我的书签
添加书签
移除书签Permissions
A permission is an action and a scope. When creating a fine-grained access control, consider what specific action a user should be allowed to perform, and on what resources (its scope).
To grant permissions to a user, you create a built-in role assignment to map a role to a built-in role. A built-in role assignment modifies to one of the existing built-in roles in Grafana (Viewer, Editor, Admin). For more information, refer to Built-in role assignments.
To learn more about which permissions are used for which resources, refer to Resources with fine-grained permissions.
action
The specific action on a resource defines what a user is allowed to perform if they have permission with the relevant action assigned to it.
scope
The scope describes where an action can be performed, such as reading a specific user profile. In such case, a permission is associated with the scope users:<userId> to the relevant role.
Action definitions
The following list contains fine-grained access control actions.
| Actions | Applicable scopes | Descriptions |
|---|---|---|
| roles:list | roles: | List available roles without permissions. |
| roles:read | roles: | Read a specific role with it’s permissions. |
| roles:write | permissions:delegate | Create or update a custom role. |
| roles:delete | permissions:delegate | Delete a custom role. |
| roles.builtin:list | roles: | List built-in role assignments. |
| roles.builtin:add | permissions:delegate | Create a built-in role assignment. |
| roles.builtin:remove | permissions:delegate | Delete a built-in role assignment. |
| reports.admin:create | reports: | Create reports. |
| reports.admin:write | reports: | Update reports. |
| reports:delete | reports: | Delete reports. |
| reports:read | reports: | List all available reports or get a specific report. |
| reports:send | reports: | Send a report email. |
| reports.settings:write | n/a | Update report settings. |
| reports.settings:read | n/a | Read report settings. |
| provisioning:reload | service:access-control | Reload provisioning files. |
| users:read | global:users: | Read or search user profiles. |
| users:write | global:users: | Update a user’s profile. |
| users.teams:read | global:users: | Read a user’s teams. |
| users.authtoken:list | global:users: | List authentication tokens that are assigned to a user. |
| users.authtoken:update | global:users: | Update authentication tokens that are assigned to a user. |
| users.password:update | global:users: | Update a user’s password. |
| users:delete | global:users: | Delete a user. |
| users:create | n/a | Create a user. |
| users:enable | global:users: | Enable a user. |
| users:disable | global:users: | Disable a user. |
| users.permissions:update | global:users: | Update a user’s organization-level permissions. |
| users:logout | global:users: | Log out a user. |
| users.quotas:list | global:users: | List a user’s quotas. |
| users.quotas:update | global:users: | Update a user’s quotas. |
| org.users.read | users: | Get user profiles within an organization. |
| org.users.add | users: | Add a user to an organization. |
| org.users.remove | users: | Remove a user from an organization. |
| org.users.role:update | users:* | Update the organization role (Viewer, Editor, Admin) for an organization. |
| ldap.user:read | n/a | Get a user via LDAP. |
| ldap.user:sync | n/a | Sync a user via LDAP. |
| ldap.status:read | n/a | Verify the LDAP servers’ availability. |
| status:accesscontrol | service:access-control | Get access-control enabled status. |
Scope definitions
The following list contains fine-grained access control scopes.
| Scopes | Descriptions |
|---|---|
| roles: | Restrict an action to a set of roles. For example, roles: matches any role, roles:randomuid matches only the role with UID randomuid and roles:custom:reports:{editor,viewer} matches both custom:reports:editor and custom:reports:viewer roles. |
| permissions:delegate | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| reports: | Restrict an action to a set of reports. For example, reports: matches any report and reports:1 matches the report with id 1. |
| service:accesscontrol | Restrict an action to target only the fine-grained access control service. For example, you can use this in conjunction with the provisioning:reload or the status:accesscontrol actions. |
| global:users: | Restrict an action to a set of global users. |
| users: | Restrict an action to a set of users from an organization. |
