Permissions

A permission is an action and a scope. When creating a fine-grained access control, consider what specific action a user should be allowed to perform, and on what resources (its scope).

To grant permissions to a user, you create a built-in role assignment to map a role to a built-in role. A built-in role assignment modifies to one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.

To learn more about which permissions are used for which resources, refer to Resources with fine-grained permissions.

action

The specific action on a resource defines what a user is allowed to perform if they have permission with the relevant action assigned to it.

scope

The scope describes where an action can be performed, such as reading a specific user profile. In such case, a permission is associated with the scope users:<userId> to the relevant role.

Action definitions

The following list contains fine-grained access control actions.

ActionsApplicable scopesDescriptions
roles:listroles:List available roles without permissions.
roles:readroles:Read a specific role with it’s permissions.
roles:writepermissions:delegateCreate or update a custom role.
roles:deletepermissions:delegateDelete a custom role.
roles.builtin:listroles:List built-in role assignments.
roles.builtin:addpermissions:delegateCreate a built-in role assignment.
roles.builtin:removepermissions:delegateDelete a built-in role assignment.
reports.admin:createreports:Create reports.
reports.admin:writereports:Update reports.
reports:deletereports:Delete reports.
reports:readreports:List all available reports or get a specific report.
reports:sendreports:Send a report email.
reports.settings:writen/aUpdate report settings.
reports.settings:readn/aRead report settings.
provisioning:reloadservices:accesscontrolReload provisioning files.
users:readglobal:users:Read or search user profiles.
users:writeglobal:users:Update a user’s profile.
users.teams:readglobal:users:Read a user’s teams.
users.authtoken:listglobal:users:List authentication tokens that are assigned to a user.
users.authtoken:updateglobal:users:Update authentication tokens that are assigned to a user.
users.password:updateglobal:users:Update a user’s password.
users:deleteglobal:users:Delete a user.
users:createn/aCreate a user.
users:enableglobal:users:Enable a user.
users:disableglobal:users:Disable a user.
users.permissions:updateglobal:users:Update a user’s organization-level permissions.
users:logoutglobal:users:Log out a user.
users.quotas:listglobal:users:List a user’s quotas.
users.quotas:updateglobal:users:Update a user’s quotas.
org.users.readusers:Get user profiles within an organization.
org.users.addusers:Add a user to an organization.
org.users.removeusers:Remove a user from an organization.
org.users.role:updateusers:Update the organization role (Viewer, Editor, Admin) for an organization.
ldap.user:readn/aGet a user via LDAP.
ldap.user:syncn/aSync a user via LDAP.
ldap.status:readn/aVerify the LDAP servers’ availability.
ldap.config:reloadn/aReload the LDAP configuration.
status:accesscontrolservices:accesscontrolGet access-control enabled status.
settings:readsettings:**
settings:auth.saml:
settings:auth.saml:enabled (property level)
Read settings
settings:writesettings:*
settings:auth.saml:

settings:auth.saml:enabled (property level)
Update settings
server.stats:readn/aRead server stats
datasources:exploren/aEnable explore

Scope definitions

The following list contains fine-grained access control scopes.

ScopesDescriptions
roles:Restrict an action to a set of roles. For example, roles: matches any role, roles:randomuid matches only the role with UID randomuid and roles:custom:reports:{editor,viewer} matches both custom:reports:editor and custom:reports:viewer roles.
permissions:delegateThe scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.
reports:Restrict an action to a set of reports. For example, reports: matches any report and reports:1 matches the report with id 1.
services:accesscontrolRestrict an action to target only the fine-grained access control service. For example, you can use this in conjunction with the provisioning:reload or the status:accesscontrol actions.
global:users:Restrict an action to a set of global users.
users:Restrict an action to a set of users from an organization.
settings:Restrict an action to a subset of settings. For example, settings: matches all settings, settings:auth.saml:* matches all SAML settings, and settings:auth.saml:enabled matches the enable property on the SAML settings.