Permissions
To grant permissions to a user, you create a built-in role assignment to map a role to a built-in role. A built-in role assignment modifies one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.
To learn more about which permissions are used for which resources, refer to .
The specific action on a resource defines what a user is allowed to do, provided they hold a permission with that action assigned.
scope
The following list contains fine-grained access control actions.
Scope definitions
The following list contains fine-grained access control scopes.
Scopes | Descriptions |
---|---|
`permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate only your own permissions, or a subset of them, by creating a new role or making an assignment. |
`roles:*` `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
`reports:*` `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
`services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
`global:users:*` `global:users:id:*` | Restrict an action to a set of global users. For example, `global:users:*` matches any user and `global:users:id:1` matches the user whose ID is `1`. |
`users:*` `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
`orgs:*` `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
`settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
`provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control provisioner. |
`datasources:*` `datasources:id:*` `datasources:uid:*` `datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
`serviceaccounts:*` `serviceaccounts:id:*` | Restrict an action to a set of service accounts. For example, `serviceaccounts:*` matches any service account and matches the service account whose ID is `1`. |
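
As an added example (not Grafana's own code), the Go sketch below models the scope matching the table describes and lists kind-wide wildcard grants for a least-privilege review of a role. It assumes a grant ending in `:*` is a prefix wildcard and every other grant must match exactly; the role and its action names are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission pairs an action with the scope it is granted on.
type Permission struct{ Action, Scope string }

// sampleRole is a constructed role; its action names are sample values.
var sampleRole = []Permission{
	{"settings:read", "settings:auth.saml:*"},
	{"datasources:query", "datasources:*"},
	{"users:read", "users:id:1"},
}

// scopeCovers reports whether a granted scope covers a concrete target.
// Assumed model: a grant ending in ":*" matches any target sharing the text
// before "*"; anything else is exact, so "users:id:1*" never widens to ID 10.
func scopeCovers(granted, target string) bool {
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(target, strings.TrimSuffix(granted, "*"))
	}
	return granted == target
}

// Allowed reports whether any permission grants action on target.
func Allowed(perms []Permission, action, target string) bool {
	for _, p := range perms {
		if p.Action == action && scopeCovers(p.Scope, target) {
			return true
		}
	}
	return false
}

// BroadGrants lists kind-wide wildcard grants such as "users:*".
func BroadGrants(perms []Permission) (out []Permission) {
	for _, p := range perms {
		if strings.HasSuffix(p.Scope, ":*") && strings.Count(p.Scope, ":") == 1 {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println(Allowed(sampleRole, "users:read", "users:id:10"), BroadGrants(sampleRole))
}
```

In the sample role only the `datasources:*` grant is reported as broad; the `settings:auth.saml:*` grant is already narrowed to one settings section.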