
Users and teams

Grafana IRM relies on the teams and user permissions configured at the organization level of your Grafana instance. This section explains how user roles, permissions, and teams work within Grafana IRM.

Note

To view and manage a team in IRM, users (including administrators) must be members of that team. An administrator who needs to manage a team they are not part of must first add themselves as a team member and make the necessary changes; they can then remove themselves from the team.

User roles and permissions

User roles and permissions are assigned and managed at the Grafana organization or Cloud portal level. There are two ways to manage user roles and permissions for Grafana IRM.

Basic role authorization

By default, authorization within Grafana IRM relies on the basic user roles configured at the organization level. All users are assigned a basic role by the organization administrator. There are three available roles:

  • Viewer: Read-only access to Grafana IRM
  • Editor: Can edit most resources but has limited administrative capabilities
  • Admin: Complete access to all Grafana IRM features and settings

Role-based access control (RBAC)

RBAC for Grafana plugins allows for fine-grained access control so you can define custom roles and actions for users in Grafana IRM. Use RBAC to grant specific permissions within the Grafana IRM plugin without changing the user’s basic role at the organization level.

For example, suppose a user with the basic Viewer role at the organization level needs to edit on-call schedules. Assigning the Grafana IRM RBAC role of Schedules Editor lets that user view everything in Grafana IRM and also edit on-call schedules.

To learn more about RBAC for Grafana IRM, refer to the following documentation:

Available RBAC roles

Note

Granting any of the following roles will also grant the user the ability to access the IRM plugin. Additionally, these RBAC roles do not currently support scopes.

The following table lists the main roles available in Grafana IRM:

| Role | Description | Basic Roles Granted To |
|------|-------------|------------------------|
| Admin | Read/write access to everything in IRM | Grafana Admin, Admin |
| Editor | Similar to Admin but with limited administrative capabilities | Editor |
| Reader | Read-only access to everything in IRM | Viewer |
| Notifications Receiver | Ability to receive IRM alert notifications | N/A |
| OnCaller | Read access to everything plus edit access to Alert Groups, Schedules and own settings | N/A |

Specialized RBAC roles

For more granular control, you can assign specialized roles focused on specific functionality:

Manage teams in Grafana IRM

Teams in Grafana IRM enable the configuration of visibility and filtering of resources, such as alert groups, integrations, escalation chains, and schedules. IRM teams are automatically synced with Grafana teams created at the organization level.

Configure team settings

  1. To modify global team settings like team name or team members, navigate to Configuration > Teams in Grafana.
  2. For IRM-specific team settings, go to IRM > Settings > Team Access Management.

The Teams settings section displays a list of teams, allowing you to configure:

  • Team visibility and access to team resources (all Grafana users or only admins and team members)
  • Default team (user-specific setting that pre-selects a team when creating new resources)

Team visibility

Visibility of teams and their resources follows these rules:

  • Administrators can view all teams and their resources
  • Editors and Viewers can only see teams they are members of, or teams whose setting “who can see the team name and access the team resources” is set to “all users of Grafana”

Warning

In the main Grafana teams section, users can set team-specific user permissions (Admin, Editor, or Viewer), but only for resources within that team. Currently, Grafana IRM is not compatible with this setting and uses global roles instead.

Using teams to organize resources

Teams help filter resources on their respective pages, improving organization:

  • You can assign a resource to a team when creating it
  • Alert groups created via the Integration API inherit the team from the integration
  • Resources from different teams can be connected with one another

Cross-team resources

You can create integrations in one team and use resources from other teams:

  • Set up multiple routes for an integration
  • Utilize escalation chains from other teams
  • Include users, schedules, and outgoing webhooks from other teams in escalation chains

If a user only has access to one team but not others, they will be unable to view resources from other teams, which will display as 🔒 Private resource. This feature enables the distribution of escalations across various teams.

Best practices

Consider these recommendations when configuring users and teams:

  • Use RBAC for precise control: Rather than giving everyone Editor or Admin roles, use RBAC to grant specific permissions
  • Create logical team divisions: Structure teams based on functional areas or incident response responsibilities
  • Limit the Admin role: Reserve the Admin role for users who need to manage all aspects of the IRM system
  • Review permissions regularly: Periodically audit user permissions to ensure they align with current responsibilities
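
The team visibility and cross-team rules described above can be modeled over an inventory of users and teams to support a periodic permission review. The following is an added example, not Grafana's code: it calls no Grafana API, and the class names, function names, and sample users, teams and resources are all hypothetical and constructed for illustration.

```python
# Added example: models this page's team visibility rules over constructed data.
from dataclasses import dataclass, field

ALL_USERS = "all users of Grafana"
MEMBERS_ONLY = "only admins and team members"
PRIVATE = "🔒 Private resource"

@dataclass
class Team:
    name: str
    visibility: str = MEMBERS_ONLY
    members: set = field(default_factory=set)

@dataclass
class User:
    login: str
    basic_role: str  # global "Admin", "Editor" or "Viewer"; IRM ignores team-level roles

def can_see(user, team):
    """Admins see every team; others need membership or a team open to all users."""
    if user.basic_role == "Admin":
        return True
    return user.login in team.members or team.visibility == ALL_USERS

def render_chain(user, steps):
    """Show escalation chain steps; a step owned by a hidden team displays as private."""
    return [name if can_see(user, team) else PRIVATE for name, team in steps]

def review(users, teams):
    """Access review: who holds Admin, which teams are open, what each non-admin sees."""
    return {
        "admins": sorted(u.login for u in users if u.basic_role == "Admin"),
        "open_teams": sorted(t.name for t in teams if t.visibility == ALL_USERS),
        "visible": {u.login: sorted(t.name for t in teams if can_see(u, t))
                    for u in users if u.basic_role != "Admin"},
    }

# Constructed sample inventory (hypothetical names).
platform = Team("platform", MEMBERS_ONLY, {"alice", "bob"})
payments = Team("payments", MEMBERS_ONLY, {"carol"})
support = Team("support", ALL_USERS, {"dave"})
teams = [platform, payments, support]
users = [User("alice", "Admin"), User("bob", "Editor"),
         User("carol", "Viewer"), User("dave", "Viewer")]
chain = [("platform primary schedule", platform),
         ("payments on-call schedule", payments),
         ("support webhook", support)]

if __name__ == "__main__":
    print(render_chain(users[1], chain))
    print(review(users, teams))
```
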