Assign RBAC roles

    In this topic you’ll learn how to use the role picker, provisioning, and the HTTP API to assign fixed and custom roles to users and teams.

    This section describes how to:

    • Assign a fixed role to a user, team or service account as an organization administrator.
    • Assign a fixed role to a user as a server administrator. This approach enables you to assign a fixed role to a user in multiple organizations, without needing to switch organizations.

    In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the Data source editor role in the Main organization, then the user can edit data sources in the Main organization, but not in other organizations.

    Before you begin:

    • .

    • Identify the fixed roles that you want to assign to the user, team or service account.

      For more information about available fixed roles, refer to RBAC role definitions.

    • Ensure that your own user account has the correct permissions:

      • If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions.
      • If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
      • Your Grafana user can also assign a fixed role if it has either the fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with users.roles:add and users.roles:remove permissions.
      • Your own user account must have the roles you are granting. For example, if you would like to grant the fixed:users:writer role to a team, you must have that role yourself.

    To assign a fixed role to a user, team or service account:

    1. Switch to the organization that contains the user, team or service account.

      For more information about switching organizations, refer to .

    2. Hover your cursor over Configuration (the gear icon) in the left navigation menu, and click Users, Teams, or Service Accounts.

    3. In the Role column, select the fixed role that you want to assign to the user, team or service account.

    4. Click Update.

    To assign a fixed role as a server administrator:

    1. Sign in to Grafana, hover your cursor over Server Admin (the shield icon) in the left navigation menu, and click Users.
    2. Click a user.
    3. In the Organizations section, select a role within an organization that you want to assign to the user.
    4. Click Update.

    Assign fixed or custom roles to a team using provisioning

    Instead of using the Grafana role picker, you can use file-based provisioning to assign fixed roles to teams. If you have a large number of teams, provisioning can provide an easier approach to assigning and managing role assignments.

    Before you begin:

    • Ensure that the team to which you are adding the fixed role exists. For more information about creating teams, refer to

    To assign a role to a team:

    1. Refer to the following table to add attributes and values.

      For more information about managing custom roles, refer to Create custom roles using provisioning.

    2. Reload the provisioning configuration file.

      For more information about reloading the provisioning configuration at runtime, refer to .

    The following example creates the custom:users:writer role and assigns it to the user writers and user admins teams along with the fixed:users:writer role:

    The following example:

    • Creates the custom:users:writer role.
    • Assigns the custom:users:writer role and the fixed:users:writer role to the user admins and user writers teams.

    Remove a role assignment from a team:

    If you want to remove an assignment from a team, add state: absent to the teams > roles section, and reload the configuration file.
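
    A pre-reload check for a file like the removal example in this topic, added here as an illustration (not Grafana's own code): it lists what the file assigns and removes per team and flags entries worth a second look. The parsed-dictionary layout, the audit helper, the "present" default for a missing state, and the misspelled role are assumptions or constructed sample data.

```python
# Added example, not Grafana code. PROVISIONING is constructed sample data: the
# removal example from this topic as a parsed document, plus one misspelled role.
PROVISIONING = {
    "apiVersion": 2,
    "roles": [{"name": "custom:users:writer", "version": 1,
               "permissions": [{"action": "org.users:read"},
                               {"action": "org.users:write", "scope": "users:*"}]}],
    "teams": [
        {"name": "user writers", "orgId": 1, "roles": [
            {"name": "fixed:users:writer", "global": True, "state": "absent"},
            {"name": "custom:users:writer", "global": True, "state": "absent"}]},
        {"name": "user admins", "orgId": 1, "roles": [
            {"name": "fixed:users:writer", "global": True},
            {"name": "custom:users:writer"},
            {"name": "custom:users:writter", "global": True}]},  # constructed typo
    ],
}


def audit(doc):
    """Return (grants, removals, findings) for the team assignments in doc."""
    defined = {r["name"] for r in doc.get("roles", [])}
    grants, removals, findings = set(), set(), []
    for team in doc.get("teams", []):
        for role in team.get("roles", []):
            key = (team["name"], team.get("orgId"), role["name"])
            # Assumption: an entry without `state` is an assignment ("present").
            state = role.get("state", "present")
            if state not in ("present", "absent"):
                findings.append(f"{key}: unknown state {state!r}")
                continue
            (removals if state == "absent" else grants).add(key)
            # Neither fixed nor defined here: a typo, or a role from another
            # provisioning file. Flag for review rather than treat as an error.
            if not role["name"].startswith("fixed:") and role["name"] not in defined:
                findings.append(f"{key}: role not defined in this file")
    for key in sorted(grants & removals, key=str):
        findings.append(f"{key}: both assigned and removed")
    return grants, removals, findings


if __name__ == "__main__":
    grants, removals, findings = audit(PROVISIONING)
    for label, rows in (("GRANT", grants), ("REMOVE", removals)):
        for team, org, role in sorted(rows, key=str):
            print(f"{label:6} org={org} team={team!r} role={role}")
    for finding in findings:
        print("REVIEW", finding)
```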

    The following example:

    • Creates the custom:users:writer role.
    • Assigns the custom:users:writer role and the fixed:users:writer role to the user admins team.
    • Removes the custom:users:writer and the fixed:users:writer assignments from the user writers team, if those assignments exist.

    # config file version
    apiVersion: 2
    # Roles to insert/update in the database
    roles:
      - name: 'custom:users:writer'
        description: 'List/update other users in the organization'
        version: 1
        permissions:
          - action: 'org.users:read'
          - action: 'org.users:write'
            scope: 'users:*'
    # Assignments to teams
    teams:
      - name: 'user writers'
        orgId: 1
        roles:
          - name: 'fixed:users:writer'
            global: true
            state: 'absent' # Remove assignment
          - name: 'custom:users:writer'
            global: true
            state: 'absent' # Remove assignment
      - name: 'user admins'
        orgId: 1
        roles:
          - name: 'fixed:users:writer'
            global: true
          - name: 'custom:users:writer'