Fine-grained access control API

    The API can be used to create, update, get and list roles, and create or remove built-in role assignments. To use the API, you would need to enable fine-grained access control.

    The API does not currently work with an API Token. So in order to use these API endpoints you will have to use .

    Returns an indicator to check if fine-grained access control is enabled or not.

    Example request

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {
    5.   "enabled": true
    6. }

    Status codes

    CodeDescription
    200Returned a flag indicating if the fine-grained access control is enabled or no.
    403Access denied
    404Not found, an indication that fine-grained access control is not available at all.
    500Unexpected error. Refer to body and/or server logs for more details.

    Get all roles

    GET /api/access-control/roles

    Gets all existing roles. The response contains all global and organization local roles, for the organization which user is signed in. Refer to the for more information.

    Required permissions

    ActionScope
    roles:listroles:*

    Example request

    1. GET /api/access-control/roles
    2. Accept: application/json
    3. Content-Type: application/json

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. [
    5.     {
    6.         "version": 1,
    7.         "uid": "Kz9m_YjGz",
    8.         "name": "fixed:reporting:admin:edit",
    9.         "description": "Gives access to edit any report or the organization's general reporting settings.",
    10.         "global": true,
    11.         "updated": "2021-05-13T16:24:26+02:00",
    12.         "created": "2021-05-13T16:24:26+02:00"
    13.     },
    14.     {
    15.         "version": 5,
    16.         "uid": "vi9mlLjGz",
    17.         "name": "fixed:permissions:admin:read",
    18.         "description": "Gives access to read and list roles and permissions, as well as built-in role assignments.",
    19.         "global": true,
    20.         "created": "2021-05-13T16:24:26+02:00"
    21.     }
    22. ]

    Status codes

    CodeDescription
    200Global and organization local roles are returned.
    403Access denied
    500Unexpected error. Refer to body and/or server logs for more details.

    Get a role

    GET /api/access-control/roles/:uid

    Get a role for the given UID.

    Required permissions

    ActionScope
    roles:readroles:*

    Example request

    1. GET /api/access-control/roles/PYnDO3rMk
    2. Accept: application/json
    3. Content-Type: application/json

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {
    5.     "version": 2,
    6.     "uid": "jZrmlLCGk",
    7.     "name": "fixed:permissions:admin:edit",
    8.     "description": "Gives access to create, update and delete roles, as well as manage built-in role assignments.",
    9.     "global": true,
    10.     "permissions": [
    11.         {
    12.             "action": "roles:delete",
    13.             "scope": "permissions:delegate",
    14.             "updated": "2021-05-13T16:24:26+02:00",
    15.             "created": "2021-05-13T16:24:26+02:00"
    16.         },
    17.         {
    18.             "action": "roles:list",
    19.             "scope": "roles:*",
    20.             "updated": "2021-05-13T16:24:26+02:00",
    21.             "created": "2021-05-13T16:24:26+02:00"
    22.         }
    23.     ],
    24.     "updated": "2021-05-13T16:24:26+02:00",
    25.     "created": "2021-05-13T16:24:26+02:00"
    26. }

    Status codes

    CodeDescription
    200Role is returned.
    403Access denied
    500Unexpected error. Refer to body and/or server logs for more details.

    Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as Fixed Roles can’t be created.

    Required permissions

    permission:delegate scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.

    ActionScope
    roles:writepermissions:delegate

    Example request

    JSON body schema

    Field NameDate TypeRequiredDescription
    uidstringNoUID of the role. If not present, the UID will be automatically created for you and returned in response. Refer to the Custom roles for more information.
    globalbooleanNoA flag indicating if the role is global or not. If set to false, the default org ID of the authenticated user will be used from the request. Refer to the for more information.
    versionnumberNoVersion of the role. If not present, version 0 will be assigned to the role and returned in the response. Refer to the Custom roles for more information.
    namestringYesName of the role. Refer to for more information.
    descriptionstringNoDescription of the role.
    permissionsPermissionNoIf not present, the role will be created without any permissions.

    Permission

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {
    6.     "uid": "jZrmlLCGka",
    7.     "name": "custom:delete:create:roles",
    8.     "description": "My custom role which gives users permissions to delete and create roles",
    9.     "global": true,
    10.     "permissions": [
    11.         {
    12.             "action": "roles:delete",
    13.             "scope": "permissions:delegate",
    14.             "updated": "2021-05-13T23:19:46+02:00",
    15.             "created": "2021-05-13T23:19:46+02:00"
    16.         }
    17.     ],
    18.     "updated": "2021-05-13T23:20:51.416518+02:00",
    19.     "created": "2021-05-13T23:19:46+02:00"
    20. }

    Status codes

    CodeDescription
    200Role is updated.
    400Bad request (invalid json, missing content-type, missing or invalid fields, etc.).
    403Access denied
    500Unexpected error. Refer to body and/or server logs for more details.

    Update a custom role

    PUT /api/access-control/roles/:uid

    Update the role with the given UID, and it’s permissions with the given UID. The operation is idempotent and all permissions of the role will be replaced with what is in the request. You would need to increment the version of the role with each update, otherwise the request will fail.

    Required permissions

    permission:delegate scope ensures that users can only update custom roles with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to update a custom role which allows to do that. This is done to prevent escalation of privileges.

    ActionScope
    roles:writepermissions:delegate

    Example request

    1. PUT /api/access-control/roles/jZrmlLCGka
    2. Accept: application/json
    3. Content-Type: application/json
    5. {
    6.     "version": 2,    
    7.     "name": "custom:delete:create:roles",
    8.     "description": "My custom role which gives users permissions to delete and create roles",    
    9.     "permissions": [
    10.         {
    11.             "action": "roles:delete",
    12.             "scope": "permissions:delegate"
    13.         },
    14.          {
    15.             "action": "roles:create",
    16.             "scope": "permissions:delegate"
    17.         }
    18.     ]
    19. }

    JSON body schema

    Field NameData TypeRequiredDescription
    versionnumberYesVersion of the role. Must be incremented for update to work.
    namestringYesName of the role.
    descriptionstringNoDescription of the role.
    permissionsList of PermissionsNoThe full list of permissions the role should have after the update.

    Permission

    Field NameData TypeRequiredDescription
    actionstringYesRefer to Permissions for full list of available actions.
    scopestringNoIf not present, no scope will be mapped to the permission. Refer to for full list of available scopes.

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {
    5.     "version": 3,    
    6.     "name": "custom:delete:create:roles",
    7.     "description": "My custom role which gives users permissions to delete and create roles",    
    8.     "permissions": [
    9.         {
    10.             "scope": "permissions:delegate",
    11.             "updated": "2021-05-13T23:19:46.546146+02:00",
    12.             "created": "2021-05-13T23:19:46.546146+02:00"
    13.         },
    14.          {
    15.             "action": "roles:create",
    16.             "scope": "permissions:delegate",
    17.             "updated": "2021-05-13T23:19:46.546146+02:00",
    18.             "created": "2021-05-13T23:19:46.546146+02:00"
    19.         }
    20.     ],
    21.     "updated": "2021-05-13T23:19:46.540987+02:00",
    22.     "created": "2021-05-13T23:19:46.540986+02:00"
    23. }

    Status codes

    CodeDescription
    200Role is updated.
    400Bad request (invalid json, missing content-type, missing or invalid fields, etc.).
    403Access denied
    404Role was not found to update.
    500Unexpected error. Refer to body and/or server logs for more details.

    Delete a custom role

    DELETE /api/access-control/roles/:uid?force=false

    Required permissions

    permission:delegate scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to delete a custom role which allows to do that.

    ActionScope
    roles:deletepermissions:delegate

    Example request

    1. DELETE /api/access-control/roles/jZrmlLCGka?force=true
    2. Accept: application/json

    Query parameters

    ParamTypeRequiredDescription
    forcebooleanNoWhen set to true, the role will be deleted with all it’s assignments.

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    5.     "message": "Role deleted"
    6. }

    Status codes

    API set allows to create or remove and list current assignments.

    GET /api/access-control/builtin-roles

    Gets all built-in role assignments.

    Required permissions

    ActionScope
    roles.builtin:listroles:*

    Example request

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {
    5.     "Admin": [
    6.         {
    7.             "version": 1,
    8.             "uid": "qQui_LCMk",
    9.             "name": "fixed:users:org:edit",
    10.             "description": "",
    11.             "global": true,
    12.             "updated": "2021-05-13T16:24:26+02:00",
    13.             "created": "2021-05-13T16:24:26+02:00"
    14.         },
    15.         {
    16.             "version": 1,
    17.             "uid": "PeXmlYjMk",
    18.             "name": "fixed:users:org:read",
    19.             "description": "",
    20.             "global": true,
    21.             "updated": "2021-05-13T16:24:26+02:00",
    22.             "created": "2021-05-13T16:24:26+02:00"
    23.         }
    24.     ],
    25.     "Grafana Admin": [
    26.         {
    27.             "version": 1,
    28.             "uid": "qQui_LCMk",
    29.             "name": "fixed:users:org:edit",
    30.             "description": "",
    31.             "global": true,
    32.             "updated": "2021-05-13T16:24:26+02:00",
    33.             "created": "2021-05-13T16:24:26+02:00"
    34.         }
    35.     ]
    36. }

    Status codes

    CodeDescription
    200Built-in role assignments are returned.
    403Access denied
    500Unexpected error. Refer to body and/or server logs for more details.

    Create a built-in role assignment

    POST /api/access-control/builtin-roles

    Creates a new built-in role assignment.

    Required permissions

    permission:delegate scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to create a built-in role assignment which will allow to do that. This is done to prevent escalation of privileges.

    ActionScope
    roles.builtin:addpermissions:delegate

    Example request

    1. POST /api/access-control/builtin-roles
    2. Accept: application/json
    3. Content-Type: application/json
    5. {
    6.     "roleUid": "LPMGN99Mk",
    7.     "builtinRole": "Grafana Admin",
    8.     "global": false
    9. }

    JSON body schema

    Field NameDate TypeRequiredDescription
    roleUidstringYesUID of the role.
    builtinRolebooleanYesCan be one of Viewer, Editor, Admin or Grafana Admin.
    globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request to create organization local assignment. Refer to the for more information.

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {
    5.     "message": "Built-in role grant added"
    6. }

    Status codes

    CodeDescription
    200Role was assigned to built-in role.
    400Bad request (invalid json, missing content-type, missing or invalid fields, etc.).
    403Access denied
    404Role not found
    500Unexpected error. Refer to body and/or server logs for more details.

    Remove a built-in role assignment

    DELETE /api/access-control/builtin-roles/:builtinRole/roles/:roleUID

    Required permissions

    permission:delegate scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to remove a built-in role assignment which allows to do that.

    ActionScope
    roles.builtin:removepermissions:delegate

    Example request

    1. DELETE /api/access-control/builtin-roles/Grafana%20Admin/roles/LPMGN99Mk?global=false
    2. Accept: application/json

    Query parameters

    ParamTypeRequiredDescription
    globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request to remove assignment. Refer to the Built-in role assignments for more information.

    Example response

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json; charset=UTF-8
    4. {

    Status codes