grafana/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md

aliases	description	labels	menuTitle	title	weight
../../../enterprise/access-control/custom-role-actions-scopes/ ../../../enterprise/access-control/permissions/	Learn about Grafana RBAC permissions, actions, and scopes.	products cloud enterprise	RBAC permissions, actions, and scopes	Grafana RBAC permissions, actions, and scopes	80

RBAC permissions, actions, and scopes

{{% admonition type="note" %}} Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and Grafana Cloud. {{% /admonition %}}

A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions.

To learn more about the Grafana resources to which you can apply RBAC, refer to [Resources with RBAC permissions]({{< relref "../#fixed-roles" >}}).

• Action: An action describes what tasks a user can perform on a resource.
• Scope: A scope describes where an action can be performed, such as reading a specific user profile. In this example, a permission is associated with the scope users:<userId> to the relevant role.

Action definitions

The following list contains role-based access control actions.

Action	Applicable scope	Description
alert.instances.external:read	datasources:* datasources:uid:*	Read alerts and silences in data sources that support alerting.
alert.instances.external:write	datasources:* datasources:uid:*	Manage alerts and silences in data sources that support alerting.
alert.instances:create	n/a	Create silences in the current organization.
alert.instances:read	n/a	Read alerts and silences in the current organization.
alert.instances:write	n/a	Update and expire silences in the current organization.
alert.notifications.external:read	datasources:* datasources:uid:*	Read templates, contact points, notification policies, and mute timings in data sources that support alerting.
alert.notifications.external:write	datasources:* datasources:uid:*	Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.
alert.notifications:write	n/a	Manage templates, contact points, notification policies, and mute timings in the current organization.
alert.notifications:read	n/a	Read all templates, contact points, notification policies, and mute timings in the current organization.
alert.rules.external:read	datasources:* datasources:uid:*	Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)
alert.rules.external:write	datasources:* datasources:uid:*	Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).
alert.rules:create	folders:* folders:uid:*	Create Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:delete	folders:* folders:uid:*	Delete Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:read	folders:* folders:uid:*	Read Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:write	folders:* folders:uid:*	Update Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.silences:create	folders:* folders:uid:*	Create rule-specific silences in a folder and its subfolders.
alert.silences:read	folders:* folders:uid:*	Read general and rule-specific silences in a folder and its subfolders.
alert.silences:write	folders:* folders:uid:*	Update and expire rule-specific silences in a folder and its subfolders.
alert.provisioning:read	n/a	Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required.
alert.provisioning.secrets:read	n/a	Same as alert.provisioning:read plus ability to export resources with decrypted secrets.
alert.provisioning:write	n/a	Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required.
alert.provisioning.provenance:write	n/a	Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources
annotations:create	annotations:* annotations:type:*	Create annotations.
annotations:delete	annotations:* annotations:type:*	Delete annotations.
annotations:read	annotations:* annotations:type:*	Read annotations and annotation tags.
annotations:write	annotations:* annotations:type:*	Update annotations.
apikeys:create	n/a	Create API keys.
apikeys:read	apikeys:* apikeys:id:*	Read API keys.
apikeys:delete	apikeys:* apikeys:id:*	Delete API keys.
dashboards:create	folders:* folders:uid:*	Create dashboards in one or more folders and their subfolders.
dashboards:delete	dashboards:* dashboards:uid:* folders:* folders:uid:*	Delete one or more dashboards.
dashboards.insights:read	n/a	Read dashboard insights data and see presence indicators.
dashboards.permissions:read	dashboards:* dashboards:uid:* folders:* folders:uid:*	Read permissions for one or more dashboards.
dashboards.permissions:write	dashboards:* dashboards:uid:* folders:* folders:uid:*	Update permissions for one or more dashboards.
dashboards:read	dashboards:* dashboards:uid:* folders:* folders:uid:*	Read one or more dashboards.
dashboards:write	dashboards:* dashboards:uid:* folders:* folders:uid:*	Update one or more dashboards.
dashboards.public:write	dashboards:* dashboards:uid:*	Write public dashboard configuration.
datasources.caching:read	datasources:* datasources:uid:*	Read data source query caching settings.
datasources.caching:write	datasources:* datasources:uid:*	Update data source query caching settings.
datasources:create	n/a	Create data sources.
datasources:delete	datasources:* datasources:uid:*	Delete data sources.
datasources:explore	n/a	Enable access to the Explore tab.
datasources.id:read	datasources:* datasources:uid:*	Read data source IDs.
datasources.insights:read	n/a	Read data sources insights data.
datasources.permissions:read	datasources:* datasources:uid:*	List data source permissions.
datasources.permissions:write	datasources:* datasources:uid:*	Update data source permissions.
datasources:query	datasources:* datasources:uid:*	Query data sources.
datasources:read	datasources:* datasources:uid:*	List data sources.
datasources:write	datasources:* datasources:uid:*	Update data sources.
featuremgmt.read	n/a	Read feature toggles.
featuremgmt.write	n/a	Write feature toggles.
folders.permissions:read	folders:* folders:uid:*	Read permissions for one or more folders and their subfolders.
folders.permissions:write	folders:* folders:uid:*	Update permissions for one or more folders and their subfolders.
folders:create	n/a	Create folders in the root level. If granted together with folders:write, also allows creating subfolders under all folders that the user can update.
folders:delete	folders:* folders:uid:*	Delete one or more folders and their subfolders.
folders:read	folders:* folders:uid:*	Read one or more folders and their subfolders.
folders:write	folders:* folders:uid:*	Update one or more folders and their subfolders. If granted together with folders:create permission, also allows creating subfolders under these folders.
ldap.config:reload	n/a	Reload the LDAP configuration.
ldap.status:read	n/a	Verify the availability of the LDAP server or servers.
ldap.user:read	n/a	Read users via LDAP.
ldap.user:sync	n/a	Sync users via LDAP.
library.panels:create	folders:* folders:uid:*	Create a library panel in one or more folders and their subfolders.
library.panels:read	folders:* folders:uid:* library.panels:* library.panels:uid:*	Read one or more library panels.
library.panels:write	folders:* folders:uid:* library.panels:* library.panels:uid:*	Update one or more library panels.
library.panels:delete	folders:* folders:uid:* library.panels:* library.panels:uid:*	Delete one or more library panels.
licensing.reports:read	n/a	Get custom permission reports.
licensing:delete	n/a	Delete the license token.
licensing:read	n/a	Read licensing information.
licensing:write	n/a	Update the license token.
org.users:write	users:* users:id:*	Update the organization role (None, Viewer, Editor, or Admin) of a user.
org.users:add	users:* users:id:*	Add a user to an organization or invite a new user to an organization.
org.users:read	users:* users:id:*	Get user profiles within an organization.
org.users:remove	users:* users:id:*	Remove a user from an organization.
orgs.preferences:read	n/a	Read organization preferences.
orgs.preferences:write	n/a	Update organization preferences.
orgs.quotas:read	n/a	Read organization quotas.
orgs.quotas:write	n/a	Update organization quotas.
orgs:create	n/a	Create an organization.
orgs:delete	n/a	Delete one or more organizations.
orgs:read	n/a	Read one or more organizations.
orgs:write	n/a	Update one or more organizations.
plugins.app:access	plugins:* plugins:id:*	Access one or more application plugins (still enforcing the organization role)
plugins:install	n/a	Install and uninstall plugins.
plugins:write	plugins:* plugins:id:*	Edit settings for one or more plugins.
provisioning:reload	provisioners:*	Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}).
reports:create	n/a	Create reports.
reports:write	reports:* reports:id:*	Update reports.
reports.settings:read	n/a	Read report settings.
reports.settings:write	n/a	Update report settings.
reports:delete	reports:* reports:id:*	Delete reports.
reports:read	reports:* reports:id:*	List all available reports or get a specific report.
reports:send	reports:* reports:id:*	Send a report email.
roles:delete	permissions:type:delegate	Delete a custom role.
roles:read	roles:* roles:uid:*	List roles and read a specific role with its permissions.
roles:write	permissions:type:delegate	Create or update a custom role.
roles:write	permissions:type:escalate	Reset basic roles to their default permissions.
server.stats:read	n/a	Read Grafana instance statistics.
server.usagestats.report:read	n/a	View usage statistics report.
serviceaccounts:write	serviceaccounts:*	Create Grafana service accounts.
serviceaccounts:create	n/a	Update Grafana service accounts.
serviceaccounts:delete	serviceaccounts:* serviceaccounts:id:*	Delete Grafana service accounts.
serviceaccounts:read	serviceaccounts:* serviceaccounts:id:*	Read Grafana service accounts.
serviceaccounts.permissions:write	serviceaccounts:* serviceaccounts:id:*	Update Grafana service account permissions to control who can do what with the service account.
serviceaccounts.permissions:read	serviceaccounts:* serviceaccounts:id:*	Read Grafana service account permissions to see who can do what with the service account.
settings:read	settings:* settings:auth.saml:* settings:auth.saml:enabled (property level)	Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}})
settings:write	settings:* settings:auth.saml:* settings:auth.saml:enabled (property level)	Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}).
support.bundles:create	n/a	Create support bundles.
support.bundles:delete	n/a	Delete support bundles.
support.bundles:read	n/a	List and download support bundles.
status:accesscontrol	services:accesscontrol	Get access-control enabled status.
teams.permissions:read	teams:* teams:id:*	Read members and Team Sync setup for teams.
teams.permissions:write	teams:* teams:id:*	Add, remove and update members and manage Team Sync setup for teams.
teams.roles:add	permissions:type:delegate	Assign a role to a team.
teams.roles:read	teams:* teams:id:*	List roles assigned directly to a team.
teams.roles:remove	permissions:type:delegate	Unassign a role from a team.
teams:create	n/a	Create teams.
teams:delete	teams:* teams:id:*	Delete one or more teams.
teams:read	teams:* teams:id:*	Read one or more teams and team preferences. To list teams through the UI one of the following permissions is required in addition to teams:read: teams:write, teams.permissions:read or teams.permissions:write.
teams:write	teams:* teams:id:*	Update one or more teams and team preferences.
users.authtoken:read	global.users:* global.users:id:*	List authentication tokens that are assigned to a user.
users.authtoken:write	global.users:* global.users:id:*	Update authentication tokens that are assigned to a user.
users.password:write	global.users:* global.users:id:*	Update a user’s password.
users.permissions:read	users:*	List permissions of a user.
users.permissions:write	global.users:* global.users:id:*	Update a user’s organization-level permissions.
users.quotas:read	global.users:* global.users:id:*	List a user’s quotas.
users.quotas:write	global.users:* global.users:id:*	Update a user’s quotas.
users.roles:add	permissions:type:delegate	Assign a role to a user or a service account.
users.roles:read	users:*	List roles assigned directly to a user or a service account.
users.roles:remove	permissions:type:delegate	Unassign a role from a user or a service account.
users:create	n/a	Create a user.
users:delete	global.users:* global.users:id:*	Delete a user.
users:disable	global.users:* global.users:id:*	Disable a user.
users:enable	global.users:* global.users:id:*	Enable a user.
users:logout	global.users:* global.users:id:*	Sign out a user.
users:read	global.users:*	Read or search user profiles.
users:write	global.users:* global.users:id:*	Update a user’s profile.

Grafana OnCall action definitions (beta)

Note: Available from Grafana 9.4 in early access.

Note: This feature is behind the accessControlOnCall feature toggle. You can enable feature toggles through configuration file or environment variables. See configuration [docs]({{< relref "../../../../setup-grafana/configure-grafana/#feature_toggles" >}}) for details.

The following list contains role-based access control actions used by Grafana OnCall application plugin.

Action	Applicable scope	Description
grafana-oncall-app.alert-groups:read	n/a	Read OnCall alert groups.
grafana-oncall-app.alert-groups:write	n/a	Create, edit and delete OnCall alert groups.
grafana-oncall-app.integrations:read	n/a	Read OnCall integrations.
grafana-oncall-app.integrations:write	n/a	Create, edit and delete OnCall integrations.
grafana-oncall-app.integrations:test	n/a	Test OnCall integrations.
grafana-oncall-app.escalation-chains:read	n/a	Read OnCall escalation chains.
grafana-oncall-app.escalation-chains:write	n/a	Create, edit and delete OnCall escalation chains.
grafana-oncall-app.schedules:read	n/a	Read OnCall schedules.
grafana-oncall-app.schedules:write	n/a	Create, edit and delete OnCall schedules.
grafana-oncall-app.schedules:export	n/a	Export OnCall schedules.
grafana-oncall-app.chatops:read	n/a	Read OnCall ChatOps.
grafana-oncall-app.chatops:write	n/a	Edit OnCall ChatOps.
grafana-oncall-app.chatops:update-settings	n/a	Edit OnCall ChatOps settings.
grafana-oncall-app.maintenance:read	n/a	Read OnCall maintenance.
grafana-oncall-app.maintenance:write	n/a	Edit OnCall maintenance.
grafana-oncall-app.api-keys:read	n/a	Read OnCall API keys.
grafana-oncall-app.api-keys:write	n/a	Create, edit and delete OnCall API keys.
grafana-oncall-app.notifications:read	n/a	Receive OnCall notifications.
grafana-oncall-app.notification-settings:read	n/a	Read OnCall notification settings.
grafana-oncall-app.notification-settings:write	n/a	Edit OnCall notification settings.
grafana-oncall-app.user-settings:read	n/a	Read user's own OnCall user settings.
grafana-oncall-app.user-settings:write	n/a	Edit user's own OnCall user settings.
grafana-oncall-app.user-settings:admin	n/a	Read and edit all users' OnCall user settings.
grafana-oncall-app.other-settings:read	n/a	Read OnCall settings.
grafana-oncall-app.other-settings:write	n/a	Edit OnCall settings.

Scope definitions

The following list contains role-based access control scopes.

Scopes	Descriptions
annotations:* annotations:type:*	Restrict an action to a set of annotations. For example, annotations:* matches any annotation, annotations:type:dashboard matches annotations associated with dashboards and annotations:type:organization matches organization annotations.
apikeys:* apikeys:id:*	Restrict an action to a set of API keys. For example, apikeys:* matches any API key, apikey:id:1 matches the API key whose id is 1.
dashboards:* dashboards:uid:*	Restrict an action to a set of dashboards. For example, dashboards:* matches any dashboard, and dashboards:uid:1 matches the dashboard whose UID is 1.
datasources:* datasources:uid:*	Restrict an action to a set of data sources. For example, datasources:* matches any data source, and datasources:uid:1 matches the data source whose UID is 1.
folders:* folders:uid:*	Restrict an action to a set of folders. For example, folders:* matches any folder, and folders:uid:1 matches the folder whose UID is 1. Note that permissions granted to a folder cascade down to subfolders located under it
global.users:* global.users:id:*	Restrict an action to a set of global users. For example, global.users:* matches any user and global.users:id:1 matches the user whose ID is 1.
library.panels:* library.panels:uid:*	Restrict an action to a set of library panels. For example, library.panels:* matches any library panel, and library.panel:uid:1 matches the library panel whose UID is 1.
orgs:* orgs:id:*	Restrict an action to a set of organizations. For example, orgs:* matches any organization and orgs:id:1 matches the organization whose ID is 1.
permissions:type:delegate	The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.
permissions:type:escalate	The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have.
plugins:* plugins:id:*	Restrict an action to a set of plugins. For example, plugins:id:grafana-oncall-app matches Grafana OnCall plugin, and plugins:* matches all plugins.
provisioners:*	Restrict an action to a set of provisioners. For example, provisioners:* matches any provisioner, and provisioners:accesscontrol matches the role-based access control [provisioner]({{< relref "./rbac-grafana-provisioning/" >}}).
reports:* reports:id:*	Restrict an action to a set of reports. For example, reports:* matches any report and reports:id:1 matches the report whose ID is 1.
roles:* roles:uid:*	Restrict an action to a set of roles. For example, roles:* matches any role and roles:uid:randomuid matches only the role whose UID is randomuid.
services:accesscontrol	Restrict an action to target only the role-based access control service. You can use this in conjunction with the status:accesscontrol actions.
serviceaccounts:* serviceaccounts:id:*	Restrict an action to a set of service account from an organization. For example, serviceaccounts:* matches any service account and serviceaccount:id:1 matches the service account whose ID is 1.
settings:*	Restrict an action to a subset of settings. For example, settings:* matches all settings, settings:auth.saml:* matches all SAML settings, and settings:auth.saml:enabled matches the enable property on the SAML settings.
teams:* teams:id:*	Restrict an action to a set of teams from an organization. For example, teams:* matches any team and teams:id:1 matches the team whose ID is 1.
users:* users:id:*	Restrict an action to a set of users from an organization. For example, users:* matches any user and users:id:1 matches the user whose ID is 1.
n/a	n/a means not applicable. If an action has n/a specified for the scope, then the action does not require a scope. For example, the teams:create action does not require a scope and allows users to create teams.