Roles

    There are two types of roles:

    • Fixed roles, which provide granular access for specific resources within Grafana and are managed by the Grafana itself.
    • , which provide granular access based on the user specified set of permissions.

    You can use Fine-grained access control API to list available roles and permissions.

    A role can be either global or organization local. Global roles are not mapped to any specific organization and can be reused across multiple organizations, whereas organization local roles are only available for that specific organization.

    Fixed roles provide convenience and guarantee of consistent behaviour by combining relevant together. Fixed roles are created and updated by Grafana during startup. There are few basic rules for fixed roles:

    • All fixed roles are global.
    • All fixed roles have a prefix.
    • You can’t change or delete a fixed role.

    For more information, refer to Fine-grained access control references.

    Custom roles allow you to manage access to your users the way you want, by mapping fine-grained permissions to it and creating .

    A role’s name is intended as a human friendly identifier for the role, helping administrators understand the purpose of a role. The name cannot be longer than 190 characters, and we recommend using ASCII characters. Role names must be unique within an organization.

    Roles with names prefixed by are fixed roles created by Grafana and cannot be created or modified by users.

    Display name

    A role’s display name is intended as a human friendly identifier for the role, helping users understand the purpose of a role. The display name of the role is displayed in the role picker in the UI.

    A role’s group is used to organize roles in the role picker in the UI.

    Role version

    The version of a role is a positive integer which defines the current version of the role. When updating a role, you can either omit the version field to increment the previous value by 1 or set a new version which must be strictly larger than the previous version for the update to succeed.

    You manage access to Grafana resources by mapping to roles. You can create and assign roles without any permissions as placeholders.

    Role UID

    The same UID cannot be used for roles in different organizations within the same Grafana instance.

    You can create, update and delete custom roles by using the Access Control HTTP API or by using .

    By default, Grafana Server Admin has a built-in role assignment which allows a user to create, update or delete custom roles. If a Grafana Server Admin wants to delegate that privilege to other users, they can create a custom role with relevant and scope will allow those users to manage roles themselves.

    Note that you won’t be able to create, update or delete a custom role with permissions which you yourself do not have. For example, if the only permission you have is a , you won’t be able to create a role with other permissions.

    and Fixed roles can be assigned to users, the existing and to Grafana Server Admin role.

    Visit page for more details.