Menu
Grafana Cloud

RBAC permissions, actions, and scopes

Note

Available in Grafana Enterprise and Grafana Cloud.

A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resources on which they can perform those actions.

To learn more about the Grafana resources to which you can apply RBAC, refer to Resources with RBAC permissions.

  • Action: An action describes what tasks a user can perform on a resource.
  • Scope: A scope describes where an action can be performed, such as reading a specific user profile. In this example, a permission is associated with the scope users:<userId> to the relevant role.

Action definitions

The following list contains role-based access control actions.

ActionApplicable scopesDescription
alert.instances.external:read
  • datasources:*
  • datasources:uid:*
Read alerts and silences in data sources that support alerting.
alert.instances.external:write
  • datasources:*
  • datasources:uid:*
Manage alerts and silences in data sources that support alerting.
alert.instances:createNoneCreate silences in the current organization.
alert.instances:readNoneRead alerts and silences in the current organization.
alert.instances:writeNoneUpdate and expire silences in the current organization.
alert.notifications.external:read
  • datasources:*
  • datasources:uid:*
Read templates, contact points, notification policies, and mute timings in data sources that support alerting.
alert.notifications.external:write
  • datasources:*
  • datasources:uid:*
Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.
alert.notifications:writeNoneManage templates, contact points, notification policies, and mute timings in the current organization.
alert.notifications:readNoneRead all templates, contact points, notification policies, and mute timings in the current organization.
alert.rules.external:read
  • datasources:*
  • datasources:uid:*
Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)
alert.rules.external:write
  • datasources:*
  • datasources:uid:*
Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).
alert.rules:create
  • folders:*
  • folders:uid:*
Create Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:delete
  • folders:*
  • folders:uid:*
Delete Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:read
  • folders:*
  • folders:uid:*
Read Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.rules:write
  • folders:*
  • folders:uid:*
Update Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query.
alert.silences:create
  • folders:*
  • folders:uid:*
Create rule-specific silences in a folder and its subfolders.
alert.silences:read
  • folders:*
  • folders:uid:*
Read all general silences and rule-specific silences in a folder and its subfolders.
alert.silences:write
  • folders:*
  • folders:uid:*
Update and expire rule-specific silences in a folder and its subfolders.
alert.provisioning:readNoneRead all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required.
alert.provisioning.secrets:readNoneSame as alert.provisioning:read plus ability to export resources with decrypted secrets.
alert.provisioning:writeNoneUpdate all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required.
alert.provisioning.provenance:writeNoneSet provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources
annotations:create
  • annotations:*
  • annotations:type:*
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Create annotations.
annotations:delete
  • annotations:*
  • annotations:type:*
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Delete annotations.
annotations:read
  • annotations:*
  • annotations:type:*
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Read annotations and annotation tags.
annotations:write
  • annotations:*
  • annotations:type:*
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Update annotations.
apikeys:read
  • apikeys:*
  • apikeys:id:*
Read API keys.
apikeys:delete
  • apikeys:*
  • apikeys:id:*
Delete API keys.
banners:writeNoneCreate announcement banners.
dashboards:create
  • folders:*
  • folders:uid:*
Create dashboards in one or more folders and their subfolders.
dashboards:delete
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Delete one or more dashboards.
dashboards.insights:readNoneRead dashboard insights data and see presence indicators.
dashboards.permissions:read
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Read permissions for one or more dashboards.
dashboards.permissions:write
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Update permissions for one or more dashboards.
dashboards:read
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Read one or more dashboards.
dashboards:write
  • dashboards:*
  • dashboards:uid:*
  • folders:*
  • folders:uid:*
Update one or more dashboards.
dashboards.public:write
  • dashboards:*
  • dashboards:uid:*
Write shared dashboard configuration.
datasources.caching:read
  • datasources:*
  • datasources:uid:*
Read data source query caching settings.
datasources.caching:write
  • datasources:*
  • datasources:uid:*
Update data source query caching settings.
datasources:createNoneCreate data sources.
datasources:delete
  • datasources:*
  • datasources:uid:*
Delete data sources.
datasources:exploreNoneEnable access to the Explore tab.
datasources.id:read
  • datasources:*
  • datasources:uid:*
Read data source IDs.
datasources.insights:readNoneRead data sources insights data.
datasources.permissions:read
  • datasources:*
  • datasources:uid:*
List data source permissions.
datasources.permissions:write
  • datasources:*
  • datasources:uid:*
Update data source permissions.
datasources:query
  • datasources:*
  • datasources:uid:*
Query data sources.
datasources:read
  • datasources:*
  • datasources:uid:*
List data sources.
datasources:write
  • datasources:*
  • datasources:uid:*
Update data sources.
featuremgmt.readNoneRead feature toggles.
featuremgmt.writeNoneWrite feature toggles.
folders.permissions:read
  • folders:*
  • folders:uid:*
Read permissions for one or more folders and their subfolders.
folders.permissions:write
  • folders:*
  • folders:uid:*
Update permissions for one or more folders and their subfolders.
folders:create
  • folders:*
  • folders:uid:*
  • folders:uid:general
Create folders or subfolders. If granted with scope folders:uid:general, it allows to create root level folders. Otherwise, it allows creating subfolders under the specified folders.
folders:delete
  • folders:*
  • folders:uid:*
Delete one or more folders and their subfolders.
folders:read
  • folders:*
  • folders:uid:*
Read one or more folders and their subfolders.
folders:write
  • folders:*
  • folders:uid:*
Update one or more folders and their subfolders.
groupsync.mappings:readNoneList group attribute sync mappings. To use this permission, enable the groupAttributeSync feature toggle.
groupsync.mappings:writeNoneList, create, update, and delete group attribute sync mappings. To use this permission, enable the groupAttributeSync feature toggle.
ldap.config:reloadNoneReload the LDAP configuration.
ldap.status:readNoneVerify the availability of the LDAP server or servers.
ldap.user:readNoneRead users via LDAP.
ldap.user:syncNoneSync users via LDAP.
library.panels:create
  • folders:*
  • folders:uid:*
Create a library panel in one or more folders and their subfolders.
library.panels:read
  • folders:*
  • folders:uid:*
  • library.panels:*
  • library.panels:uid:*
Read one or more library panels.
library.panels:write
  • folders:*
  • folders:uid:*
  • library.panels:*
  • library.panels:uid:*
Update one or more library panels.
library.panels:delete
  • folders:*
  • folders:uid:*
  • library.panels:*
  • library.panels:uid:*
Delete one or more library panels.
licensing.reports:readNoneGet custom permission reports.
licensing:deleteNoneDelete the license token.
licensing:readNoneRead licensing information.
licensing:writeNoneUpdate the license token.
org.users:write
  • users:*
  • users:id:*
Update the organization role (None, Viewer, Editor, or Admin) of a user.
org.users:add
  • users:*
  • users:id:*
Add a user to an organization or invite a new user to an organization.
org.users:read
  • users:*
  • users:id:*
Get user profiles within an organization.
org.users:remove
  • users:*
  • users:id:*
Remove a user from an organization.
orgs.preferences:readNoneRead organization preferences.
orgs.preferences:writeNoneUpdate organization preferences.
orgs.quotas:readNoneRead organization quotas.
orgs.quotas:writeNoneUpdate organization quotas.
orgs:createNoneCreate an organization.
orgs:deleteNoneDelete one or more organizations.
orgs:readNoneRead one or more organizations.
orgs:writeNoneUpdate one or more organizations.
plugins.app:access
  • plugins:*
  • plugins:id:*
Access one or more application plugins (still enforcing the organization role)
plugins:installNoneInstall and uninstall plugins.
plugins:write
  • plugins:*
  • plugins:id:*
Edit settings for one or more plugins.
provisioning:reloadprovisioners:*Reload provisioning files. To find the exact scope for specific provisioner, refer to Scope definitions.
reports:createNoneCreate reports.
reports:write
  • reports:*
  • reports:id:*
Update reports.
reports.settings:readNoneRead report settings.
reports.settings:writeNoneUpdate report settings.
reports:delete
  • reports:*
  • reports:id:*
Delete reports.
reports:read
  • reports:*
  • reports:id:*
List all available reports or get a specific report.
reports:send
  • reports:*
  • reports:id:*
Send a report email.
roles:delete
  • permissions:type:delegate
    Delete a custom role.
    roles:read
    • roles:*
    • roles:uid:*
    List roles and read a specific role with its permissions.
    roles:write
    • permissions:type:delegate
      Create or update a custom role.
      roles:write
      • permissions:type:escalate
        Reset basic roles to their default permissions.
        server.stats:readNoneRead Grafana instance statistics.
        server.usagestats.report:readNoneView usage statistics report.
        serviceaccounts:write
        • serviceaccounts:*
          Create Grafana service accounts.
          serviceaccounts:createNoneUpdate Grafana service accounts.
          serviceaccounts:delete
          • serviceaccounts:*
          • serviceaccounts:id:*
          Delete Grafana service accounts.
          serviceaccounts:read
          • serviceaccounts:*
          • serviceaccounts:id:*
          Read Grafana service accounts.
          serviceaccounts.permissions:write
          • serviceaccounts:*
          • serviceaccounts:id:*
          Update Grafana service account permissions to control who can do what with the service account.
          serviceaccounts.permissions:read
          • serviceaccounts:*
          • serviceaccounts:id:*
          Read Grafana service account permissions to see who can do what with the service account.
          settings:read
          • settings:*
          • settings:auth.saml:*
          • settings:auth.saml:enabled
          (property level)
          Read the Grafana configuration settings
          settings:write
          • settings:*
          • settings:auth.saml:*
          • settings:auth.saml:enabled
          (property level)
          Update any Grafana configuration settings that can be updated at runtime.
          support.bundles:createNoneCreate support bundles.
          support.bundles:deleteNoneDelete support bundles.
          support.bundles:readNoneList and download support bundles.
          status:accesscontrol
          • services:accesscontrol
            Get access-control enabled status.
            teams.permissions:read
            • teams:*
            • teams:id:*
            Read members and Team Sync setup for teams.
            teams.permissions:write
            • teams:*
            • teams:id:*
            Add, remove and update members and manage Team Sync setup for teams.
            teams.roles:add
            • permissions:type:delegate
              Assign a role to a team.
              teams.roles:read
              • teams:*
              • teams:id:*
              List roles assigned directly to a team.
              teams.roles:remove
              • permissions:type:delegate
                Unassign a role from a team.
                teams:createNoneCreate teams.
                teams:delete
                • teams:*
                • teams:id:*
                Delete one or more teams.
                teams:read
                • teams:*
                • teams:id:*
                Read one or more teams and team preferences. To list teams through the UI one of the following permissions is required in addition to teams:read: teams:write, teams.permissions:read or teams.permissions:write.
                teams:write
                • teams:*
                • teams:id:*
                Update one or more teams and team preferences.
                users.authtoken:read
                • global.users:*
                • global.users:id:*
                List authentication tokens that are assigned to a user.
                users.authtoken:write
                • global.users:*
                • global.users:id:*
                Update authentication tokens that are assigned to a user.
                users.password:write
                • global.users:*
                • global.users:id:*
                Update a user’s password.
                users.permissions:read
                • users:*
                  List permissions of a user.
                  users.permissions:write
                  • global.users:*
                  • global.users:id:*
                  Update a user’s organization-level permissions.
                  users.quotas:read
                  • global.users:*
                  • global.users:id:*
                  List a user’s quotas.
                  users.quotas:write
                  • global.users:*
                  • global.users:id:*
                  Update a user’s quotas.
                  users.roles:add
                  • permissions:type:delegate
                    Assign a role to a user or a service account.
                    users.roles:read
                    • users:*
                      List roles assigned directly to a user or a service account.
                      users.roles:remove
                      • permissions:type:delegate
                        Unassign a role from a user or a service account.
                        users:createNoneCreate a user.
                        users:delete
                        • global.users:*
                        • global.users:id:*
                        Delete a user.
                        users:disable
                        • global.users:*
                        • global.users:id:*
                        Disable a user.
                        users:enable
                        • global.users:*
                        • global.users:id:*
                        Enable a user.
                        users:logout
                        • global.users:*
                        • global.users:id:*
                        Sign out a user.
                        users:read
                        • global.users:*
                          Read or search user profiles.
                          users:write
                          • global.users:*
                          • global.users:id:*
                          Update a user’s profile.

                          Grafana Adaptive Metrics action definitions

                          The following list contains role-based access control actions used by Grafana Adaptive Metrics.

                          ActionApplicable scopesDescription
                          grafana-adaptive-metrics-app.plugin:accessNoneAccess the Adaptive Metrics plugin in Grafana Cloud.
                          grafana-adaptive-metrics-app.config:readNoneRead the Adaptive Metrics app configuration.
                          grafana-adaptive-metrics-app.config:writeNoneUpdate the Adaptive Metrics app configuration.
                          grafana-adaptive-metrics-app.recommendations:readNoneRead aggregation recommendations.
                          grafana-adaptive-metrics-app.recommendations:applyNoneApply aggregation recommendations.
                          grafana-adaptive-metrics-app.rules:readNoneRead aggregation rules.
                          grafana-adaptive-metrics-app.rules:writeNoneCreate aggregation rules.
                          grafana-adaptive-metrics-app.rules:deleteNoneDelete aggregation rules.
                          grafana-adaptive-metrics-app.exemptions:readNoneRead recommendation exemptions.
                          grafana-adaptive-metrics-app.exemptions:writeNoneCreate, update, and delete recommendation exemptions.

                          Grafana Alerting Notification action definitions

                          To use these permissions, enable the alertingApiServer feature toggle.

                          ActionApplicable scopesDescription
                          alert.notifications.receivers:readreceivers:*
                          receivers:uid:*
                          Read contact points.
                          alert.notifications.receivers.secrets:readreceivers:*
                          receivers:uid:*
                          Export contact points with decrypted secrets.
                          alert.notifications.receivers:createNoneCreate a new contact points. The creator is automatically granted full access to the created contact point.
                          alert.notifications.receivers:writereceivers:*
                          receivers:uid:*
                          Update existing contact points.
                          alert.notifications.receivers:deletereceivers:*
                          receivers:uid:*
                          Update and delete existing contact points.
                          receivers.permissions:readreceivers:*
                          receivers:uid:*
                          Read permissions for contact points.
                          receivers.permissions:writereceivers:*
                          receivers:uid:*
                          Manage permissions for contact points.
                          alert.notifications.time-intervals:readNoneRead mute time intervals.
                          alert.notifications.time-intervals:writeNoneCreate new or update existing mute time intervals.
                          alert.notifications.time-intervals:deleteNoneDelete existing time intervals.
                          alert.notifications.templates:readNoneRead templates.
                          alert.notifications.templates:writeNoneCreate new or update existing templates.
                          alert.notifications.templates:deleteNoneDelete existing templates.
                          alert.notifications.routes:readNoneRead notification policies.
                          alert.notifications.routes:writeNoneCreate new, update or delete notification policies

                          Scope definitions

                          The following list contains role-based access control scopes.

                          ScopesDescriptions
                          • annotations:*
                          • annotations:type:*
                          Restrict an action to a set of annotations. For example, annotations:* matches any annotation, annotations:type:dashboard matches annotations associated with dashboards and annotations:type:organization matches organization annotations.
                          • apikeys:*
                          • apikeys:id:*
                          Restrict an action to a set of API keys. For example, apikeys:* matches any API key, apikey:id:1 matches the API key whose id is 1.
                          • dashboards:*
                          • dashboards:uid:*
                          Restrict an action to a set of dashboards. For example, dashboards:* matches any dashboard, and dashboards:uid:1 matches the dashboard whose UID is 1.
                          • datasources:*
                          • datasources:uid:*
                          Restrict an action to a set of data sources. For example, datasources:* matches any data source, and datasources:uid:1 matches the data source whose UID is 1.
                          • folders:*
                          • folders:uid:*
                          Restrict an action to a set of folders. For example, folders:* matches any folder, and folders:uid:1 matches the folder whose UID is 1. Note that permissions granted to a folder cascade down to subfolders located under it.
                          • global.users:*
                          • global.users:id:*
                          Restrict an action to a set of global users. For example, global.users:* matches any user and global.users:id:1 matches the user whose ID is 1.
                          • library.panels:*
                          • library.panels:uid:*
                          Restrict an action to a set of library panels. For example, library.panels:* matches any library panel, and library.panel:uid:1 matches the library panel whose UID is 1.
                          • orgs:*
                          • orgs:id:*
                          Restrict an action to a set of organizations. For example, orgs:* matches any organization and orgs:id:1 matches the organization whose ID is 1.
                          • permissions:type:delegate
                            The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.
                            • permissions:type:escalate
                              The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have.
                              • plugins:*
                              • plugins:id:*
                              Restrict an action to a set of plugins. For example, plugins:id:grafana-oncall-app matches Grafana OnCall plugin, and plugins:* matches all plugins.
                              • provisioners:*
                                Restrict an action to a set of provisioners. For example, provisioners:* matches any provisioner, and provisioners:accesscontrol matches the role-based access control provisioner.
                                • reports:*
                                • reports:id:*
                                Restrict an action to a set of reports. For example, reports:* matches any report and reports:id:1 matches the report whose ID is 1.
                                • roles:*
                                • roles:uid:*
                                Restrict an action to a set of roles. For example, roles:* matches any role and roles:uid:randomuid matches only the role whose UID is randomuid.
                                • services:accesscontrol
                                  Restrict an action to target only the role-based access control service. You can use this in conjunction with the status:accesscontrol actions.
                                  • serviceaccounts:*
                                  • serviceaccounts:id:*
                                  Restrict an action to a set of service account from an organization. For example, serviceaccounts:* matches any service account and serviceaccount:id:1 matches the service account whose ID is 1.
                                  • settings:*
                                    Restrict an action to a subset of settings. For example, settings:* matches all settings, settings:auth.saml:* matches all SAML settings, and settings:auth.saml:enabled matches the enable property on the SAML settings.
                                    • teams:*
                                    • teams:id:*
                                    Restrict an action to a set of teams from an organization. For example, teams:* matches any team and teams:id:1 matches the team whose ID is 1.
                                    • users:*
                                    • users:id:*
                                    Restrict an action to a set of users from an organization. For example, users:* matches any user and users:id:1 matches the user whose ID is 1.
                                    • None
                                      If an action has “None” specified for the scope, then the action doesn’t require a scope. For example, the teams:create action doesn’t require a scope and allows users to create teams.