Fine-grained access control references

The reference information that follows complements conceptual information about Roles.

Fine-grained access fixed roles

Fixed rolesPermissionsDescriptions
fixed:roles:readerroles:read
roles:list
teams.roles:list
users.roles:list
users.permissions:list
roles.builtin:list
Read all access control roles, roles and permissions assigned to users, teams and built-in role assignments.
fixed:roles:writerAll permissions from fixed:roles:reader and
roles:write
roles:delete
teams.roles:add
teams.roles:remove
users.roles:add
users.roles:remove
roles.builtin:add
roles.builtin:remove
Create, read, update, or delete all roles, assign or unassign roles to users, teams and built-in role assignments.
fixed:reports:readerreports:read
reports:send
reports.settings:read
Read all reports and shared report settings.
fixed:reports:writerAll permissions from fixed:reports:reader and
reports.admin:write
reports:delete
reports.settings:write
Create, read, update, or delete all reports and shared report settings.
fixed:users:readerusers:read
users.quotas:list
users.authtoken:list
users.teams:read
Read all users and their information, such as team memberships, authentication tokens, and quotas.
fixed:users:writerAll permissions from fixed:users:reader and
users:write
users:create
users:delete
users:enable
users:disable
users.password:update
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update
Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.
fixed:org.users:readerorg.users:readRead users within a single organization.
fixed:org.users:writerAll permissions from fixed:org.users:reader and
org.users:add
org.users:remove
org.users.role:update
Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.
fixed:ldap:readerldap.user:read
ldap.status:read
Read the LDAP configuration and LDAP status information.
fixed:ldap:writerAll permissions from fixed:ldap:reader and
ldap.user:sync
ldap.config:reload
Read and update the LDAP configuration, and read LDAP status information.
fixed:stats:readerserver.stats:readRead Grafana instance statistics.
fixed:settings:readersettings:readRead Grafana instance settings.
fixed:settings:writerAll permissions from fixed:settings:reader and
settings:write
Read and update Grafana instance settings.
fixed:datasources:explorerdatasources:exploreEnable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
fixed:datasources:readerdatasources:read
datasources:query
Read and query data sources.
fixed:datasources:writerAll permissions from fixed:datasources:reader and
datasources:create
datasources:write
datasources:delete
Read, query, create, delete, or update a data source.
fixed:datasources:id:readerdatasources.id:readRead the ID of a data source based on its name.
fixed:datasources.permissions:readerdatasources.permissions:readRead data source permissions.
fixed:datasources.permissions:writerAll permissions from fixed:datasources.permissions:reader and
datasources.permissions:write
Create, read, or delete permissions of a data source.
fixed:licensing:readerlicensing:read
licensing.reports:read
Read licensing information and licensing reports.
fixed:licensing:writerAll permissions from fixed:licensing:viewer and
licensing:update
licensing:delete
Read licensing information and licensing reports, update and delete the license token.
fixed:provisioning:writerprovisioning:reloadReload provisioning.
fixed:organization:readerorgs:read
orgs.quotas:read
Read an organization and its quotas.
fixed:organization:writerAll permissions from fixed:organization:reader and
orgs:write
orgs.preferences:read
orgs.preferences:write
Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
fixed:organization:maintainerAll permissions from fixed:organization:reader and
orgs:write
orgs:create
orgs:delete
orgs.quotas:write
Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
fixed:teams:creatorteams:create
org.users:read
Create a team and list organization users (required to manage the created team).
fixed:teams:writerteams:create
teams:delete
teams:read
teams:write
teams.permissions:read
teams.permissions:write
Create, read, update and delete teams and manage team memberships.
fixed:dashboards:creatordashboards:create
folders:read
Create dashboards.
fixed:dashboards:readerdashboards:readRead all dashboards.
fixed:dashboards:writerAll permissions from fixed:dashboards:reader and
dashboards:write
dashboards:edit
dashboards:delete
dashboards:create
dashboards.permissions:read
dashboards.permissions:write
Read, create, update, and delete all dashboards.
fixed:dashboards.permissions:readerdashboards.permissions:readRead all dashboard permissions.
fixed:dashboards.permissions:writerAll permissions from fixed:dashboards.permissions:reader and
dashboards.permissions:write
Read and update all dashboard permissions.
fixed:folders:creatorfolders:createCreate folders.
fixed:folders:readerfolders:read
dashboards:read
Read all folders and dashboards.
fixed:folders:writerAll permissions from fixed:dashboards:writer and
folders:read
folders:write
folders:create
folders:delete
folders.permissions:read
folders.permissions:write
Read, create, update, and delete all folders and dashboards.
fixed:folders.permissions:readerfolders.permissions:readRead all folder permissions.
fixed:folders.permissions:writerAll permissions from fixed:folders.permissions:reader and
folders.permissions:write
Read and update all folder permissions.
fixed:annotations:readerannotations:readRead all annotations and annotation tags.
fixed:annotations.dashboard:writerannotations:write
annotations.create
annotations:delete for scope annotations:type:dashboard
Create, update and delete dashboard annotations and annotation tags.
fixed:annotations:writerannotations:write
annotations.create
annotations:delete for scope annotations:type:*
Create, update and delete all annotations and annotation tags.

Alerting roles

If you enable Grafana Alerting, you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

  • Permission to read a folder, for example, the fixed role fixed:folders:reader or action folders:read in the scope of a folder folders:id:
  • Permission to manage alerts. The following table contains information about alerting fixed roles.
  • Permission to query all data sources that the rule uses, for example, the fixed role fixed:datasources:reader or action datasources:query in the scope of datasources:uid:.

For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.

Fixed rolesPermissionsDescriptions
fixed:alerting.rules:readeralert.rule:read for scope folders:
alert.rules.external:read for scope datasources:
Read all Grafana, Mimir, and Loki alert rules
fixed:alerting.rules:editorAll permissions from fixed:alerting.rules:reader and
alert.rule:create
alert.rule:update
alert.rule:delete for scope folders:
alert.rules.external:write for scope datasources:
Create, update, and delete all Grafana, Mimir, and Loki alert rules.
fixed:alerting.instances:readeralert.instances:read for organization scope
alert.instances.external:read for scope datasources:
Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.
fixed:alerting.instances:editorAll permissions from fixed:alerting.instances:reader and
alert.instances:create
alert.instances:update for organization scope
alert.instances.external:write for scope datasources:
Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.
fixed:alerting.notifications:readeralert.notifications:read for organization scope
alert.notifications.external:read for scope datasources:
Read all Grafana and Alertmanager contact points, templates, and notification policies.
fixed:alerting.notifications:editorAll permissions from fixed:alerting.notifications:reader and
alert.notifications:write for organization scope
alert.notifications.external:read for scope datasources:
Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.
fixed:alerting:readerAll permissions from fixed:alerting.rules:reader
fixed:alerting.instances:reader
fixed:alerting.notifications:reader
Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules, alerts, contact points, and notification policies.
fixed:alerting:editorAll permissions from fixed:alerting.rules:editor
fixed:alerting.instances:editor
fixed:alerting.notifications:editor
Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules, silences, contact points, templates, mute timings, and notification policies.

Default built-in role assignments

Built-in roleAssociated roleDescription
Grafana Adminfixed:roles:reader
fixed:roles:writer
fixed:users:reader
fixed:users:writer
fixed:org.users:reader
fixed:org.users:writer
fixed:ldap:reader
fixed:ldap:writer
fixed:stats:reader
fixed:settings:reader
fixed:settings:writer
fixed:provisioning:writer
fixed:organization:reader
fixed:organization:maintainer
fixed:licensing:reader
fixed:licensing:writer
Default Grafana server administrator assignments.
Adminfixed:reports:reader
fixed:reports:writer
fixed:datasources:reader
fixed:datasources:writer
fixed:organization:writer
fixed:datasources.permissions:reader
fixed:datasources.permissions:writer
fixed:teams:writer
fixed:dashboards:reader
fixed:dashboards:writer
fixed:dashboards.permissions:reader
fixed:dashboards.permissions:writer
fixed:folders:reader
fixes:folders:writer
fixed:folders.permissions:reader
fixed:folders.permissions:writer
fixed:alerting:editor
Default Grafana organization administrator assignments.
Editorfixed:datasources:explorer
fixed:dashboards:creator
fixed:folders:creator
fixed:annotations:writer
fixed:teams:creator if the editors_can_admin configuration flag is enabled
fixed:alerting:editor
Default Editor assignments.
Viewerfixed:datasources:id:reader
fixed:organization:reader
fixed:annotations:reader
fixed:annotations.dashboard:writer
fixed:alerting:reader
Default Viewer assignments.