Data Source Permissions API

The Data Source Permissions is only available in Grafana Enterprise. Read more about Grafana Enterprise.

If you are running Grafana Enterprise, for some endpoints you’ll need to have specific permissions. Refer to Role-based access control permissions for more information.

This API can be used to list, add and remove permissions for a data source.

Permissions can be set for a user, team, service account or a basic role (Admin, Editor, Viewer).

Get permissions for a data source

GET /api/access-control/datasources/:uid

Gets all existing permissions for the data source with the given uid.

Required permissions

See note in the introduction for an explanation.

Action Scope

datasources.permissions:read

datasources:*datasources:uid:*datasources:uid:my_datasource (single data source)

Examples

Example request:

GET /api/access-control/datasources/my_datasource HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 551

[
    {
        "id": 1,
        "roleName": "fixed:datasources:reader",
        "isManaged": false,
        "isInherited": false,
        "isServiceAccount": false,
        "userId": 1,
        "userLogin": "admin_user",
        "userAvatarUrl": "/avatar/admin_user",
        "actions": [
            "datasources:read",
            "datasources:query",
            "datasources:read",
            "datasources:query",
            "datasources:write",
            "datasources:delete"
        ],
        "permission": "Edit"
    },
    {
        "id": 2,
        "roleName": "managed:teams:1:permissions",
        "isManaged": true,
        "isInherited": false,
        "isServiceAccount": false,
        "team": "A team",
        "teamId": 1,
        "teamAvatarUrl": "/avatar/523d70c8551046f441727d690431858c",
        "actions": [
            "datasources:read",
            "datasources:query"
        ],
        "permission": "Query"
    },
    {
        "id": 3,
        "roleName": "basic:admin",
        "isManaged": false,
        "isInherited": false,
        "isServiceAccount": false,
        "builtInRole": "Admin",
        "actions": [
            "datasources:query",
            "datasources:read",
            "datasources:write",
            "datasources:delete"
        ],
        "permission": "Edit"
    },
]

Status codes:

  • 200 - Ok

  • 401 - Unauthorized

  • 403 - Access denied

  • 500 - Internal error

Add or revoke access to a data source for a user

POST /api/access-control/datasources/:uid/users/:id

Sets user permission for the data source with the given uid.

To add a permission, set the permission field to either Query, Edit, or Admin. To remove a permission, set the permission field to an empty string.

Required permissions

See note in the introduction for an explanation.

Action Scope

datasources.permissions:write

datasources:*datasources:uid:*datasources:uid:my_datasource (single data source)

Examples

Example request:

POST /api/access-control/datasources/my_datasource/users/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

{
  "permission": "Query",
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35

{"message": "Permission updated"}

Example request:

POST /api/access-control/datasources/my_datasource/users/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

{
  "permission": "",
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35

{"message": "Permission removed"}

Status codes:

  • 200 - Ok

  • 400 - Permission cannot be added, see response body for details

  • 401 - Unauthorized

  • 403 - Access denied

Add or revoke access to a data source for a team

POST /api/access-control/datasources/:uid/teams/:id

Sets team permission for the data source with the given uid.

To add a permission, set the permission field to either Query, Edit, or Admin. To remove a permission, set the permission field to an empty string.

Required permissions

See note in the introduction for an explanation.

Action Scope

datasources.permissions:write

datasources:*datasources:uid:*datasources:uid:my_datasource (single data source)

Examples

Example request:

POST /api/access-control/datasources/my_datasource/teams/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

{
  "permission": "Edit",
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35

{"message": "Permission updated"}

Example request:

POST /api/access-control/datasources/my_datasource/teams/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

{
  "permission": "",
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35

{"message": "Permission removed"}

Status codes:

  • 200 - Ok

  • 400 - Permission cannot be added, see response body for details

  • 401 - Unauthorized

  • 403 - Access denied

Add or revoke access to a data source for a basic role

POST /api/access-control/datasources/:uid/builtInRoles/:builtinRoleName

Sets permission for the data source with the given uid to all users who have the specified basic role.

You can set permissions for the following basic roles: Admin, Editor, Viewer.

To add a permission, set the permission field to either Query, Edit, or Admin. To remove a permission, set the permission field to an empty string.

Required permissions

See note in the introduction for an explanation.

Action Scope

datasources.permissions:write

datasources:*datasources:uid:*datasources:uid:my_datasource (single data source)

Examples

Example request:

POST /api/access-control/datasources/my_datasource/builtInRoles/Admin
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

{
  "permission": "Edit",
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35

{"message": "Permission updated"}

Example request:

POST /api/access-control/datasources/my_datasource/builtInRoles/Viewer
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

{
  "permission": "",
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35

{"message": "Permission removed"}

Status codes:

  • 200 - Ok

  • 400 - Permission cannot be added, see response body for details

  • 401 - Unauthorized

  • 403 - Access denied