grafana/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md

aliases	description	menuTitle	title	weight
/docs/grafana/latest/enterprise/access-control/fine-grained-access-control-references/ /docs/grafana/latest/enterprise/access-control/rbac-fixed-basic-role-definitions/	This topic includes a table that lists permission associated with Grafana fixed and basic roles.	RBAC role definitions	Grafana RBAC role definitions	70

RBAC role definitions

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

Basic role	Associated fixed roles	Description
Grafana Admin	fixed:roles:reader fixed:roles:writer fixed:users:reader fixed:users:writer fixed:org.users:reader fixed:org.users:writer fixed:ldap:reader fixed:ldap:writer fixed:stats:reader fixed:settings:reader fixed:settings:writer fixed:provisioning:writer fixed:organization:reader fixed:organization:maintainer fixed:licensing:reader fixed:licensing:writer	Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments.
Admin	fixed:reports:reader fixed:reports:writer fixed:datasources:reader fixed:datasources:writer fixed:organization:writer fixed:datasources.permissions:reader fixed:datasources.permissions:writer fixed:teams:writer fixed:dashboards:reader fixed:dashboards:writer fixed:dashboards.permissions:reader fixed:dashboards.permissions:writer fixed:folders:reader fixes:folders:writer fixed:folders.permissions:reader fixed:folders.permissions:writer fixed:alerting:writer fixed:apikeys:reader fixed:apikeys:writer fixed:alerting.provisioning:writer	Default [Grafana organization administrator]({{< relref "../#organization-users-and-permissions" >}}) assignments.
Editor	fixed:datasources:explorer fixed:dashboards:creator fixed:folders:creator fixed:annotations:writer fixed:teams:creator if the editors_can_admin configuration flag is enabled fixed:alerting:writer	Default [Editor]({{< relref "../#organization-users-and-permissions" >}}) assignments.
Viewer	fixed:datasources:id:reader fixed:organization:reader fixed:annotations:reader fixed:annotations.dashboard:writer fixed:alerting:reader fixed:plugins.app:reader	Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments.

Fixed role definitions

Fixed role	Permissions	Description
fixed:alerting.instances:writer	All permissions from fixed:alerting.instances:reader and alert.instances:create alert.instances:write for organization scope alert.instances.external:write for scope datasources:*	Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.*
fixed:alerting.instances:reader	alert.instances:read for organization scope alert.instances.external:read for scope datasources:*	Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.*
fixed:alerting.notifications:writer	All permissions from fixed:alerting.notifications:reader and alert.notifications:writefor organization scope alert.notifications.external:read for scope datasources:*	Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.*
fixed:alerting.notifications:reader	alert.notifications:read for organization scope alert.notifications.external:read for scope datasources:*	Read all Grafana and Alertmanager contact points, templates, and notification policies.*
fixed:alerting.rules:writer	All permissions from fixed:alerting.rules:reader and alert.rule:create alert.rule:write alert.rule:delete for scope folders:* alert.rules.external:write for scope datasources:*	Create, update, and delete all* Grafana, Mimir, and Loki alert rules.*
fixed:alerting.rules:reader	alert.rule:read for scope folders:* alert.rules.external:read for scope datasources:*	Read all* Grafana, Mimir, and Loki alert rules.*
fixed:alerting:writer	All permissions from fixed:alerting.rules:writer fixed:alerting.instances:writer fixed:alerting.notifications:writer	Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.*
fixed:alerting:reader	All permissions from fixed:alerting.rules:reader fixed:alerting.instances:reader fixed:alerting.notifications:reader	Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.*
fixed:alerting.provisioning:writer	alert.provisioning:read and alert.provisioning:write	Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. *
fixed:annotations.dashboard:writer	annotations:write annotations.create annotations:delete for scope annotations:type:dashboard	Create, update and delete dashboard annotations and annotation tags.
fixed:annotations:reader	annotations:read for scopes annotations:type:*	Read all annotations and annotation tags.
fixed:annotations:writer	All permissions from fixed:annotations:reader annotations:write annotations.create annotations:delete for scope annotations:type:*	Read, create, update and delete all annotations and annotation tags.
fixed:apikeys:reader	apikeys:read for scope apikeys:*	Read all api keys.
fixed:apikeys:writer	All permissions from fixed:apikeys:reader and apikeys:create apikeys:delete for scope apikeys:*	Read, create, delete all api keys.
fixed:dashboards.permissions:reader	dashboards.permissions:read	Read all dashboard permissions.
fixed:dashboards.permissions:writer	All permissions from fixed:dashboards.permissions:reader and dashboards.permissions:write	Read and update all dashboard permissions.
fixed:dashboards:creator	dashboards:create folders:read	Create dashboards.
fixed:dashboards:reader	dashboards:read	Read all dashboards.
fixed:dashboards:writer	All permissions from fixed:dashboards:reader and dashboards:write dashboards:edit dashboards:delete dashboards:create dashboards.permissions:read dashboards.permissions:write	Read, create, update, and delete all dashboards.
fixed:datasources.permissions:reader	datasources.permissions:read	Read data source permissions.
fixed:datasources.permissions:writer	All permissions from fixed:datasources.permissions:reader and datasources.permissions:write	Create, read, or delete permissions of a data source.
fixed:datasources:explorer	datasources:explore	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:id:reader	datasources.id:read	Read the ID of a data source based on its name.
fixed:datasources:reader	datasources:read datasources:query	Read and query data sources.
fixed:datasources:writer	All permissions from fixed:datasources:reader and datasources:create datasources:write datasources:delete	Read, query, create, delete, or update a data source.
fixed:folders.permissions:reader	folders.permissions:read	Read all folder permissions.
fixed:folders.permissions:writer	All permissions from fixed:folders.permissions:reader and folders.permissions:write	Read and update all folder permissions.
fixed:folders:creator	folders:create	Create folders.
fixed:folders:reader	folders:read dashboards:read	Read all folders and dashboards.
fixed:folders:writer	All permissions from fixed:dashboards:writer and folders:read folders:write folders:create folders:delete folders.permissions:read folders.permissions:write	Read, create, update, and delete all folders and dashboards.
fixed:ldap:reader	ldap.user:read ldap.status:read	Read the LDAP configuration and LDAP status information.
fixed:ldap:writer	All permissions from fixed:ldap:reader and ldap.user:sync ldap.config:reload	Read and update the LDAP configuration, and read LDAP status information.
fixed:licensing:reader	licensing:read licensing.reports:read	Read licensing information and licensing reports.
fixed:licensing:writer	All permissions from fixed:licensing:viewer and licensing:write licensing:delete	Read licensing information and licensing reports, update and delete the license token.
fixed:org.users:reader	org.users:read	Read users within a single organization.
fixed:org.users:writer	All permissions from fixed:org.users:reader and org.users:add org.users:remove org.users:write	Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:organization:maintainer	All permissions from fixed:organization:reader and orgs:write orgs:create orgs:delete orgs.quotas:write	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
fixed:organization:reader	orgs:read orgs.quotas:read	Read an organization and its quotas.
fixed:organization:writer	All permissions from fixed:organization:reader and orgs:write orgs.preferences:read orgs.preferences:write	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
fixed:plugins.app:reader	plugins.app:access	Access application plugins (still enforcing the organization role).
fixed:provisioning:writer	provisioning:reload	Reload provisioning.
fixed:reports:reader	reports:read reports:send reports.settings:read	Read all reports and shared report settings.
fixed:reports:writer	All permissions from fixed:reports:reader and reports:create reports:write reports:delete reports.settings:write	Create, read, update, or delete all reports and shared report settings.
fixed:roles:reader	roles:read teams.roles:read users.roles:read users.permissions:read	Read all access control roles, roles and permissions assigned to users, teams.
fixed:roles:writer	All permissions from fixed:roles:reader and roles:write roles:delete teams.roles:add teams.roles:remove users.roles:add users.roles:remove	Create, read, update, or delete all roles, assign or unassign roles to users, teams.
fixed:roles:resetter	roles:write with scope permissions:type:escalate	Reset basic roles to their default.
fixed:serviceaccounts:reader	serviceaccounts:read	Read Grafana service accounts.
fixed:serviceaccounts:creator	serviceaccounts:create	Create Grafana service accounts.
fixed:serviceaccounts:writer	serviceaccounts:read serviceaccounts:create serviceaccounts:write serviceaccounts:delete serviceaccounts.permissions:read serviceaccounts.permissions:write	Create, update, read and delete all Grafana service accounts and manage service account permissions.
fixed:settings:reader	settings:read	Read Grafana instance settings.
fixed:settings:writer	All permissions from fixed:settings:reader and settings:write	Read and update Grafana instance settings.
fixed:stats:reader	server.stats:read	Read Grafana instance statistics.
fixed:teams:creator	teams:create org.users:read	Create a team and list organization users (required to manage the created team).
fixed:teams:writer	teams:create teams:delete teams:read teams:write teams.permissions:read teams.permissions:write	Create, read, update and delete teams and manage team memberships.
fixed:users:reader	users:read users.quotas:read users.authtoken:read `	Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writer	All permissions from fixed:users:reader and users:write users:create users:delete users:enable users:disable users.password:write users.permissions:write users:logout users.authtoken:write users.quotas:write	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.

Alerting roles

If alerting is [enabled]({{< relref "../../../alerting/migrating-alerts/opt-out/" >}}), you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

• Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
• Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is only one exclusion at this moment. Role fixed:alerting.provisioning:writer does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.

For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "./plan-rbac-rollout-strategy/#create-a-custom-role-to-access-alerts-in-a-folder" >}}).