Permissions
To grant permissions to a user, you create a built-in role assignment that maps a role to a built-in role. A built-in role assignment modifies one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.
To learn more about which permissions are used for which resources, refer to .
The specific action on a resource defines what a user is allowed to do, provided they hold a permission that has the relevant action assigned to it.
scope
The following list contains fine-grained access control actions.
Scope definitions
The following list contains fine-grained access control scopes.
Scopes | Descriptions |
---|---|
roles: | Restrict an action to a set of roles. For example, roles: matches any role, roles:randomuid matches only the role with UID randomuid and roles:custom:reports:{editor,viewer} matches both custom:reports:editor and custom:reports:viewer roles. |
permissions:delegate | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate only your own permissions, or a subset of them, by creating a new role or making an assignment. |
reports: | Restrict an action to a set of reports. For example, reports: matches any report and reports:1 matches the report with id 1. |
services:accesscontrol | Restrict an action to target only the fine-grained access control service. For example, you can use this in conjunction with the provisioning:reload or the status:accesscontrol actions. |
global:users: | Restrict an action to a set of global users. |
users: | Restrict an action to a set of users from an organization. |
settings: | Restrict an action to a subset of settings. For example, settings: matches all settings, matches all SAML settings, and settings:auth.saml:enabled matches the enable property on the SAML settings. |
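
The matching rules in the scope table can be checked mechanically when reviewing a custom role. The following is an added example, not Grafana's own code: it assumes a trailing `*` is the scope wildcard and `{a,b}` lists alternatives, and the function names, the sample role, and the `reports:read` / `settings:read` action names are constructed for illustration.

```python
import re
from itertools import product

def expand_scope(scope):
    """Expand {a,b} alternatives into the concrete scopes they stand for."""
    parts = re.split(r"\{([^{}]*)\}", scope)   # odd indices hold brace groups
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return ["".join(combo) for combo in product(*choices)]

def scope_matches(scope, resource):
    """True if the permission scope covers the concrete resource identifier."""
    for s in expand_scope(scope):
        if s.endswith("*"):                     # assumed wildcard: prefix match
            if resource.startswith(s[:-1]):
                return True
        elif s == resource:                     # otherwise exact match only
            return True
    return False

def is_allowed(permissions, action, resource):
    """A request passes only if one permission has the action and a covering scope."""
    return any(p["action"] == action and scope_matches(p["scope"], resource)
               for p in permissions)

def broad_scopes(permissions):
    """Least-privilege review: list permissions whose scope ends in a wildcard."""
    return [p for p in permissions
            if any(s.endswith("*") for s in expand_scope(p["scope"]))]

# Constructed role definition for illustration.
ROLE = [
    {"action": "reports:read", "scope": "reports:1"},
    {"action": "settings:read", "scope": "settings:auth.saml:*"},
    {"action": "provisioning:reload", "scope": "services:accesscontrol"},
]

if __name__ == "__main__":
    for action, resource in [("reports:read", "reports:1"),
                             ("reports:read", "reports:2"),
                             ("settings:read", "settings:auth.saml:enabled")]:
        print(action, resource, is_allowed(ROLE, action, resource))
    print("wildcard scopes:", [p["scope"] for p in broad_scopes(ROLE)])
```

Running `broad_scopes` over every custom role before provisioning gives a short list of permissions to justify or narrow.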