我的书签
添加书签
移除书签Fine-grained access control usage scenarios
Before you get started, make sure to enable fine-grained access control.
You can use the Fine-grained access control HTTP API to see all available built-in role assignments. The response contains a mapping between one of the organization roles (, Editor, Admin) or Grafana Admin to the custom or fixed roles.
Example request:
You must use the base64 username:password Basic Authorization here. Auth tokens are not applicable here.
Example response:
{"Admin": [...{"version": 2,"uid": "qQui_LCMk","name": "fixed:users:org:edit","description": "Allows every read action for user organizations and in addition allows to administer user organizations.","global": true,"updated": "2021-05-17T20:49:18+02:00","created": "2021-05-13T16:24:26+02:00"},{"version": 1,"uid": "Kz9m_YjGz","name": "fixed:reporting:admin:edit","description": "Gives access to edit any report or the organization's general reporting settings.","global": true,"updated": "2021-05-13T16:24:26+02:00","created": "2021-05-13T16:24:26+02:00"}...],"Grafana Admin": [...{"version": 2,"uid": "qQui_LCMk","name": "fixed:users:org:edit","description": "Allows every read action for user organizations and in addition allows to administer user organizations.","global": true,"updated": "2021-05-17T20:49:18+02:00","created": "2021-05-13T16:24:26+02:00"},"version": 2,"uid": "ajum_YjGk","name": "fixed:users:admin:read","description": "Allows to list and get users and related information.","updated": "2021-05-17T20:49:17+02:00","created": "2021-05-13T16:24:26+02:00"},{"version": 2,"uid": "K3um_LCMk","name": "fixed:users:admin:edit","description": "Allows every read action for users and in addition allows to administer users.","global": true,"updated": "2021-05-17T20:49:17+02:00","created": "2021-05-13T16:24:26+02:00"},...]}
To see what permissions each of the assigned roles have, you can a by using an HTTP API.
Example response:
{"version": 2,"uid": "qQui_LCMk","name": "fixed:users:org:edit","description": "Allows every read action for user organizations and in addition allows to administer user organizations.","global": true,"permissions": [{"action": "org.users:add","scope": "users:*","updated": "2021-05-17T20:49:18+02:00","created": "2021-05-17T20:49:18+02:00"},{"action": "org.users:read","scope": "users:*","updated": "2021-05-17T20:49:18+02:00","created": "2021-05-17T20:49:18+02:00"},"action": "org.users:remove","scope": "users:*","updated": "2021-05-17T20:49:18+02:00","created": "2021-05-17T20:49:18+02:00"},{"action": "org.users.role:update","updated": "2021-05-17T20:49:18+02:00","created": "2021-05-17T20:49:18+02:00"}],"updated": "2021-05-17T20:49:18+02:00","created": "2021-05-13T16:24:26+02:00"}
You can create your custom role by either using an or by using Grafana provisioning. You can take a look at to decide what permissions would you like to map to your role.
Example HTTP request:
Example response:
{"version": 1,"uid": "jZrmlLCkGksdka","name": "custom:users:admin","description": "My custom role which gives users permissions to create users","global": true,"permissions": [{"action": "users:create""updated": "2021-05-17T22:07:31.569936+02:00","created": "2021-05-17T22:07:31.569935+02:00"}],"updated": "2021-05-17T22:07:31.564403+02:00","created": "2021-05-17T22:07:31.564403+02:00"}
Once the custom role is created, you can create a built-in role assignment by using an HTTP API. If you created your role using , you can also create the assignment with it.
Example HTTP request:
{"message": "Built-in role grant added"}
In order to create reports, you need to have reports.admin:write permission. By default, a Grafana Admin or organization Admin can create reports as there is a which comes with reports.admin:write permission.
If you want your users who have the Viewer organization role to create reports, you have two options:
- Create a built-in role assignment and map the
fixed:reporting:admin:editfixed role to theViewerbuilt-in role. Note that thefixed:reporting:admin:editfixed role allows doing more than creating reports. Refer to fixed roles for full list of permission assignments. - with
reports.admin:writepermission, and create a built-in role assignment forViewerorganization role.
In order to create users, you need to have users:create permission. By default, a user with the Grafana Admin role can create users as there is a which comes with users:create permission.
If you want to prevent Grafana Admin from creating users, you can do the following:
- Check all built-in role assignments to see what built-in role assignments are available.
- From built-in role assignments, find the role which gives
users:createpermission. Refer to for full list of permission assignments. - Remove the built-in role assignment by using an Fine-grained access control HTTP API or by using .
By default, the Grafana Server Admin is the only user who can create and manage custom roles. If you want your users to do the same, you have two options:
- with
roles.builtin:addandroles:writepermissions, then create a built-in role assignment for organization role.
Note that any user with the ability to modify roles can only create, update or delete roles with permissions they themselves have been granted. For example, a user with the Editor role would be able to create and manage roles only with the permissions they have, or with a subset of them.
