Manage RBAC roles

This section includes instructions for how to view permissions associated with roles, create custom roles, and update and delete roles.

The following example includes the base64 username:password Basic Authorization. You cannot use authorization tokens in the request.

Use a command to see the actions and scopes associated with a role. For more information about seeing a list of permissions for each role, refer to .

To see the permissions associated with basic roles, refer to the following basic role UIDs:

Example request

Example response

{
    "version": 2,
    "uid": "qQui_LCMk",
    "name": "fixed:users:writer",
    "displayName": "User writer",
    "description": "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.",
    "global": true,
    "permissions": [
        {
            "action": "org.users:add",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        },
        {
            "action": "org.users:read",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        },
        {
            "action": "org.users:remove",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        },
        {
            "action": "org.users:write",
            "scope": "users:*",
            "updated": "2021-05-17T20:49:18+02:00",
            "created": "2021-05-17T20:49:18+02:00"
        }
    ],
    "updated": "2021-05-17T20:49:18+02:00",
    "created": "2021-05-13T16:24:26+02:00"
}

Refer to the RBAC HTTP API for more details.

This section shows you how to create a custom RBAC role using Grafana provisioning and the HTTP API.

Create a custom role when basic roles and fixed roles do not meet your permissions requirements.

Before you begin:

Plan your RBAC rollout strategy.
Determine which permissions you want to add to the custom role. To see a list of actions and scope, refer to .
Enable role provisioning.
Ensure that you have permissions to create a custom role.
- By default, the Grafana Admin role has permission to create custom roles.
- A Grafana Admin can delegate the custom role privilege to another user by creating a custom role with the relevant permissions and adding the permissions:type:delegate scope.

File-based provisioning is one method you can use to create custom roles.

Open the YAML configuration file and locate the roles section.

Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

# config file version
apiVersion: 2
roles:
  - name: custom:users:writer
    description: 'List, create, or update other users.'
    version: 1
    orgId: 1
    permissions:
      - action: 'users:read'
        scope: 'global.users:*'
      - action: 'users:write'
        scope: 'global.users:*'
      - action: 'users:create'

The following example creates a hidden global role. The global: true option creates a global role, and the hidden: true option hides the role from the role picker.

The following example creates a global role based on other fixed roles. The from option contains the roles from which we want to copy permissions. The permission state: absent option can be used to specify permissions to exclude from the copy.

# config file version
apiVersion: 2
roles:
  - name: custom:org.users:writer
    description: 'List and remove other users from the organization.'
    version: 1
    global: true
    from:
      - name: 'fixed:org.users:reader'
        global: true
      - name: 'fixed:org.users:writer'
        global: true
    permissions:
      - action: 'org.users:write'
        scope: 'users:*'
        state: 'absent'
      - action: 'org.users:add'
        scope: 'users:*'
        state: 'absent'

Create custom roles using the HTTP API

The following examples show you how to create a custom role using the Grafana HTTP API. For more information about the HTTP API, refer to Create a new custom role.

The following example creates a custom:users:admin role and assigns the users:create action to it.

Example request

curl --location --request POST '<grafana_url>/api/access-control/roles/' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'Content-Type: application/json' \
--data-raw '{
    "version": 1,
    "uid": "jZrmlLCkGksdka",
    "name": "custom:users:admin",
    "displayName": "custom users admin",
    "description": "My custom role which gives users permissions to create users",
    "global": true,
    "permissions": [
        {
            "action": "users:create"
        }
    ]

Example response

Refer to the for more details.

If the default basic role definitions do not meet your requirements, you can change their permissions.

Before you begin:

Determine the permissions you want to add or remove from a basic role. For more information about the permissions associated with basic roles, refer to .

To change permissions from a basic role:

Open the YAML configuration file and locate the roles section.
Refer to the following table to add attributes and values.
Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.

Permissions to list, grant, and revoke roles to teams are removed.
Permission to read and write Grafana folders is added.

# config file version
apiVersion: 2
roles:
  - name: 'basic:grafana_admin'
    global: true
    version: 3
    from:
      - name: 'basic:grafana_admin'
        global: true
    permissions:
      # Permissions to remove
      - action: 'teams.roles:read'
        scope: 'teams:*'
        state: 'absent'
      - action: 'teams.roles:remove'
        scope: 'permissions:type:delegate'
        state: 'absent'
      - action: 'teams.roles:add'
        scope: 'permissions:type:delegate'
        state: 'absent'
      # Permissions to add
      - action: 'folders:read'
        scope: 'folder:*'
      - action: 'folders:write'
        scope: 'folder:*'

You can also change basic roles’ permissions using the API. Refer to the for more details.

This section describes how to reset the basic roles to their default:

Open the YAML configuration file and locate the roles section.

Grant the action: "roles:write", scope: "permissions:type:escalate permission to Grafana Admin. Note that this permission has not been granted to any basic roles by default, because users could acquire more permissions than they previously had through the basic role permissions reset.

apiVersion: 2
roles:
  - name: 'basic:grafana_admin'
    global: true
    version: 3
    from:
      - name: 'basic:grafana_admin'
        global: true
    permissions:
      # Permission allowing to reset basic roles
      - action: 'roles:write'
       scope: 'permissions:type:escalate'

As a Grafana Admin, call the API endpoint to reset the basic roles to their default. Refer to the for more details.

Delete a custom role when you no longer need it. When you delete a custom role, the custom role is removed from users and teams to which it is assigned.

Before you begin:

Identify the role or roles that you want to delete.
Ensure that you have access to the YAML configuration file.

To delete a custom role:

Open the YAML configuration file and locate the roles section.
Reload the provisioning configuration file.

For more information about reloading the provisioning configuration at runtime, refer to .

The following example deletes a custom role:

You can also delete a custom role using the API. Refer to the RBAC HTTP API for more details.