Untitled :: Tecnisys Docs

RBAC role definitions

NOTE: Available in Grafana Enterprise and Grafana Cloud.

The following tables list permissions associated with basic and fixed roles.

Basic role assignments

Basic role Associated fixed roles Description

Basic role	Associated fixed roles	Description
Grafana Admin	fixed:roles:readerfixed:roles:writerfixed:users:readerfixed:users:writerfixed:org.users:readerfixed:org.users:writerfixed:ldap:readerfixed:ldap:writerfixed:stats:readerfixed:settings:readerfixed:settings:writerfixed:provisioning:writerfixed:organization:readerfixed:organization:maintainerfixed:licensing:readerfixed:licensing:writerfixed:datasources.caching:readerfixed:datasources.caching:writerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:plugins:maintainerfixed:authentication.config:writerfixed:library.panels:creatorfixed:library.panels:readerfixed:library.panels:general.readerfixed:library.panels:writerfixed:library.panels:general.writer	Default Grafana server administrator assignments.
Admin	fixed:reports:readerfixed:reports:writerfixed:datasources:readerfixed:datasources:writerfixed:organization:writerfixed:datasources.permissions:readerfixed:datasources.permissions:writerfixed:teams:writerfixed:dashboards:readerfixed:dashboards:writerfixed:dashboards.permissions:readerfixed:dashboards.permissions:writerfixed:dashboards.public:writerfixed:folders:readerfixed:folders:writerfixed:folders.permissions:readerfixed:folders.permissions:writerfixed:alerting:writerfixed:apikeys:readerfixed:apikeys:writerfixed:alerting.provisioning.secrets:readerfixed:alerting.provisioning:writerfixed:datasources.caching:readerfixed:datasources.caching:writerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:plugins:writerfixed:library.panels:creatorfixed:library.panels:readerfixed:library.panels:general.readerfixed:library.panels:writer`fixed:library.panels:general.writer`	Default Grafana organization administrator assignments.
Editor	`fixed:datasources:explorerfixed:dashboards:creatorfixed:folders:creatorfixed:annotations:writerfixed:teams:creator` if the `editors_can_admin` configuration flag is enabled`fixed:alerting:writer`fixed:dashboards.insights:reader`fixed:datasources.insights:reader`fixed:library.panels:creator`fixed:library.panels:general.reader`fixed:library.panels:general.writer	Default Editor assignments.
Viewer	`fixed:datasources.id:readerfixed:organization:readerfixed:annotations:readerfixed:annotations.dashboard:writerfixed:alerting:readerfixed:plugins.app:readerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:library.panels:general.reader`	Default Viewer assignments.
No Basic Role		Default No Basic Role

Grafana Admin

fixed:roles:readerfixed:roles:writerfixed:users:readerfixed:users:writerfixed:org.users:readerfixed:org.users:writerfixed:ldap:readerfixed:ldap:writerfixed:stats:readerfixed:settings:readerfixed:settings:writerfixed:provisioning:writerfixed:organization:readerfixed:organization:maintainerfixed:licensing:readerfixed:licensing:writerfixed:datasources.caching:readerfixed:datasources.caching:writerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:plugins:maintainerfixed:authentication.config:writerfixed:library.panels:creatorfixed:library.panels:readerfixed:library.panels:general.readerfixed:library.panels:writerfixed:library.panels:general.writer

Default Grafana server administrator assignments.

Admin

fixed:reports:readerfixed:reports:writerfixed:datasources:readerfixed:datasources:writerfixed:organization:writerfixed:datasources.permissions:readerfixed:datasources.permissions:writerfixed:teams:writerfixed:dashboards:readerfixed:dashboards:writerfixed:dashboards.permissions:readerfixed:dashboards.permissions:writerfixed:dashboards.public:writerfixed:folders:readerfixed:folders:writerfixed:folders.permissions:readerfixed:folders.permissions:writerfixed:alerting:writerfixed:apikeys:readerfixed:apikeys:writerfixed:alerting.provisioning.secrets:readerfixed:alerting.provisioning:writerfixed:datasources.caching:readerfixed:datasources.caching:writerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:plugins:writerfixed:library.panels:creatorfixed:library.panels:readerfixed:library.panels:general.readerfixed:library.panels:writer`fixed:library.panels:general.writer`

Default Grafana organization administrator assignments.

Editor

fixed:datasources:explorerfixed:dashboards:creatorfixed:folders:creatorfixed:annotations:writerfixed:teams:creator if the editors_can_admin configuration flag is enabled`fixed:alerting:writerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:library.panels:creatorfixed:library.panels:general.reader`fixed:library.panels:general.writer

Default Editor assignments.

Viewer

fixed:datasources.id:readerfixed:organization:readerfixed:annotations:readerfixed:annotations.dashboard:writerfixed:alerting:readerfixed:plugins.app:readerfixed:dashboards.insights:readerfixed:datasources.insights:readerfixed:library.panels:general.reader

Default Viewer assignments.

No Basic Role

Default No Basic Role

Fixed role definitions

Fixed role Permissions Description

Fixed role	Permissions	Description
`fixed:alerting.instances:writer`	All permissions from `fixed:alerting.instances:reader` and alert.instances:create`alert.instances:write` for organization scope `alert.instances.external:write` for scope `datasources:*`	Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.*
`fixed:alerting.instances:reader`	`alert.instances:read` for organization scope `alert.instances.external:read` for scope `datasources:*`	Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.*
`fixed:alerting.notifications:writer`	All permissions from `fixed:alerting.notifications:reader` and`alert.notifications:write`for organization scope`alert.notifications.external:read` for scope `datasources:*`	Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.*
`fixed:alerting.notifications:reader`	`alert.notifications:read` for organization scope`alert.notifications.external:read` for scope `datasources:*`	Read all Grafana and Alertmanager contact points, templates, and notification policies.*
`fixed:alerting.rules:writer`	All permissions from `fixed:alerting.rules:reader` and `alert.rule:create` `alert.rule:write` `alert.rule:delete` for scope `folders:` `alert.rules.external:write` for scope `datasources:`	Create, update, and delete all* Grafana, Mimir, and Loki alert rules.*
`fixed:alerting.rules:reader`	`alert.rule:read` for scope `folders:` `alert.rules.external:read` for scope `datasources:`	Read all* Grafana, Mimir, and Loki alert rules.*
`fixed:alerting:writer`	All permissions from `fixed:alerting.rules:writer` fixed:alerting.instances:writer`fixed:alerting.notifications:writer`	Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules, silences, contact points, templates, mute timings, and notification policies.
`fixed:alerting:reader`	All permissions from `fixed:alerting.rules:reader` fixed:alerting.instances:reader`fixed:alerting.notifications:reader`	Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules, alerts, contact points, and notification policies.
`fixed:alerting.provisioning.secrets:reader`	`alert.provisioning:read` and `alert.provisioning.secrets:read`	Read-only permissions for Provisioning API and let export resources with decrypted secrets *
`fixed:alerting.provisioning:writer`	`alert.provisioning:read` and `alert.provisioning:write`	Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. *
`fixed:annotations.dashboard:writer`	`annotations:write` `annotations.create` `annotations:delete` for scope `annotations:type:dashboard`	Create, update and delete dashboard annotations and annotation tags.
`fixed:annotations:reader`	`annotations:read` for scopes `annotations:type:*`	Read all annotations and annotation tags.
`fixed:annotations:writer`	All permissions from `fixed:annotations:reader` `annotations:write` `annotations.create` `annotations:delete` for scope `annotations:type:*`	Read, create, update and delete all annotations and annotation tags.
`fixed:apikeys:reader`	`apikeys:read` for scope `apikeys:*`	Read all api keys.
`fixed:apikeys:writer`	All permissions from `fixed:apikeys:reader` and `apikeys:create` `apikeys:delete` for scope `apikeys:*`	Read, create, delete all api keys.
`fixed:authentication.config:writer`	`settings:read` for scope `settings:auth.saml:` `settings:write` for scope `settings:auth.saml:`	Read and update authentication and SAML settings.
`fixed:dashboards:creator`	dashboards:create`folders:read`	Create dashboards.
`fixed:dashboards.insights:reader`	`dashboards.insights:read`	Read dashboard insights data and see presence indicators.
`fixed:dashboards.permissions:reader`	`dashboards.permissions:read`	Read all dashboard permissions.
`fixed:dashboards.permissions:writer`	All permissions from `fixed:dashboards.permissions:reader` and `dashboards.permissions:write`	Read and update all dashboard permissions.
`fixed:dashboards.public:writer`	`dashboards.public:write`	Create, update, delete or pause a public dashboard.
`fixed:dashboards:reader`	`dashboards:read`	Read all dashboards.
`fixed:dashboards:writer`	All permissions from `fixed:dashboards:reader` and dashboards:writedashboards:editdashboards:deletedashboards:createdashboards.permissions:read`dashboards.permissions:write`	Read, create, update, and delete all dashboards.
`fixed:datasources.caching:reader`	`datasources.caching:read`	Read data source query caching settings.
`fixed:datasources.caching:writer`	datasources.caching:read`datasources.caching:write`	Enable, disable, or update query caching settings.
`fixed:datasources:explorer`	`datasources:explore`	Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.
`fixed:datasources.id:reader`	`datasources.id:read`	Read the ID of a data source based on its name.
`fixed:datasources.insights:reader`	`datasources.insights:read`	Read data source insights data.
`fixed:datasources.permissions:reader`	`datasources.permissions:read`	Read data source permissions.
`fixed:datasources.permissions:writer`	All permissions from `fixed:datasources.permissions:reader` and `datasources.permissions:write`	Create, read, or delete permissions of a data source.
`fixed:datasources:creator`	`datasources:create`	Create data sources.
`fixed:datasources:reader`	datasources:read`datasources:query`	Read and query data sources.
`fixed:datasources:writer`	All permissions from `fixed:datasources:reader` and `datasources:createdatasources:writedatasources:delete`	Read, query, create, delete, or update a data source.
`fixed:folders.permissions:reader`	`folders.permissions:read`	Read all folder permissions.
`fixed:folders.permissions:writer`	All permissions from `fixed:folders.permissions:reader` and `folders.permissions:write`	Read and update all folder permissions.
`fixed:folders:creator`	`folders:create`	Create folders in the root level. If granted together with `folders:write` permission, also allows creating subfolders under all folders.
`fixed:folders:reader`	folders:read`dashboards:read`	Read all folders and dashboards.
`fixed:folders:writer`	All permissions from `fixed:dashboards:writer` and folders:readfolders:writefolders:createfolders:deletefolders.permissions:read`folders.permissions:write`	Read, create, update, and delete all folders and dashboards. If granted together with `fixed:folders:creator`, allows creating subfolders under all folders.
`fixed:ldap:reader`	ldap.user:read`ldap.status:read`	Read the LDAP configuration and LDAP status information.
`fixed:ldap:writer`	All permissions from `fixed:ldap:reader` and ldap.user:sync`ldap.config:reload`	Read and update the LDAP configuration, and read LDAP status information.
`fixed:library.panels:creator`	library.panels:create`folders:read`	Create library panel at the root level.
`fixed:library.panels:reader`	`library.panels:read`	Read all library panels.
`fixed:library.panels:general.reader`	`library.panels:read`	Read all library panels at the root level.
`fixed:library.panels:writer`	All permissions from `fixed:library.panels:reader` plus`library.panels:create`library.panels:delete`library.panels:write`	Create, read, write or delete all library panels and their permissions.
`fixed:library.panels:general.writer`	All permissions from `fixed:library.panels:general.reader` plus`library.panels:create`library.panels:delete`library.panels:write`	Create, read, write or delete all library panels and their permissions at the root level.
`fixed:licensing:reader`	licensing:read`licensing.reports:read`	Read licensing information and licensing reports.
`fixed:licensing:writer`	All permissions from `fixed:licensing:viewer` and licensing:write`licensing:delete`	Read licensing information and licensing reports, update and delete the license token.
`fixed:org.users:reader`	`org.users:read`	Read users within a single organization.
`fixed:org.users:writer`	All permissions from `fixed:org.users:reader` and `org.users:addorg.users:removeorg.users:write`	Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.
`fixed:organization:maintainer`	All permissions from `fixed:organization:reader` and orgs:writeorgs:createorgs:delete`orgs.quotas:write`	Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.
`fixed:organization:reader`	orgs:read`orgs.quotas:read`	Read an organization and its quotas.
`fixed:organization:writer`	All permissions from `fixed:organization:reader` and `orgs:writeorgs.preferences:readorgs.preferences:write`	Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.
`fixed:plugins.app:reader`	`plugins.app:access`	Access application plugins (still enforcing the organization role).
`fixed:plugins:maintainer`	`plugins:install`	Install and uninstall plugins. Needs to be assigned globally.
`fixed:plugins:writer`	`plugins:write`	Enable and disable plugins and edit plugins’ settings.
`fixed:provisioning:writer`	`provisioning:reload`	Reload provisioning.
`fixed:reports:reader`	`reports:readreports:sendreports.settings:read`	Read all reports and shared report settings.
`fixed:reports:writer`	All permissions from `fixed:reports:reader` and reports:createreports:writereports:delete`reports.settings:write`	Create, read, update, or delete all reports and shared report settings.
`fixed:roles:reader`	roles:readteams.roles:readusers.roles:read`users.permissions:read`	Read all access control roles, roles and permissions assigned to users, teams.
`fixed:roles:writer`	All permissions from `fixed:roles:reader` and roles:writeroles:deleteteams.roles:addteams.roles:removeusers.roles:add`users.roles:remove`	Create, read, update, or delete all roles, assign or unassign roles to users, teams.
`fixed:roles:resetter`	`roles:write` with scope `permissions:type:escalate`	Reset basic roles to their default.
`fixed:serviceaccounts:reader`	`serviceaccounts:read`	Read Grafana service accounts.
`fixed:serviceaccounts:creator`	`serviceaccounts:create`	Create Grafana service accounts.
`fixed:serviceaccounts:writer`	serviceaccounts:readserviceaccounts:createserviceaccounts:writeserviceaccounts:deleteserviceaccounts.permissions:read`serviceaccounts.permissions:write`	Create, update, read and delete all Grafana service accounts and manage service account permissions.
`fixed:settings:reader`	`settings:read`	Read Grafana instance settings.
`fixed:settings:writer`	All permissions from `fixed:settings:reader` and`settings:write`	Read and update Grafana instance settings.
`fixed:stats:reader`	`server.stats:read`	Read Grafana instance statistics.
`fixed:teams:reader`	`teams:read`	List all teams.
`fixed:teams:creator`	teams:create`org.users:read`	Create a team and list organization users (required to manage the created team).
`fixed:teams:writer`	teams:createteams:deleteteams:readteams:writeteams.permissions:read`teams.permissions:write`	Create, read, update and delete teams and manage team memberships.
`fixed:users:reader`	users:readusers.quotas:readusers.authtoken:read`+	Read all users and their information, such as team memberships, authentication tokens, and quotas.
	`fixed:users:writer`	All permissions from+`fixed:users:reader`and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`

fixed:alerting.instances:writer

All permissions from fixed:alerting.instances:reader and alert.instances:create`alert.instances:write` for organization scope alert.instances.external:write for scope datasources:*

Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.*

fixed:alerting.instances:reader

alert.instances:read for organization scope alert.instances.external:read for scope datasources:*

Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.*

fixed:alerting.notifications:writer

All permissions from fixed:alerting.notifications:reader and`alert.notifications:writefor organization scopealert.notifications.external:read` for scope datasources:*

Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.*

fixed:alerting.notifications:reader

alert.notifications:read for organization scope`alert.notifications.external:read` for scope datasources:*

Read all Grafana and Alertmanager contact points, templates, and notification policies.*

fixed:alerting.rules:writer

All permissions from fixed:alerting.rules:reader and alert.rule:create alert.rule:write alert.rule:delete for scope folders:* alert.rules.external:write for scope datasources:*

Create, update, and delete all* Grafana, Mimir, and Loki alert rules.*

fixed:alerting.rules:reader

alert.rule:read for scope folders:* alert.rules.external:read for scope datasources:*

Read all* Grafana, Mimir, and Loki alert rules.*

fixed:alerting:writer

All permissions from fixed:alerting.rules:writer fixed:alerting.instances:writer`fixed:alerting.notifications:writer`

Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules*, silences, contact points, templates, mute timings, and notification policies.*

fixed:alerting:reader

All permissions from fixed:alerting.rules:reader fixed:alerting.instances:reader`fixed:alerting.notifications:reader`

Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules*, alerts, contact points, and notification policies.*

fixed:alerting.provisioning.secrets:reader

alert.provisioning:read and alert.provisioning.secrets:read

Read-only permissions for Provisioning API and let export resources with decrypted secrets *

fixed:alerting.provisioning:writer

alert.provisioning:read and alert.provisioning:write

Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. *

fixed:annotations.dashboard:writer

annotations:write annotations.create annotations:delete for scope annotations:type:dashboard

Create, update and delete dashboard annotations and annotation tags.

fixed:annotations:reader

annotations:read for scopes annotations:type:*

Read all annotations and annotation tags.

fixed:annotations:writer

All permissions from fixed:annotations:reader annotations:write annotations.create annotations:delete for scope annotations:type:*

Read, create, update and delete all annotations and annotation tags.

fixed:apikeys:reader

apikeys:read for scope apikeys:*

Read all api keys.

fixed:apikeys:writer

All permissions from fixed:apikeys:reader and apikeys:create apikeys:delete for scope apikeys:*

Read, create, delete all api keys.

fixed:authentication.config:writer

settings:read for scope settings:auth.saml:* settings:write for scope settings:auth.saml:*

Read and update authentication and SAML settings.

fixed:dashboards:creator

dashboards:create`folders:read`

Create dashboards.

fixed:dashboards.insights:reader

dashboards.insights:read

Read dashboard insights data and see presence indicators.

fixed:dashboards.permissions:reader

dashboards.permissions:read

Read all dashboard permissions.

fixed:dashboards.permissions:writer

All permissions from fixed:dashboards.permissions:reader and dashboards.permissions:write

Read and update all dashboard permissions.

fixed:dashboards.public:writer

dashboards.public:write

Create, update, delete or pause a public dashboard.

fixed:dashboards:reader

dashboards:read

Read all dashboards.

fixed:dashboards:writer

All permissions from fixed:dashboards:reader and dashboards:writedashboards:editdashboards:deletedashboards:createdashboards.permissions:read`dashboards.permissions:write`

Read, create, update, and delete all dashboards.

fixed:datasources.caching:reader

datasources.caching:read

Read data source query caching settings.

fixed:datasources.caching:writer

datasources.caching:read`datasources.caching:write`

Enable, disable, or update query caching settings.

fixed:datasources:explorer

datasources:explore

Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.

fixed:datasources.id:reader

datasources.id:read

Read the ID of a data source based on its name.

fixed:datasources.insights:reader

datasources.insights:read

Read data source insights data.

fixed:datasources.permissions:reader

datasources.permissions:read

Read data source permissions.

fixed:datasources.permissions:writer

All permissions from fixed:datasources.permissions:reader and datasources.permissions:write

Create, read, or delete permissions of a data source.

fixed:datasources:creator

datasources:create

Create data sources.

fixed:datasources:reader

datasources:read`datasources:query`

Read and query data sources.

fixed:datasources:writer

All permissions from fixed:datasources:reader and datasources:createdatasources:writedatasources:delete

Read, query, create, delete, or update a data source.

fixed:folders.permissions:reader

folders.permissions:read

Read all folder permissions.

fixed:folders.permissions:writer

All permissions from fixed:folders.permissions:reader and folders.permissions:write

Read and update all folder permissions.

fixed:folders:creator

folders:create

Create folders in the root level. If granted together with folders:write permission, also allows creating subfolders under all folders.

fixed:folders:reader

folders:read`dashboards:read`

Read all folders and dashboards.

fixed:folders:writer

All permissions from fixed:dashboards:writer and folders:readfolders:writefolders:createfolders:deletefolders.permissions:read`folders.permissions:write`

Read, create, update, and delete all folders and dashboards. If granted together with fixed:folders:creator, allows creating subfolders under all folders.

fixed:ldap:reader

ldap.user:read`ldap.status:read`

Read the LDAP configuration and LDAP status information.

fixed:ldap:writer

All permissions from fixed:ldap:reader and ldap.user:sync`ldap.config:reload`

Read and update the LDAP configuration, and read LDAP status information.

fixed:library.panels:creator

library.panels:create`folders:read`

Create library panel at the root level.

fixed:library.panels:reader

library.panels:read

Read all library panels.

fixed:library.panels:general.reader

library.panels:read

Read all library panels at the root level.

fixed:library.panels:writer

All permissions from fixed:library.panels:reader plus`library.panels:createlibrary.panels:deletelibrary.panels:write`

Create, read, write or delete all library panels and their permissions.

fixed:library.panels:general.writer

All permissions from fixed:library.panels:general.reader plus`library.panels:createlibrary.panels:deletelibrary.panels:write`

Create, read, write or delete all library panels and their permissions at the root level.

fixed:licensing:reader

licensing:read`licensing.reports:read`

Read licensing information and licensing reports.

fixed:licensing:writer

All permissions from fixed:licensing:viewer and licensing:write`licensing:delete`

Read licensing information and licensing reports, update and delete the license token.

fixed:org.users:reader

org.users:read

Read users within a single organization.

fixed:org.users:writer

All permissions from fixed:org.users:reader and org.users:addorg.users:removeorg.users:write

Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.

fixed:organization:maintainer

All permissions from fixed:organization:reader and orgs:writeorgs:createorgs:delete`orgs.quotas:write`

Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.

fixed:organization:reader

orgs:read`orgs.quotas:read`

Read an organization and its quotas.

fixed:organization:writer

All permissions from fixed:organization:reader and orgs:writeorgs.preferences:readorgs.preferences:write

Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.

fixed:plugins.app:reader

plugins.app:access

Access application plugins (still enforcing the organization role).

fixed:plugins:maintainer

plugins:install

Install and uninstall plugins. Needs to be assigned globally.

fixed:plugins:writer

plugins:write

Enable and disable plugins and edit plugins’ settings.

fixed:provisioning:writer

provisioning:reload

Reload provisioning.

fixed:reports:reader

reports:readreports:sendreports.settings:read

Read all reports and shared report settings.

fixed:reports:writer

All permissions from fixed:reports:reader and reports:createreports:writereports:delete`reports.settings:write`

Create, read, update, or delete all reports and shared report settings.

fixed:roles:reader

roles:readteams.roles:readusers.roles:read`users.permissions:read`

Read all access control roles, roles and permissions assigned to users, teams.

fixed:roles:writer

All permissions from fixed:roles:reader and roles:writeroles:deleteteams.roles:addteams.roles:removeusers.roles:add`users.roles:remove`

Create, read, update, or delete all roles, assign or unassign roles to users, teams.

fixed:roles:resetter

roles:write with scope permissions:type:escalate

Reset basic roles to their default.

fixed:serviceaccounts:reader

serviceaccounts:read

Read Grafana service accounts.

fixed:serviceaccounts:creator

serviceaccounts:create

Create Grafana service accounts.

fixed:serviceaccounts:writer

serviceaccounts:readserviceaccounts:createserviceaccounts:writeserviceaccounts:deleteserviceaccounts.permissions:read`serviceaccounts.permissions:write`

Create, update, read and delete all Grafana service accounts and manage service account permissions.

fixed:settings:reader

settings:read

Read Grafana instance settings.

fixed:settings:writer

All permissions from fixed:settings:reader and`settings:write`

Read and update Grafana instance settings.

fixed:stats:reader

server.stats:read

Read Grafana instance statistics.

fixed:teams:reader

teams:read

List all teams.

fixed:teams:creator

teams:create`org.users:read`

Create a team and list organization users (required to manage the created team).

fixed:teams:writer

teams:createteams:deleteteams:readteams:writeteams.permissions:read`teams.permissions:write`

Create, read, update and delete teams and manage team memberships.

fixed:users:reader

users:readusers.quotas:readusers.authtoken:read`+

Read all users and their information, such as team memberships, authentication tokens, and quotas.

`fixed:users:writer`

All permissions from+fixed:users:readerand users:write users:create users:delete users:enable users:disable users.password:write users.permissions:write users:logout users.authtoken:write users.quotas:write

Alerting roles

If alerting is enabled, you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.

Access to Grafana alert rules is an intersection of many permissions:

Permission to read a folder. For example, the fixed role fixed:folders:reader includes the action folders:read and a folder scope folders:id:.
Permission to query all data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is only one exclusion at this moment. Role fixed:alerting.provisioning:writer does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.

For more information about the permissions required to access alert rules, refer to Create a custom role to access alerts in a folder.

Grafana OnCall roles (beta)

NOTE: Available from Grafana 9.4 in early access.

NOTE: This feature is behind the accessControlOnCall feature toggle. You can enable feature toggles through configuration file or environment variables. See configuration docs for details.

If you are using Grafana OnCall, you can try out the integration between Grafana OnCall and RBAC. For a detailed list of the available OnCall RBAC roles, refer to the table in Available Grafana OnCall RBAC roles and granted actions.

The following table lists the default RBAC OnCall role assignments to the basic roles: