mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
* initial refactor
* initial draft for teams
* restructured topics, added front matter
* modified aliases
* removes old files
* removed files
* initial refactor
* initial draft for teams
* restructured topics, added front matter
* modified aliases
* removes old files
* removed files
* final xrefs updates
* xref adjustment
* copy updates
* copy and content updates to about, add to org, add user, admin
* copy updates to remove user from org
* update org vs server admin section names, cross-link
* cross-link add and invite users to org
* add remaining cross-links between org and server admin
* add dashboard permissions table
* add permissions information to teams
* add copy invite instructions to invite management
* tweaks and link updates
* incorporated PM feedback
* fixed xrefs
* yarn prettier
* fix codespell
* combined teams and dashboard permissions content

Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com>
21 KiB
+++
title = "Fine-grained access control references"
description = "Refer to fine-grained access control references"
keywords = ["grafana", "fine-grained-access-control", "roles", "fixed-roles", "built-in-role-assignments", "permissions", "enterprise"]
weight = 130
+++

# Fine-grained access control references
The reference information that follows complements conceptual information about [Roles]({{< relref "./roles.md" >}}).
## Fine-grained access fixed roles

| Fixed roles | Permissions | Descriptions |
| --- | --- | --- |
| `fixed:roles:reader` | `roles:read` `roles:list` `teams.roles:list` `users.roles:list` `users.permissions:list` `roles.builtin:list` | Read all access control roles, roles and permissions assigned to users, teams and built-in role assignments. |
| `fixed:roles:writer` | All permissions from `fixed:roles:reader` and `roles:write` `roles:delete` `teams.roles:add` `teams.roles:remove` `users.roles:add` `users.roles:remove` `roles.builtin:add` `roles.builtin:remove` | Create, read, update, or delete all roles, assign or unassign roles to users, teams and built-in role assignments. |
| `fixed:reports:reader` | `reports:read` `reports:send` `reports.settings:read` | Read all reports and shared report settings. |
| `fixed:reports:writer` | All permissions from `fixed:reports:reader` and `reports.admin:write` `reports:delete` `reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:users:reader` | `users:read` `users.quotas:list` `users.authtoken:list` `users.teams:read` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader` and `users:write` `users:create` `users:delete` `users:enable` `users:disable` `users.password:update` `users.permissions:update` `users:logout` `users.authtoken:update` `users.quotas:update` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
| `fixed:org.users:reader` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | All permissions from `fixed:org.users:reader` and `org.users:add` `org.users:remove` `org.users.role:update` | Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:ldap:reader` | `ldap.user:read` `ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:ldap:writer` | All permissions from `fixed:ldap:reader` and `ldap.user:sync` `ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and `settings:write` | Read and update Grafana instance settings. |
| `fixed:datasources:explorer` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions. |
| `fixed:datasources:reader` | `datasources:read` `datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader` and `datasources:create` `datasources:write` `datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:datasources:id:reader` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader` and `datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:licensing:reader` | `licensing:read` `licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | All permissions from `fixed:licensing:viewer` and `licensing:update` `licensing:delete` | Read licensing information and licensing reports, update and delete the license token. |
| `fixed:provisioning:writer` | `provisioning:reload` | Reload provisioning. |
| `fixed:organization:reader` | `orgs:read` `orgs.quotas:read` | Read an organization and its quotas. |
| `fixed:organization:writer` | All permissions from `fixed:organization:reader` and `orgs:write` `orgs.preferences:read` `orgs.preferences:write` | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| `fixed:organization:maintainer` | All permissions from `fixed:organization:reader` and `orgs:write` `orgs:create` `orgs:delete` `orgs.quotas:write` | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| `fixed:teams:creator` | `teams:create` `org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create` `teams:delete` `teams:read` `teams:write` `teams.permissions:read` `teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |

## Default built-in role assignments

| Built-in role | Associated role | Description |
| --- | --- | --- |
| Grafana Admin | `fixed:roles:reader` `fixed:roles:writer` `fixed:users:reader` `fixed:users:writer` `fixed:org.users:reader` `fixed:org.users:writer` `fixed:ldap:reader` `fixed:ldap:writer` `fixed:stats:reader` `fixed:settings:reader` `fixed:settings:writer` `fixed:provisioning:writer` `fixed:organization:reader` `fixed:organization:maintainer` `fixed:licensing:reader` `fixed:licensing:writer` | Default [Grafana server administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#grafana-server-administrators" >}}) assignments. |
| Admin | `fixed:reports:reader` `fixed:reports:writer` `fixed:datasources:reader` `fixed:datasources:writer` `fixed:organization:writer` `fixed:datasources.permissions:reader` `fixed:datasources.permissions:writer` `fixed:teams:writer` | Default [Grafana organization administrator]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments. |
| Editor | `fixed:datasources:explorer` and `fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled | Default [Editor]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments. |
| Viewer | `fixed:datasources:id:reader` `fixed:organization:reader` | Default [Viewer]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#organization-users-and-permissions" >}}) assignments. |