Fine-grained access control
Note: Fine-grained access control is in beta, and you can expect changes in future releases.
Fine-grained access control provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana resources, such as users and reports. Fine-grained access control works alongside the current Grafana permissions, and it allows you granular control of users’ actions. For more information about Grafana permissions, refer to About users and permissions.
To learn more about how fine-grained access control works, refer to Roles and Permissions. To use the fine-grained access control system, refer to Fine-grained access control usage scenarios.
Access management
Fine-grained access control considers a) who has an access (identity
), and b) what they can do and on which Grafana resource (role
).
You can grant, change, or revoke access to users (identity
). When an authenticated user tries to access a Grafana resource, the authorization system checks the required fine-grained permissions for the resource and determines whether or not the action is allowed. Refer to Fine-grained permissions for a complete list of available permissions.
Refer to Assign roles to learn about grant or revoke access to your users.
Resources with fine-grained permissions
Fine-grained access control is available for the following capabilities:
- Use Explore mode
- Manage users
- Manage LDAP authentication
- Manage data sources
- Manage data source permissions
- Manage a Grafana Enterprise license
- Provision Grafana
- Manage reports
- View server information
- Manage teams
- Manage dashboards and folders
- Manage annotations
- Alerting
To learn about specific endpoints where you can use fine-grained access control, refer to Permissions and to the relevant API documentation.
Enable fine-grained access control
Fine-grained access control is available behind the accesscontrol
feature toggle in Grafana Enterprise 8.0+. You can enable it either in a config file or by configuring an environment variable.
Enable in config file
In your config file, add accesscontrol
as a feature_toggle.
[feature_toggles]
# enable features, separated by spaces
enable = accesscontrol
Enable with an environment variable
You can use GF_FEATURE_TOGGLES_ENABLE = accesscontrol
environment variable to override the config file configuration and enable fine-grained access control.
Refer to Configuring with environment variables for more information.
Verify if enabled
You can verify if fine-grained access control is enabled or not by sending an HTTP request to the Check endpoint.
Caveats
If you have created a folder with unique identifier (uid) set to “general”, you will not be able to manage its permissions with fine-grained access control. Any folder permissions set for this folder will be disregarded when fine-grained access control is enabled.