Fine-grained access control API

Fine-grained access control API is only available in Grafana Enterprise. Read more about Grafana Enterprise.

The API can be used to create, update, get and list roles, and to create or remove built-in role assignments. To use the API, you first need to enable fine-grained access control.

The API does not currently work with an API token, so to call these endpoints you have to authenticate with Basic auth.

Get status

GET /api/access-control/status

Returns an indicator to check if fine-grained access control is enabled or not.

Required permissions

Action                Scope
status:accesscontrol  services:accesscontrol

Example request

  GET /api/access-control/status
  Accept: application/json
  Content-Type: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "enabled": true
  }

Status codes

Code  Description
200   Returned a flag indicating whether fine-grained access control is enabled.
403   Access denied
404   Not found; an indication that fine-grained access control is not available at all.
500   Unexpected error. Refer to body and/or server logs for more details.

Create and manage custom roles

Get all roles

GET /api/access-control/roles

Gets all existing roles. The response contains all global roles and the organization-local roles of the organization the user is signed in to.

Refer to the Role scopes for more information.

Required permissions

Action      Scope
roles:list  roles:*

Example request

  GET /api/access-control/roles
  Accept: application/json
  Content-Type: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  [
    {
      "version": 3,
      "uid": "XvHQJq57z",
      "name": "fixed:reports:reader",
      "displayName": "Report reader",
      "description": "Read all reports and shared report settings.",
      "group": "Reports",
      "updated": "2021-11-19T10:48:00+01:00",
      "created": "2021-11-19T10:48:00+01:00",
      "global": false
    },
    {
      "version": 5,
      "uid": "vi9mlLjGz",
      "name": "fixed:datasources.permissions:writer",
      "description": "Create, read or delete data source permissions.",
      "global": true,
      "updated": "2021-05-13T22:41:49+02:00",
      "created": "2021-05-13T16:24:26+02:00"
    }
  ]

Status codes

Code  Description
200   Global and organization-local roles are returned.
403   Access denied
500   Unexpected error. Refer to body and/or server logs for more details.

Get a role

GET /api/access-control/roles/:uid

Get a role for the given UID.

Required permissions

Action      Scope
roles:read  roles:*

Example request

  GET /api/access-control/roles/PYnDO3rMk
  Accept: application/json
  Content-Type: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "version": 4,
    "uid": "6dNwJq57z",
    "name": "fixed:reports:writer",
    "displayName": "Report writer",
    "description": "Create, read, update, or delete all reports and shared report settings.",
    "group": "Reports",
    "permissions": [
      {
        "action": "reports:delete",
        "scope": "reports:*",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      },
      {
        "action": "reports:read",
        "scope": "reports:*",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      },
      {
        "action": "reports:send",
        "scope": "reports:*",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      },
      {
        "action": "reports.admin:create",
        "scope": "",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      },
      {
        "action": "reports.admin:write",
        "scope": "reports:*",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      },
      {
        "action": "reports.settings:read",
        "scope": "",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      },
      {
        "action": "reports.settings:write",
        "scope": "",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00"
      }
    ],
    "updated": "2021-11-19T10:48:00+01:00",
    "created": "2021-11-19T10:48:00+01:00",
    "global": false
  }

Status codes

Code  Description
200   Role is returned.
403   Access denied.
500   Unexpected error. Refer to body and/or server logs for more details.

Create a new custom role

POST /api/access-control/roles

Creates a new custom role and maps the given permissions to that role. Note that roles with the same prefix as fixed roles can’t be created.

Required permissions

The permissions:delegate scope ensures that a user can only create custom roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot create a custom role that grants them. This prevents escalation of privileges.

Action       Scope
roles:write  permissions:delegate

Example request

  POST /api/access-control/roles
  Accept: application/json
  Content-Type: application/json
  {
    "version": 1,
    "uid": "jZrmlLCGka",
    "name": "custom:delete:roles",
    "displayName": "custom delete roles",
    "description": "My custom role which gives users permissions to delete roles",
    "group": "My Group",
    "global": false,
    "permissions": [
      {
        "action": "roles:delete",
        "scope": "permissions:delegate"
      }
    ]
  }

JSON body schema

Field Name   Data Type   Required   Description
uid          string      No         UID of the role. If not present, the UID is generated for you and returned in the response. Refer to Custom roles for more information.
global       boolean     No         A flag indicating whether the role is global. If set to false, the default org ID of the authenticated user is taken from the request. Refer to Role scopes for more information.
version      number      No         Version of the role. If not present, version 0 is assigned to the role and returned in the response. Refer to Custom roles for more information.
name         string      Yes        Name of the role. Refer to Custom roles for more information.
description  string      No         Description of the role.
displayName  string      No         Display name of the role, visible in the UI.
group        string      No         The group name the role belongs to.
permissions  Permission  No         If not present, the role is created without any permissions.

Permission

Field Name   Data Type   Required   Description
action       string      Yes        Refer to Permissions for the full list of available actions.
scope        string      No         If not present, no scope is mapped to the permission. Refer to Permissions for the full list of available scopes.

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "version": 2,
    "uid": "jZrmlLCGka",
    "name": "custom:delete:create:roles",
    "displayName": "custom delete create roles",
    "description": "My custom role which gives users permissions to delete and create roles",
    "group": "My Group",
    "global": false,
    "permissions": [
      {
        "action": "roles:delete",
        "scope": "permissions:delegate",
        "updated": "2021-05-13T23:19:46+02:00",
        "created": "2021-05-13T23:19:46+02:00"
      }
    ],
    "updated": "2021-05-13T23:20:51.416518+02:00",
    "created": "2021-05-13T23:19:46+02:00"
  }

Status codes

Code  Description
200   Role is updated.
400   Bad request (invalid JSON, missing content-type, missing or invalid fields, etc.).
403   Access denied
500   Unexpected error. Refer to body and/or server logs for more details.

Update a custom role

PUT /api/access-control/roles/:uid

Updates the role with the given UID and its permissions. The operation is idempotent: all permissions of the role are replaced with those in the request. You must increment the version of the role with each update, otherwise the request fails.

Required permissions

The permissions:delegate scope ensures that a user can only update custom roles so that their permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot update a custom role to grant them. This prevents escalation of privileges.

Action       Scope
roles:write  permissions:delegate

Example request

  PUT /api/access-control/roles/jZrmlLCGka
  Accept: application/json
  Content-Type: application/json
  {
    "version": 3,
    "name": "custom:delete:write:roles",
    "displayName": "custom delete write roles",
    "description": "My custom role which gives users permissions to delete and write roles",
    "group": "My Group",
    "global": false,
    "permissions": [
      {
        "action": "roles:delete",
        "scope": "permissions:delegate"
      },
      {
        "action": "roles:write",
        "scope": "permissions:delegate"
      }
    ]
  }

JSON body schema

Field Name   Data Type            Required   Description
version      number               Yes        Version of the role. Must be incremented for the update to work.
name         string               Yes        Name of the role.
description  string               No         Description of the role.
displayName  string               No         Display name of the role, visible in the UI.
group        string               No         The group name the role belongs to.
permissions  List of Permissions  No         The full list of permissions the role should have after the update.

Permission

Field Name   Data Type   Required   Description
action       string      Yes        Refer to Permissions for the full list of available actions.
scope        string      No         If not present, no scope is mapped to the permission. Refer to Permissions for the full list of available scopes.
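The create and update sections above both describe checks a client can run before sending the request: the fixed-role name prefix is rejected, the delegated permissions must be a subset of what the caller holds, and an update must carry an incremented version together with the full replacement permission list. The following is an added example, not Grafana's code, that performs those checks client-side and builds the request bodies shown on this page. The scope-wildcard rule in scope_covers (a scope ending in ":*" covering any scope with the same prefix) and the sample caller permissions are assumptions made here for illustration.

```python
"""Client-side pre-flight for the create/update custom role requests.

Example code added to this page; it is not Grafana's code. Scope-wildcard matching
is an assumption made here for illustration.
"""
from __future__ import annotations

import json
from typing import Iterable

FIXED_ROLE_PREFIX = "fixed:"  # the page states roles with the fixed-role prefix cannot be created


def scope_covers(granted: str, requested: str) -> bool:
    """Does the scope the caller holds cover the requested scope?

    Assumption (not stated on the page): a scope ending in ':*' covers every scope
    sharing the prefix before the '*', and a bare '*' covers everything. An empty
    scope is only covered by an identical empty scope or by '*'.
    """
    if granted == requested or granted == "*":
        return True
    if granted.endswith(":*"):
        return requested.startswith(granted[:-1])  # 'reports:*' covers 'reports:uid:abc'
    return False


def missing_delegation(caller_perms: Iterable[dict], role_perms: Iterable[dict]) -> list[dict]:
    """Permissions in role_perms the caller does not hold; an empty list means the
    request satisfies the permissions:delegate rule (same as, or subset of, the caller's own).

    caller_perms has the shape returned by GET /api/access-control/users/:userId/permissions.
    """
    caller = list(caller_perms)
    return [
        p for p in role_perms
        if not any(c["action"] == p["action"] and scope_covers(c.get("scope", ""), p.get("scope", ""))
                   for c in caller)
    ]


def build_create_role_request(caller_perms, name: str, permissions: list[dict], *,
                              display_name: str | None = None, description: str | None = None,
                              group: str | None = None, global_: bool = False) -> dict:
    """Body for POST /api/access-control/roles after the checks the server would apply."""
    if name.startswith(FIXED_ROLE_PREFIX):
        raise ValueError(f"custom roles cannot use the {FIXED_ROLE_PREFIX!r} prefix: {name}")
    missing = missing_delegation(caller_perms, permissions)
    if missing:
        raise PermissionError(f"caller does not hold the permissions being delegated: {missing}")
    body = {"name": name, "global": global_,
            "permissions": [{"action": p["action"], "scope": p.get("scope", "")} for p in permissions]}
    for key, value in (("displayName", display_name), ("description", description), ("group", group)):
        if value is not None:
            body[key] = value
    return {"method": "POST", "path": "/api/access-control/roles", "body": body}


def build_update_role_request(caller_perms, current_role: dict, permissions: list[dict]) -> dict:
    """Body for PUT /api/access-control/roles/:uid built from the role as last fetched.

    The version is incremented (the page says the request fails otherwise) and the
    permission list is sent in full, because the server replaces it rather than merging.
    """
    missing = missing_delegation(caller_perms, permissions)
    if missing:
        raise PermissionError(f"caller does not hold the permissions being delegated: {missing}")
    body = {k: current_role[k] for k in ("name", "displayName", "description", "group", "global")
            if k in current_role}
    body["version"] = current_role["version"] + 1
    body["permissions"] = [{"action": p["action"], "scope": p.get("scope", "")} for p in permissions]
    return {"method": "PUT", "path": f"/api/access-control/roles/{current_role['uid']}", "body": body}


# Constructed sample: what GET /api/access-control/users/1/permissions might return for the caller.
CALLER_PERMS = [
    {"action": "roles:delete", "scope": "permissions:delegate"},
    {"action": "roles:write", "scope": "permissions:delegate"},
    {"action": "reports:read", "scope": "reports:*"},
]

if __name__ == "__main__":
    req = build_create_role_request(CALLER_PERMS, "custom:delete:roles",
                                    [{"action": "roles:delete", "scope": "permissions:delegate"}],
                                    display_name="custom delete roles", group="My Group")
    print(json.dumps(req, indent=2))
    fetched = {"uid": "jZrmlLCGka", "version": 2, "name": "custom:delete:roles", "global": False}
    upd = build_update_role_request(CALLER_PERMS, fetched,
                                    [{"action": "roles:delete", "scope": "permissions:delegate"},
                                     {"action": "roles:write", "scope": "permissions:delegate"}])
    print(json.dumps(upd, indent=2))
```

The server still enforces permissions:delegate itself; the client-side check only turns a 403 into a readable message before the call, and the version handling avoids the failed-update case when two operators edit the same role. Fetch the role again (GET /api/access-control/roles/:uid) before each update so the incremented version is based on the current one.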

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "version": 3,
    "uid": "jZrmlLCGka",
    "name": "custom:delete:write:roles",
    "displayName": "custom delete write roles",
    "description": "My custom role which gives users permissions to delete and write roles",
    "group": "My Group",
    "permissions": [
      {
        "action": "roles:delete",
        "scope": "permissions:delegate",
        "updated": "2021-08-06T18:27:40+02:00",
        "created": "2021-08-06T18:27:40+02:00"
      },
      {
        "action": "roles:write",
        "scope": "permissions:delegate",
        "updated": "2021-08-06T18:27:41+02:00",
        "created": "2021-08-06T18:27:41+02:00"
      }
    ],
    "updated": "2021-08-06T18:27:41+02:00",
    "created": "2021-08-06T18:27:40+02:00",
    "global": false
  }

Status codes

Code  Description
200   Role is updated.
400   Bad request (invalid JSON, missing content-type, missing or invalid fields, etc.).
403   Access denied
404   Role was not found to update.
500   Unexpected error. Refer to body and/or server logs for more details.

Delete a custom role

DELETE /api/access-control/roles/:uid?force=false

Deletes the role with the given UID and its permissions. If the role is assigned to a built-in role, the deletion fails unless the force query parameter is set to true, in which case all assignments are deleted as well.

Required permissions

The permissions:delegate scope ensures that a user can only delete custom roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot delete a custom role that grants them.

Action        Scope
roles:delete  permissions:delegate

Example request

  DELETE /api/access-control/roles/jZrmlLCGka?force=true&global=false
  Accept: application/json

Query parameters

Param   Type     Required   Description
force   boolean  No         When set to true, the role is deleted together with all its assignments.
global  boolean  No         A flag indicating whether the role is global. If set to false, the default org ID of the authenticated user is taken from the request. Refer to Role scopes for more information.

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "message": "Role deleted"
  }

Status codes

Code  Description
200   Role is deleted.
400   Bad request (invalid JSON, missing content-type, missing or invalid fields, etc.).
403   Access denied
500   Unexpected error. Refer to body and/or server logs for more details.

Create and remove user role assignments

List roles assigned to a user

GET /api/access-control/users/:userId/roles

Lists the roles that have been directly assigned to a given user. The list does not include built-in roles (Viewer, Editor, Admin or Grafana Admin), and it does not include roles that have been inherited from a team.

Required permissions

Action            Scope
users.roles:list  users:id:<user ID>

Example request

  GET /api/access-control/users/1/roles
  Accept: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  [
    {
      "version": 4,
      "uid": "6dNwJq57z",
      "name": "fixed:reports:writer",
      "displayName": "Report writer",
      "description": "Create, read, update, or delete all reports and shared report settings.",
      "group": "Reports",
      "updated": "2021-11-19T10:48:00+01:00",
      "created": "2021-11-19T10:48:00+01:00",
      "global": false
    }
  ]

Status codes

Code  Description
200   Set of assigned roles is returned.
403   Access denied.
500   Unexpected error. Refer to body and/or server logs for more details.

List permissions assigned to a user

GET /api/access-control/users/:userId/permissions

Lists the permissions that a given user has.

Required permissions

Action                  Scope
users.permissions:list  users:id:<user ID>

Example request

  GET /api/access-control/users/1/permissions
  Accept: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  [
    {
      "action": "ldap.status:read",
      "scope": ""
    },
    {
      "action": "ldap.user:read",
      "scope": ""
    }
  ]

Status codes

Code  Description
200   Set of assigned permissions is returned.
403   Access denied.
500   Unexpected error. Refer to body and/or server logs for more details.

Add a user role assignment

POST /api/access-control/users/:userId/roles

Assign a role to a specific user.

For bulk updates consider Set user role assignments.

Required permissions

The permissions:delegate scope ensures that a user can only assign roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot assign a role that grants them. This prevents escalation of privileges.

Action           Scope
users.roles:add  permissions:delegate

Example request

  POST /api/access-control/users/1/roles
  Accept: application/json
  Content-Type: application/json
  {
    "global": false,
    "roleUid": "XvHQJq57z"
  }

JSON body schema

Field Name   Data Type   Required   Description
roleUid      string      Yes        UID of the role.
global       boolean     No         A flag indicating whether the assignment is global. If set to false, the default org ID of the authenticated user is taken from the request to create an organization-local assignment.

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "message": "Role added to the user."
  }

Status codes

Code  Description
200   Role is assigned to a user.
403   Access denied.
404   Role not found.
500   Unexpected error. Refer to body and/or server logs for more details.

Remove a user role assignment

DELETE /api/access-control/users/:userId/roles/:roleUID

Revoke a role from a user.

For bulk updates consider Set user role assignments.

Required permissions

The permissions:delegate scope ensures that a user can only unassign roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot unassign a role that grants them. This prevents escalation of privileges.

Action              Scope
users.roles:remove  permissions:delegate

Query parameters

Param   Type     Required   Description
global  boolean  No         A flag indicating whether the assignment is global. If set to false, the default org ID of the authenticated user is taken from the request to remove the assignment.

Example request

  DELETE /api/access-control/users/1/roles/AFUXBHKnk
  Accept: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "message": "Role removed from user."
  }

Status codes

Code  Description
200   Role is unassigned.
403   Access denied.
500   Unexpected error. Refer to body and/or server logs for more details.

Set user role assignments

PUT /api/access-control/users/:userId/roles

Updates the user’s role assignments to match the provided set of UIDs. Any assigned roles that are not in the request are removed, and roles that are in the set but not yet assigned to the user are added.

If you want to add or remove a single role, consider using Add a user role assignment or Remove a user role assignment instead.

Required permissions

The permissions:delegate scope ensures that a user can only assign or unassign roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot assign or unassign a role that grants them. This prevents escalation of privileges.

Action              Scope
users.roles:add     permissions:delegate
users.roles:remove  permissions:delegate

Example request

  PUT /api/access-control/users/1/roles
  Accept: application/json
  Content-Type: application/json
  {
    "global": false,
    "roleUids": [
      "ZiHQJq5nk",
      "GzNQ1357k"
    ]
  }

JSON body schema

Field Name   Data Type   Required   Description
global       boolean     No         A flag indicating whether the assignment is global. If set to false, the default org ID of the authenticated user is taken from the request.
roleUids     list        Yes        List of role UIDs.
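Because PUT replaces the whole set of direct assignments, it helps to compute the difference against the current listing before sending it; the same difference also yields the equivalent sequence of single add/remove calls from the two preceding sections. The following is an added example, not Grafana's code, that reads the listing response shape shown above, plans the change, and builds either the bulk PUT or the per-role POST/DELETE requests. The guard against an empty roleUids list and the constructed listing sample are this example's own.

```python
"""Plan a bulk change to a user's direct role assignments.

Example code added to this page, not Grafana's code. The request bodies match the
JSON shown on the page; the plan/diff logic and the empty-set guard are this example's.
"""
from __future__ import annotations


def assigned_role_uids(list_roles_response: list[dict]) -> set[str]:
    """UIDs from GET /api/access-control/users/:userId/roles (directly assigned roles only;
    built-in roles and roles inherited from teams are not in that listing)."""
    return {role["uid"] for role in list_roles_response}


def plan_set_roles(current_uids, desired_uids) -> dict:
    """What PUT /api/access-control/users/:userId/roles would do: roles not in the
    request are removed, roles in the request but not yet assigned are added."""
    current, desired = set(current_uids), set(desired_uids)
    return {"add": sorted(desired - current),
            "remove": sorted(current - desired),
            "keep": sorted(current & desired)}


def build_role_requests(user_id: int, current_uids, desired_uids, *,
                        global_: bool = False, bulk: bool = True,
                        allow_empty: bool = False) -> list[dict]:
    """Requests producing the desired set: one PUT (bulk) or per-role POST/DELETE calls.

    Guard: PUT replaces the whole set, so an empty roleUids list silently revokes every
    direct assignment; require allow_empty=True to send that on purpose.
    """
    desired = sorted(set(desired_uids))
    if not desired and not allow_empty:
        raise ValueError("refusing to PUT an empty roleUids list: it would revoke all direct assignments")
    base = f"/api/access-control/users/{user_id}/roles"
    if bulk:
        return [{"method": "PUT", "path": base, "body": {"global": global_, "roleUids": desired}}]
    plan = plan_set_roles(current_uids, desired)
    flag = str(global_).lower()
    requests = [{"method": "DELETE", "path": f"{base}/{uid}?global={flag}"} for uid in plan["remove"]]
    requests += [{"method": "POST", "path": base, "body": {"global": global_, "roleUid": uid}}
                 for uid in plan["add"]]
    return requests


# Constructed sample: a listing response for user 1 carrying the role shown on the page.
LISTING = [{"version": 4, "uid": "6dNwJq57z", "name": "fixed:reports:writer", "global": False}]

if __name__ == "__main__":
    current = assigned_role_uids(LISTING)
    print(plan_set_roles(current, ["ZiHQJq5nk", "GzNQ1357k"]))
    for req in build_role_requests(1, current, ["ZiHQJq5nk", "GzNQ1357k"], bulk=False):
        print(req)
```

Reviewing the plan output before the call is the point: the "remove" list is exactly what the user loses, which is what an approver wants to see for a bulk change, and the per-role mode keeps the same net effect when a partial failure must leave an auditable trail of single operations.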

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "message": "User roles have been updated."
  }

Status codes

Code  Description
200   Roles have been assigned.
403   Access denied.
404   Role not found.
500   Unexpected error. Refer to body and/or server logs for more details.

Create and remove built-in role assignments

These endpoints let you create or remove built-in role assignments and list the current assignments.

Get all built-in role assignments

GET /api/access-control/builtin-roles

Gets all built-in role assignments.

Required permissions

Action              Scope
roles.builtin:list  roles:*

Example request

  GET /api/access-control/builtin-roles
  Accept: application/json
  Content-Type: application/json

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "Admin": [
      {
        "version": 1,
        "uid": "qQui_LCMk",
        "name": "fixed:users:writer",
        "displayName": "User writer",
        "description": "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users",
        "global": true,
        "updated": "2021-05-13T16:24:26+02:00",
        "created": "2021-05-13T16:24:26+02:00"
      },
      {
        "version": 1,
        "uid": "PeXmlYjMk",
        "name": "fixed:users:reader",
        "displayName": "User reader",
        "description": "Allows every read action for user organizations and in addition allows to administer user organizations",
        "global": true,
        "updated": "2021-05-13T16:24:26+02:00",
        "created": "2021-05-13T16:24:26+02:00"
      }
    ],
    "Grafana Admin": [
      {
        "version": 1,
        "uid": "qQui_LCMk",
        "name": "fixed:users:writer",
        "displayName": "User writer",
        "description": "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users",
        "global": true,
        "updated": "2021-05-13T16:24:26+02:00",
        "created": "2021-05-13T16:24:26+02:00"
      }
    ]
  }

Status codes

Code  Description
200   Built-in role assignments are returned.
403   Access denied
500   Unexpected error. Refer to body and/or server logs for more details.

Create a built-in role assignment

POST /api/access-control/builtin-roles

Creates a new built-in role assignment.

Required permissions

The permissions:delegate scope ensures that a user can only create built-in role assignments for roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot create a built-in role assignment that grants them. This prevents escalation of privileges.

Action             Scope
roles.builtin:add  permissions:delegate

Example request

  POST /api/access-control/builtin-roles
  Accept: application/json
  Content-Type: application/json
  {
    "roleUid": "LPMGN99Mk",
    "builtinRole": "Grafana Admin",
    "global": false
  }

JSON body schema

Field Name   Data Type   Required   Description
roleUid      string      Yes        UID of the role.
builtinRole  boolean     Yes        Can be one of Viewer, Editor, Admin or Grafana Admin.
global       boolean     No         A flag indicating whether the assignment is global. If set to false, the default org ID of the authenticated user is taken from the request to create an organization-local assignment. Refer to Built-in role assignments for more information.

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "message": "Built-in role grant added"
  }

Status codes

Code  Description
200   Role was assigned to built-in role.
400   Bad request (invalid JSON, missing content-type, missing or invalid fields, etc.).
403   Access denied
404   Role not found
500   Unexpected error. Refer to body and/or server logs for more details.

Remove a built-in role assignment

DELETE /api/access-control/builtin-roles/:builtinRole/roles/:roleUID

Deletes the assignment of the role with the given UID to a built-in role (one of Viewer, Editor, Admin, or Grafana Admin).

Required permissions

The permissions:delegate scope ensures that a user can only remove built-in role assignments for roles whose permissions are the same as, or a subset of, the permissions the user already holds. For example, a user who lacks the permissions required to create users cannot remove a built-in role assignment that grants them.

Action                Scope
roles.builtin:remove  permissions:delegate

Example request

  DELETE /api/access-control/builtin-roles/Grafana%20Admin/roles/LPMGN99Mk?global=false
  Accept: application/json

Query parameters

Param   Type     Required   Description
global  boolean  No         A flag indicating whether the assignment is global. If set to false, the default org ID of the authenticated user is taken from the request to remove the assignment. Refer to Built-in role assignments for more information.
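Three sections of this page fit together: deleting a custom role fails when it is still assigned to a built-in role unless force=true, the built-in role listing shows exactly which assignments those are, and the remove-assignment endpoint takes the built-in role name as a path segment (Grafana Admin appears percent-encoded in the example above). The following is an added example, not Grafana's code, that reads the listing response shape shown on this page to decide whether a role deletion needs force, and builds the delete and remove-assignment request paths. The constructed listing sample and the refuse-without-force behaviour are this example's own.

```python
"""Delete a custom role safely: find its built-in role assignments first.

Example code added to this page, not Grafana's code. Request paths match the page;
the lookup and the force decision are this example's.
"""
from __future__ import annotations

from urllib.parse import quote, urlencode


def builtin_roles_using(role_uid: str, builtin_roles_response: dict[str, list[dict]]) -> list[str]:
    """Built-in roles (Viewer, Editor, Admin, Grafana Admin) to which role_uid is assigned,
    read from the GET /api/access-control/builtin-roles response (built-in role -> roles)."""
    return sorted(name for name, roles in builtin_roles_response.items()
                  if any(role.get("uid") == role_uid for role in roles))


def build_delete_role_request(role_uid: str, builtin_roles_response: dict, *,
                              force: bool = False, global_: bool = False) -> dict:
    """DELETE /api/access-control/roles/:uid with the force/global query parameters.

    Without force, the page says deletion fails when the role is assigned to a built-in
    role, so refuse up front and report which assignments would block it.
    """
    holders = builtin_roles_using(role_uid, builtin_roles_response)
    if holders and not force:
        raise RuntimeError(f"role {role_uid} is assigned to built-in role(s) {holders}; "
                           "pass force=True to delete the role and those assignments")
    query = urlencode({"force": str(force).lower(), "global": str(global_).lower()})
    return {"method": "DELETE",
            "path": f"/api/access-control/roles/{role_uid}?{query}",
            "assignments_removed": holders}  # non-empty only when force=True


def build_remove_builtin_assignment(builtin_role: str, role_uid: str, *, global_: bool = False) -> dict:
    """DELETE /api/access-control/builtin-roles/:builtinRole/roles/:roleUID; the built-in
    role name is a path segment, so 'Grafana Admin' must be percent-encoded."""
    return {"method": "DELETE",
            "path": f"/api/access-control/builtin-roles/{quote(builtin_role)}/roles/{role_uid}"
                    f"?global={str(global_).lower()}"}


# Constructed sample in the shape of the listing response on the page (payload trimmed);
# LPMGN99Mk is the role UID used in the page's built-in assignment examples.
BUILTIN_LISTING = {
    "Viewer": [],
    "Admin": [{"version": 1, "uid": "qQui_LCMk", "name": "fixed:users:writer", "global": True}],
    "Grafana Admin": [{"version": 1, "uid": "qQui_LCMk", "name": "fixed:users:writer", "global": True},
                      {"version": 1, "uid": "LPMGN99Mk", "name": "custom:example", "global": False}],
}

if __name__ == "__main__":
    print(builtin_roles_using("LPMGN99Mk", BUILTIN_LISTING))
    print(build_delete_role_request("LPMGN99Mk", BUILTIN_LISTING, force=True))
    print(build_remove_builtin_assignment("Grafana Admin", "LPMGN99Mk"))
```

The assignments_removed field is what to record before a forced delete: with force=true the server drops the assignments silently, so the only place the pre-deletion state survives is whatever the caller logged. When the intent is to detach a role from one built-in role rather than delete it, the remove-assignment request is the narrower operation.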

Example response

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=UTF-8
  {
    "message": "Built-in role grant removed"
  }

Status codes

Code  Description
200   Role was unassigned from built-in role.
400   Bad request (invalid JSON, missing content-type, missing or invalid fields, etc.).
403   Access denied
404   Role not found.
500   Unexpected error. Refer to body and/or server logs for more details.