Menu
Grafana Cloud
← Back to What's new
Generally AvailableAuthentication and authorizationPlugins
Release date: 2024-10-21

RBAC for Plugins

We’re excited to announce that plugins can now leverage Grafana’s role based access control to define their own roles and permissions in order to control access to their routes.

To define roles and their default assignments, plugin developers need to add a roles section to their plugin.json file. Grafana will automatically register these roles and assign them to the corresponding basic roles: Viewer, Editor, Admin, and Grafana Admin.

Following is an example of defining two RBAC plugin roles and assigning them to Admins and Viewers (and thus Editors and Admins) by default:

json
"roles": [
  {
    "role": {
      "name": "Patents Reader",
      "description": "Read patents",
      "permissions": [
        {"action": "grafana-appwithrbac-app.patents:read"}
      ]
    },
    "grants": ["Admin"]
  },
  {
    "role": {
      "name": "Research papers Reader",
      "description": "Read research papers",
      "permissions": [
        {"action": "grafana-appwithrbac-app.papers:read"}
      ]
    },
    "grants": ["Viewer"]
  }
]

Protecting includes and routes is also straight forward, and can be done through the new action and reqAction field of these sections of the plugin.json file.

Plugin example

If you’d like to test this and explore RBAC for plugins further, refer to this plugin example for guidance.

Known limitation

Plugins permissions are currently restricted to actions without scopes.