From 0828eaa14c47068ba704bde480a89e14cdbdbded Mon Sep 17 00:00:00 2001 From: "Grot (@grafanabot)" <43478413+grafanabot@users.noreply.github.com> Date: Fri, 2 Jun 2023 10:01:57 +0100 Subject: [PATCH] [v9.4.x] Docs: Rename External Group Sync references to Team Sync (#69398) Docs: Rename External Group Sync references to Team Sync (#69395) (cherry picked from commit 8235f774aa1afb49254861f3d6d3ea691baedde3) Co-authored-by: Vardan Torosyan --- .../custom-role-actions-scopes/index.md | 252 +++++++++--------- docs/sources/developers/http_api/_index.md | 2 +- .../{external_group_sync.md => team_sync.md} | 12 +- 3 files changed, 135 insertions(+), 131 deletions(-) rename docs/sources/developers/http_api/{external_group_sync.md => team_sync.md} (86%) diff --git a/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md b/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md index 33c22c8a913..633e25a3259 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md +++ b/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md @@ -10,7 +10,9 @@ weight: 80 # RBAC permissions, actions, and scopes -> **Note:** Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud Advanced](/docs/grafana-cloud). +{{% admonition type="note" %}} +Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud Advanced](/docs/grafana-cloud). +{{% /admonition %}} A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions. @@ -23,128 +25,129 @@ To learn more about the Grafana resources to which you can apply RBAC, refer to The following list contains role-based access control actions. -| Action | Applicable scope | Description | -| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `alert.instances.external:read` | `datasources:*`
`datasources:uid:*` | Read alerts and silences in data sources that support alerting. | -| `alert.instances.external:write` | `datasources:*`
`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. | -| `alert.instances:create` | n/a | Create silences in the current organization. | -| `alert.instances:read` | n/a | Read alerts and silences in the current organization. | -| `alert.instances:write` | n/a | Update and expire silences in the current organization. | -| `alert.notifications.external:read` | `datasources:*`
`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. | -| `alert.notifications.external:write` | `datasources:*`
`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. | -| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. | -| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. | -| `alert.rules.external:read` | `datasources:*`
`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) | -| `alert.rules.external:write` | `datasources:*`
`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). | -| `alert.rules:create` | `folders:*`
`folders:uid:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.rules:delete` | `folders:*`
`folders:uid:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.rules:read` | `folders:*`
`folders:uid:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.rules:write` | `folders:*`
`folders:uid:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | -| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. | -| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. | -| `annotations:create` | `annotations:*`
`annotations:type:*` | Create annotations. | -| `annotations:delete` | `annotations:*`
`annotations:type:*` | Delete annotations. | -| `annotations:read` | `annotations:*`
`annotations:type:*` | Read annotations and annotation tags. | -| `annotations:write` | `annotations:*`
`annotations:type:*` | Update annotations. | -| `apikeys:create` | n/a | Create API keys. | -| `apikeys:read` | `apikeys:*`
`apikeys:id:*` | Read API keys. | -| `apikeys:delete` | `apikeys:*`
`apikeys:id:*` | Delete API keys. | -| `dashboards:create` | `folders:*`
`folders:uid:*` | Create dashboards in one or more folders. | -| `dashboards:delete` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Delete one or more dashboards. | -| `dashboards.insights:read` | n/a | Read dashboard insights data and see presence indicators. | -| `dashboards.permissions:read` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Read permissions for one or more dashboards. | -| `dashboards.permissions:write` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Update permissions for one or more dashboards. | -| `dashboards:read` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Read one or more dashboards. | -| `dashboards:write` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Update one or more dashboards. | -| `datasources.caching:read` | `datasources:*`
`datasources:uid:*` | Read data source query caching settings. | -| `datasources.caching:write` | `datasources:*`
`datasources:uid:*` | Update data source query caching settings. | -| `datasources:create` | n/a | Create data sources. | -| `datasources:delete` | `datasources:*`
`datasources:uid:*` | Delete data sources. | -| `datasources:explore` | n/a | Enable access to the **Explore** tab. | -| `datasources.id:read` | `datasources:*`
`datasources:uid:*` | Read data source IDs. | -| `datasources.insights:read` | n/a | Read data sources insights data. | -| `datasources.permissions:read` | `datasources:*`
`datasources:uid:*` | List data source permissions. | -| `datasources.permissions:write` | `datasources:*`
`datasources:uid:*` | Update data source permissions. | -| `datasources:query` | `datasources:*`
`datasources:uid:*` | Query data sources. | -| `datasources:read` | `datasources:*`
`datasources:uid:*` | List data sources. | -| `datasources:write` | `datasources:*`
`datasources:uid:*` | Update data sources. | -| `folders.permissions:read` | `folders:*`
`folders:uid:*` | Read permissions for one or more folders. | -| `folders.permissions:write` | `folders:*`
`folders:uid:*` | Update permissions for one or more folders. | -| `folders:create` | n/a | Create folders. | -| `folders:delete` | `folders:*`
`folders:uid:*` | Delete one or more folders. | -| `folders:read` | `folders:*`
`folders:uid:*` | Read one or more folders. | -| `folders:write` | `folders:*`
`folders:uid:*` | Update one or more folders. | -| `ldap.config:reload` | n/a | Reload the LDAP configuration. | -| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. | -| `ldap.user:read` | n/a | Read users via LDAP. | -| `ldap.user:sync` | n/a | Sync users via LDAP. | -| `licensing.reports:read` | n/a | Get custom permission reports. | -| `licensing:delete` | n/a | Delete the license token. | -| `licensing:read` | n/a | Read licensing information. | -| `licensing:write` | n/a | Update the license token. | -| `org.users:write` | `users:*`
`users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. | -| `org.users:add` | `users:*` | Add a user to an organization or invite a new user to an organization. | -| `org.users:read` | `users:*`
`users:id:*` | Get user profiles within an organization. | -| `org.users:remove` | `users:*`
`users:id:*` | Remove a user from an organization. | -| `org:create` | n/a | Create an organization. | -| `orgs.preferences:read` | `orgs:*`
`orgs:id:*` | Read organization preferences. | -| `orgs.preferences:write` | `orgs:*`
`orgs:id:*` | Update organization preferences. | -| `orgs.quotas:read` | `orgs:*`
`orgs:id:*` | Read organization quotas. | -| `orgs.quotas:write` | `orgs:*`
`orgs:id:*` | Update organization quotas. | -| `orgs:delete` | `orgs:*`
`orgs:id:*` | Delete one or more organizations. | -| `orgs:read` | `orgs:*`
`orgs:id:*` | Read one or more organizations. | -| `orgs:write` | `orgs:*`
`orgs:id:*` | Update one or more organizations. | -| `plugins.app:access` | `plugins:*`
`plugins:id:*` | Access one or more application plugins (still enforcing the organization role) | -| `plugins:install` | n/a | Install and uninstall plugins. | -| `plugins:write` | `plugins:*`
`plugins:id:*` | Edit settings for one or more plugins. | -| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). | -| `reports:create` | n/a | Create reports. | -| `reports:write` | `reports:*`
`reports:id:*` | Update reports. | -| `reports.settings:read` | n/a | Read report settings. | -| `reports.settings:write` | n/a | Update report settings. | -| `reports:delete` | `reports:*`
`reports:id:*` | Delete reports. | -| `reports:read` | `reports:*` | List all available reports or get a specific report. | -| `reports:send` | `reports:*` | Send a report email. | -| `roles:delete` | `permissions:type:delegate` | Delete a custom role. | -| `roles:read` | `roles:*`
`roles:uid:*` | List roles and read a specific with its permissions. | -| `roles:write` | `permissions:type:delegate` | Create or update a custom role. | -| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. | -| `server.stats:read` | n/a | Read Grafana instance statistics. | -| `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. | -| `serviceaccounts:create` | n/a | Update Grafana service accounts. | -| `serviceaccounts:delete` | `serviceaccounts:*` | Delete Grafana service accounts. | -| `serviceaccounts:read` | `serviceaccounts:*` | Read Grafana service accounts. | -| `serviceaccounts.permissions:write` | `serviceaccounts:*` | Update Grafana service account permissions to control who can do what with the service account. | -| `serviceaccounts.permissions:read` | `serviceaccounts:*` | Read Grafana service account permissions to see who can do what with the service account. | -| `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}}) | -| `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}). | -| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | -| `teams.permissions:read` | `teams:*`
`teams:id:*` | Read members and External Group Synchronization setup for teams. | -| `teams.permissions:write` | `teams:*`
`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. | -| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. | -| `teams.roles:read` | `teams:*` | List roles assigned directly to a team. | -| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. | -| `teams:create` | n/a | Create teams. | -| `teams:delete` | `teams:*`
`teams:id:*` | Delete one or more teams. | -| `teams:read` | `teams:*`
`teams:id:*` | Read one or more teams and team preferences. | -| `teams:write` | `teams:*`
`teams:id:*` | Update one or more teams and team preferences. | -| `users.authtoken:read` | `global.users:*`
`global.users:id:*` | List authentication tokens that are assigned to a user. | -| `users.authtoken:write` | `global.users:*`
`global.users:id:*` | Update authentication tokens that are assigned to a user. | -| `users.password:write` | `global.users:*`
`global.users:id:*` | Update a user’s password. | -| `users.permissions:read` | `users:*` | List permissions of a user. | -| `users.permissions:write` | `global.users:*`
`global.users:id:*` | Update a user’s organization-level permissions. | -| `users.quotas:read` | `global.users:*`
`global.users:id:*` | List a user’s quotas. | -| `users.quotas:write` | `global.users:*`
`global.users:id:*` | Update a user’s quotas. | -| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. | -| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. | -| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. | -| `users:create` | n/a | Create a user. | -| `users:delete` | `global.users:*`
`global.users:id:*` | Delete a user. | -| `users:disable` | `global.users:*`
`global.users:id:*` | Disable a user. | -| `users:enable` | `global.users:*`
`global.users:id:*` | Enable a user. | -| `users:logout` | `global.users:*`
`global.users:id:*` | Sign out a user. | -| `users:read` | `global.users:*` | Read or search user profiles. | -| `users:write` | `global.users:*`
`global.users:id:*` | Update a user’s profile. | +| Action | Applicable scope | Description | +| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `alert.instances.external:read` | `datasources:*`
`datasources:uid:*` | Read alerts and silences in data sources that support alerting. | +| `alert.instances.external:write` | `datasources:*`
`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. | +| `alert.instances:create` | n/a | Create silences in the current organization. | +| `alert.instances:read` | n/a | Read alerts and silences in the current organization. | +| `alert.instances:write` | n/a | Update and expire silences in the current organization. | +| `alert.notifications.external:read` | `datasources:*`
`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. | +| `alert.notifications.external:write` | `datasources:*`
`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. | +| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. | +| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. | +| `alert.rules.external:read` | `datasources:*`
`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) | +| `alert.rules.external:write` | `datasources:*`
`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). | +| `alert.rules:create` | `folders:*`
`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.rules:delete` | `folders:*`
`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.rules:read` | `folders:*`
`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.rules:write` | `folders:*`
`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. | +| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. | +| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. | +| `annotations:create` | `annotations:*`
`annotations:type:*` | Create annotations. | +| `annotations:delete` | `annotations:*`
`annotations:type:*` | Delete annotations. | +| `annotations:read` | `annotations:*`
`annotations:type:*` | Read annotations and annotation tags. | +| `annotations:write` | `annotations:*`
`annotations:type:*` | Update annotations. | +| `apikeys:create` | n/a | Create API keys. | +| `apikeys:read` | `apikeys:*`
`apikeys:id:*` | Read API keys. | +| `apikeys:delete` | `apikeys:*`
`apikeys:id:*` | Delete API keys. | +| `dashboards:create` | `folders:*`
`folders:uid:*` | Create dashboards in one or more folders and their subfolders. | +| `dashboards:delete` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Delete one or more dashboards. | +| `dashboards.insights:read` | n/a | Read dashboard insights data and see presence indicators. | +| `dashboards.permissions:read` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Read permissions for one or more dashboards. | +| `dashboards.permissions:write` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Update permissions for one or more dashboards. | +| `dashboards:read` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Read one or more dashboards. | +| `dashboards:write` | `dashboards:*`
`dashboards:uid:*`
`folders:*`
`folders:uid:*` | Update one or more dashboards. | +| `dashboards.public:write` | `dashboards:*`
`dashboards:uid:*` | Write public dashboard configuration. | +| `datasources.caching:read` | `datasources:*`
`datasources:uid:*` | Read data source query caching settings. | +| `datasources.caching:write` | `datasources:*`
`datasources:uid:*` | Update data source query caching settings. | +| `datasources:create` | n/a | Create data sources. | +| `datasources:delete` | `datasources:*`
`datasources:uid:*` | Delete data sources. | +| `datasources:explore` | n/a | Enable access to the **Explore** tab. | +| `datasources.id:read` | `datasources:*`
`datasources:uid:*` | Read data source IDs. | +| `datasources.insights:read` | n/a | Read data sources insights data. | +| `datasources.permissions:read` | `datasources:*`
`datasources:uid:*` | List data source permissions. | +| `datasources.permissions:write` | `datasources:*`
`datasources:uid:*` | Update data source permissions. | +| `datasources:query` | `datasources:*`
`datasources:uid:*` | Query data sources. | +| `datasources:read` | `datasources:*`
`datasources:uid:*` | List data sources. | +| `datasources:write` | `datasources:*`
`datasources:uid:*` | Update data sources. | +| `folders.permissions:read` | `folders:*`
`folders:uid:*` | Read permissions for one or more folders and their subfolders. | +| `folders.permissions:write` | `folders:*`
`folders:uid:*` | Update permissions for one or more folders and their subfolders. | +| `folders:create` | n/a | Create folders in the root level. If granted together with `folders:write`, also allows creating subfolders under all folders that the user can update. | +| `folders:delete` | `folders:*`
`folders:uid:*` | Delete one or more folders and their subfolders. | +| `folders:read` | `folders:*`
`folders:uid:*` | Read one or more folders and their subfolders. | +| `folders:write` | `folders:*`
`folders:uid:*` | Update one or more folders and their subfolders. If granted together with `folders:create` permission, also allows creating subfolders under these folders. | +| `ldap.config:reload` | n/a | Reload the LDAP configuration. | +| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. | +| `ldap.user:read` | n/a | Read users via LDAP. | +| `ldap.user:sync` | n/a | Sync users via LDAP. | +| `licensing.reports:read` | n/a | Get custom permission reports. | +| `licensing:delete` | n/a | Delete the license token. | +| `licensing:read` | n/a | Read licensing information. | +| `licensing:write` | n/a | Update the license token. | +| `org.users:write` | `users:*`
`users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. | +| `org.users:add` | `users:*` | Add a user to an organization or invite a new user to an organization. | +| `org.users:read` | `users:*`
`users:id:*` | Get user profiles within an organization. | +| `org.users:remove` | `users:*`
`users:id:*` | Remove a user from an organization. | +| `org:create` | n/a | Create an organization. | +| `orgs.preferences:read` | `orgs:*`
`orgs:id:*` | Read organization preferences. | +| `orgs.preferences:write` | `orgs:*`
`orgs:id:*` | Update organization preferences. | +| `orgs.quotas:read` | `orgs:*`
`orgs:id:*` | Read organization quotas. | +| `orgs.quotas:write` | `orgs:*`
`orgs:id:*` | Update organization quotas. | +| `orgs:delete` | `orgs:*`
`orgs:id:*` | Delete one or more organizations. | +| `orgs:read` | `orgs:*`
`orgs:id:*` | Read one or more organizations. | +| `orgs:write` | `orgs:*`
`orgs:id:*` | Update one or more organizations. | +| `plugins.app:access` | `plugins:*`
`plugins:id:*` | Access one or more application plugins (still enforcing the organization role) | +| `plugins:install` | n/a | Install and uninstall plugins. | +| `plugins:write` | `plugins:*`
`plugins:id:*` | Edit settings for one or more plugins. | +| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}). | +| `reports:create` | n/a | Create reports. | +| `reports:write` | `reports:*`
`reports:id:*` | Update reports. | +| `reports.settings:read` | n/a | Read report settings. | +| `reports.settings:write` | n/a | Update report settings. | +| `reports:delete` | `reports:*`
`reports:id:*` | Delete reports. | +| `reports:read` | `reports:*` | List all available reports or get a specific report. | +| `reports:send` | `reports:*` | Send a report email. | +| `roles:delete` | `permissions:type:delegate` | Delete a custom role. | +| `roles:read` | `roles:*`
`roles:uid:*` | List roles and read a specific with its permissions. | +| `roles:write` | `permissions:type:delegate` | Create or update a custom role. | +| `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. | +| `server.stats:read` | n/a | Read Grafana instance statistics. | +| `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. | +| `serviceaccounts:create` | n/a | Update Grafana service accounts. | +| `serviceaccounts:delete` | `serviceaccounts:*` | Delete Grafana service accounts. | +| `serviceaccounts:read` | `serviceaccounts:*` | Read Grafana service accounts. | +| `serviceaccounts.permissions:write` | `serviceaccounts:*` | Update Grafana service account permissions to control who can do what with the service account. | +| `serviceaccounts.permissions:read` | `serviceaccounts:*` | Read Grafana service account permissions to see who can do what with the service account. | +| `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}}) | +| `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}). | +| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | +| `teams.permissions:read` | `teams:*`
`teams:id:*` | Read members and Team Sync setup for teams. | +| `teams.permissions:write` | `teams:*`
`teams:id:*` | Add, remove and update members and manage Team Sync setup for teams. | +| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. | +| `teams.roles:read` | `teams:*` | List roles assigned directly to a team. | +| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. | +| `teams:create` | n/a | Create teams. | +| `teams:delete` | `teams:*`
`teams:id:*` | Delete one or more teams. | +| `teams:read` | `teams:*`
`teams:id:*` | Read one or more teams and team preferences. | +| `teams:write` | `teams:*`
`teams:id:*` | Update one or more teams and team preferences. | +| `users.authtoken:read` | `global.users:*`
`global.users:id:*` | List authentication tokens that are assigned to a user. | +| `users.authtoken:write` | `global.users:*`
`global.users:id:*` | Update authentication tokens that are assigned to a user. | +| `users.password:write` | `global.users:*`
`global.users:id:*` | Update a user’s password. | +| `users.permissions:read` | `users:*` | List permissions of a user. | +| `users.permissions:write` | `global.users:*`
`global.users:id:*` | Update a user’s organization-level permissions. | +| `users.quotas:read` | `global.users:*`
`global.users:id:*` | List a user’s quotas. | +| `users.quotas:write` | `global.users:*`
`global.users:id:*` | Update a user’s quotas. | +| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. | +| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. | +| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. | +| `users:create` | n/a | Create a user. | +| `users:delete` | `global.users:*`
`global.users:id:*` | Delete a user. | +| `users:disable` | `global.users:*`
`global.users:id:*` | Disable a user. | +| `users:enable` | `global.users:*`
`global.users:id:*` | Enable a user. | +| `users:logout` | `global.users:*`
`global.users:id:*` | Sign out a user. | +| `users:read` | `global.users:*` | Read or search user profiles. | +| `users:write` | `global.users:*`
`global.users:id:*` | Update a user’s profile. | ### Grafana OnCall action definitions (beta) @@ -193,7 +196,7 @@ The following list contains role-based access control scopes. | `apikeys:*`
`apikeys:id:*` | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`. | | `dashboards:*`
`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. | | `datasources:*`
`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. | -| `folders:*`
`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. | +| `folders:*`
`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. Note that permissions granted to a folder cascade down to subfolders located under it | | `global.users:*`
`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. | | `orgs:*`
`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. | | `permissions:type:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | @@ -207,3 +210,4 @@ The following list contains role-based access control scopes. | `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | | `teams:*`
`teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. | | `users:*`
`users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. | +| `n/a` | `n/a` means not applicable. If an action has `n/a` specified for the scope, then the action does not require a scope. For example, the `teams:create` action does not require a scope and allows users to create teams. | diff --git a/docs/sources/developers/http_api/_index.md b/docs/sources/developers/http_api/_index.md index 704b52e40f6..a34ea461999 100644 --- a/docs/sources/developers/http_api/_index.md +++ b/docs/sources/developers/http_api/_index.md @@ -56,6 +56,6 @@ Grafana Enterprise includes all of the Grafana OSS APIs as well as those that fo - [Role-based access control API]({{< relref "access_control/" >}}) - [Data source permissions API]({{< relref "datasource_permissions/" >}}) -- [External group sync API]({{< relref "external_group_sync/" >}}) +- [Team sync API]({{< relref "team_sync/" >}}) - [License API]({{< relref "licensing/" >}}) - [Reporting API]({{< relref "reporting/" >}}) diff --git a/docs/sources/developers/http_api/external_group_sync.md b/docs/sources/developers/http_api/team_sync.md similarity index 86% rename from docs/sources/developers/http_api/external_group_sync.md rename to docs/sources/developers/http_api/team_sync.md index 644fc6098eb..d5d150ca7dc 100644 --- a/docs/sources/developers/http_api/external_group_sync.md +++ b/docs/sources/developers/http_api/team_sync.md @@ -1,8 +1,8 @@ --- aliases: - - ../../http_api/external_group_sync/ -canonical: /docs/grafana/latest/developers/http_api/external_group_sync/ -description: Grafana External Group Sync HTTP API + - ../../http_api/team_sync/ +canonical: /docs/grafana/latest/developers/http_api/team_sync/ +description: Grafana Team Sync HTTP API keywords: - grafana - http @@ -13,12 +13,12 @@ keywords: - group - member - enterprise -title: External Group Sync HTTP API +title: Team Sync HTTP API --- -# External Group Synchronization API +# Team Sync API -> External Group Synchronization is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "/docs/grafana/latest/introduction/grafana-enterprise" >}}). +> Team Sync is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "/docs/grafana/latest/introduction/grafana-enterprise" >}}). > If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to [Role-based access control permissions]({{< relref "/docs/grafana/latest/administration/roles-and-permissions/access-control/custom-role-actions-scopes" >}}) for more information.