This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Grafana Cloud Enterprise

RBAC role definitions

Note

Available in Grafana Enterprise and Grafana Cloud.

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

| Basic role | UID | Associated fixed roles | Description |
| --- | --- | --- | --- |
| Grafana Admin | basic_grafana_admin | fixed:roles:reader, fixed:roles:writer, fixed:users:reader, fixed:users:writer, fixed:org.users:reader, fixed:org.users:writer, fixed:ldap:reader, fixed:ldap:writer, fixed:stats:reader, fixed:settings:reader, fixed:settings:writer, fixed:provisioning:writer, fixed:organization:reader, fixed:organization:maintainer, fixed:licensing:reader, fixed:licensing:writer, fixed:datasources.caching:reader, fixed:datasources.caching:writer, fixed:dashboards.insights:reader, fixed:datasources.insights:reader, fixed:plugins:maintainer, fixed:authentication.config:writer, fixed:library.panels:creator, fixed:library.panels:reader, fixed:library.panels:general.reader, fixed:library.panels:writer, fixed:library.panels:general.writer, fixed:groupsync:writer | Default Grafana server administrator assignments. |
| Admin | basic_admin | fixed:reports:reader, fixed:reports:writer, fixed:datasources:reader, fixed:datasources:writer, fixed:organization:writer, fixed:datasources.permissions:reader, fixed:datasources.permissions:writer, fixed:teams:writer, fixed:dashboards:reader, fixed:dashboards:writer, fixed:dashboards.permissions:reader, fixed:dashboards.permissions:writer, fixed:dashboards.public:writer, fixed:folders:reader, fixed:folders:writer, fixed:folders.permissions:reader, fixed:folders.permissions:writer, fixed:alerting:writer, fixed:apikeys:reader, fixed:apikeys:writer, fixed:alerting.provisioning.secrets:reader, fixed:alerting.provisioning:writer, fixed:datasources.caching:reader, fixed:datasources.caching:writer, fixed:dashboards.insights:reader, fixed:datasources.insights:reader, fixed:plugins:writer, fixed:library.panels:creator, fixed:library.panels:reader, fixed:library.panels:general.reader, fixed:library.panels:writer, fixed:library.panels:general.writer, fixed:alerting.provisioning.status:writer, fixed:groupsync:writer | Default Grafana organization administrator assignments. |
| Editor | basic_editor | fixed:datasources:explorer, fixed:dashboards:creator, fixed:folders:creator, fixed:annotations:writer, fixed:teams:creator (if the editors_can_admin configuration flag is enabled), fixed:alerting:writer, fixed:dashboards.insights:reader, fixed:datasources.insights:reader, fixed:library.panels:creator, fixed:library.panels:general.reader, fixed:library.panels:general.writer, fixed:alerting.provisioning.status:writer | Default Editor assignments. |
| Viewer | basic_viewer | fixed:datasources.id:reader, fixed:organization:reader, fixed:annotations:reader, fixed:annotations.dashboard:writer, fixed:alerting:reader, fixed:plugins.app:reader, fixed:dashboards.insights:reader, fixed:datasources.insights:reader, fixed:library.panels:general.reader, fixed:datasources:explorer (if the viewers_can_edit configuration flag is enabled) | Default Viewer assignments. |
| No Basic Role | n/a | | Default No Basic Role |

Fixed role definitions

The following table has the existing built-in fixed role definitions. Other fixed roles might be added by plugins installed in Grafana. The UUID presented here can be used as an identifier for Terraform provisioning.

Caution

These UUIDs won’t be available if your instance was created before Grafana v10.2.0.

To learn how to use the roles API to determine the role UUIDs, refer to Manage RBAC roles.

| Fixed role | UUID | Permissions | Description |
| --- | --- | --- | --- |
| fixed:alerting:reader | fixed_O2oP1_uBFozI2i93klAkcvEWR30 | All permissions from fixed:alerting.rules:reader, fixed:alerting.instances:reader, fixed:alerting.notifications:reader | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.* |
| fixed:alerting:writer | fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY | All permissions from fixed:alerting.rules:writer, fixed:alerting.instances:writer, fixed:alerting.notifications:writer | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.* |
| fixed:alerting.instances:reader | fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y | alert.instances:read for organization scope; alert.instances.external:read for scope datasources:* | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.* |
| fixed:alerting.instances:writer | fixed_pKOBJE346uyqMLdgWbk1NsQfEl0 | All permissions from fixed:alerting.instances:reader and alert.instances:create; alert.instances:write for organization scope; alert.instances.external:write for scope datasources:* | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.* |
| fixed:alerting.notifications:reader | fixed_hmBn0lX5h1RZXB9Vaot420EEdA0 | alert.notifications:read for organization scope; alert.notifications.external:read for scope datasources:* | Read all Grafana and Alertmanager contact points, templates, and notification policies.* |
| fixed:alerting.notifications:writer | fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc | All permissions from fixed:alerting.notifications:reader and alert.notifications:write for organization scope; alert.notifications.external:read for scope datasources:* | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.* |
| fixed:alerting.provisioning:writer | fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo | alert.provisioning:read and alert.provisioning:write | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. * |
| fixed:alerting.provisioning.secrets:reader | fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c | alert.provisioning:read and alert.provisioning.secrets:read | Read-only permissions for Provisioning API and let export resources with decrypted secrets * |
| fixed:alerting.provisioning.status:writer | fixed_eAxlzfkTuobvKEgXHveFMBZrOj8 | alert.provisioning.provenance:write | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. * |
| fixed:alerting.rules:reader | fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA | alert.rule:read, alert.silences:read for scope folders:*; alert.rules.external:read for scope datasources:*; alert.notifications.time-intervals:read; alert.notifications.receivers:list | Read all* Grafana, Mimir, and Loki alert rules.* and read rule-specific silences |
| fixed:alerting.rules:writer | fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc | All permissions from fixed:alerting.rules:reader and alert.rule:create; alert.rule:write; alert.rule:delete; alert.silences:create; alert.silences:write for scope folders:*; alert.rules.external:write for scope datasources:* | Create, update, and delete all* Grafana, Mimir, and Loki alert rules.* and manage rule-specific silences |
| fixed:annotations:reader | fixed_hpZnoizrfAJsrceNcNQqWYV-xNU | annotations:read for scopes annotations:type:* | Read all annotations and annotation tags. |
| fixed:annotations:writer | fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE | All permissions from fixed:annotations:reader; annotations:write; annotations.create; annotations:delete for scope annotations:type:* | Read, create, update and delete all annotations and annotation tags. |
| fixed:annotations.dashboard:writer | fixed_8A775xenXeKaJk4Cr7bchP9yXOA | annotations:write; annotations.create; annotations:delete for scope annotations:type:dashboard | Create, update and delete dashboard annotations and annotation tags. |
| fixed:apikeys:reader | fixed_kYZ7UEkwEvGmCCjTrq07cFAVFws | apikeys:read for scope apikeys:* | Read all api keys. |
| fixed:apikeys:writer | fixed_anTrcpRkm21NBO1Q2CsX8y0fiCQ | All permissions from fixed:apikeys:reader and apikeys:create; apikeys:delete for scope apikeys:* | Read, create, delete all api keys. |
| fixed:authentication.config:writer | fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw | settings:read for scope settings:auth.saml:*; settings:write for scope settings:auth.saml:* | Read and update authentication and SAML settings. |
| fixed:dashboards:creator | fixed_ZorKUcEPCM01A1fPakEzGBUyU64 | dashboards:create; folders:read | Create dashboards. |
| fixed:dashboards:reader | fixed_Sgr67JTOhjQGFlzYRahOe45TdWM | dashboards:read | Read all dashboards. |
| fixed:dashboards:writer | fixed_OK2YOQGIoI1G031hVzJB6rAJQAs | All permissions from fixed:dashboards:reader and dashboards:write; dashboards:edit; dashboards:delete; dashboards:create; dashboards.permissions:read; dashboards.permissions:write | Read, create, update, and delete all dashboards. |
| fixed:dashboards.insights:reader | fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs | dashboards.insights:read | Read dashboard insights data and see presence indicators. |
| fixed:dashboards.permissions:reader | fixed_f17oxuXW_58LL8mYJsm4T_mCeIw | dashboards.permissions:read | Read all dashboard permissions. |
| fixed:dashboards.permissions:writer | fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k | All permissions from fixed:dashboards.permissions:reader and dashboards.permissions:write | Read and update all dashboard permissions. |
| fixed:dashboards.public:writer | fixed_f_GHHRBciaqESXfGz2oCcooqHxs | dashboards.public:write | Create, update, delete or pause a shared dashboard. |
| fixed:datasources:creator | fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw | datasources:create | Create data sources. |
| fixed:datasources:explorer | fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw | datasources:explore | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
| fixed:datasources:reader | fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ | datasources:read; datasources:query | Read and query data sources. |
| fixed:datasources:writer | fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik | All permissions from fixed:datasources:reader and datasources:create; datasources:write; datasources:delete | Read, query, create, delete, or update a data source. |
| fixed:datasources.caching:reader | fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4 | datasources.caching:read | Read data source query caching settings. |
| fixed:datasources.caching:writer | fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE | datasources.caching:read; datasources.caching:write | Enable, disable, or update query caching settings. |
| fixed:datasources.id:reader | fixed_entg--fHmDqWY2-69N0ocawK0Os | datasources.id:read | Read the ID of a data source based on its name. |
| fixed:datasources.insights:reader | fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk | datasources.insights:read | Read data source insights data. |
| fixed:datasources.permissions:reader | fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY | datasources.permissions:read | Read data source permissions. |
| fixed:datasources.permissions:writer | fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw | All permissions from fixed:datasources.permissions:reader and datasources.permissions:write | Create, read, or delete permissions of a data source. |
| fixed:folders:creator | fixed_gGLRbZGAGB6n9uECqSh_W382RlQ | folders:create | Create folders in the root level. |
| fixed:folders:reader | fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ | folders:read; dashboards:read | Read all folders and dashboards. |
| fixed:folders:writer | fixed_wJXLoTzgE7jVuz90dryYoiogL0o | All permissions from fixed:dashboards:writer and folders:read; folders:write; folders:create; folders:delete; folders.permissions:read; folders.permissions:write | Read, update, and delete all folders and dashboards. Create folders and subfolders. |
| fixed:folders.permissions:reader | fixed_E06l4cx0JFm47EeLBE4nmv3pnSo | folders.permissions:read | Read all folder permissions. |
| fixed:folders.permissions:writer | fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI | All permissions from fixed:folders.permissions:reader and folders.permissions:write | Read and update all folder permissions. |
| fixed:ldap:reader | fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE | ldap.user:read; ldap.status:read | Read the LDAP configuration and LDAP status information. |
| fixed:groupsync:reader | fixed_tLIbDrE6kw93sKqooF8GVS9BF4E | groupsync.mappings:read | List all group attribute sync mappings. To use this role, enable the groupAttributeSync feature toggle. |
| fixed:groupsync:writer | fixed_q7XUYx_efzxxsVmWhQgpiYClwBs | groupsync.mappings:read; groupsync.mappings:write | Create, read, update, and delete all group attribute sync mappings. To use this role, enable the groupAttributeSync feature toggle. |
| fixed:ldap:writer | fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU | All permissions from fixed:ldap:reader and ldap.user:sync; ldap.config:reload | Read and update the LDAP configuration, and read LDAP status information. |
| fixed:library.panels:creator | fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY | library.panels:create; folders:read | Create library panel at the root level. |
| fixed:library.panels:general.reader | fixed_ct0DghiBWR_2BiQm3EvNPDVmpio | library.panels:read | Read all library panels at the root level. |
| fixed:library.panels:general.writer | fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI | All permissions from fixed:library.panels:general.reader plus library.panels:create; library.panels:delete; library.panels:write | Create, read, write or delete all library panels and their permissions at the root level. |
| fixed:library.panels:reader | fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs | library.panels:read | Read all library panels. |
| fixed:library.panels:writer | fixed_JTljAr21LWLTXCkgfBC4H0lhBC8 | All permissions from fixed:library.panels:reader plus library.panels:create; library.panels:delete; library.panels:write | Create, read, write or delete all library panels and their permissions. |
| fixed:licensing:reader | fixed_OADpuXvNEylO2Kelu3GIuBXEAYE | licensing:read; licensing.reports:read | Read licensing information and licensing reports. |
| fixed:licensing:writer | fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE | All permissions from fixed:licensing:viewer and licensing:write; licensing:delete | Read licensing information and licensing reports, update and delete the license token. |
| fixed:org.users:reader | fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY | org.users:read | Read users within a single organization. |
| fixed:org.users:writer | fixed_VERj5nayasjgf_Yh0sWqqCkxWlw | All permissions from fixed:org.users:reader and org.users:add; org.users:remove; org.users:write | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| fixed:organization:maintainer | fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg | All permissions from fixed:organization:reader and orgs:write; orgs:create; orgs:delete; orgs.quotas:write | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| fixed:organization:reader | fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w | orgs:read; orgs.quotas:read | Read an organization and its quotas. |
| fixed:organization:writer | fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M | All permissions from fixed:organization:reader and orgs:write; orgs.preferences:read; orgs.preferences:write | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| fixed:plugins:maintainer | fixed_yEOKidBcWgbm74x-nTa3lW5lOyY | plugins:install | Install and uninstall plugins. Needs to be assigned globally. |
| fixed:plugins:writer | fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE | plugins:write | Enable and disable plugins and edit plugins’ settings. |
| fixed:plugins.app:reader | fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA | plugins.app:access | Access application plugins (still enforcing the organization role). |
| fixed:provisioning:writer | fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA | provisioning:reload | Reload provisioning. |
| fixed:reports:reader | fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8 | reports:read; reports:send; reports.settings:read | Read all reports and shared report settings. |
| fixed:reports:writer | fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw | All permissions from fixed:reports:reader and reports:create; reports:write; reports:delete; reports.settings:write | Create, read, update, or delete all reports and shared report settings. |
| fixed:roles:reader | fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc | roles:read; teams.roles:read; users.roles:read; users.permissions:read | Read all access control roles, roles and permissions assigned to users, teams. |
| fixed:roles:resetter | fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ | roles:write with scope permissions:type:escalate | Reset basic roles to their default. |
| fixed:roles:writer | fixed_W5aFaw8isAM27x_eWfElBhZ0iOc | All permissions from fixed:roles:reader and roles:write; roles:delete; teams.roles:add; teams.roles:remove; users.roles:add; users.roles:remove | Create, read, update, or delete all roles, assign or unassign roles to users, teams. |
| fixed:serviceaccounts:creator | fixed_Ikw60fckA0MyiiZ73BawSfOULy4 | serviceaccounts:create | Create Grafana service accounts. |
| fixed:serviceaccounts:reader | fixed_QFjJAZ88iawMLInYOxPA1DB1w6I | serviceaccounts:read | Read Grafana service accounts. |
| fixed:serviceaccounts:writer | fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk | serviceaccounts:read; serviceaccounts:create; serviceaccounts:write; serviceaccounts:delete; serviceaccounts.permissions:read; serviceaccounts.permissions:write | Create, update, read and delete all Grafana service accounts and manage service account permissions. |
| fixed:settings:reader | fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q | settings:read | Read Grafana instance settings. |
| fixed:settings:writer | fixed_joIHDgMrGg790hMhUufVzcU4j44 | All permissions from fixed:settings:reader and settings:write | Read and update Grafana instance settings. |
| fixed:stats:reader | fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA | server.stats:read | Read Grafana instance statistics. |
| fixed:teams:creator | fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI | teams:create; org.users:read | Create a team and list organization users (required to manage the created team). |
| fixed:teams:reader | fixed_3SNL15gkRtJ7XeEKpMVJyQjYbjg | teams:read | List all teams. |
| fixed:teams:writer | fixed_xw1T0579h620MOYi4L96GUs7fZY | teams:create; teams:delete; teams:read; teams:write; teams.permissions:read; teams.permissions:write | Create, read, update and delete teams and manage team memberships. |
| fixed:users:reader | fixed_buZastUG3reWyQpPemcWjGqPAd0 | users:read; users.quotas:read; users.authtoken:read | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| fixed:users:writer | fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM | All permissions from fixed:users:reader and users:write; users:create; users:delete; users:enable; users:disable; users.password:write; users.permissions:write; users:logout; users.authtoken:write; users.quotas:write | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |

Alerting roles

You can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

  • Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
  • Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is currently one exception: the role fixed:alerting.provisioning:writer does not require the user to have any additional permissions and provides access to all aspects of the alerting configuration through the special provisioning API.

For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.
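
The intersection rule and its provisioning exception, modelled as an added example (not Grafana's own code). Assumptions: permissions are treated as (action, scope) pairs, only a trailing `*` wildcard is handled, and the scope strings, sample users and helper names are constructed for illustration.

```python
# Added illustration, not Grafana's implementation: a simplified model of the
# "intersection of permissions" rule for seeing a Grafana-managed alert rule.
# Assumptions: permissions are (action, scope) pairs, "" means no scope, only a
# trailing "*" wildcard is modelled, and the specific scope strings are constructed.

PROVISIONING_READ = "alert.provisioning:read"  # part of fixed:alerting.provisioning:writer


def scope_covers(granted: str, wanted: str) -> bool:
    """True if a granted scope equals the wanted scope or wildcard-matches it."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def has(perms, action: str, scope: str) -> bool:
    """True if any held permission grants the action on the given scope."""
    return any(a == action and scope_covers(s, scope) for a, s in perms)


def missing_for_rule(perms, folder_scope: str, datasource_scopes) -> list:
    """Return the (action, scope) pairs the user still lacks to see the rule.

    An empty list means the rule is visible through the regular alerting API.
    """
    needed = [("folders:read", folder_scope), ("alert.rule:read", folder_scope)]
    # Every data source the rule queries must be queryable, not just one of them.
    needed += [("datasources:query", ds) for ds in datasource_scopes]
    return [(a, s) for a, s in needed if not has(perms, a, s)]


def visible_via_provisioning(perms) -> bool:
    """The documented exception: no folder or data source access is required."""
    return any(a == PROVISIONING_READ for a, _ in perms)


# Constructed sample: a rule in folder "ops" that queries two data sources.
RULE_FOLDER = "folders:uid:ops"
RULE_DATASOURCES = ["datasources:uid:prom", "datasources:uid:loki"]

# Constructed user: alert.rule:read on folders:* (as in fixed:alerting.rules:reader),
# folder read access, but query access to only one of the two data sources.
partial_user = [
    ("alert.rule:read", "folders:*"),
    ("folders:read", "folders:uid:ops"),
    ("datasources:query", "datasources:uid:prom"),
]
# Constructed user holding only the provisioning permissions.
provisioning_user = [("alert.provisioning:read", ""), ("alert.provisioning:write", "")]

if __name__ == "__main__":
    print(missing_for_rule(partial_user, RULE_FOLDER, RULE_DATASOURCES))
    print(visible_via_provisioning(provisioning_user))
```

When auditing least privilege, treat any principal for which `visible_via_provisioning` is true as having full read access to alerting configuration, regardless of its folder and data source permissions.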

Grafana OnCall roles (beta)

Note

Available from Grafana 9.4 in early access.

Note

This feature is behind the accessControlOnCall feature toggle. You can enable feature toggles through the configuration file or environment variables. See the configuration docs for details.

If you are using Grafana OnCall, you can try out the integration between Grafana OnCall and RBAC. For a detailed list of the available OnCall RBAC roles, refer to the table in Available Grafana OnCall RBAC roles and granted actions.

The following table lists the default RBAC OnCall role assignments to the basic roles:

| Basic role | Associated fixed roles | Description |
| --- | --- | --- |
| Grafana Admin | plugins:grafana-oncall-app:admin | Default Grafana server administrator assignments. |
| Admin | plugins:grafana-oncall-app:admin | Default Grafana organization administrator assignments. |
| Editor | plugins:grafana-oncall-app:editor | Default Editor assignments. |
| Viewer | plugins:grafana-oncall-app:reader | Default Viewer assignments. |