Alerting docs: adds silence RBAC 11.1 (#89176)

* Alerting docs: adds silence RBAC 11.1

* ran prettier

* Improve docs with new rule-specific silence RBAC information

* Apply suggestions from code review

Co-authored-by: Jack Baldry <jack.baldry@grafana.com>

* Apply suggestions from code review

Co-authored-by: Jack Baldry <jack.baldry@grafana.com>

* prettier

---------

Co-authored-by: Matt Jacobson <matthew.jacobson@grafana.com>
Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
brendamuir 2024-06-27 10:10:34 +02:00 committed by Ryan McKinley
parent 1aeceb9d9a
commit e09c1c7515
5 changed files with 45 additions and 23 deletions

View File

@ -47,7 +47,7 @@ The following list contains role-based access control actions.
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read general and rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
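Review bot: the new `alert.silences:read` wording, "Read all general silences and rule-specific silences in a folder and its subfolders", can be parsed as scoping the general silences to the folder as well, which contradicts the "Read access to all general silences" granted regardless of folder elsewhere in this change. Suggest splitting the clauses: "Read all general silences, and read rule-specific silences in a folder and its subfolders." The `alert.silences:create` and `alert.silences:write` rows have the mirror-image problem: they name only rule-specific silences and leave the reader to infer that a folder-scoped grant never covers general silences; one sentence above the table stating that general silences are not folder-scoped would close that gap.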

View File

@ -93,6 +93,15 @@ To remove a silence, complete the following steps.
> **Note:** You cannot remove a silence manually. Silences that have ended are retained and listed for five days.
## Rule-specific silences
Rule-specific silences are silences that apply only to a specific alert rule.
They're created when you silence an alert rule directly using the **Silence notifications** action in the UI.
{{< admonition type="note" >}}
As opposed to general silences, rule-specific silence access is tied directly to the alert rule they act on. They can be created manually by including the specific label matcher: `__alert_rule_uid__=<alert rule UID>`.
{{< /admonition >}}
## Useful links
[Aggregation operators](https://prometheus.io/docs/prometheus/latest/querying/operators/#aggregation-operators)
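Review bot: the admonition says rule-specific silence access is "tied directly to the alert rule they act on" and that such a silence can be created manually with the `__alert_rule_uid__=<alert rule UID>` matcher, but it does not say what that means in permission terms: the silence is evaluated against the folder of the rule identified by the UID, so the caller needs silence write permissions (or folder Edit, per the access-control tables in this change) on that rule's folder, not on any folder. Stating that explicitly also settles the case of a silence that carries the `__alert_rule_uid__` matcher together with other label matchers, which a reader could otherwise assume is treated as a general silence. Minor wording: "As opposed to general silences" reads better as "Unlike general silences", and the sentence before the admonition ("They're created when you silence an alert rule directly using the **Silence notifications** action") should say "automatically created", since the admonition then adds a manual path.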

View File

@ -45,7 +45,7 @@ Grafana Alerting has the following permissions.
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read general and rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
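Review bot: this table duplicates the one in the first file of this change, and the two copies have already diverged in unchanged context: the `alert.rules:read` row here omits the "and `datasources:query` in the scope of data sources the user can query" clause that the other copy carries, and the provisioning row says "data source" here versus "datasource" there. Since the same `alert.silences:read` wording fix lands in both files, consider a shared snippet, or at least align the two `alert.rules:read` rows now so the next permission change does not have to be made twice.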

View File

@ -18,22 +18,37 @@ weight: 200
## Manage access using folders or data sources
You can further customize access for alert rules by assigning permissions to individual folders or data sources, regardless of role assigned.
You can extend the access provided by a role to alert rules and rule-specific silences by assigning permissions to individual folders or data sources.
{{< admonition type="note" >}}
Data source query permissions are required to create or modify an alert rule using that data source.
{{< /admonition >}}
This allows different users, teams, or service accounts to have customized access to modify or silence alert rules in specific folders or using specific data sources.
Details on the additional access provided by folder permissions are below.
| Folder permission | Additional Access |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| View | Read access to all general silences. Read access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| Edit | View access and write access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| Admin | Same additional access as Edit. |
Some example combinations:
| Role | Folder permission | Access |
| ------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| No Basic Role | - | None. No access to alert rules or rule-specific silences in the folder. |
| No Basic Role | View | Read access to all general silences. Read access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| No Basic Role | Edit | Above access and write access to alert rules (given necessary data source query permissions) and their rule-specific silences _only_ in the given folder and subfolders. |
| Viewer | - | Read access to alert rules and silences in all folders. |
| Viewer | Edit | Read access to alert rules and silences in all folders. Write access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| Editor | View | Read and write access to alert rules and silences in all folders. Access can only be extended. |
{{< admonition type="note" >}}
You can't use folders to customize access to notification resources.
{{< /admonition >}}
Details of how role access can combine with folder permissions for Grafana Alerting are below.
| Role | Folder | Access |
| ------ | ------ | ---------------------------------------------------------------------------------------- |
| Admin | - | Write access to alert rules in all folders. |
| Editor | - | Write access to alert rules in all folders. |
| Viewer | Admin | Write access to alert rules **only** in the folders where the Admin permission is added. |
| Viewer | Edit | Write access to alert rules **only** in the folders where the Edit permission is added. |
| Viewer | View | Read access to alert rules in all folders. |
## Folder permissions
To manage folder permissions, complete the following steps.
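Review bot: in the example-combinations table, the "No Basic Role | Edit" row begins "Above access and write access...", which only works when the rows are read in order; restate it as "View access plus write access..." so it matches the "Edit" row of the folder-permission table and stands on its own. Two further points: the "Editor | View" row's "Access can only be extended" is the only place the rule that folder permissions never reduce a role's access is stated, and that rule belongs in the prose before the tables rather than inside one cell; and the "Admin | Same additional access as Edit" row reads as if the two permissions are interchangeable, so it should say what, if anything, folder Admin adds beyond Edit, since that is what a reader granting it to a team is deciding on. Finally, the heading and first paragraph promise customization "using folders or data sources", but the only data-source content is the admonition; either add a row describing what `datasources:query` adds to a folder grant or link to where that is documented.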

View File

@ -42,19 +42,17 @@ To assign roles, admins need to complete the following steps.
## Manage access using folder permissions
You can further customize access for alert rules by assigning permissions to individual folders.
You can extend the access provided by a role to alert rules and rule-specific silences by assigning permissions to individual folders.
This prevents every user from having access to modify all alert rules and gives them access to the folders with the alert rules they're working on.
This allows different users, teams, or service accounts to have customized access to modify or silence alert rules in specific folders.
Details on the adding folder permissions as well as roles and the access that provides for Grafana Alerting is below.
Refer to the following table for details on the additional access provided by folder permissions:
| Role | Folder permission | Access |
| ------ | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| Admin | - | Write access to alert rules in all folders. |
| Editor | - | Write access to alert rules in all folders. |
| Viewer | Admin | Read access to alert rules in all folders. Write access to alert rules **only** in the folders where the Admin permission is added. |
| Viewer | Editor | Read access to alert rules in all folders. Write access to alert rules **only** in the folders where the Editor permission is added. |
| Viewer | Viewer | Read access to alert rules in all folders. |
| Folder permission | Additional Access |
| ----------------- | ------------------------------------------------------------------------------------------------------- |
| View | No additional access: all permissions already contained in Viewer role. |
| Edit | Write access to alert rules and their rule-specific silences _only_ in the given folder and subfolders. |
| Admin | Same additional access as Edit. |
{{< admonition type="note" >}}
You can't use folders to customize access to notification resources.
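Review bot: the "View | No additional access: all permissions already contained in Viewer role" row assumes every user on this page already holds at least the Viewer basic role; the other access-control file in this change lists "No Basic Role" combinations, where folder View does add read access. If this page covers a deployment where a basic role is guaranteed, say so in the paragraph above the table; otherwise the row is wrong for users without one. Also, the removed sentence "This prevents every user from having access to modify all alert rules and gives them access to the folders with the alert rules they're working on" was the least-privilege motivation for folder permissions, and the replacement "This allows different users, teams, or service accounts to have customized access" drops it; keeping one sentence on limiting write access to the folders a user actually works in would preserve that rationale.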