Fine-grained access control usage scenarios
Before you get started, make sure to enable fine-grained access control.
You can use the Fine-grained access control HTTP API to see all available built-in role assignments. The response contains a mapping between one of the organization roles (Viewer, Editor, Admin) or Grafana Admin and the custom or fixed roles assigned to it. Every user who holds a built-in role receives the permissions of all roles listed under it, so this mapping is the first thing to review when auditing who can do what.
Example request:
Example response:
{
  "Admin": [
    ...
    {
      "version": 2,
      "uid": "qQui_LCMk",
      "name": "fixed:users:org:edit",
      "description": "Allows every read action for user organizations and in addition allows to administer user organizations.",
      "global": true,
      "updated": "2021-05-17T20:49:18+02:00",
      "created": "2021-05-13T16:24:26+02:00"
    },
    {
      "version": 1,
      "uid": "Kz9m_YjGz",
      "name": "fixed:reporting:admin:edit",
      "description": "Gives access to edit any report or the organization's general reporting settings.",
      "global": true,
      "updated": "2021-05-13T16:24:26+02:00",
      "created": "2021-05-13T16:24:26+02:00"
    }
    ...
  ],
  "Grafana Admin": [
    ...
    {
      "version": 2,
      "uid": "qQui_LCMk",
      "name": "fixed:users:org:edit",
      "description": "Allows every read action for user organizations and in addition allows to administer user organizations.",
      "global": true,
      "updated": "2021-05-17T20:49:18+02:00",
      "created": "2021-05-13T16:24:26+02:00"
    },
    {
      "version": 2,
      "uid": "ajum_YjGk",
      "name": "fixed:users:admin:read",
      "description": "Allows to list and get users and related information.",
      "updated": "2021-05-17T20:49:17+02:00",
      "created": "2021-05-13T16:24:26+02:00"
    },
    {
      "version": 2,
      "uid": "K3um_LCMk",
      "name": "fixed:users:admin:edit",
      "description": "Allows every read action for users and in addition allows to administer users.",
      "global": true,
      "updated": "2021-05-17T20:49:17+02:00",
      "created": "2021-05-13T16:24:26+02:00"
    },
    ...
  ]
}
To see which permissions each of the assigned roles carries, fetch the role definition by its UID using the HTTP API. The listing above only names the roles; the permissions (action and scope pairs) are in the individual role response.
Example response:
{
  "version": 2,
  "uid": "qQui_LCMk",
  "name": "fixed:users:org:edit",
  "description": "Allows every read action for user organizations and in addition allows to administer user organizations.",
  "global": true,
  "permissions": [
    {
      "action": "org.users:add",
      "scope": "users:*",
      "updated": "2021-05-17T20:49:18+02:00",
      "created": "2021-05-17T20:49:18+02:00"
    },
    {
      "action": "org.users:read",
      "scope": "users:*",
      "updated": "2021-05-17T20:49:18+02:00",
      "created": "2021-05-17T20:49:18+02:00"
    },
    {
      "action": "org.users:remove",
      "scope": "users:*",
      "updated": "2021-05-17T20:49:18+02:00",
      "created": "2021-05-17T20:49:18+02:00"
    },
    {
      "action": "org.users.role:update",
      "updated": "2021-05-17T20:49:18+02:00",
      "created": "2021-05-17T20:49:18+02:00"
    }
  ],
  "updated": "2021-05-17T20:49:18+02:00",
  "created": "2021-05-13T16:24:26+02:00"
}
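The two read-only calls above are usually combined: list the built-in role assignments, then fetch each assigned role to learn what it actually grants. The following Python is an added example, not code from the Grafana documentation or the Grafana project. It assumes the endpoint paths /api/access-control/builtin-roles and /api/access-control/roles/<uid> (not stated on this page), and the fetch is injected as a callable so the logic runs offline against constructed sample data. The assignment shape and the permissions of fixed:users:org:edit are taken from the responses above; the permission lists of the other three fixed roles are constructed for illustration.

```python
# Added example, not code from the Grafana documentation or the Grafana project.
# Resolve which fixed/custom roles, mapped to which built-in roles, grant an action.
from __future__ import annotations

import json
import urllib.request
from typing import Any, Callable, Mapping, Sequence

Role = Mapping[str, Any]
Assignments = Mapping[str, Sequence[Role]]  # built-in role -> roles assigned to it


def http_get_json(base_url: str, path: str, auth_header: str) -> Any:
    """GET base_url+path with the given Authorization header and decode JSON.
    Assumed paths: /api/access-control/builtin-roles and /api/access-control/roles/<uid>."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def effective_permissions(builtin_role: str, assignments: Assignments,
                          get_role: Callable[[str], Role]) -> set[tuple[str, str]]:
    """Union of (action, scope) pairs a built-in role holds through its assigned roles.
    A permission without a scope (like org.users.role:update above) gets an empty scope."""
    perms: set[tuple[str, str]] = set()
    for summary in assignments.get(builtin_role, []):
        role = get_role(summary["uid"])
        for p in role.get("permissions", []):
            perms.add((p["action"], p.get("scope", "")))
    return perms


def roles_granting(action: str, assignments: Assignments,
                   get_role: Callable[[str], Role]) -> list[tuple[str, str, str]]:
    """(builtin_role, role_name, role_uid) for every assignment whose role grants
    `action`: the lookup needed before removing an unwanted grant such as users:create.
    The listing carries no permissions, so each role definition is fetched once."""
    cache: dict[str, Role] = {}
    hits: list[tuple[str, str, str]] = []
    for builtin_role, roles in assignments.items():
        for summary in roles:
            uid = summary["uid"]
            if uid not in cache:
                cache[uid] = get_role(uid)
            if any(p["action"] == action for p in cache[uid].get("permissions", [])):
                hits.append((builtin_role, cache[uid]["name"], uid))
    return hits


# Constructed sample data standing in for the two API responses. Only the
# permissions of fixed:users:org:edit come from the page; the other three are illustrative.
def _role(uid: str, name: str, perms: list[tuple[str, str | None]]) -> dict:
    return {"uid": uid, "name": name, "global": True,
            "permissions": [{"action": a, **({"scope": s} if s else {})} for a, s in perms]}


SAMPLE_ROLES: dict[str, dict] = {
    "qQui_LCMk": _role("qQui_LCMk", "fixed:users:org:edit",
                       [("org.users:add", "users:*"), ("org.users:read", "users:*"),
                        ("org.users:remove", "users:*"), ("org.users.role:update", None)]),
    "Kz9m_YjGz": _role("Kz9m_YjGz", "fixed:reporting:admin:edit",
                       [("reports.admin:write", None)]),
    "ajum_YjGk": _role("ajum_YjGk", "fixed:users:admin:read", [("users:read", "users:*")]),
    "K3um_LCMk": _role("K3um_LCMk", "fixed:users:admin:edit",
                       [("users:read", "users:*"), ("users:write", "users:*"),
                        ("users:create", None)]),
}
SAMPLE_ASSIGNMENTS: dict[str, list[dict]] = {
    "Admin": [SAMPLE_ROLES["qQui_LCMk"], SAMPLE_ROLES["Kz9m_YjGz"]],
    "Grafana Admin": [SAMPLE_ROLES["qQui_LCMk"], SAMPLE_ROLES["ajum_YjGk"],
                      SAMPLE_ROLES["K3um_LCMk"]],
}

if __name__ == "__main__":
    # Offline run against the sample data. Against a live server, pass
    # lambda uid: http_get_json(url, f"/api/access-control/roles/{uid}", auth) instead.
    for hit in roles_granting("users:create", SAMPLE_ASSIGNMENTS, SAMPLE_ROLES.__getitem__):
        print("users:create is granted to %s via %s (%s)" % hit)
```

Caching by UID matters in practice: the same fixed role (fixed:users:org:edit above) is typically mapped to several built-in roles, and the role endpoint would otherwise be hit once per mapping.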
You can create your own custom role either by using the HTTP API or by using Grafana provisioning. Review the list of available permissions to decide which permissions you want to map to your role, and include only the ones the role actually needs.
Example HTTP request:
Example response:
{
  "version": 1,
  "uid": "jZrmlLCkGksdka",
  "name": "custom:users:admin",
  "description": "My custom role which gives users permissions to create users",
  "global": true,
  "permissions": [
    {
      "action": "users:create",
      "updated": "2021-05-17T22:07:31.569936+02:00",
      "created": "2021-05-17T22:07:31.569935+02:00"
    }
  ],
  "updated": "2021-05-17T22:07:31.564403+02:00",
  "created": "2021-05-17T22:07:31.564403+02:00"
}
Once the custom role is created, you can create a built-in role assignment for it by using the HTTP API. If you created your role using Grafana provisioning, you can also create the assignment with provisioning.
Example response:
{
"message": "Built-in role grant added"
}
To create reports, a user needs the reports.admin:write permission. By default, Grafana Admins and organization Admins can create reports because there is a built-in role assignment of a fixed role that comes with the reports.admin:write permission.
If you want users who have the Viewer organization role to create reports, you have two options:
- Create a built-in role assignment that maps the fixed:reporting:admin:edit fixed role to the Viewer built-in role. Note that fixed:reporting:admin:edit allows more than creating reports; refer to the fixed roles list for its full set of permissions.
- Create a custom role with only the reports.admin:write permission, and create a built-in role assignment for the Viewer organization role. This is the least-privilege choice when creating reports is all Viewers need.
To create users, a user needs the users:create permission. By default, users with the Grafana Admin role can create users because there is a built-in role assignment of a fixed role that comes with the users:create permission.
If you want to prevent Grafana Admin from creating users, you can do the following:
- Check all built-in role assignments to see which roles are currently assigned to Grafana Admin.
- Among those assignments, find the role that grants the users:create permission. Refer to the fixed roles list for the full list of permission assignments.
- Remove that built-in role assignment by using the Fine-grained access control HTTP API or by using Grafana provisioning.
Note that removing the assignment also removes every other permission that fixed role carried, not only users:create. If Grafana Admin still needs those permissions, create a custom role with the remaining permissions and assign it instead.
A related scenario is allowing users who have the Editor organization role to create custom roles. One option is to create a custom role with the roles.builtin:add and roles:write permissions, and create a built-in role assignment for the Editor organization role.
Note that in any scenario, your Editor would be able to create and manage roles only with the permissions they have, or with a subset of them.
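The write side of the scenarios above (creating a custom role, mapping a role to a built-in role such as Viewer or Editor, and removing a mapping such as the one that gives Grafana Admin users:create) is shown in the following Python. This is an added example, not code from the Grafana documentation or the Grafana project. The endpoint paths /api/access-control/roles and /api/access-control/builtin-roles, the DELETE path /api/access-control/builtin-roles/<role>/roles/<uid>, and the roleUid/builtinRole field names are assumed from the Grafana 8.0 fine-grained access control HTTP API and are not stated on this page; the role body mirrors the custom:users:admin response above. The scope-matching rule in permissions_within is a simplification used only for a client-side pre-check of the subset rule stated in the last paragraph; Grafana enforces that rule server-side.

```python
# Added example, not code from the Grafana documentation or the Grafana project.
# Create a custom role, grant it to a built-in role, and revoke a built-in role grant.
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Any, Iterable, Optional

ROLES_PATH = "/api/access-control/roles"                  # assumed endpoint path
BUILTIN_ROLES_PATH = "/api/access-control/builtin-roles"  # assumed endpoint path
BUILTIN_ROLES = ("Viewer", "Editor", "Admin", "Grafana Admin")


def custom_role_body(name: str, description: str,
                     permissions: Iterable[tuple[str, Optional[str]]],
                     version: int = 1) -> dict:
    """Request body for creating a custom role. Each permission is (action, scope); a
    scope of None omits the key, as users:create appears above. Names with the fixed:
    prefix are rejected locally because that prefix denotes Grafana's fixed roles."""
    if not name or name.startswith("fixed:"):
        raise ValueError("custom role names must be non-empty and must not use the fixed: prefix")
    perms: list[dict[str, str]] = []
    for action, scope in permissions:
        entry = {"action": action}
        if scope is not None:
            entry["scope"] = scope
        perms.append(entry)
    if not perms:
        raise ValueError("a role needs at least one permission")
    return {"version": version, "name": name, "description": description, "permissions": perms}


def builtin_assignment_body(role_uid: str, builtin_role: str) -> dict:
    """Body for POST /api/access-control/builtin-roles (roleUid/builtinRole are assumed names)."""
    if builtin_role not in BUILTIN_ROLES:
        raise ValueError(f"unknown built-in role {builtin_role!r}; expected one of {BUILTIN_ROLES}")
    return {"roleUid": role_uid, "builtinRole": builtin_role, "global": True}


def scope_covers(held: str, requested: str) -> bool:
    """Simplified scope matching (an assumption, not Grafana's exact rules): equal scopes
    match, and a trailing * such as users:* covers every scope with that prefix."""
    return held == requested or (held.endswith("*") and requested.startswith(held[:-1]))


def permissions_within(requested: Iterable[tuple[str, Optional[str]]],
                       held: Iterable[tuple[str, Optional[str]]]) -> bool:
    """Client-side pre-check of the rule above: a user may only create a role whose
    permissions are a subset of their own. Grafana enforces this server-side; this
    only fails fast before a request is sent."""
    held = list(held)
    return all(any(h_action == r_action and scope_covers(h_scope or "", r_scope or "")
                   for h_action, h_scope in held)
               for r_action, r_scope in requested)


def send(base_url: str, method: str, path: str, auth_header: str, body: Any = None) -> Any:
    """One JSON request against the Grafana API; returns the decoded response, or None if empty."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                 headers={"Authorization": auth_header,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def grant_custom_role(base_url: str, auth_header: str, role_body: dict, builtin_role: str) -> Any:
    """Create the custom role, then map it to a built-in role. Returns the assignment
    response, {"message": "Built-in role grant added"} in the example above."""
    created = send(base_url, "POST", ROLES_PATH, auth_header, role_body)
    return send(base_url, "POST", BUILTIN_ROLES_PATH, auth_header,
                builtin_assignment_body(created["uid"], builtin_role))


def revoke_builtin_assignment(base_url: str, auth_header: str,
                              builtin_role: str, role_uid: str) -> Any:
    """Remove one mapping, e.g. the fixed role that grants users:create from Grafana Admin.
    The DELETE path /api/access-control/builtin-roles/<role>/roles/<uid> is assumed."""
    path = f"{BUILTIN_ROLES_PATH}/{urllib.parse.quote(builtin_role)}/roles/{role_uid}"
    return send(base_url, "DELETE", path, auth_header)


if __name__ == "__main__":
    # Offline demonstration; pass a real base URL and Authorization header to send requests.
    body = custom_role_body("custom:reports:writer", "Lets Viewers create reports",
                            [("reports.admin:write", None)])
    print(json.dumps(body, indent=2))
    print(json.dumps(builtin_assignment_body("<uid returned by the create call>", "Viewer")))
```

Run the pre-check with the caller's own effective permissions before calling grant_custom_role; a request that fails the subset rule is rejected by Grafana anyway, so the check only saves a round trip and gives a clearer error.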