Permissions

A permission is an action and a scope. When creating a fine-grained access control, consider what specific action a user should be allowed to perform, and on what resources (its scope).

To grant permissions to a user, you create a built-in role assignment to map a role to a built-in role. A built-in role assignment modifies to one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.

To learn more about which permissions are used for which resources, refer to Resources with fine-grained permissions.

action

The specific action on a resource defines what a user is allowed to perform if they have permission with the relevant action assigned to it.

scope

The scope describes where an action can be performed, such as reading a specific user profile. In such case, a permission is associated with the scope users:<userId> to the relevant role.

Action definitions

The following list contains fine-grained access control actions.

ActionApplicable scopeDescription
roles:listroles:List available roles without permissions.
roles:readroles:
roles:uid:
Read a specific role with its permissions.
roles:writepermissions:delegateCreate or update a custom role.
roles:deletepermissions:delegateDelete a custom role.
roles.builtin:listroles:List built-in role assignments.
roles.builtin:addpermissions:delegateCreate a built-in role assignment.
roles.builtin:removepermissions:delegateDelete a built-in role assignment.
reports.admin:createn/aCreate reports.
reports.admin:writereports:
reports:id:
Update reports.
reports:deletereports:
reports:id:
Delete reports.
reports:readreports:List all available reports or get a specific report.
reports:sendreports:Send a report email.
reports.settings:writen/aUpdate report settings.
reports.settings:readn/aRead report settings.
provisioning:reloadprovisioners:Reload provisioning files. To find the exact scope for specific provisioner, see Scope definitions.
teams.roles:listteams:List roles assigned directly to a team.
teams.roles:addpermissions:delegateAssign a role to a team.
teams.roles:removepermissions:delegateUnassign a role from a team.
users:readglobal.users:Read or search user profiles.
users:writeglobal.users:
global.users:id:
Update a user’s profile.
users.teams:readglobal.users:
global.users:id:
Read a user’s teams.
users.authtoken:listglobal.users:
global.users:id:
List authentication tokens that are assigned to a user.
users.authtoken:updateglobal.users:
global.users:id:
Update authentication tokens that are assigned to a user.
users.password:updateglobal.users:
global.users:id:
Update a user’s password.
users:deleteglobal.users:
global.users:id:
Delete a user.
users:createn/aCreate a user.
users:enablegloba.users:
global.users:id:
Enable a user.
users:disableglobal.users:
global.users:id:
Disable a user.
users.permissions:updateglobal.users:
global.users:id:
Update a user’s organization-level permissions.
users:logoutglobal.users:
global.users:id:
Sign out a user.
users.quotas:listglobal.users:
global.users:id:
List a user’s quotas.
users.quotas:updateglobal.users:
global.users:id:
Update a user’s quotas.
users.roles:listusers:List roles assigned directly to a user.
users.roles:addpermissions:delegateAssign a role to a user.
users.roles:removepermissions:delegateUnassign a role from a user.
users.permissions:listusers:List permissions of a user.
org.users:readusers:
users:id:
Get user profiles within an organization.
org.users:addusers:Add a user to an organization.
org.users:removeusers:
users:id:
Remove a user from an organization.
org.users.role:updateusers:
users:id:
Update the organization role (Viewer, Editor, or Admin) of an organization.
orgs:readorgs:
orgs:id:
Read one or more organizations.
orgs:writeorgs:
orgs:id:
Update one or more organizations.
org:createn/aCreate an organization.
orgs:deleteorgs:
orgs:id:
Delete one or more organizations.
orgs.quotas:readorgs:
orgs:id:
Read organization quotas.
orgs.quotas:writeorgs:
orgs:id:
Update organization quotas.
orgs.preferences:readorgs:
orgs:id:
Read organization preferences.
orgs.preferences:writeorgs:
orgs:id:
Update organization preferences.
ldap.user:readn/aRead users via LDAP.
ldap.user:syncn/aSync users via LDAP.
ldap.status:readn/aVerify the availability of the LDAP server or servers.
ldap.config:reloadn/aReload the LDAP configuration.
status:accesscontrolservices:accesscontrolGet access-control enabled status.
settings:readsettings:
settings:auth.saml:

settings:auth.saml:enabled (property level)
Read the Grafana configuration settings
settings:writesettings:
settings:auth.saml:

settings:auth.saml:enabled (property level)
Update any Grafana configuration settings that can be updated at runtime.
server.stats:readn/aRead Grafana instance statistics.
datasources:exploren/aEnable access to the Explore tab.
datasources:readn/a
datasources:
datasources:id:

datasources:uid:
datasources:name:
List data sources.
datasources:queryn/a
datasources:
datasources:id:
Query data sources.
datasources.id:readdatasources:
datasources:name:
Read data source IDs.
datasources:createn/aCreate data sources.
datasources:writedatasources:
datasources:id:
Update data sources.
datasources:deletedatasources:id:
datasources:uid:

datasources:name:
Delete data sources.
datasources.permissions:readdatasources:
datasources:id:
List data source permissions.
datasources.permissions:writedatasources:
datasources:id:
Update data source permissions.
licensing:readn/aRead licensing information.
licensing:updaten/aUpdate the license token.
licensing:deleten/aDelete the license token.
licensing.reports:readn/aGet custom permission reports.
teams:createn/aCreate teams.
teams:readteams:
teams:id:
Read one or more teams and team preferences.
teams:writeteams:
teams:id:
Update one or more teams and team preferences.
teams:deleteteams:
teams:id:
Delete one or more teams.
teams.permissions:readteams:
teams:id:
Read members and External Group Synchronization setup for teams.
teams.permissions:writeteams:
teams:id:
Add, remove and update members and manage External Group Synchronization setup for teams.
dashboards:readdashboards:
dashboards:id:
folders:

folders:id:
Read one or more dashboards.
dashboards:createfolders:
folders:id:
Create dashboards in one or more folders.
dashboards:writedashboards:
dashboards:id:
folders:

folders:id:
Update one or more dashboards.
dashboards:editdashboards:
dashboards:id:
folders:

folders:id:
Edit one or more dashboards (only in ui).
dashboards:deletedashboards:
dashboards:id:
folders:

folders:id:
Delete one or more dashboards.
dashboards.permissions:readdashboards:
dashboards:id:
folders:

folders:id:
Read permissions for one or more dashboards.
dashboards.permissions:writedashboards:
dashboards:id:
folders:

folders:id:
Update permissions for one or more dashboards.
folders:readfolders:
folders:id:
Read one or more folders.
folders:createn/aCreate folders.
folders:writefolders:
folders:id:
Update one or more folders.
folders:deletefolders:
folders:id:
Delete one or more folders.
folers.permissions:readfolders:
folders:id:
Read permissions for one or more folders.
folders.permissions:writefolders:
folders:id:
Update permissions for one or more folders.
annotations.readannotations:
annotations:type:
Read annotations and annotation tags.
annotations.createannotations:
annotations:type:
Create annotations.
annotations.writeannotations:
annotations:type:
Update annotations.
annotations.deleteannotations:
annotations:type:
Delete annotations.
alert.rules:readfolders:
folders:id:
Read Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:createfolders:
folders:id:
Create Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:updatefolders:
folders:id:
Update Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:deletefolders:
folders:id:
Delete Grafana alert rules in a folder. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules.external:readdatasources:
datasources:uid:
Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)
alert.rules.external:writedatasources:
datasources:uid:
Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).
alert.instances:readn/aRead alerts and silences in the current organization.
alert.instances:createn/aCreate silences in the current organization.
alert.instances:updaten/aUpdate and expire silences in the current organization.
alert.instances.external:readdatasources:
datasources:uid:
Read alerts and silences in data sources that support alerting.
alert.instances.external:writedatasources:
datasources:uid:
Manage alerts and silences in data sources that support alerting.
alert.notifications:readn/aRead all templates, contact points, notification policies, and mute timings in the current organization.
alert.notifications:writen/aManage templates, contact points, notification policies, and mute timings in the current organization.
alert.notifications.external:readdatasources:
datasources:uid:
Read templates, contact points, notification policies, and mute timings in data sources that support alerting.
alert.notifications.external:writedatasources:
datasources:uid:*
Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.

Scope definitions

The following list contains fine-grained access control scopes.

ScopesDescriptions
permissions:delegateThe scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.
roles:
roles:uid:
Restrict an action to a set of roles. For example, roles: matches any role and roles:uid:randomuid matches only the role whose UID is randomuid.
reports:
reports:id:
Restrict an action to a set of reports. For example, reports: matches any report and reports:id:1 matches the report whose ID is 1.
services:accesscontrolRestrict an action to target only the fine-grained access control service. You can use this in conjunction with the status:accesscontrol actions.
global.users:
global.users:id:
Restrict an action to a set of global users. For example, global.users: matches any user and global.users:id:1 matches the user whose ID is 1.
teams:
teams:id:
Restrict an action to a set of teams from an organization. For example, teams: matches any team and teams:id:1 matches the team whose ID is 1.
users:
users:id:
Restrict an action to a set of users from an organization. For example, users: matches any user and users:id:1 matches the user whose ID is 1.
orgs:
orgs:id:
Restrict an action to a set of organizations. For example, orgs: matches any organization and orgs:id:1 matches the organization whose ID is 1.
settings:Restrict an action to a subset of settings. For example, settings: matches all settings, settings:auth.saml: matches all SAML settings, and settings:auth.saml:enabled matches the enable property on the SAML settings.
provisioners:Restrict an action to a set of provisioners. For example, provisioners: matches any provisioner, and provisioners:accesscontrol matches the fine-grained access control provisioner.
datasources:
datasources:id:
datasources:uid:

datasources:name:
Restrict an action to a set of data sources. For example, datasources: matches any data source, and datasources:name:postgres matches the data source named postgres.
folders:
folders:id:
Restrict an action to a set of folders. For example, folders: matches any folder, and folders:id:1 matches the folder whose ID is 1.
dashboards:
dashboards:id:
Restrict an action to a set of dashboards. For example, dashboards: matches any dashboard, and dashboards:id:1 matches the dashboard whose ID is 1.
annotations:
annotations:type:
Restrict an action to a set of annotations. For example, annotations:* matches any annotation, annotations:type:dashboard matches annotations associated with dashboards and annotations:type:organization matches organization annotations.