mirror of
https://github.com/grafana/grafana.git
synced 2024-12-01 21:19:28 -06:00
e1aad9c9bf
* Align docs to current permissions in code * Update permissions list * Add example responses, fix link * Apply suggestions from code review Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update based on reviews --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
225 lines
55 KiB
Markdown
225 lines
55 KiB
Markdown
---
|
||
aliases:
|
||
- ../../../enterprise/access-control/custom-role-actions-scopes/
|
||
- ../../../enterprise/access-control/permissions/
|
||
description: Learn about Grafana RBAC permissions, actions, and scopes.
|
||
labels:
|
||
products:
|
||
- cloud
|
||
- enterprise
|
||
menuTitle: RBAC permissions, actions, and scopes
|
||
title: Grafana RBAC permissions, actions, and scopes
|
||
weight: 80
|
||
---
|
||
|
||
# RBAC permissions, actions, and scopes
|
||
|
||
{{% admonition type="note" %}}
|
||
Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud](/docs/grafana-cloud).
|
||
{{% /admonition %}}
|
||
|
||
A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions.
|
||
|
||
To learn more about the Grafana resources to which you can apply RBAC, refer to [Resources with RBAC permissions]({{< relref "../#fixed-roles" >}}).
|
||
|
||
- **Action:** An action describes what tasks a user can perform on a resource.
|
||
- **Scope:** A scope describes where an action can be performed, such as reading a specific user profile. In this example, a permission is associated with the scope `users:<userId>` to the relevant role.
|
||
|
||
## Action definitions
|
||
|
||
The following list contains role-based access control actions.
|
||
|
||
| Action | Applicable scope | Description |
|
||
| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
|
||
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
|
||
| `alert.instances:create` | n/a | Create silences in the current organization. |
|
||
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
|
||
| `alert.instances:write` | n/a | Update and expire silences in the current organization. |
|
||
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
|
||
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
|
||
| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
|
||
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
|
||
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
|
||
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
|
||
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
|
||
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
|
||
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
|
||
| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
|
||
| `annotations:create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
|
||
| `annotations:delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
|
||
| `annotations:read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
|
||
| `annotations:write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
|
||
| `apikeys:create` | n/a | Create API keys. |
|
||
| `apikeys:read` | `apikeys:*`<br>`apikeys:id:*` | Read API keys. |
|
||
| `apikeys:delete` | `apikeys:*`<br>`apikeys:id:*` | Delete API keys. |
|
||
| `dashboards:create` | `folders:*`<br>`folders:uid:*` | Create dashboards in one or more folders and their subfolders. |
|
||
| `dashboards:delete` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Delete one or more dashboards. |
|
||
| `dashboards.insights:read` | n/a | Read dashboard insights data and see presence indicators. |
|
||
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read permissions for one or more dashboards. |
|
||
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update permissions for one or more dashboards. |
|
||
| `dashboards:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read one or more dashboards. |
|
||
| `dashboards:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update one or more dashboards. |
|
||
| `dashboards.public:write` | `dashboards:*`<br>`dashboards:uid:*` | Write public dashboard configuration. |
|
||
| `datasources.caching:read` | `datasources:*`<br>`datasources:uid:*` | Read data source query caching settings. |
|
||
| `datasources.caching:write` | `datasources:*`<br>`datasources:uid:*` | Update data source query caching settings. |
|
||
| `datasources:create` | n/a | Create data sources. |
|
||
| `datasources:delete` | `datasources:*`<br>`datasources:uid:*` | Delete data sources. |
|
||
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
|
||
| `datasources.id:read` | `datasources:*`<br>`datasources:uid:*` | Read data source IDs. |
|
||
| `datasources.insights:read` | n/a | Read data sources insights data. |
|
||
| `datasources.permissions:read` | `datasources:*`<br>`datasources:uid:*` | List data source permissions. |
|
||
| `datasources.permissions:write` | `datasources:*`<br>`datasources:uid:*` | Update data source permissions. |
|
||
| `datasources:query` | `datasources:*`<br>`datasources:uid:*` | Query data sources. |
|
||
| `datasources:read` | `datasources:*`<br>`datasources:uid:*` | List data sources. |
|
||
| `datasources:write` | `datasources:*`<br>`datasources:uid:*` | Update data sources. |
|
||
| `featuremgmt.read` | n/a | Read feature toggles. |
|
||
| `featuremgmt.write` | n/a | Write feature toggles. |
|
||
| `folders.permissions:read` | `folders:*`<br>`folders:uid:*` | Read permissions for one or more folders and their subfolders. |
|
||
| `folders.permissions:write` | `folders:*`<br>`folders:uid:*` | Update permissions for one or more folders and their subfolders. |
|
||
| `folders:create` | n/a | Create folders in the root level. If granted together with `folders:write`, also allows creating subfolders under all folders that the user can update. |
|
||
| `folders:delete` | `folders:*`<br>`folders:uid:*` | Delete one or more folders and their subfolders. |
|
||
| `folders:read` | `folders:*`<br>`folders:uid:*` | Read one or more folders and their subfolders. |
|
||
| `folders:write` | `folders:*`<br>`folders:uid:*` | Update one or more folders and their subfolders. If granted together with `folders:create` permission, also allows creating subfolders under these folders. |
|
||
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
|
||
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
|
||
| `ldap.user:read` | n/a | Read users via LDAP. |
|
||
| `ldap.user:sync` | n/a | Sync users via LDAP. |
|
||
| `licensing.reports:read` | n/a | Get custom permission reports. |
|
||
| `licensing:delete` | n/a | Delete the license token. |
|
||
| `licensing:read` | n/a | Read licensing information. |
|
||
| `licensing:write` | n/a | Update the license token. |
|
||
| `org.users:write` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. |
|
||
| `org.users:add` | `users:*` <br> `users:id:*` | Add a user to an organization or invite a new user to an organization. |
|
||
| `org.users:read` | `users:*` <br> `users:id:*` | Get user profiles within an organization. |
|
||
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
|
||
| `orgs.preferences:read` | n/a | Read organization preferences. |
|
||
| `orgs.preferences:write` | n/a | Update organization preferences. |
|
||
| `orgs.quotas:read` | n/a | Read organization quotas. |
|
||
| `orgs.quotas:write` | n/a | Update organization quotas. |
|
||
| `orgs:create` | n/a | Create an organization. |
|
||
| `orgs:delete` | n/a | Delete one or more organizations. |
|
||
| `orgs:read` | n/a | Read one or more organizations. |
|
||
| `orgs:write` | n/a | Update one or more organizations. |
|
||
| `plugins.app:access` | `plugins:*` <br> `plugins:id:*` | Access one or more application plugins (still enforcing the organization role) |
|
||
| `plugins:install` | n/a | Install and uninstall plugins. |
|
||
| `plugins:write` | `plugins:*` <br> `plugins:id:*` | Edit settings for one or more plugins. |
|
||
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). |
|
||
| `reports:create` | n/a | Create reports. |
|
||
| `reports:write` | `reports:*` <br> `reports:id:*` | Update reports. |
|
||
| `reports.settings:read` | n/a | Read report settings. |
|
||
| `reports.settings:write` | n/a | Update report settings. |
|
||
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
|
||
| `reports:read` | `reports:*` <br> `reports:id:*` | List all available reports or get a specific report. |
|
||
| `reports:send` | `reports:*` <br> `reports:id:*` | Send a report email. |
|
||
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
|
||
| `roles:read` | `roles:*` <br> `roles:uid:*` | List roles and read a specific with its permissions. |
|
||
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
|
||
| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. |
|
||
| `server.stats:read` | n/a | Read Grafana instance statistics. |
|
||
| `server.usagestats.report:read` | n/a | View usage statistics report. |
|
||
| `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. |
|
||
| `serviceaccounts:create` | n/a | Update Grafana service accounts. |
|
||
| `serviceaccounts:delete` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Delete Grafana service accounts. |
|
||
| `serviceaccounts:read` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Read Grafana service accounts. |
|
||
| `serviceaccounts.permissions:write` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Update Grafana service account permissions to control who can do what with the service account. |
|
||
| `serviceaccounts.permissions:read` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Read Grafana service account permissions to see who can do what with the service account. |
|
||
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}}) |
|
||
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}). |
|
||
| `support.bundles:create` | n/a | Create support bundles. |
|
||
| `support.bundles:delete` | n/a | Delete support bundles. |
|
||
| `support.bundles:read` | n/a | List and download support bundles. |
|
||
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
|
||
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and Team Sync setup for teams. |
|
||
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage Team Sync setup for teams. |
|
||
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
|
||
| `teams.roles:read` | `teams:*`<br>`teams:id:*` | List roles assigned directly to a team. |
|
||
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
|
||
| `teams:create` | n/a | Create teams. |
|
||
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
|
||
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. |
|
||
| `teams:write` | `teams:*`<br>`teams:id:*` | Update one or more teams and team preferences. |
|
||
| `users.authtoken:read` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
|
||
| `users.authtoken:write` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
|
||
| `users.password:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s password. |
|
||
| `users.permissions:read` | `users:*` | List permissions of a user. |
|
||
| `users.permissions:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s organization-level permissions. |
|
||
| `users.quotas:read` | `global.users:*` <br> `global.users:id:*` | List a user’s quotas. |
|
||
| `users.quotas:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s quotas. |
|
||
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. |
|
||
| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. |
|
||
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. |
|
||
| `users:create` | n/a | Create a user. |
|
||
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
|
||
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
|
||
| `users:enable` | `global.users:*` <br> `global.users:id:*` | Enable a user. |
|
||
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
|
||
| `users:read` | `global.users:*` | Read or search user profiles. |
|
||
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a user’s profile. |
|
||
|
||
### Grafana OnCall action definitions (beta)
|
||
|
||
> **Note:** Available from Grafana 9.4 in early access.
|
||
|
||
> **Note:** This feature is behind the `accessControlOnCall` feature toggle.
|
||
> You can enable feature toggles through configuration file or environment variables. See configuration [docs]({{< relref "../../../../setup-grafana/configure-grafana/#feature_toggles" >}}) for details.
|
||
|
||
The following list contains role-based access control actions used by Grafana OnCall application plugin.
|
||
|
||
| Action | Applicable scope | Description |
|
||
| ------------------------------------------------ | ---------------- | ------------------------------------------------- |
|
||
| `grafana-oncall-app.alert-groups:read` | n/a | Read OnCall alert groups. |
|
||
| `grafana-oncall-app.alert-groups:write` | n/a | Create, edit and delete OnCall alert groups. |
|
||
| `grafana-oncall-app.integrations:read` | n/a | Read OnCall integrations. |
|
||
| `grafana-oncall-app.integrations:write` | n/a | Create, edit and delete OnCall integrations. |
|
||
| `grafana-oncall-app.integrations:test` | n/a | Test OnCall integrations. |
|
||
| `grafana-oncall-app.escalation-chains:read` | n/a | Read OnCall escalation chains. |
|
||
| `grafana-oncall-app.escalation-chains:write` | n/a | Create, edit and delete OnCall escalation chains. |
|
||
| `grafana-oncall-app.schedules:read` | n/a | Read OnCall schedules. |
|
||
| `grafana-oncall-app.schedules:write` | n/a | Create, edit and delete OnCall schedules. |
|
||
| `grafana-oncall-app.schedules:export` | n/a | Export OnCall schedules. |
|
||
| `grafana-oncall-app.chatops:read` | n/a | Read OnCall ChatOps. |
|
||
| `grafana-oncall-app.chatops:write` | n/a | Edit OnCall ChatOps. |
|
||
| `grafana-oncall-app.chatops:update-settings` | n/a | Edit OnCall ChatOps settings. |
|
||
| `grafana-oncall-app.maintenance:read` | n/a | Read OnCall maintenance. |
|
||
| `grafana-oncall-app.maintenance:write` | n/a | Edit OnCall maintenance. |
|
||
| `grafana-oncall-app.api-keys:read` | n/a | Read OnCall API keys. |
|
||
| `grafana-oncall-app.api-keys:write` | n/a | Create, edit and delete OnCall API keys. |
|
||
| `grafana-oncall-app.notifications:read` | n/a | Receive OnCall notifications. |
|
||
| `grafana-oncall-app.notification-settings:read` | n/a | Read OnCall notification settings. |
|
||
| `grafana-oncall-app.notification-settings:write` | n/a | Edit OnCall notification settings. |
|
||
| `grafana-oncall-app.user-settings:read` | n/a | Read user's own OnCall user settings. |
|
||
| `grafana-oncall-app.user-settings:write` | n/a | Edit user's own OnCall user settings. |
|
||
| `grafana-oncall-app.user-settings:admin` | n/a | Read and edit all users' OnCall user settings. |
|
||
| `grafana-oncall-app.other-settings:read` | n/a | Read OnCall settings. |
|
||
| `grafana-oncall-app.other-settings:write` | n/a | Edit OnCall settings. |
|
||
|
||
## Scope definitions
|
||
|
||
The following list contains role-based access control scopes.
|
||
|
||
| Scopes | Descriptions |
|
||
| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||
| `annotations:*`<br>`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
|
||
| `apikeys:*`<br>`apikeys:id:*` | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`. |
|
||
| `dashboards:*`<br>`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
|
||
| `datasources:*`<br>`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
|
||
| `folders:*`<br>`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. Note that permissions granted to a folder cascade down to subfolders located under it |
|
||
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
|
||
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
|
||
| `permissions:type:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
|
||
| `permissions:type:escalate` | The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have. |
|
||
| `plugins:*` <br> `plugins:id:*` | Restrict an action to a set of plugins. For example, `plugins:id:grafana-oncall-app` matches Grafana OnCall plugin, and `plugins:*` matches all plugins. |
|
||
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./rbac-grafana-provisioning/" >}}). |
|
||
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
|
||
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
|
||
| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
|
||
| `serviceaccounts:*` <br> `serviceaccounts:id:*` | Restrict an action to a set of service account from an organization. For example, `serviceaccounts:*` matches any service account and `serviceaccount:id:1` matches the service account whose ID is `1`. |
|
||
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
|
||
| `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. |
|
||
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
|
||
| `n/a` | `n/a` means not applicable. If an action has `n/a` specified for the scope, then the action does not require a scope. For example, the `teams:create` action does not require a scope and allows users to create teams. |
|