Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed rolesPermissionsDescriptions
fixed:permissions:admin:readroles:read
roles:list
roles.builtin:list
Allows to list and get available roles and built-in role assignments.
fixed:permissions:admin:editAll permissions from fixed:permissions:admin:read and
roles:write
roles:delete
roles.builtin:add
roles.builtin:remove
Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments.
fixed:reporting:admin:readreports:read
reports:send
reports.settings:read
Allows to read reports and report settings.
fixed:reporting:admin:editAll permissions from fixed:reporting:admin:read and
reports.admin:write
reports:delete
reports.settings:write
Allows every read action for reports and in addition allows to administer reports.
fixed:users:admin:readusers.authtoken:list
users.quotas:list
users:read
users.teams:read
Allows to list and get users and related information.
fixed:users:admin:editAll permissions from fixed:users:admin:read and
users.password:update
users:write
users:create
users:delete
users:enable
users:disable
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update
Allows every read action for users and in addition allows to administer users.
fixed:users:org:readorg.users:readAllows to get user organizations.
fixed:users:org:editAll permissions from fixed:users:org:read and
org.users:add
org.users:remove
org.users.role:update
Allows every read action for user organizations and in addition allows to administer user organizations.
fixed:ldap:admin:readldap.user:read
ldap.status:read
Allows to read LDAP information and status.
fixed:ldap:admin:editAll permissions from fixed:ldap:admin:read and
ldap.user:sync
ldap.config:reload
Allows every read action for LDAP and in addition allows to administer LDAP.
fixed:server:admin:readserver.stats:readRead server stats
fixed:settings:admin:readsettings:readRead settings
fixed:settings:admin:editAll permissions from fixed:settings:admin:read and
settings:write
Update settings
fixed:datasource:editor:readdatasources:exploreExplore datasources

Default built-in role assignments

Built-in rolesAssociated rolesDescriptions
Grafana Adminfixed:permissions:admin:edit
fixed:permissions:admin:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
fixed:users:admin:edit
fixed:users:admin:read
fixed:users:org:edit
fixed:users:org:read
fixed:ldap:admin:edit
fixed:ldap:admin:read
fixed:server:admin:read
fixed:settings:admin:read
fixed:settings:admin:edit
Allows access to resources which Grafana Server Admin has permissions by default.
Adminfixed:users:org:edit
fixed:users:org:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
Allows access to resource which Admin has permissions by default.
Editorfixed:datasource:editor:read