashboards in one or more folders. |
| `dashboards:delete` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Delete one or more dashboards. |
| `dashboards:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update one or more dashboards. |
| `datasources.id:read` | `datasources:*`<br>`datasources:uid:*` | Read data source IDs. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:uid:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*`<br>`datasources:uid:*` | Update data source permissions. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:delete` | `datasources:*`<br>`datasources:uid:*` | Delete data sources. |
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources:query` | `datasources:*`<br>`datasources:uid:*` | Query data sources. |
| `datasources:read` | `datasources:*`<br>`datasources:uid:*` | List data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:uid:*` | Update data sources. |
| `folders.permissions:read` | `folders:*`<br>`folders:uid:*` | Read permissions for one or more folders. |
| `folders.permissions:write` | `folders:*`<br>`folders:uid:*` | Update permissions for one or more folders. |
| `folders:create` | n/a | Create folders. |
| `folders:delete` | `folders:*`<br>`folders:uid:*` | Delete one or more folders. |
| `folders:read` | `folders:*`<br>`folders:uid:*` | Read one or more folders. |
| `folders:write` | `folders:*`<br>`folders:uid:*` | Update one or more folders. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.user:read` | n/a | Read users via LDAP. |
| `ldap.user:sync` | n/a | Sync users via LDAP. |
| `licensing.reports:read` | n/a | Get custom permission reports. |
| `licensing:delete` | n/a | Delete the license token. |
| `licensing:read` | n/a | Read licensing information. |
| `licensing:write` | n/a | Update the license token. |
| `org.users:write` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. |
| `org.users:add` | `users:*` | Add a user to an organization. |
| `org.users:read` | `users:*` <br> `users:id:*` | Get user profiles within an organization. |
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
| `org:create` | n/a | Create an organization. |
| `orgs.preferences:read` | `orgs:*` <br> `orgs:id:*` | Read organization preferences. |
| `orgs.preferences:write` | `orgs:*` <br> `orgs:id:*` | Update organization preferences. |
| `orgs.quotas:read` | `orgs:*` <br> `orgs:id:*` | Read organization quotas. |
| `orgs.quotas:write` | `orgs:*` <br> `orgs:id:*` | Update organization quotas. |
| `orgs:delete` | `orgs:*` <br> `orgs:id:*` | Delete one or more organizations. |
| `orgs:read` | `orgs:*` <br> `orgs:id:*` | Read one or more organizations. |
| `orgs:write` | `orgs:*` <br> `orgs:id:*` | Update one or more organizations. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). |
| `reports:create` | n/a | Create reports. |
| `reports:write` | `reports:*` <br> `reports:id:*` | Update reports. |
| `reports.settings:read` | n/a | Read report settings. |
| `reports.settings:write` | n/a | Update report settings. |
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` | Send a report email. |
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
| `roles:read` | `roles:*` <br> `roles:uid:*` | List roles and read a specific with its permissions. |
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. |
| `server.stats:read` | n/a | Read Grafana instance statistics. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../enterprise/setup-grafana/configure-grafana/" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../enterprise/access-control/settings-updates/" >}}). |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and External Group Synchronization setup for teams. |
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. |
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
| `teams.roles:read` | `teams:*` | List roles assigned directly to a team. |
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
| `teams:create` | n/a | Create teams. |
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. |
| `teams:write` | `teams:*`<br>`teams:id:*` | Update one or more teams and team preferences. |
| `users.authtoken:read` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:write` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:write` | `global.users:*` <br> `global.users:id:*` | Update a users password. |
| `users.permissions:read` | `users:*` | List permissions of a user. |
| `users.permissions:write` | `global.users:*` <br> `global.users:id:*` | Update a users organization-level permissions. |
| `users.quotas:read` | `global.users:*` <br> `global.users:id:*` | List a users quotas. |
| `users.quotas:write` | `global.users:*` <br> `global.users:id:*` | Update a users quotas. |
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user. |
| `users.roles:read` | `users:*` | List roles assigned directly to a user. |
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user. |
| `users:create` | n/a | Create a user. |
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
| `users:enable` | `globa.users:*` <br> `global.users:id:*` | Enable a user. |
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
| `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a users profile. |
## Scope definitions
The following list contains role-based access control scopes.
| Scopes | Descriptions |
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `annotations:*`<br>`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
| `apikeys:*`<br>`apikeys:id:*` | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`. |
| `dashboards:*`<br>`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
| `datasources:*`<br>`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
| `folders:*`<br>`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. |
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
| `permissions:type:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `permissions:type:escalate` | The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "../../../../enterprise/access-control/custom-role-actions-scopes/custom-role-actions-scopes/" >}}). |
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
| `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. |
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |

371
docs/sources/administration/roles-and-permissions/access-control/manage-rbac-roles.md Normal file
View File

@@ -0,0 +1,371 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/manage-rbac-roles/
- /docs/grafana/latest/enterprise/access-control/manage-role-assignments/
- /docs/grafana/latest/enterprise/access-control/provisioning/
description: Learn how to view permissions associated with roles, create custom roles,
and update and delete roles in Grafana.
menuTitle: Manage RBAC roles
title: Manage Grafana RBAC roles
weight: 50
---
# Manage RBAC roles
This section includes instructions for how to view permissions associated with roles, create custom roles, and update and delete roles.
The following example includes the base64 username:password Basic Authorization. You cannot use authorization tokens in the request.
### List permissions associated with roles
Use a `GET` command to see the actions and scopes associated with a role. For more information about seeing a list of permissions for each role, refer to [Get a role]({{< relref "../../../../enterprise/developers/http_api/access_control/#get-a-role" >}}).
To see the permissions associated with basic roles, refer to the following basic role UIDs:
| Basic role | UID |
| --------------- | --------------------- |
| `Viewer` | `basic_viewer` |
| `Editor` | `basic_editor` |
| `Admin` | `basic_admin` |
| `Grafana Admin` | `basic_grafana_admin` |
**Example request**
```
curl --location --request GET '<grafana_url>/api/access-control/roles/qQui_LCMk' --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
```
**Example response**
```
{
"version": 2,
"uid": "qQui_LCMk",
"name": "fixed:users:writer",
"displayName": "User writer",
"description": "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users.",
"global": true,
"permissions": [
{
"action": "org.users:add",
"scope": "users:*",
"updated": "2021-05-17T20:49:18+02:00",
"created": "2021-05-17T20:49:18+02:00"
},
{
"action": "org.users:read",
"scope": "users:*",
"updated": "2021-05-17T20:49:18+02:00",
"created": "2021-05-17T20:49:18+02:00"
},
{
"action": "org.users:remove",
"scope": "users:*",
"updated": "2021-05-17T20:49:18+02:00",
"created": "2021-05-17T20:49:18+02:00"
},
{
"action": "org.users:write",
"scope": "users:*",
"updated": "2021-05-17T20:49:18+02:00",
"created": "2021-05-17T20:49:18+02:00"
}
],
"updated": "2021-05-17T20:49:18+02:00",
"created": "2021-05-13T16:24:26+02:00"
}
```
Refer to the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#get-a-role" >}}) for more details.
## Create custom roles
This section shows you how to create a custom RBAC role using Grafana provisioning and the HTTP API.
Create a custom role when basic roles and fixed roles do not meet your permissions requirements.
**Before you begin:**
- [Plan your RBAC rollout strategy]({{< relref "../../../../enterprise/access-control/manage-rbac-roles/plan-rbac-rollout-strategy/" >}}).
- Determine which permissions you want to add to the custom role. To see a list of actions and scope, refer to [RBAC permissions actions and scopes]({{< relref "../../../../enterprise/access-control/manage-rbac-roles/custom-role-actions-scopes/" >}}).
- [Enable role provisioning]({{< relref "../../../../enterprise/access-control/manage-rbac-roles/rbac-provisioning/" >}}).
- Ensure that you have permissions to create a custom role.
- By default, the Grafana Admin role has permission to create custom roles.
- A Grafana Admin can delegate the custom role privilege to another user by creating a custom role with the relevant permissions and adding the `permissions:type:delegate` scope.
### Create custom roles using provisioning
File-based provisioning is one method you can use to create custom roles.
1. Open the YAML configuration file and locate the `roles` section.
1. Refer to the following table to add attributes and values.
| Attribute | Description |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `name` | A human-friendly identifier for the role that helps administrators understand the purpose of a role. `name` is required and cannot be longer than 190 characters. We recommend that you use ASCII characters. Role names must be unique within an organization. |
| `uid` | A unique identifier associated with the role. The UID enables you to change or delete the role. You can either generate a UID yourself, or let Grafana generate one for you. You cannot use the same UID within the same Grafana instance. |
| `orgId` | Identifies the organization to which the role belongs. The [default org ID]({{< relref "../../../../enterprise/setup-grafana/configure-grafana/#auto_assign_org_id" >}}) is used if you do not specify `orgId`. |
| `global` | Global roles are not associated with any specific organization, which means that you can reuse them across all organizations. This setting overrides `orgId`. |
| `displayName` | Human-friendly text that is displayed in the UI. Role display name cannot be longer than 190 ASCII-based characters. For fixed roles, the display name is shown as specified. If you do not set a display name the display name replaces `':'` (a colon) with `' '` (a space). |
| `description` | Human-friendly text that describes the permissions a role provides. |
| `group` | Organizes roles in the role picker. |
| `version` | A positive integer that defines the current version of the role, which prevents overwriting newer changes. |
| `hidden` | Hidden roles do not appear in the role picker. |
| `state` | State of the role. Defaults to `present`, but if set to `absent` the role will be removed. |
| `force` | Can be used in addition to state `absent`, to force the removal of a role and all its assignments. |
| `from` | An optional list of roles from which you want to copy permissions. |
| `permissions` | Provides users access to Grafana resources. For a list of permissions, refer to [RBAC permissions actions and scopes]({{< relref "../../../../enterprise/access-control/manage-rbac-roles/rbac-fixed-basic-role-definitions/" >}}). If you do not know which permissions to assign, you can create and assign roles without any permissions as a placeholder. Using the `from` attribute, you can specify additional permissions or permissions to remove by adding a `state` to your permission list. |
1. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../../../enterprise/developers/http_api/admin/#reload-provisioning-configurations" >}}).
The following example creates a local role:
```yaml
# config file version
apiVersion: 2
roles:
- name: custom:users:writer
description: 'List, create, or update other users.'
version: 1
orgId: 1
permissions:
- action: 'users:read'
scope: 'global.users:*'
- action: 'users:write'
scope: 'global.users:*'
- action: 'users:create'
```
The following example creates a hidden global role. The `global: true` option creates a global role, and the `hidden: true` option hides the role from the role picker.
```yaml
# config file version
apiVersion: 2
roles:
- name: custom:users:writer
description: 'List, create, or update other users.'
version: 1
global: true
hidden: true
permissions:
- action: 'users:read'
scope: 'global.users:*'
- action: 'users:write'
scope: 'global.users:*'
- action: 'users:create'
```
The following example creates a global role based on other fixed roles. The `from` option contains the roles from which we want to
copy permissions. The permission `state: absent` option can be used to specify permissions to exclude from the copy.
```yaml
# config file version
apiVersion: 2
roles:
- name: custom:org.users:writer
description: 'List and remove other users from the organization.'
version: 1
global: true
from:
- name: 'fixed:org.users:reader'
global: true
- name: 'fixed:org.users:writer'
global: true
permissions:
- action: 'org.users:write'
scope: 'users:*'
state: 'absent'
- action: 'org.users:add'
scope: 'users:*'
state: 'absent'
```
### Create custom roles using the HTTP API
The following examples show you how to create a custom role using the Grafana HTTP API. For more information about the HTTP API, refer to [Create a new custom role]({{< relref "../../../../enterprise/developers/http_api/access_control/#create-a-new-custom-role" >}}).
> **Note:** You cannot create a custom role with permissions that you do not have. For example, if you only have `users:create` permissions, then you cannot create a role that includes other permissions.
The following example creates a `custom:users:admin` role and assigns the `users:create` action to it.
**Example request**
```
curl --location --request POST '<grafana_url>/api/access-control/roles/' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'Content-Type: application/json' \
--data-raw '{
"version": 1,
"uid": "jZrmlLCkGksdka",
"name": "custom:users:admin",
"displayName": "custom users admin",
"description": "My custom role which gives users permissions to create users",
"global": true,
"permissions": [
{
"action": "users:create"
}
]
}'
```
**Example response**
```
{
"version": 1,
"uid": "jZrmlLCkGksdka",
"name": "custom:users:admin",
"displayName": "custom users admin",
"description": "My custom role which gives users permissions to create users",
"global": true,
"permissions": [
{
"action": "users:create"
"updated": "2021-05-17T22:07:31.569936+02:00",
"created": "2021-05-17T22:07:31.569935+02:00"
}
],
"updated": "2021-05-17T22:07:31.564403+02:00",
"created": "2021-05-17T22:07:31.564403+02:00"
}
```
Refer to the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#create-a-new-custom-role" >}}) for more details.
## Update basic role permissions
If the default basic role definitions do not meet your requirements, you can change their permissions.
**Before you begin:**
- Determine the permissions you want to add or remove from a basic role. For more information about the permissions associated with basic roles, refer to [RBAC role definitions]({{< relref "../../../../enterprise/access-control/manage-rbac-roles/rbac-fixed-basic-role-definitions/#basic-role-assignments" >}}).
**To change permissions from a basic role:**
1. Open the YAML configuration file and locate the `roles` section.
1. Refer to the following table to add attributes and values.
| Attribute | Description |
| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `name` | The name of the basic role you want to update. You can specify a `uid` instead of a role name. The role `name` or the `uid` are required. |
| `orgId` | Identifies the organization to which the role belongs. `global` can be used instead to specify it's a global role. |
| `version` | Identifies the version of the role, which prevents overwriting newer changes. |
| `from` | List of roles from which to copy permissions. |
| `permissions > state` | The state of the permission. You can set it to `absent` to ensure it exclusion from the copy list. |
1. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../../../enterprise/developers/http_api/admin/#reload-provisioning-configurations" >}}).
The following example modifies the `Grafana Admin` basic role permissions.
- Permissions to list, grant, and revoke roles to teams are removed.
- Permission to read and write Grafana folders is added.
```yaml
# config file version
apiVersion: 2
roles:
- name: 'basic:grafana_admin'
global: true
version: 3
from:
- name: 'basic:grafana_admin'
global: true
permissions:
# Permissions to remove
- action: 'teams.roles:read'
scope: 'teams:*'
state: 'absent'
- action: 'teams.roles:remove'
scope: 'permissions:type:delegate'
state: 'absent'
- action: 'teams.roles:add'
scope: 'permissions:type:delegate'
state: 'absent'
# Permissions to add
- action: 'folders:read'
scope: 'folder:*'
- action: 'folders:write'
scope: 'folder:*'
```
> **Note**: You can add multiple `fixed`, `basic` or `custom` roles to the `from` section. Their permissions will be copied and added to the basic role.
> <br/> **Note**: Make sure to **increment** the role version for the changes to be accounted for.
You can also change basic roles' permissions using the API. Refer to the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#update-a-role" >}}) for more details.
## Reset basic roles to their default
This section describes how to reset the basic roles to their default:
1. Open the YAML configuration file and locate the `roles` section.
1. Grant the `action: "roles:write", scope: "permissions:type:escalate` permission to `Grafana Admin`. Note that this permission has not been granted to any basic roles by default, because users could acquire more permissions than they previously had through the basic role permissions reset.
```yaml
apiVersion: 2
roles:
- name: 'basic:grafana_admin'
global: true
version: 3
from:
- name: 'basic:grafana_admin'
global: true
permissions:
# Permission allowing to reset basic roles
- action: 'roles:write'
scope: 'permissions:type:escalate'
```
1. As a `Grafana Admin`, call the API endpoint to reset the basic roles to their default. Refer to the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#reset-basic-roles-to-their-default" >}}) for more details.
## Delete a custom role using Grafana provisioning
Delete a custom role when you no longer need it. When you delete a custom role, the custom role is removed from users and teams to which it is assigned.
**Before you begin:**
- Identify the role or roles that you want to delete.
- Ensure that you have access to the YAML configuration file.
**To delete a custom role:**
1. Open the YAML configuration file and locate the `roles` section.
1. Refer to the following table to add attributes and values.
| Attribute | Description |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| `name` | The name of the custom role you want to delete. You can specify a `uid` instead of a role name. The role `name` or the `uid` are required. |
| `orgId` | Identifies the organization to which the role belongs. |
| `state` | The state of the role set to `absent` to trigger its removal. |
| `force` | When set to `true`, the roles are removed even if there are existing assignments. |
1. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../../../enterprise/developers/http_api/admin/#reload-provisioning-configurations" >}}).
The following example deletes a custom role:
```yaml
# config file version
apiVersion: 2
roles:
- name: 'custom:reports:editor'
orgId: 1
state: 'absent'
force: true
```
You can also delete a custom role using the API. Refer to the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#delete-a-custom-role" >}}) for more details.

241
docs/sources/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy.md Normal file
View File

@@ -0,0 +1,241 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/plan-rbac-rollout-strategy/
- /docs/grafana/latest/enterprise/access-control/usage-scenarios/
description: Plan your RBAC rollout strategy before you begin assigning roles to users
and teams.
menuTitle: Plan your RBAC rollout strategy
title: Plan your Grafana RBAC rollout strategy
weight: 20
---
# Plan your RBAC rollout strategy
An RBAC rollout strategy helps you determine _how_ you want to implement RBAC prior to assigning RBAC roles to users and teams.
Your rollout strategy should help you answer the following questions:
- Should I assign basic roles to users, or should I assign fixed roles or custom roles to users?
- When should I create custom roles?
- To which entities should I apply fixed and custom roles? Should I apply them to users, teams? Should I modify the basic roles permissions instead?
- How do I roll out permissions in a way that makes them easy to manage?
- Which approach should I use when assigning roles? Should I use the Grafana UI, provisioning, or the API?
## Review basic role and fixed role definitions
As a first step in determining your permissions rollout strategy, we recommend that you become familiar with basic role and fixed role definitions. In addition to assigning fixed roles to any user and team, you can also modify basic roles permissions, which changes what a Viewer, Editor, or Admin can do. This flexibility means that there are many combinations of role assignments for you to consider. If you have a large number of Grafana users and teams, we recommend that you make a list of which fixed roles you might want to use.
To learn more about basic roles and fixed roles, refer to the following documentation:
- [Basic role definitions]({{< relref "../../../../enterprise/access-control/plan-rbac-rollout-strategy/rbac-fixed-basic-role-definitions/#basic-role-assignments" >}})
- [Fixed role definitions]({{< relref "../../../../enterprise/access-control/plan-rbac-rollout-strategy/rbac-fixed-basic-role-definitions/#fixed-role-definitions" >}})
## User and team considerations
RBAC is a flexible and powerful feature with many possible permissions assignment combinations available. Consider the follow guidelines when assigning permissions to users and teams.
- **Assign roles to users** when you have a one-off scenario where a small number of users require access to a resource or when you want to assign temporary access. If you have a large number of users, this approach can be difficult to manage as you scale your use of Grafana. For example, a member of your IT department might need the `fixed:licensing:reader` and `fixed:licensing:writer` roles so that they can manage your Grafana Enterprise license.
- **Assign roles to teams** when you have a subset of users that align to your organizational structure, and you want all members of the team to have the same level of access. For example, all members of a particular engineering team might need the `fixed:reports:reader` and `fixed:reports:writer` roles to be able to manage reports.
When you assign additional users to a team, the system automatically assigns permissions to those users.
### Authentication provider considerations
You can take advantage of your current authentication provider to manage user and team permissions in Grafana. When you map users and teams to SAML and LDAP groups, you can synchronize those assignments with Grafana.
For example:
1. Map SAML, LDAP, or Oauth roles to Grafana basic roles (viewer, editor, or admin).
2. Use the Grafana Enterprise team sync feature to synchronize teams from your SAML, LDAP, or Oauth provider to Grafana. For more information about team sync, refer to [Team sync]({{< relref "../../setup-grafana/configure-security/configure-team-sync/" >}}).
3. Within Grafana, assign RBAC permissions to users and teams.
## When to modify basic roles or create custom roles
Consider the following guidelines when you determine if you should modify basic roles or create custom roles.
- **Modify basic roles** when Grafana's definitions of what viewers, editors, and admins can do does not match your definition of these roles. You can add or remove permissions from any basic role.
> **Note:** Changes that you make to basic roles impact the role definition for all [organizations]({{< relref "../../../../enterprise/administration/manage-organizations/" >}}) in the Grafana instance. For example, when you add the `fixed:users:writer` role's permissions to the viewer basic role, all viewers in any org in the Grafana instance can create users within that org.
- **Create custom roles** when fixed role definitions don't meet you permissions requirements. For example, the `fixed:dashboards:writer` role allows users to delete dashboards. If you want some users or teams to be able to create and update but not delete dashboards, you can create a custom role with a name like `custom:dashboards:creator` that lacks the `dashboards:delete` permission.
## How to assign RBAC roles
Use any of the following methods to assign RBAC roles to users and teams.
- **Grafana UI:** Use the Grafana UI when you want to assign a limited number of RBAC roles to users and teams. The UI contains a role picker that you can use to select roles.
- **Grafana HTTP API:** Use the Grafana HTTP API if you would like to automate role assignment.
- **Terraform:** Use Terraform to assign and manage user and team role assignments if you use Terraform for provisioning.
- **Grafana provisioning:** Grafana provisioning provides a robust approach to assigning, removing, and deleting roles. Within a single YAML file you can include multiple role assignment and removal entries.
## Permissions scenarios
We've compiled the following permissions rollout scenarios based on current Grafana implementations.
> **Note:** If you have a use case that you'd like to share, feel free to contribute to this docs page. We'd love to hear from you!
### Provide internal viewer employees with the ability to use Explore, but prevent external viewer contractors from using Explore
1. In Grafana, create a team with the name `Internal employees`.
1. Assign the `fixed:datasources:querier` role to the `Internal employees` team.
1. Add internal employees to the `Internal employees` team, or map them from a SAML, LDAP, or Oauth team using [Team Sync]({{< relref "../../../../enterprise/setup-grafana/configure-security/configure-team-sync/" >}}).
1. Assign the viewer role to both internal employees and contractors.
### Limit viewer, editor, or admin permissions
1. Review the list of permissions associated with the basic role.
1. [Change the permissions of the basic role]({{< relref "../../../../enterprise/access-control/plan-rbac-rollout-strategy/manage-rbac-roles/#update-basic-role-permissions" >}}).
### Allow only members of one team to manage Alerts
1. Create an `Alert Managers` team, and assign that team all applicable Alerting fixed roles.
1. Add users to the `Alert Managers` team.
1. Remove all permissions with actions prefixed with `alert.` from the Viewer, Editor, and Admin basic roles.
### Provide dashboards to users in two or more geographies
1. Create a folder for each geography, for example, create a `US` folder and an `EU` folder.
1. Add dashboards to each folder.
1. Use folder permissions to add US-based users as Editors to the `US` folder and assign EU-based users as Editors to the `EU` folder.
### Create a custom role to access alerts in a specific folder
To see an alert rule in Grafana, the user must have read access to the folder that stores the alert rule, permission to read alerts in the folder, and permission to query all data sources that the rule uses.
The API command in this example is based on the following:
- A `Test-Folder` with ID `92`
- Two data sources: `DS1` with UID `_oAfGYUnk`, and `DS2` with UID `YYcBGYUnk`
- An alert rule that is stored in `Test-Folder` and queries the two data sources.
The following request creates a custom role that includes permissions to access the alert rule:
```
curl --location --request POST '<grafana_url>/api/access-control/roles/' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'Content-Type: application/json' \
--data-raw '{
"version": 1,
"name": "custom:alerts.reader.in.folder.123",
"displayName": "Read-only access to alerts in folder Test-Folder",
"description": "Let user query DS1 and DS2, and read alerts in folder Test-Folders",
"group":"Custom",
"global": true,
"permissions": [
{
"action": "folders:read",
"scope": "folders:uid:YEcBGYU22"
},
{
"action": "alert.rules:read",
"scope": "folders:uid:YEcBGYU22"
},
{
"action": "datasources:query",
"scope": "datasources:uid:_oAfGYUnk"
},
{
"action": "datasources:query",
"scope": "datasources:uid:YYcBGYUnk"
}
]
}'
```
### Enable an editor to create custom roles
By default, only a Grafana Server Admin can create and manage custom roles. If you want your `Editors` to do the same, [update the `Editor` basic role permissions]({{< ref "./manage-rbac-roles.md#update-basic-role-permissions" >}}). There are two ways to achieve this:
- Add the `fixed:roles:writer` role permissions to the `basic:editor` role using the `role > from` list of your provisioning file:
```yaml
apiVersion: 2
roles:
- name: 'basic:editor'
global: true
version: 3
from:
- name: 'basic:editor'
global: true
- name: 'fixed:roles:writer'
global: true
```
- Or add the following permissions to the `basic:editor` role, using provisioning or the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#update-a-role" >}}):
| action | scope |
| -------------- | --------------------------- |
| `roles:read` | `roles:*` |
| `roles:write` | `permissions:type:delegate` |
| `roles:delete` | `permissions:type:delegate` |
> **Note:** Any user or service account with the ability to modify roles can only create, update, or delete roles with permissions they have been granted. For example, a user with the `Editor` role would be able to create and manage roles only with the permissions they have or with a subset of them.
### Enable viewers to create reports
If you want your `Viewers` to create reports, [update the `Viewer` basic role permissions]({{< ref "./manage-rbac-roles.md#update-basic-role-permissions" >}}). There are two ways to achieve this:
- Add the `fixed:reports:writer` role permissions to the `basic:viewer` role using the `role > from` list of your provisioning file:
```yaml
apiVersion: 2
roles:
- name: 'basic:viewer'
global: true
version: 3
from:
- name: 'basic:viewer'
global: true
- name: 'fixed:reports:writer'
global: true
```
> **Note:** The `fixed:reports:writer` role assigns more permissions than just creating reports. For more information about fixed role permission assignments, refer to [Fixed role definitions]({{< relref "../../../../enterprise/access-control/plan-rbac-rollout-strategy/rbac-fixed-basic-role-definitions/#fixed-role-definitions" >}}).
- Add the following permissions to the `basic:viewer` role, using provisioning or the [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#update-a-role" >}}):
| Action | Scope |
| ---------------- | ------------------------------- |
| `reports:create` | n/a |
| `reports:write` | `reports:*` <br> `reports:id:*` |
| `reports:read` | `reports:*` |
| `reports:send` | `reports:*` |
### Prevent a Grafana Admin from creating and inviting users
To prevent a Grafana Admin from creating users and inviting them to join an organization, you must [update a basic role permissions]({{< ref "./manage-rbac-roles.md#update-basic-role-permissions" >}}).
The permissions to remove are:
| Action | Scope |
| --------------- | --------- |
| `users:create` | |
| `org.users:add` | `users:*` |
There are two ways to achieve this:
- Use the `role > from` list and `permission > state` option of your provisioning file:
```yaml
apiVersion: 2
roles:
- name: 'basic:editor'
global: true
version: 3
from:
- name: 'basic:editor'
global: true
permissions:
- action: 'users:create'
state: 'absent'
- action: 'org.users:add'
scope: 'users:*'
state: 'absent'
```
- Or use [RBAC HTTP API]({{< relref "../../../../enterprise/developers/http_api/access_control/#update-a-role" >}}).

93
docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md Normal file
View File

@@ -0,0 +1,93 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/fine-grained-access-control-references/
- /docs/grafana/latest/enterprise/access-control/rbac-fixed-basic-role-definitions/
description: This topic includes a table that lists permission associated with Grafana
fixed and basic roles.
menuTitle: RBAC role definitions
title: Grafana RBAC role definitions
weight: 70
---
# RBAC role definitions
The following tables list permissions associated with basic and fixed roles.
## Basic role assignments
| Basic role | Associated fixed roles | Description |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer` | Default [Grafana server administrator]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/about-users-and-permissions/#grafana-server-administrators" >}}) assignments. |
| Admin | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:reader`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:reader`<br>`fixed:dashboards.permissions:writer`<br>`fixed:folders:reader`<br>`fixes:folders:writer`<br>`fixed:folders.permissions:reader`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:apikeys:reader`<br>`fixed:apikeys:writer`<br>`fixed:alerting.provisioning:writer` | Default [Grafana organization administrator]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}) assignments. |
| Editor | `fixed:datasources:explorer`<br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled<br>`fixed:alerting:writer` | Default [Editor]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}) assignments. |
| Viewer | `fixed:datasources:id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader` | Default [Viewer]({{< relref "../../../../enterprise/administration/manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}) assignments. |
## Fixed role definitions
| Fixed role | Permissions | Description |
| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:alerting.instances:writer` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*` | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles) |
| `fixed:alerting.instances:reader` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*` | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles) |
| `fixed:alerting.notifications:writer` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles) |
| `fixed:alerting.notifications:reader` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting.rules:writer` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) |
| `fixed:alerting.rules:reader` | `alert.rule:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) |
| `fixed:alerting:writer` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer` | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting:reader` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader` | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting.provisioning:writer` | `alert.provisioning:read` and `alert.provisioning:write` | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles) |
| `fixed:annotations.dashboard:writer` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard` | Create, update and delete dashboard annotations and annotation tags. |
| `fixed:annotations:reader` | `annotations:read` for scopes `annotations:type:*` | Read all annotations and annotation tags. |
| `fixed:annotations:writer` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
| `fixed:apikeys:reader` | `apikeys:read` for scope `apikeys:*` | Read all api keys. |
| `fixed:apikeys:writer` | All permissions from `fixed:apikeys:reader` and <br> `apikeys:create` <br> `apikeys:delete` for scope `apikeys:*` | Read, create, delete all api keys. |
| `fixed:dashboards.permissions:reader` | `dashboards.permissions:read` | Read all dashboard permissions. |
| `fixed:dashboards.permissions:writer` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write` | Read and update all dashboard permissions. |
| `fixed:dashboards:creator` | `dashboards:create`<br>`folders:read` | Create dashboards. |
| `fixed:dashboards:reader` | `dashboards:read` | Read all dashboards. |
| `fixed:dashboards:writer` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:edit`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write` | Read, create, update, and delete all dashboards. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:datasources:explorer` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
| `fixed:datasources:id:reader` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources:reader` | `datasources:read`<br>`datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:folders.permissions:reader` | `folders.permissions:read` | Read all folder permissions. |
| `fixed:folders.permissions:writer` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write` | Read and update all folder permissions. |
| `fixed:folders:creator` | `folders:create` | Create folders. |
| `fixed:folders:reader` | `folders:read`<br>`dashboards:read` | Read all folders and dashboards. |
| `fixed:folders:writer` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write` | Read, create, update, and delete all folders and dashboards. |
| `fixed:ldap:reader` | `ldap.user:read`<br>`ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:ldap:writer` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:licensing:reader` | `licensing:read`<br>`licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | All permissions from `fixed:licensing:viewer` and <br>`licensing:write`<br>`licensing:delete` | Read licensing information and licensing reports, update and delete the license token. |
| `fixed:org.users:reader` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write` | Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:organization:maintainer` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write` | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| `fixed:organization:reader` | `orgs:read`<br>`orgs.quotas:read` | Read an organization and its quotas. |
| `fixed:organization:writer` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write` | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| `fixed:provisioning:writer` | `provisioning:reload` | Reload provisioning. |
| `fixed:reports:reader` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Read all reports and shared report settings. |
| `fixed:reports:writer` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:roles:reader` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read` | Read all access control roles, roles and permissions assigned to users, teams. |
| `fixed:roles:writer` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove` | Create, read, update, or delete all roles, assign or unassign roles to users, teams. |
| `fixed:roles:resetter` | `roles:write` with scope `permissions:type:escalate` | Reset basic roles to their default. |
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:creator` | `teams:create`<br>`org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |
| `fixed:users:reader` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`<br>` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users. |
### Alerting roles
If alerting is [enabled]({{< relref "../../../../enterprise/alerting/migrating-alerts/opt-out/" >}}), you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.
Access to Grafana alert rules is an intersection of many permissions:
- Permission to read a folder. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
- Permission to query **all** data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.
There is only one exclusion at this moment. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "../../../../enterprise/access-control/rbac-fixed-basic-role-definitions/plan-rbac-rollout-strategy/#create-a-custom-role-to-access-alerts-in-a-folder" >}}).

118
docs/sources/administration/roles-and-permissions/access-control/rbac-provisioning.md Normal file
View File

@@ -0,0 +1,118 @@
---
aliases:
- /docs/grafana/latest/enterprise/access-control/rbac-provisioning/
description: Learn about RBAC provisioning and view an example YAML provisioning file
that configures Grafana role assignments.
menuTitle: RBAC provisioning
title: Grafana RBAC provisioning
weight: 60
---
# Grafana RBAC provisioning
You can create, change or remove [Custom roles]({{< relref "../../../../enterprise/access-control/rbac-provisioning/manage-rbac-roles/#create-custom-roles-using-provisioning" >}}) and create or remove [basic role assignments]({{< relref "../../../../enterprise/access-control/rbac-provisioning/assign-rbac-roles/#assign-a-fixed-role-to-a-basic-role-using-provisioning" >}}), by adding one or more YAML configuration files in the `provisioning/access-control/` directory.
If you choose to use provisioning to assign and manage role, you must first enable it.
Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect.
**Before you begin:**
- Ensure that you have access to files on the server where Grafana is running.
**To manage and assign RBAC roles using provisioning:**
1. Sign in to the Grafana server.
2. Locate the Grafana provisioning folder.
3. Create a new YAML in the following folder: **provisioning/access-control**. For example, `provisioning/access-control/custom-roles.yml`
4. Add RBAC provisioning details to the configuration file. See [manage RBAC roles]({{< relref "../../../../enterprise/access-control/rbac-provisioning/manage-rbac-roles/" >}}) and [assign RBAC roles]({{< relref "../../../../enterprise/access-control/rbac-provisioning/assign-rbac-roles/" >}}) for instructions, and see this [example role provisioning file]({{< relref "../../../../enterprise/access-control/rbac-provisioning/rbac-provisioning/#example" >}}) for a complete example of a provisioning file.
5. Reload the provisioning configuration file.
For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../../../enterprise/developers/http_api/admin/#reload-provisioning-configurations" >}}).
## Example role configuration file using Grafana provisioning
The following example shows a complete YAML configuration file that:
- Create custom roles
- Delete custom roles
- Update basic roles permissions
- Assign roles to teams
- Revoke assignments of roles to teams
## Example
```yaml
---
# config file version
apiVersion: 2
# <list> list of roles to insert/update/delete
roles:
# <string, required> name of the role you want to create or update. Required.
- name: 'custom:users:writer'
# <string> uid of the role. Has to be unique for all orgs.
uid: customuserswriter1
# <string> description of the role, informative purpose only.
description: 'Create, read, write users'
# <int> version of the role, Grafana will update the role when increased.
version: 2
# <int> org id. Defaults to Grafana's default if not specified.
orgId: 1
# <list> list of the permissions granted by this role.
permissions:
# <string, required> action allowed.
- action: 'users:read'
#<string> scope it applies to.
scope: 'users:*'
- action: 'users:write'
scope: 'users:*'
- action: 'users:create'
- name: 'custom:global:users:reader'
# <bool> overwrite org id and creates a global role.
global: true
# <string> state of the role. Defaults to 'present'. If 'absent', role will be deleted.
state: 'absent'
# <bool> force deletion revoking all grants of the role.
force: true
- uid: 'basic_editor'
version: 2
global: true
# <list> list of roles to copy permissions from.
from:
- uid: 'basic_editor'
global: true
- name: 'fixed:users:writer'
global: true
# <list> list of the permissions to add/remove on top of the copied ones.
permissions:
- action: 'users:read'
scope: 'users:*'
- action: 'users:write'
scope: 'users:*'
# <string> state of the permission. Defaults to 'present'. If 'absent', the permission will be removed.
state: absent
# <list> list role assignments to teams to create or remove.
teams:
# <string, required> name of the team you want to assign roles to. Required.
- name: 'Users writers'
# <int> org id. Will default to Grafana's default if not specified.
orgId: 1
# <list> list of roles to assign to the team
roles:
# <string> uid of the role you want to assign to the team.
- uid: 'customuserswriter1'
# <int> org id. Will default to Grafana's default if not specified.
orgId: 1
# <string> name of the role you want to assign to the team.
- name: 'fixed:users:writer'
# <bool> overwrite org id to specify the role is global.
global: true
# <string> state of the assignment. Defaults to 'present'. If 'absent', the assignment will be revoked.
state: absent
```

126
docs/sources/administration/service-accounts/_index.md
View File

@@ -1,17 +1,137 @@
---
aliases:
- /docs/grafana/latest/administration/service-accounts/
- /docs/grafana/latest/administration/service-accounts/about-service-accounts/
- /docs/grafana/latest/administration/service-accounts/add-service-account-token/
- /docs/grafana/latest/administration/service-accounts/create-service-account/
- /docs/grafana/latest/administration/service-accounts/enable-service-accounts/
description: This page contains information about service accounts in Grafana
keywords:
- API keys
- Service accounts
menuTitle: Service accounts
title: Service accounts in Grafana
weight: 300
title: Service accounts
weight: 800
---
# Service accounts in Grafana
# Service accounts
You can use service accounts to run automated or compute workloads.
{{< section >}}
## About service accounts
A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. Create service accounts and tokens to authenticate applications like Terraform with the Grafana API.
> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature. To enable service accounts, refer to [Enable service accounts]({{< relref "enable-service-accounts/#" >}}) section. Service accounts will eventually replace [API keys]({{< relref "../api-keys/" >}}) as the primary way to authenticate applications that interact with Grafana.
A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to:
- Schedule reports for specific dashboards to be delivered on a daily/weekly/monthly basis
- Define alerts in your system to be used in Grafana
- Set up an external SAML authentication provider
- Interact with Grafana without signing in as a user
In [Grafana Enterprise]({{< relref "../../enterprise/" >}}), you can also use service accounts in combination with [role-based access control]({{< relref "../../enterprise/access-control/about-rbac/" >}}) to grant very specific permissions to applications that interact with Grafana.
> **Note:** Service accounts can only act in the organization they are created for. If you have the same task that is needed for multiple organizations, we recommend creating service accounts in each organization.
## Service account tokens
A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafana's HTTP API.
When you create a service account, you can associate one or more access tokens with it. You can use service access tokens the same way as API Keys, for example to access Grafana HTTP API programmatically.
You can create multiple tokens for the same service account. You might want to do this if:
- multiple applications use the same permissions, but you would like to audit or manage their actions separately.
- you need to rotate or replace a compromised token.
Service account access tokens inherit permissions from the service account.
## Service account benefits
The added benefits of service accounts to API keys include:
- Service accounts resemble Grafana users and can be enabled/disabled, granted specific permissions, and remain active until they are deleted or disabled. API keys are only valid until their expiry date.
- Service accounts can be associated with multiple tokens.
- Unlike API keys, service account tokens are not associated with a specific user, which means that applications can be authenticated even if a Grafana user is deleted.
- You can grant granular permissions to service accounts by leveraging [fine-grained access control]({{< relref "../../enterprise/access-control/" >}}). For more information about permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
## Enable service accounts in Grafana
Service accounts are available behind the `serviceAccounts` feature toggle, available in Grafana 8.5+.
You can enable service accounts by:
- modifying the Grafana configuration file, or
- configuring an environment variable
### Enable service accounts in the Grafana configuration file
This topic shows you how to enable service accounts by modifying the Grafana configuration file.
1. Sign in to the Grafana server and locate the configuration file. For more information about finding the configuration file, refer to LINK.
2. Open the configuration file and locate the [feature toggles section]({{< relref "../../setup-grafana/configure-grafana/#feature_toggles" >}}). Add `serviceAccounts` as a [feature_toggle]({{< relref "../../setup-grafana/configure-grafana/#feature_toggle" >}}).
```
[feature_toggles]
# enable features, separated by spaces
enable = serviceAccounts
```
1. Save your changes, Grafana should recognize your changes; in case of any issues we recommend restarting the Grafana server.
### Enable service accounts with an environment variable
This topic shows you how to enable service accounts by setting environment variables before starting Grafana.
Follow the instructions to [override configuration with environment variables]({{< relref "../../setup-grafana/configure-grafana/#override-configuration-with-environment-variables" >}}). Set the following environment variable: `GF_FEATURE_TOGGLES_ENABLE = serviceAccounts`.
> **Note:** Environment variables override configuration file settings.
## Create a service account in Grafana
A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. For more information about how you can use service accounts, refer to [About service accounts]({{< relref "about-service-accounts/#" >}}).
For more information about creating service accounts via the API, refer to [Create a service account in the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account" >}}).
### Before you begin
- Ensure you have added the feature toggle for service accounts `serviceAccounts`. For more information about adding the feature toggle, refer to [Enable service accounts]({{< relref "enable-service-accounts/#" >}}).
- Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
### To create a service account
1. Sign in to Grafana and hover your cursor over the Configuration (cog) icon in the sidebar.
1. Click **Service accounts**.
1. Click **New service account**.
1. Enter a **Display name**.
1. The display name must be unique as it determines the ID associated with the service account.
- We recommend that you use a consistent naming convention when you name service accounts. A consistent naming convention can help you scale and maintain service accounts in the future.
- You can change the display name at any time.
1. Click **Create service account**.
## Add a token to a service account in Grafana
A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafanas HTTP API. For more information about service accounts, refer to [About service accounts in Grafana]({{< relref "about-service-accounts/" >}}).
You can create a service account token using the Grafana UI or via the API. For more information about creating a service account token via the API, refer to [Create service account tokens using the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account-tokens" >}}).
### Before you begin
- Ensure you have added the `serviceAccounts` feature toggle to Grafana. For more information about adding the feature toggle, refer to [Enable service accounts]({{< relref "enable-service-accounts/#" >}}).
- Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
### To add a token to a service account
1. Sign in to Grafana, then hover your cursor over **Configuration** (the gear icon) in the sidebar.
1. Click **Service accounts**.
1. Click the service account to which you want to add a token.
1. Click **Add token**.
1. Enter a name for the token.
1. (recommended) Enter an expiry date and expiry date for the token or leave it on no expiry date option.
- The expiry date specifies how long you want the key to be valid.
- If you are unsure of an expiration date, we recommend that you set the token to expire after a short time, such as a few hours or less. This limits the risk associated with a token that is valid for a long time.
1. Click **Generate service account token**.

49
docs/sources/administration/service-accounts/about-service-accounts.md
View File

@@ -1,49 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/service-accounts/about-service-accounts/
description: This page contains detailed information about service accounts in Grafana
menuTitle: About service accounts
title: About service accounts
weight: 30
---
# About service accounts in Grafana
A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. Create service accounts and tokens to authenticate applications like Terraform with the Grafana API.
> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature. To enable service accounts, refer to [Enable service accounts]({{< relref "enable-service-accounts/#" >}}) section. Service accounts will eventually replace [API keys]({{< relref "../api-keys/" >}}) as the primary way to authenticate applications that interact with Grafana.
A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to:
- Schedule reports for specific dashboards to be delivered on a daily/weekly/monthly basis
- Define alerts in your system to be used in Grafana
- Set up an external SAML authentication provider
- Interact with Grafana without signing in as a user
In [Grafana Enterprise]({{< relref "../../enterprise/" >}}), you can also use service accounts in combination with [role-based access control]({{< relref "../../enterprise/access-control/about-rbac/" >}}) to grant very specific permissions to applications that interact with Grafana.
> **Note:** Service accounts can only act in the organization they are created for. If you have the same task that is needed for multiple organizations, we recommend creating service accounts in each organization.
---
## Service account tokens
A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafana's HTTP API.
When you create a service account, you can associate one or more access tokens with it. You can use service access tokens the same way as API Keys, for example to access Grafana HTTP API programmatically.
You can create multiple tokens for the same service account. You might want to do this if:
- multiple applications use the same permissions, but you would like to audit or manage their actions separately.
- you need to rotate or replace a compromised token.
Service account access tokens inherit permissions from the service account.
### Service accounts benefits
The added benefits of service accounts to API keys include:
- Service accounts resemble Grafana users and can be enabled/disabled, granted specific permissions, and remain active until they are deleted or disabled. API keys are only valid until their expiry date.
- Service accounts can be associated with multiple tokens.
- Unlike API keys, service account tokens are not associated with a specific user, which means that applications can be authenticated even if a Grafana user is deleted.
- You can grant granular permissions to service accounts by leveraging [fine-grained access control]({{< relref "../../enterprise/access-control/" >}}). For more information about permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#" >}}).

31
docs/sources/administration/service-accounts/add-service-account-token.md
View File

@@ -1,31 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/service-accounts/add-service-account-token/
description: This topic shows you how to add a token to a service account
menuTitle: Add a token to a service account
title: Add a token to a service account in Grafana
weight: 60
---
# Add a token to a service account in Grafana
A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafanas HTTP API. For more information about service accounts, refer to [About service accounts in Grafana]({{< relref "about-service-accounts/" >}}).
You can create a service account token using the Grafana UI or via the API. For more information about creating a service account token via the API, refer to [Create service account tokens using the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account-tokens" >}}).
## Before you begin
- Ensure you have added the `serviceAccounts` feature toggle to Grafana. For more information about adding the feature toggle, refer to [Enable service accounts]({{< relref "enable-service-accounts/#" >}}).
- Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#" >}}).
## To add a token to a service account
1. Sign in to Grafana, then hover your cursor over **Configuration** (the gear icon) in the sidebar.
1. Click **Service accounts**.
1. Click the service account to which you want to add a token.
1. Click **Add token**.
1. Enter a name for the token.
1. (recommended) Enter an expiry date and expiry date for the token or leave it on no expiry date option.
- The expiry date specifies how long you want the key to be valid.
- If you are unsure of an expiration date, we recommend that you set the token to expire after a short time, such as a few hours or less. This limits the risk associated with a token that is valid for a long time.
1. Click **Generate service account token**.

32
docs/sources/administration/service-accounts/create-service-account.md
View File

@@ -1,32 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/service-accounts/create-service-account/
description: How to create a service account in Grafana
keywords:
- Service accounts
menuTitle: Create a service account
title: Create a service account in Grafana
weight: 50
---
# Create a service account in Grafana
A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. For more information about how you can use service accounts, refer to [About service accounts]({{< relref "about-service-accounts/#" >}}).
For more information about creating service accounts via the API, refer to [Create a service account in the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account" >}}).
## Before you begin
- Ensure you have added the feature toggle for service accounts `serviceAccounts`. For more information about adding the feature toggle, refer to [Enable service accounts]({{< relref "enable-service-accounts/#" >}}).
- Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#" >}}).
## To create a service account
1. Sign in to Grafana and hover your cursor over the Configuration (cog) icon in the sidebar.
1. Click **Service accounts**.
1. Click **New service account**.
1. Enter a **Display name**.
1. The display name must be unique as it determines the ID associated with the service account.
- We recommend that you use a consistent naming convention when you name service accounts. A consistent naming convention can help you scale and maintain service accounts in the future.
- You can change the display name at any time.
1. Click **Create service account**.

44
docs/sources/administration/service-accounts/enable-service-accounts.md
View File

@@ -1,44 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/service-accounts/enable-service-accounts/
description: This topic shows you how to to enable the service accounts feature in
Grafana
keywords:
- Feature toggle
- Service accounts
menuTitle: Enable service accounts
title: Enable service accounts in Grafana
weight: 40
---
# Enable service accounts in Grafana
Service accounts are available behind the `serviceAccounts` feature toggle, available in Grafana 8.5+.
You can enable service accounts by:
- modifying the Grafana configuration file, or
- configuring an environment variable
## Enable service accounts in the Grafana configuration file
This topic shows you how to enable service accounts by modifying the Grafana configuration file.
1. Sign in to the Grafana server and locate the configuration file. For more information about finding the configuration file, refer to LINK.
2. Open the configuration file and locate the [feature toggles section]({{< relref "../../setup-grafana/configure-grafana/#feature_toggles" >}}). Add `serviceAccounts` as a [feature_toggle]({{< relref "../../setup-grafana/configure-grafana/#feature_toggle" >}}).
```
[feature_toggles]
# enable features, separated by spaces
enable = serviceAccounts
```
1. Save your changes, Grafana should recognize your changes; in case of any issues we recommend restarting the Grafana server.
## Enable service accounts with an environment variable
This topic shows you how to enable service accounts by setting environment variables before starting Grafana.
Follow the instructions to [override configuration with environment variables]({{< relref "../../setup-grafana/configure-grafana/#override-configuration-with-environment-variables" >}}). Set the following environment variable: `GF_FEATURE_TOGGLES_ENABLE = serviceAccounts`.
> **Note:** Environment variables override configuration file settings.

82
docs/sources/administration/stats-and-license/_index.md Normal file
View File

@@ -0,0 +1,82 @@
---
aliases:
- /docs/grafana/latest/administration/view-server/
- /docs/grafana/latest/admin/view-server-settings/
- /docs/grafana/latest/administration/view-server/view-server-settings/
- /docs/grafana/latest/admin/view-server-stats/
- /docs/grafana/latest/administration/view-server/view-server-stats/
description: How to view server settings in the Grafana UI
keywords:
- grafana
- configuration
- server
- settings
title: Stats and license
weight: 400
---
# View server statistics and license
This setting contains information about tools that Grafana Server Admins can use to learn more about their Grafana servers.
## View Grafana server settings
> Refer to [Role-based access control]({{< relref "../enterprise/access-control/" >}}) in Grafana Enterprise to understand how you can control access with RBAC permissions.
If you are a Grafana server administrator, use the Settings tab to view the settings that are applied to your Grafana server via the [Configuration]({{< relref "../setup-grafana/configure-grafana/#config-file-locations" >}}) file and any environmental variables.
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [About users and permissions]({{< relref "../server-administration/manage-users-and-permissions/about-users-and-permissions/" >}}).
### View server settings
1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
1. Hover your cursor over the **Server Admin** (shield) icon in the side menu and then click the **Settings** tab.
### Available settings
For a full list of server settings, refer to [Configuration]({{< relref "../setup-grafana/configure-grafana/" >}}).
## View Grafana server stats
> Refer to [Role-based access control]({{< relref "../enterprise/access-control/" >}}) in Grafana Enterprise to understand how you can control access with RBAC permissions.
If you are a Grafana server admin, then you can view useful statistics about your Grafana server in the Stats & Licensing tab.
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [About users and permissions]({{< relref "../server-administration/manage-users-and-permissions/about-users-and-permissions/" >}}).
### View server stats
1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
1. Hover your cursor over the **Server Admin** (shield) icon in the side menu and then click the **Stats & Licensing** tab.
### Available stats
The following statistics are displayed in the Stats tab:
- Total users
**Note:** Total users = Total admins + Total editors + Total viewers
- Total admins
- Total editors
- Total viewers
- Active users (seen last 30 days)
**Note:** Active users = Active admins + Active editors + Active viewers
- Active admins (seen last 30 days)
- Active editors (seen last 30 days)
- Active viewers (seen last 30 days)
- Active sessions
- Total dashboards
- Total orgs
- Total playlists
- Total snapshots
- Total dashboard tags
- Total starred dashboards
- Total alerts
### Counting users
If a user belongs to several organizations, then that user is counted once as a user in the highest organization role they are assigned, regardless of how many organizations the user belongs to.
For example, if Sofia is a Viewer in two organizations, an Editor in two organizations, and Admin in three organizations, then she would be reflected in the stats as:
- Total users 1
- Total admins 1

8
docs/sources/administration/manage-users-and-permissions/manage-teams/_index.md → docs/sources/administration/team-management/_index.md
View File

@@ -4,17 +4,17 @@ aliases:
- /docs/grafana/latest/manage-users/add-or-remove-user-from-team/
- /docs/grafana/latest/manage-users/create-or-remove-team/
- /docs/grafana/latest/manage-users/manage-teams/
title: Manage teams
weight: 600
title: Team management
weight: 400
---
# Manage teams
# Team management
A team is a group of users within an organization that have common dashboard and data source permission needs. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. A user can belong to multiple teams.
A user can be a Member or an Administrator for a given team. Members of a team inherit permissions from the team, but they cannot edit the team itself. Team Administrators can add members to a team and update its settings, such as the team name, team member's team roles, UI preferences, and home dashboard.
For more information about teams, refer to [Teams and permissions]({{< relref "../about-users-and-permissions/#teams-and-permissions" >}}).
For more information about teams, refer to [Teams and permissions]({{< relref "../roles-and-permissions/#teams-and-permissions" >}}).
## Create a team

4
docs/sources/administration/manage-users-and-permissions/_index.md → docs/sources/administration/user-management/_index.md
View File

@@ -1,11 +1,11 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/
title: Manage users and permissions
title: User management
weight: 200
---
# Manage users and permissions
# User management
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions for an administrator to create and delete users.

8
docs/sources/administration/manage-users-and-permissions/manage-dashboard-permissions/_index.md → docs/sources/administration/user-management/manage-dashboard-permissions/_index.md
View File

@@ -10,7 +10,7 @@ weight: 500
Dashboard and dasboard folder permissions enable you to grant a viewer the ability to edit and save dashboard changes, or limit an editor's permission to modify a dashboard.
For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../about-users-and-permissions/#dashboard-permissions" >}}).
For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../../roles-and-permissions/#dashboard-permissions" >}}).
## Grant dashboard folder permissions
@@ -19,7 +19,7 @@ When you grant user permissions for folders, that setting applies to all dashboa
### Before you begin
- Ensure you have organization administrator privileges
- Identify the dashboard folder permissions you want to modify and the users or teams to which you want to grant access. For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../about-users-and-permissions/#dashboard-permissions" >}}).
- Identify the dashboard folder permissions you want to modify and the users or teams to which you want to grant access. For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../../roles-and-permissions/#dashboard-permissions" >}}).
**To grant dashboard folder permissions**:
@@ -84,7 +84,7 @@ This modification is useful for public Grafana installations where you want anon
## Edit dashboard permissions
Edit dashboard permissions when you are want to enhance or restrict a user's access to a dashboard. For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../about-users-and-permissions/#dashboard-permissions" >}}).
Edit dashboard permissions when you are want to enhance or restrict a user's access to a dashboard. For more information about dashboard permissions, refer to [Dashboard permissions]({{< relref "../../roles-and-permissions/#dashboard-permissions" >}}).
### Before you begin
@@ -144,4 +144,4 @@ Dashboard permissions settings:
Result: You receive an error message that cannot override a higher permission with a lower permission in the same dashboard. User1 has administrator permissions.
> Refer to [Role-based access Control]({{< relref "../../../enterprise/access-control/" >}}) in Grafana Enterprise to understand how to use RBAC permissions to restrict access to dashboards, folders, administrative functions, and other resources.
> Refer to [Role-based access Control]({{< relref "../../roles-and-permissions/access-control/" >}}) in Grafana Enterprise to understand how to use RBAC permissions to restrict access to dashboards, folders, administrative functions, and other resources.

146
docs/sources/administration/user-management/manage-org-users/_index.md Normal file
View File

@@ -0,0 +1,146 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/
- /docs/grafana/latest/manage-users/org-admin/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/view-list-org-users/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/change-user-org-permissions/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/invite-user-join-org/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/manage-pending-invites/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-org-users/remove-user-from-org/
title: Manage users in an organization
weight: 400
---
# Manage users in an organization
Organization administrators can invite users to join their organization. Organization users have access to organization resources based on their role, which is **Admin**, **Editor**, or **Viewer**. Permissions associated with each role determine the tasks a user can perform in the system.
For more information about organization user permissions, refer to [Organization users and permissions]({{< relref "../../roles-and-permissions/#organization-users-and-permissions" >}}).
{{< section >}}
## View a list of organization users
You can see a list of users with accounts in your Grafana organization. If necessary, you can use the search field to filter the list.
### Before you begin
- Ensure you have organization administrator privileges
**To view a list of organization users**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
![Org Admin user list](/static/img/docs/manage-users/org-user-list-7-3.png)
> **Note:** If you have [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, you can also [view a global list of users]({{< relref "../../manage-users-and-permissions/manage-server-users/view-list-users/" >}}) in the Server Admin section of Grafana.
## Change a user's organization permissions
Update user permissions when you want to enhance or restrict a user's access to organization resources. For more information about organization permissions, refer to [Organization roles]({{< relref "../../roles-and-permissions/#organization-roles" >}}).
### Before you begin
- Ensure you have organization administrator privileges
**To change the organization role of a user**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Find the user account for which you want to change the role.
If necessary, use the search field to filter the list.
1. Locate the user on the list and in the **Role** column, click the user role.
1. Select the role that you want to assign.
1. Click **Update**.
> **Note:** If you have [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, you can also [change a user's organization permissions]({{< relref "../server-user-management/change-user-org-permissions/" >}}) in the Server Admin section.
## Invite a user to join an organization
When you invite users to join an organization, you assign the **Admin**, **Editor**, or **Viewer** role which controls user access to the dashboards and data sources owned by the organization. Users receive an email that prompts them to accept the invitation.
- If you know that the user already has access Grafana and you know their user name, then you issue an invitation by entering their user name.
- If the user is new to Grafana, then use their email address to issue an invitation. The system automatically creates the user account on first sign in.
> **Note:** If you have [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, you can also manually [add a user to an organization]({{< relref "../server-user-management/add-remove-user-to-org/" >}}).
### Before you begin
- Ensure you have organization administrator privileges.
- If the user already has access to Grafana, obtain their user name.
- Determine the permissions you want to assign to the user. For more information about organization permissions, refer to [Organization roles]({{< relref "../../roles-and-permissions/#organization-roles" >}}).
**To invite or add an existing user account to your organization**:
1. Sign in to Grafana as an organization administrator.
1. To switch to the organization to which you want to invite a user, hover your mouse over your profile and click **Switch organization** and select an organization.
> **Note**: It might be that you are currently in the proper organization and don't need to switch organizations.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Click **Invite**.
1. Enter the following information:
| Field | Description |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Email or username | Either the email or username that the user will use to sign in to Grafana. |
| Name | The user's name. |
| Role | Click the organization role to assign this user. For more information about organization roles, refer to [Organization roles]({{< relref "../../roles-and-permissions/#organization-roles" >}}).. |
| Send invite email | Switch to on if your organization has configured. The system sends an email to the user inviting them to sign in to Grafana and join the organization. Switch to off if you are not using email. The user can sign in to Grafana with the email or username you entered. |
1. Click **Submit**.
If the invitee is not already a user, the system adds them.
![Invite User](/static/img/docs/manage-users/org-invite-user-7-3.png).
## Manage a pending invitation
Periodically review invitations you have sent so that you can see a list of users that have not yet accepted the invitation or cancel a pending invitation.
> **Note:** The **Pending Invites** button is only visible if there are unanswered invitations.
### Before you begin
- Ensure you have organization administrator privileges
**To manage a pending invitation**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Click **Pending Invites**.
The **Pending Invites** button appears only when there are unaccepted invitations.
![Pending Invites button](/static/img/docs/manage-users/pending-invites-button-7-3.png)
To cancel an invitation, click the red **X** next to the invitation.
To copy an invitation link and send it directly to a user, click Copy Invite. You can then paste the invite link into a message.
![Pending Invites list](/static/img/docs/manage-users/pending-invites-list-7-3.png)
## Remove a user from an organization
You can remove a user from an organization when they no longer require access to the dashboard or data sources owned by the organization. No longer requiring access to an organization might occur when the user has left your company or has internally moved to another organization.
This action does not remove the user account from the Grafana server.
### Before you begin
- Ensure you have organization administrator privileges
**To remove a user from an organization**:
1. Sign in to Grafana as an organization administrator.
1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Users**.
1. Find the user account that you want to remove from the organization.
Use the search field to filter the list, if necessary.
1. Click the red **X** to remove the user from the organization.
> **Note:** If you have [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, you can also [remove a user from an organization]({{< relref "../server-user-management/add-remove-user-to-org/#remove-a-user-from-an-organization" >}}) on the Users page of the Server Admin section.

147
docs/sources/administration/user-management/server-user-management/_index.md Normal file
View File

@@ -0,0 +1,147 @@
---
aliases:
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/
- /docs/grafana/latest/manage-users/server-admin/
- /docs/grafana/latest/manage-users/server-admin/server-admin-manage-users/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/view-list-users/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/view-edit-user-account/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/view-user-account-details/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/add-user/
- /docs/grafana/latest/administration/manage-users-and-permissions/manage-server-users/force-user-logout/
title: Server user management
weight: 100
---
# Server user management
A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system.
If you have [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions in Grafana, you can manage all users for a Grafana instance in the Server Admin section:
{{< section >}}
If you have [organization administrator]({{< relref "../../roles-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, refer to [Manage users in a organization]({{< relref "../manage-org-users/" >}}).
For more information about users and permissions, refer to [About users and permissions]({{< relref "../../roles-and-permissions/" >}}). For more information about managing users in general, see [User management]({{< relref "../" >}}).
## View a list of users
You can see a list of users with accounts on your Grafana server. This action might be useful when you want to know which role you assigned to each user.
### Before you begin
- Ensure you have Grafana server administrator privileges
**To view a list of users**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
![Server Admin user list](/static/img/docs/manage-users/server-user-list-7-3.png)
> **Note:** If you have [organization administrator]({{< relref "../../roles-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, you can still [view of list of users in a given organization]({{< relref "../../manage-users-and-permissions/manage-org-users/view-list-org-users/" >}}).
## View user details
View user details when you want to see login, and organizations and permissions settings associated with a user.
### Before you begin:
- Ensure you have Grafana server administrator privileges
**To view user details**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click a user.
A user account contains the following sections.
#### User information
This section contains basic user information, which users can update.
![Server Admin user information section](/static/img/docs/manage-users/server-admin-user-information-7-3.png)
#### Permissions
This indicates whether the user account has the Grafana administrator flag applied. If the flag is set to **Yes**, then the user is a Grafana server administrator.
![Server Admin Permissions section](/static/img/docs/manage-users/server-admin-permissions-7-3.png)
#### Organisations
This section lists the organizations the user belongs to and their assigned role.
![Server Admin Organizations section](/static/img/docs/manage-users/server-admin-organisations-7-3.png)
#### Sessions
This section includes recent user sessions and information about the time the user logged in and they system they used. You can force logouts, if necessary.
![Server Admin Sessions section](/static/img/docs/manage-users/server-admin-sessions-7-3.png)
## Edit a user account
Edit a user account when you want to modify user login credentials, or delete, disable, or enable a user.
### Before you begin
- Ensure you have Grafana server administrator privileges
**To edit a user account**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click a user.
1. Complete any of the following actions, as necessary.
| Action | Description |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Update name, email, or username | **Is the user notified of these changes?**. Click **Save** after you make a change. |
| Change the user's password | The new password must be at least four characters long. Click **Save** after you make a change. |
| Delete a user | This action permanently removes the user from the Grafana server. The user can no longer sign in after you make this change. |
| Disable user account | This action prevents a user from signing in with this account, but does not delete the account. You might disable an account if a colleague goes on sabbatical. |
| Enable a user account | This action enables a user account. |
## Add a user
Add users when you want to manually provide individuals with access to Grafana.
When you create a user using this method, you must create their password. The user does not receive a notification by email. To invite a user to Grafana and allow them to create their own password, [invite a user to join an organization]({{< relref "../../manage-users-and-permissions/manage-org-users/invite-user-join-org/" >}}).
When you configure advanced authentication using Oauth, SAML, LDAP, or the Auth proxy, users are created automatically.
### Before you begin
- Ensure that you have Grafana server administrator privileges
**To add a user**:
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click **New user**.
1. Complete the fields and click **Create user**.
When you create a user, the system assigns the user viewer permissions in a default organization, which you can change. You can now [add a user to a second organization]({{< relref "add-remove-user-to-org/" >}}).
> **Note:** If you have [organization administrator]({{< relref "../../roles-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../../roles-and-permissions/#grafana-server-administrators" >}}) permissions, you can still add users by [inviting a user to join an organization]({{< relref "../../manage-users-and-permissions/manage-org-users/invite-user-join-org/" >}}).
## Force a user to log out of Grafana
If you suspect a user account is compromised or is no longer authorized to access the Grafana server, then you can force the user to log out of Grafana.
The force logout action can apply to one device that is logged in to Grafana, or all devices logged in to Grafana.
### Before you begin
- Ensure you have Grafana server administrator privileges
1. Sign in to Grafana as a server administrator.
1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears, and click **Users**.
1. Click a user.
1. Scroll down to the **Sessions** section.
1. Perform one of the following actions:
- Click **Force logout** next to the session entry that you want logged out of Grafana.
- Click **Force logout from all devices**.
1. Confirm the logout.

10
docs/sources/administration/manage-users-and-permissions/manage-server-users/add-remove-user-to-org.md → docs/sources/administration/user-management/server-user-management/add-remove-user-to-org.md
View File

@@ -14,8 +14,8 @@ You are required to specify an Admin role for each organization. The first user
## Before you begin
- [Create an organization]({{< relref "../../manage-organizations/" >}})
- [Add a user]({{< relref "add-user/" >}}) to Grafana
- [Create an organization]({{< relref "../../../manage-users-and-permissions/manage-organizations/" >}})
- [Add a user]({{< relref "../../../manage-users-and-permissions/manage-server-users/add-remove-user-to-org/add-user/" >}}) to Grafana
- Ensure you have Grafana server administrator privileges
**To add a user to an organization**:
@@ -26,13 +26,13 @@ You are required to specify an Admin role for each organization. The first user
1. In the **Organizations** section, click **Add user to organization**.
1. Select an organization and a role.
For more information about user permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles" >}}).
For more information about user permissions, refer to [Organization roles]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#organization-roles" >}}).
1. Click **Add to organization**.
The next time the user signs in, they will be able to navigate to their new organization using the Switch Organizations option in the user profile menu.
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can still [invite a user to join an organization]({{< relref "../manage-org-users/invite-user-join-org/" >}}).
> **Note:** If you have [organization administrator]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can still [invite a user to join an organization]({{< relref "../../../manage-users-and-permissions/manage-server-users/manage-org-users/invite-user-join-org/" >}}).
# Remove a user from an organization
@@ -50,4 +50,4 @@ Remove a user from an organization when they no longer require access to the das
1. In the **Organization** section, click **Remove from organization** next to the organization from which you want to remove the user.
1. Click **Confirm removal**.
> **Note:** If you have [organization administrator]({{< relref "../about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can still [remove a user from an organization]({{< relref "../manage-org-users/remove-user-from-org/" >}}) in the Users section of organization configuration.
> **Note:** If you have [organization administrator]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#organization-roles" >}}) permissions and _not_ [server administrator]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#grafana-server-administrators" >}}) permissions, you can still [remove a user from an organization]({{< relref "../../../manage-users-and-permissions/manage-server-users/manage-org-users/remove-user-from-org/" >}}) in the Users section of organization configuration.

4
docs/sources/administration/manage-users-and-permissions/manage-server-users/assign-remove-server-admin-privileges.md → docs/sources/administration/user-management/server-user-management/assign-remove-server-admin-privileges.md
View File

@@ -7,13 +7,13 @@ weight: 20
# Assign or remove Grafana server administrator privileges
Grafana server administrators are responsible for creating users, organizations, and managing permissions. For more information about the server administration role, refer to [Grafana server administrators]({{< relref "../about-users-and-permissions/#grafana-server-administrators" >}}).
Grafana server administrators are responsible for creating users, organizations, and managing permissions. For more information about the server administration role, refer to [Grafana server administrators]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#grafana-server-administrators" >}}).
> **Note:** Server administrators are "super-admins" with full permissions to create, read, update, and delete all resources and users in all organizations, as well as update global settings such as licenses. Only grant this permission to trusted users.
## Before you begin
- [Add a user]({{< relref "add-user/" >}})
- [Add a user]({{< relref "../../../manage-users-and-permissions/manage-server-users/assign-remove-server-admin-privileges/add-user/" >}})
- Ensure you have Grafana server administrator privileges
**To assign or remove Grafana administrator privileges**:

4
docs/sources/administration/manage-users-and-permissions/manage-server-users/change-user-org-permissions.md → docs/sources/administration/user-management/server-user-management/change-user-org-permissions.md
View File

@@ -7,11 +7,11 @@ weight: 50
# Change a user's organization permissions
Update organization permissions when you want to enhance or restrict a user's access to organization resources. For more information about organization permissions, refer to [Organization roles]({{< relref "../about-users-and-permissions/#organization-roles" >}}).
Update organization permissions when you want to enhance or restrict a user's access to organization resources. For more information about organization permissions, refer to [Organization roles]({{< relref "../../../manage-users-and-permissions/manage-server-users/about-users-and-permissions/#organization-roles" >}}).
## Before you begin
- [Add a user to an organization]({{< relref "add-remove-user-to-org/" >}})
- [Add a user to an organization]({{< relref "../../../manage-users-and-permissions/manage-server-users/change-user-org-permissions/add-remove-user-to-org/" >}})
- Ensure you have Grafana server administrator privileges
**To change a user's organization permissions**:

0
docs/sources/administration/manage-users-and-permissions/manage-server-users/force-user-logout.md → docs/sources/administration/user-management/server-user-management/force-user-logout.md
View File

4
docs/sources/administration/manage-users-and-permissions/manage-server-users/grant-editor-admin-permissions.md → docs/sources/administration/user-management/server-user-management/grant-editor-admin-permissions.md
View File

@@ -13,8 +13,8 @@ This setting can be used to enable self-organizing teams to administer their own
When `editors_can_admin` is enabled:
- Users with the Editor role in an organization are Administrators for new dashboards and folders they create, meaning they can edit dashboard permissions. To learn more about dashboard permissions, refer to [Manage dashboard permissions]({{< relref "../manage-dashboard-permissions/" >}}).
- Users with the Editor role in an organization can create teams, and they are Administrators of the teams they create. To learn more about team permissions, refer to [Manage teams]({{< relref "../manage-teams/" >}})
- Users with the Editor role in an organization are Administrators for new dashboards and folders they create, meaning they can edit dashboard permissions. To learn more about dashboard permissions, refer to [Manage dashboard permissions]({{< relref "../../../manage-users-and-permissions/manage-server-users/manage-dashboard-permissions/" >}}).
- Users with the Editor role in an organization can create teams, and they are Administrators of the teams they create. To learn more about team permissions, refer to [Manage teams]({{< relref "../../../manage-users-and-permissions/manage-server-users/manage-teams/" >}})
> **Note**: If you use Grafana Enterprise and customize users' permissions using RBAC, the RBAC permissions override the functionality enabled by the `editors_can_admin` flag.

6
docs/sources/administration/manage-user-preferences/_index.md → docs/sources/administration/user-management/user-preferences/_index.md
View File

@@ -22,7 +22,7 @@ You can also view important information about your account, such as the organiza
You can change your Grafana password at any time.
> **Note**: If your Grafana instance uses an <!--[external authentication provider]({{< relref "../../setup-grafana/configure-security/configure-authentication/" >}})--> external authentication provider, then you might not be able to change your password in Grafana. Contact your Grafana administrator for more information.
> **Note**: If your Grafana instance uses an <!--[external authentication provider]({{< relref "../../../setup-grafana/configure-security/configure-authentication/" >}})--> external authentication provider, then you might not be able to change your password in Grafana. Contact your Grafana administrator for more information.
**To change your password**:
@@ -47,7 +47,7 @@ Your profile includes your name, user name, and email address, which you can upd
## Edit your preferences
You can choose the way you would like data to appear in Grafana, including the UI theme, home dashboard, timezone, and first day of the week. You can set these preferences for your own account, for a team, for an organization, or Grafana-wide using configuration settings. Your user preferences take precedence over team, organization, and Grafana default preferences. For more information, see [Grafana preferences]({{< relref "../preferences/" >}}).
You can choose the way you would like data to appear in Grafana, including the UI theme, home dashboard, timezone, and first day of the week. You can set these preferences for your own account, for a team, for an organization, or Grafana-wide using configuration settings. Your user preferences take precedence over team, organization, and Grafana default preferences. For more information, see [Grafana preferences]({{< relref "../../organization-preferences/" >}}).
- **UI theme** determines whether Grafana appears in light mode or dark mode. By default, UI theme is set to dark mode.
- **Home dashboard** refers to the dashboard you see when you sign in to Grafana. By default, this is set to the Home dashboard.
@@ -81,7 +81,7 @@ Every user is a member of at least one organization. You can have different role
1. Hover your cursor over the user icon in the lower-left corner of the page and click **Preferences**.
1. Scroll down to the **Organizations** section and review the following information:
- **Name**: The name of the organizations of which you are a member.
- **Role**: The role to which you are assigned in the organization. For more information about roles and permissions, refer to [Organization users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/#organization-users-and-permissions" >}}).
- **Role**: The role to which you are assigned in the organization. For more information about roles and permissions, refer to [Organization users and permissions]({{< relref "../../roles-and-permissions/#organization-users-and-permissions" >}}).
- **Current**: Grafana indicates the organization that you are currently signed into as _Current_. If you are a member of multiple organizations, you can click **Select** to switch to that organization.
## View your Grafana sessions

10
docs/sources/administration/view-server/_index.md
View File

@@ -1,10 +0,0 @@
---
aliases:
- /docs/grafana/latest/administration/view-server/
title: View server
weight: 100
---
# View server information
This setting contains information about tools that Grafana Server Admins can use to learn more about their Grafana servers.

30
docs/sources/administration/view-server/view-server-settings.md
View File

@@ -1,30 +0,0 @@
---
aliases:
- /docs/grafana/latest/admin/view-server-settings/
- /docs/grafana/latest/administration/view-server/view-server-settings/
description: How to view server settings in the Grafana UI
keywords:
- grafana
- configuration
- server
- settings
title: View server settings
weight: 300
---
# View Grafana server settings
> Refer to [Role-based access control]({{< relref "../../enterprise/access-control/" >}}) in Grafana Enterprise to understand how you can control access with RBAC permissions.
If you are a Grafana server administrator, use the Settings tab to view the settings that are applied to your Grafana server via the [Configuration]({{< relref "../../setup-grafana/configure-grafana/#config-file-locations" >}}) file and any environmental variables.
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/" >}}).
## View server settings
1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
1. Hover your cursor over the **Server Admin** (shield) icon in the side menu and then click the **Settings** tab.
## Available settings
For a full list of server settings, refer to [Configuration]({{< relref "../../setup-grafana/configure-grafana/" >}}).

56
docs/sources/administration/view-server/view-server-stats.md
View File

@@ -1,56 +0,0 @@
---
aliases:
- /docs/grafana/latest/admin/view-server-stats/
- /docs/grafana/latest/administration/view-server/view-server-stats/
keywords:
- grafana
- server
- statistics
title: View server stats
weight: 400
---
# View Grafana server stats
> Refer to [Role-based access control]({{< relref "../../enterprise/access-control/" >}}) in Grafana Enterprise to understand how you can control access with RBAC permissions.
If you are a Grafana server admin, then you can view useful statistics about your Grafana server in the Stats & Licensing tab.
> **Note:** Only Grafana server administrators can access the **Server Admin** menu. For more information about about administrative permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions/" >}}).
## View server stats
1. Log in to your Grafana server with an account that has the Grafana Admin flag set.
1. Hover your cursor over the **Server Admin** (shield) icon in the side menu and then click the **Stats & Licensing** tab.
## Available stats
The following statistics are displayed in the Stats tab:
- Total users
**Note:** Total users = Total admins + Total editors + Total viewers
- Total admins
- Total editors
- Total viewers
- Active users (seen last 30 days)
**Note:** Active users = Active admins + Active editors + Active viewers
- Active admins (seen last 30 days)
- Active editors (seen last 30 days)
- Active viewers (seen last 30 days)
- Active sessions
- Total dashboards
- Total orgs
- Total playlists
- Total snapshots
- Total dashboard tags
- Total starred dashboards
- Total alerts
## Counting users
If a user belongs to several organizations, then that user is counted once as a user in the highest organization role they are assigned, regardless of how many organizations the user belongs to.
For example, if Sofia is a Viewer in two organizations, an Editor in two organizations, and Admin in three organizations, then she would be reflected in the stats as:
- Total users 1
- Total admins 1