Troubleshooting RBAC

In this section, you’ll learn about logs that are available for RBAC and you’ll find the most common RBAC issues.

Enable debug logging

You can enable debug log messages for RBAC in the Grafana configuration file. Debug logs are added to the Grafana server logs.

[log]
filters = accesscontrol:debug accesscontrol.evaluator:debug dashboard.permissions:debug

Enable audit logging

NOTE: Available in Grafana Enterprise version 7.3 and later, and Grafana Cloud.

You can enable auditing in the Grafana configuration file.

[auditing]
enabled = true

All permission and role updates, and role assignments are added to audit logs. Learn more about access control audit logs.

Missing dashboard, folder or data source permissions

Dashboard and folder permissions and data source permissions can go out of sync if a Grafana instance version is upgraded, downgraded and then upgraded again. This happens when an instance is downgraded from a version that uses RBAC to a version that uses the legacy access control, and dashboard, folder or data source permissions are updated. These permission updates will not be applied to RBAC, so permissions will be out of sync when the instance is next upgraded to a version with RBAC.

NOTE: the steps provided below will set all dashboard, folder and data source permissions to what they are set to with the legacy access control. If you have made dashboard, folder or data source permission updates with RBAC enabled, these updates will be wiped.

To resynchronize the permissions:

  1. make a backup of your database

  2. run the following SQL queries

    DELETE
    FROM builtin_role
    where role_id IN (SELECT id
                      FROM role
                      WHERE name LIKE 'managed:%');
    DELETE
    FROM team_role
    where role_id IN (SELECT id
                      FROM role
                      WHERE name LIKE 'managed:%');
    DELETE
    FROM user_role
    where role_id IN (SELECT id
                      FROM role
                      WHERE name LIKE 'managed:%');
    DELETE
    FROM permission
    where role_id IN (SELECT id
                      FROM role
                      WHERE name LIKE 'managed:%');
    DELETE
    FROM role
    WHERE name LIKE 'managed:%';
    DELETE
    FROM migration_log
    WHERE migration_id IN ('teams permissions migration',
                           'dashboard permissions',
                           'dashboard permissions uid scopes',
                           'data source permissions',
                           'data source uid permissions',
                           'managed permissions migration',
                           'managed folder permissions alert actions repeated migration',
                           'managed permissions migration enterprise');
  3. restart your Grafana instance