grafana/docs/sources/enterprise/access-control/rbac-fixed-basic-role-definitions.md

title, menuTitle, description, aliases, weight

title	menuTitle	description	aliases	weight
RBAC role definitions	RBAC role definitions	This topic includes a table that lists permission associated with Grafana fixed and basic roles.	/docs/grafana/latest/enterprise/access-control/fine-grained-access-control-references/	70

RBAC role definitions

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

Basic role	Associated fixed roles	Description
Grafana Admin	fixed:roles:reader fixed:roles:writer fixed:users:reader fixed:users:writer fixed:org.users:reader fixed:org.users:writer fixed:ldap:reader fixed:ldap:writer fixed:stats:reader fixed:settings:reader fixed:settings:writer fixed:provisioning:writer fixed:organization:reader fixed:organization:maintainer fixed:licensing:reader fixed:licensing:writer	Default [Grafana server administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) assignments.
Admin	fixed:reports:reader fixed:reports:writer fixed:datasources:reader fixed:datasources:writer fixed:organization:writer fixed:datasources.permissions:reader fixed:datasources.permissions:writer fixed:teams:writer fixed:dashboards:reader fixed:dashboards:writer fixed:dashboards.permissions:reader fixed:dashboards.permissions:writer fixed:folders:reader fixes:folders:writer fixed:folders.permissions:reader fixed:folders.permissions:writer fixed:alerting:editor fixed:apikeys:reader fixed:apikeys:writer	Default [Grafana organization administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments.
Editor	fixed:datasources:explorer fixed:dashboards:creator fixed:folders:creator fixed:annotations:writer fixed:teams:creator if the editors_can_admin configuration flag is enabled fixed:alerting:editor	Default [Editor]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments.
Viewer	fixed:datasources:id:reader fixed:organization:reader fixed:annotations:reader fixed:annotations.dashboard:writer fixed:alerting:reader	Default [Viewer]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments.

Fixed role definitions

Fixed role	Permissions	Description
fixed:alerting.instances:editor	All permissions from fixed:alerting.instances:reader and alert.instances:create alert.instances:update for organization scope alert.instances.external:write for scope datasources:*	Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.*
fixed:alerting.instances:reader	alert.instances:read for organization scope alert.instances.external:read for scope datasources:*	Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.*
fixed:alerting.notifications:editor	All permissions from fixed:alerting.notifications:reader and alert.notifications:create alert.notifications:update alert.notifications:delete for organization scope alert.notifications.external:read for scope datasources:*	Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.*
fixed:alerting.notifications:reader	alert.notifications:read for organization scope alert.notifications.external:read for scope datasources:*	Read all Grafana and Alertmanager contact points, templates, and notification policies.*
fixed:alerting.rules:editor	All permissions from fixed:alerting.rules:reader and alert.rule:create alert.rule:update alert.rule:delete for scope folders:* alert.rules.external:write for scope datasources:*	Create, update, and delete all* Grafana, Mimir, and Loki alert rules.*
fixed:alerting.rules:reader	alert.rule:read for scope folders:* alert.rules.external:read for scope datasources:*	Read all* Grafana, Mimir, and Loki alert rules.*
fixed:alerting:editor	All permissions from fixed:alerting.rules:editor fixed:alerting.instances:editor fixed:alerting.notifications:editor	Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.*
fixed:alerting:reader	All permissions from fixed:alerting.rules:reader fixed:alerting.instances:reader fixed:alerting.notifications:reader	Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.*
fixed:annotations.dashboard:writer	annotations:write annotations.create annotations:delete for scope annotations:type:dashboard	Create, update and delete dashboard annotations and annotation tags.
fixed:annotations:reader	annotations:read for scopes annotations:type:*	Read all annotations and annotation tags.
fixed:annotations:writer	All permissions from fixed:annotations:reader annotations:write annotations.create annotations:delete for scope annotations:type:*	Read, create, update and delete all annotations and annotation tags.
fixed:apikeys:reader	apikeys:read for scope apikeys:*	Read all api keys.
fixed:apikeys:writer	All permissions from fixed:apikeys:reader and apikeys:create apikeys:delete for scope apikeys:*	Read, create, delete all api keys.
fixed:dashboards.permissions:reader	dashboards.permissions:read	Read all dashboard permissions.
fixed:dashboards.permissions:writer	All permissions from fixed:dashboards.permissions:reader and dashboards.permissions:write	Read and update all dashboard permissions.
fixed:dashboards:creator	dashboards:create folders:read	Create dashboards.
fixed:dashboards:reader	dashboards:read	Read all dashboards.
fixed:dashboards:writer	All permissions from fixed:dashboards:reader and dashboards:write dashboards:edit dashboards:delete dashboards:create dashboards.permissions:read dashboards.permissions:write	Read, create, update, and delete all dashboards.
fixed:datasources.permissions:reader	datasources.permissions:read	Read data source permissions.
fixed:datasources.permissions:writer	All permissions from fixed:datasources.permissions:reader and datasources.permissions:write	Create, read, or delete permissions of a data source.
fixed:datasources:explorer	datasources:explore	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:id:reader	datasources.id:read	Read the ID of a data source based on its name.
fixed:datasources:reader	datasources:read datasources:query	Read and query data sources.
fixed:datasources:writer	All permissions from fixed:datasources:reader and datasources:create datasources:write datasources:delete	Read, query, create, delete, or update a data source.
fixed:folders.permissions:reader	folders.permissions:read	Read all folder permissions.
fixed:folders.permissions:writer	All permissions from fixed:folders.permissions:reader and folders.permissions:write	Read and update all folder permissions.
fixed:folders:creator	folders:create	Create folders.
fixed:folders:reader	folders:read dashboards:read	Read all folders and dashboards.
fixed:folders:writer	All permissions from fixed:dashboards:writer and folders:read folders:write folders:create folders:delete folders.permissions:read folders.permissions:write	Read, create, update, and delete all folders and dashboards.
fixed:ldap:reader	ldap.user:read ldap.status:read	Read the LDAP configuration and LDAP status information.
fixed:ldap:writer	All permissions from fixed:ldap:reader and ldap.user:sync ldap.config:reload	Read and update the LDAP configuration, and read LDAP status information.
fixed:licensing:reader	licensing:read licensing.reports:read	Read licensing information and licensing reports.
fixed:licensing:writer	All permissions from fixed:licensing:viewer and licensing:update licensing:delete	Read licensing information and licensing reports, update and delete the license token.
fixed:org.users:reader	org.users:read	Read users within a single organization.
fixed:org.users:writer	All permissions from fixed:org.users:reader and org.users:add org.users:remove org.users.role:update	Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:organization:maintainer	All permissions from fixed:organization:reader and orgs:write orgs:create orgs:delete orgs.quotas:write	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
fixed:organization:reader	orgs:read orgs.quotas:read	Read an organization and its quotas.
fixed:organization:writer	All permissions from fixed:organization:reader and orgs:write orgs.preferences:read orgs.preferences:write	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
fixed:provisioning:writer	provisioning:reload	Reload provisioning.
fixed:reports:reader	reports:read reports:send reports.settings:read	Read all reports and shared report settings.
fixed:reports:writer	All permissions from fixed:reports:reader and reports.admin:write reports:delete reports.settings:write	Create, read, update, or delete all reports and shared report settings.
fixed:roles:reader	roles:read roles:list teams.roles:list users.roles:list users.permissions:list roles.builtin:list	Read all access control roles, roles and permissions assigned to users, teams and built-in role assignments.
fixed:roles:writer	All permissions from fixed:roles:reader and roles:write roles:delete teams.roles:add teams.roles:remove users.roles:add users.roles:remove roles.builtin:add roles.builtin:remove	Create, read, update, or delete all roles, assign or unassign roles to users, teams and built-in role assignments.
fixed:settings:reader	settings:read	Read Grafana instance settings.
fixed:settings:writer	All permissions from fixed:settings:reader and settings:write	Read and update Grafana instance settings.
fixed:stats:reader	server.stats:read	Read Grafana instance statistics.
fixed:teams:creator	teams:create org.users:read	Create a team and list organization users (required to manage the created team).
fixed:teams:writer	teams:create teams:delete teams:read teams:write teams.permissions:read teams.permissions:write	Create, read, update and delete teams and manage team memberships.
fixed:users:reader	users:read users.quotas:list users.authtoken:list users.teams:read	Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writer	All permissions from fixed:users:reader and users:write users:create users:delete users:enable users:disable users.password:update users.permissions:update users:logout users.authtoken:update users.quotas:update	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.

Alerting roles

If alerting is [enabled]({{< relref "../../alerting/opt-in.md" >}}), you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

• Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
• Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "./plan-rbac-rollout-strategy#create-a-custom-role-to-access-alerts-in-a-folder" >}}).