Fine-grained access control references
- Fine-grained access fixed roles
- Default built-in role assignments

Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed roles	Permissions	Descriptions
`fixed:roles:reader`	`roles:read` `roles:list` `users.roles:list` `users.permissions:list` `roles.builtin:list`	Read all access control roles, roles and permissions assigned to users and built-in role assignments.
`fixed:roles:writer`	All permissions from `fixed:roles:reader` and `roles:write` `roles:delete` `users.roles:add` `users.roles:remove` `roles.builtin:add` `roles.builtin:remove`	Create, read, update, or delete all roles, assign or unassign roles to users and built-in role assignments.
`fixed:reports:reader`	`reports:read` `reports:send` `reports.settings:read`	Read all reports and shared report settings.
`fixed:reports:writer`	All permissions from `fixed:reports:reader` and `reports.admin:write` `reports:delete` `reports.settings:write`	Create, read, update, or delete all reports and shared report settings.
`fixed:users:reader`	`users:read` `users.quotas:list` `users.authtoken:list` `users.teams:read`	Read all users and their information, such as team memberships, authentication tokens, and quotas.
`fixed:users:writer`	All permissions from `fixed:users:reader` and `users:write` `users:create` `users:delete` `users:enable` `users:disable` `users.password:update` `users.permissions:update` `users:logout` `users.authtoken:update` `users.quotas:update`	Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.
`fixed:org.users:reader`	`org.users:read`	Read users within a single organization.
`fixed:org.users:writer`	All permissions from `fixed:org.users:reader` and `org.users:add` `org.users:remove` `org.users.role:update`	Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
`fixed:ldap:reader`	`ldap.user:read` `ldap.status:read`	Read the LDAP configuration and LDAP status information.
`fixed:ldap:writer`	All permissions from `fixed:ldap:reader` and `ldap.user:sync` `ldap.config:reload`	Read and update the LDAP configuration, and read LDAP status information.
`fixed:stats:reader`	`server.stats:read`	Read Grafana instance statistics.
`fixed:settings:reader`	`settings:read`	Read Grafana instance settings.
`fixed:settings:writer`	All permissions from `fixed:settings:reader` and `settings:write`	Read and update Grafana instance settings.
`fixed:datasources:explorer`	`datasources:explore`	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
`fixed:datasources:reader`	`datasources:read` `datasources:query`	Read and query data sources.
`fixed:datasources:writer`	All permissions from `fixed:datasources:reader` and `datasources:create` `datasources:write` `datasources:delete`	Read, query, create, delete, or update a data source.
`fixed:datasources:id:reader`	`datasources.id:read`	Read the ID of a data source based on its name.
`fixed:datasources.permissions:reader`	`datasources.permissions:read`	Read data source permissions.
`fixed:datasources.permissions:writer`	All permissions from `fixed:datasources.permissions:reader` and `datasources.permissions:write`	Create, read, or delete permissions of a data source.
`fixed:licensing:reader`	`licensing:read` `licensing.reports:read`	Read licensing information and licensing reports.
`fixed:licensing:writer`	All permissions from `fixed:licensing:viewer` and `licensing:update` `licensing:delete`	Read licensing information and licensing reports, update and delete the license token.
`fixed:provisioning:writer`	`provisioning:reload`	Reload provisioning.
`fixed:organization:reader`	`orgs:read` `orgs.quotas:read`	Read an organization and its quotas.
`fixed:organization:writer`	All permissions from `fixed:organization:reader` and `orgs:write` `orgs.preferences:read` `orgs.preferences:write`	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
`fixed:organization:maintainer`	All permissions from `fixed:organization:reader` and `orgs:write` `orgs:create` `orgs:delete` `orgs.quotas:write`	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
`fixed:teams:creator` `	`teams:create` `org.users:read`	Create a team and list organization users (required to manage the created team).
`fixed:teams:writer`	`teams:create` `teams:delete` `teams:read` `teams:write` `teams.permissions:read` `teams.permissions:write`	Create, read, update and delete teams and manage team memberships.

Default built-in role assignments

Built-in role	Associated role	Description
Grafana Admin	`fixed:roles:reader` `fixed:roles:writer` `fixed:users:reader` `fixed:users:writer` `fixed:org.users:reader` `fixed:org.users:writer` `fixed:ldap:reader` `fixed:ldap:writer` `fixed:stats:reader` `fixed:settings:reader` `fixed:settings:writer` `fixed:provisioning:writer` `fixed:organization:reader` `fixed:organization:maintainer` `fixed:licensing:reader` `fixed:licensing:writer`	Default Grafana server administrator assignments.
Admin	`fixed:reports:reader` `fixed:reports:writer` `fixed:datasources:reader` `fixed:datasources:writer` `fixed:organization:writer` `fixed:datasources.permissions:reader` `fixed:datasources.permissions:writer` `fixed:teams:writer`	Default Grafana organization administrator assignments.
Editor	`fixed:datasources:explorer` and `fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled	Default Editor assignments.
Viewer	`fixed:datasources:id:reader` `fixed:organization:reader`	Default Viewer assignments.