Alerting docs: RBAC for enterprise and cloud (#86506)

* Alerting docs: RBAC for enterprise and cloud

* rbac structure

* ran prettier

* updates to data source permissions

* adds tables for roles

* ran prettier

* adds examples for custom role

* ran prettier

* updates table

* typo fix

* ran prettier
This commit is contained in:
brendamuir
2024-04-18 20:32:04 +02:00
committed by GitHub
parent f3fcfad2c8
commit b311612cf2
4 changed files with 276 additions and 11 deletions
@@ -0,0 +1,55 @@
---
canonical: https://grafana.com/docs/grafana/latest/alerting/set-up/configure-rbac/
description: Configure RBAC for Grafana Alerting
keywords:
- grafana
- alerting
- set up
- configure
- RBAC
labels:
products:
- enterprise
- cloud
title: Configure RBAC
weight: 155
---
# Configure RBAC
Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.
Each permission contains one or more actions and a scope.
## Permissions
Grafana Alerting has the following permissions.
| Action | Applicable scope | Description |
| ------------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | n/a | Create silences in the current organization. |
| `alert.instances:read` | n/a | Read alerts and silences in the current organization. |
| `alert.instances:write` | n/a | Update and expire silences in the current organization. |
| `alert.notifications.external:read` | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
| `alert.notifications:write` | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.notifications:read` | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:write` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.silences:create` | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders. |
| `alert.silences:read` | `folders:*`<br>`folders:uid:*` | Read general and rule-specific silences in a folder and its subfolders. |
| `alert.silences:write` | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders. |
| `alert.provisioning:read` | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning.secrets:read` | n/a | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets. |
| `alert.provisioning:write` | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
| `alert.provisioning.provenance:write` | n/a | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources |
To help plan your RBAC rollout strategy, refer to [Plan your RBAC rollout strategy](https://grafana.com/docs/grafana/next/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/).
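Review bot: The action names in this table (`alert.rules:create`, `alert.rules:read`, `alert.rules:write`, `alert.rules:delete`) do not match the fixed-roles table in access-roles.md added by this same commit, which spells them `alert.rule:create`, `alert.rule:read`, `alert.rule:write`, `alert.rule:delete`; align both on one spelling (the `alert.rules:*` form is the one the custom-role JSON examples use). Two actions that the fixed-roles table and the second custom-role example rely on, `alert.notifications.receivers:list` and `alert.notifications.time-intervals:read`, have no row here; add them with their scope so this table is the complete reference the page presents it as. Worth one sentence of warning: the `alert.provisioning:read`, `alert.provisioning.secrets:read` and `alert.provisioning:write` rows state that folder and data source permissions are not required, so these are org-wide grants that bypass any folder-scoped restriction a reader has just built, and `alert.provisioning.secrets:read` additionally exports decrypted secrets. Minor: the rollout-strategy link points at `docs/grafana/next/` while every other link in the commit uses `latest`, and the `alert.notifications:write` row sits above `:read`, unlike the other read/write pairs.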
@@ -0,0 +1,62 @@
---
canonical: https://grafana.com/docs/grafana/latest/alerting/set-up/configure-rbac/access-folders/
description: Manage access using folders
keywords:
- grafana
- alerting
- set up
- configure
- RBAC
- folder access
labels:
products:
- enterprise
- cloud
title: Manage access using folders or data sources
weight: 200
---
## Manage access using folders or data sources
You can further customize access for alert rules by assigning permissions to individual folders or data sources, regardless of role assigned.
{{< admonition type="note" >}}
You can't use folders to customize access to notification resources.
{{< /admonition >}}
Details of how role access can combine with folder permissions for Grafana Alerting are below.
| Role | Folder | Access |
| ------ | ------ | ---------------------------------------------------------------------------------------- |
| Admin | - | Write access to alert rules in all folders. |
| Editor | - | Write access to alert rules in all folders. |
| Viewer | Admin | Write access to alert rules **only** in the folders where the Admin permission is added. |
| Viewer | Edit | Write access to alert rules **only** in the folders where the Edit permission is added. |
| Viewer | View | Read access to alert rules in all folders. |
## Folder permissions
To manage folder permissions, complete the following steps.
1. In the left-side menu, click **Dashboards**.
1. Choose the folder you want to add permissions for.
{{< admonition type="note" >}}It doesnt matter which tab youre on (Dashboards, Panels, or Alert rules); the folder permission you set applies to all.{{< /admonition >}}
2. Click **Manage permissions** from the Folder actions menu.
3. Update or add permissions as required.
## Data source permissions
By default, users with the basic roles Admin, Editor, and Viewer roles have query access to data sources for Grafana Alerting.
If you used fixed roles or custom roles, you need to update data source permissions.
Alternatively, an admin can assign the role **Datasource Reader**, which grants the user access to all data sources.
To manage data source permissions, complete the following steps.
1. In the left-side menu, click **Connections** > **Data sources**.
1. Click the data source you want to change the permissions for.
1. Click the **Permissions** tab.
1. In the **Permission column**, update the permission or remove it by clicking **X**.
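Review bot: The page heading "## Manage access using folders or data sources" uses `##` where the other two new pages open with `#`, so this page renders without an H1; use `#`. The folder-permission steps mix `1.`/`1.` auto-numbering with explicit `2.`/`3.`, which renders as 1, 2, 2, 3; use `1.` throughout as the data-source steps below do. The admonition is missing apostrophes ("It doesn't matter which tab you're on"), and the `description` front matter ("Manage access using folders") no longer matches a title that also covers data sources. On substance, "If you used fixed roles or custom roles, you need to update data source permissions" does not say which permission; the permissions table in this commit names it (`datasources:query` scoped to the data sources the rules query), and the alternative offered here, the **Datasource Reader** role, grants access to all data sources, so it should be presented as the broad option rather than as an equivalent shortcut.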
@@ -0,0 +1,156 @@
---
canonical: https://grafana.com/docs/grafana/latest/alerting/set-up/configure-rbac/access-roles
description: Manage access using roles
keywords:
- grafana
- alerting
- set up
- configure
- RBAC
- role access
labels:
products:
- enterprise
- cloud
title: Manage access using roles
weight: 100
---
# Manage access using roles
In Grafana Enterprise and Grafana Cloud, there are Basic, Fixed, and Custom roles.
## Basic roles
There are four basic roles: Admin, Editor, Viewer, and No basic role. Each basic role contains a number of fixed roles.
The No basic role allows you to further customize access by assigning fixed roles to users, which you can also modify. You can also create and assign custom roles to a user with No basic role.
Details of the basic roles and the access they provide for Grafana Alerting are below.
| Role | Access |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences). |
| No basic role | A blank canvas to assign fixed or custom roles and craft permissions more precisely. For example, if you want to give a user the ability to see alert rules, but not notification settings, add No basic role and then the fixed role Rules reader. |
## Fixed roles
A fixed role is a group of multiple permissions.
Fixed roles provide users more granular access to create, view, and update Alerting resources than you would have with basic roles alone.
Details of the fixed roles and the access they provide for Grafana Alerting are below.
| Fixed role | Permissions | Description |
| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `fixed:alerting.instances:writer` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*` | Create, update and expire all silences. |
| `fixed:alerting.instances:reader` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*` | Read all alerts and silences. |
| `fixed:alerting.notifications:writer` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager. |
| `fixed:alerting.notifications:reader` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Read all Grafana and Alertmanager contact points, templates, and notification policies. |
| `fixed:alerting.rules:writer` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all alert rules and manage rule-specific silences. |
| `fixed:alerting.rules:reader` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list` | Read all alert rules and read rule-specific silences. |
| `fixed:alerting:writer` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer` | Create, update, and delete all alert rules, silences, contact points, templates, mute timings, and notification policies. |
| `fixed:alerting:reader` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader` | Read-only permissions for all alert rules, alerts, contact points, and notification policies. |
| `fixed:alerting.provisioning.secrets:reader` | `alert.provisioning:read` and `alert.provisioning.secrets:read` | Read-only permissions for Provisioning API and let export resources with decrypted secrets. |
| `fixed:alerting.provisioning:writer` | `alert.provisioning:read` and `alert.provisioning:write` | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. |
| `fixed:alerting.provisioning.status:writer` | `alert.provisioning.provenance:write` | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. |
## Create custom roles
Create custom roles of your own to manage permissions. Custom roles contain unique combinations of permissions, actions and scopes. Create a custom role when basic roles and fixed roles do not meet your permissions requirements.
For more information on creating custom roles, refer to [Create custom roles](https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/manage-rbac-roles/#create-custom-roles).
### Examples
The following examples give you an idea of how you can combine permissions for Grafana Alerting.
A custom role for read access to alert rules that uses data source DS1 and DS2 in folder F:
<!-- prettier-ignore-start -->
```
PUT access-control/roles
{
"name": "custom:alert_rules_reader",
"displayName": "Alert rule reader in folder F",
"description": "Read access to rules in folder F that use DS1 and DS2",
"permissions": [
{
"action": "datasources:query",
"scope": "datasources:uid:UID_DS1"
},
{
"action": "datasources:query",
"scope": "datasources:uid:UID_DS2"
},
{
"action": "alert.rules:read",
"scope": "folders:uid:UID_F"
},
{
"action": "folders:read",
"scope": "folders:uid:UID_F"
}
]
}
```
<!-- prettier-ignore-end -->
A custom role for write access to alert rules that uses simplified routing:
<!-- prettier-ignore-start -->
```
PUT access-control/roles
{
"name": "custom:alert_rules_updater",
"displayName": "Alert rules editor in folder F",
"description": "Edit access to rules in folder F that use DS1 and DS2",
"permissions": [
{
"action": "datasources:query",
"scope": "datasources:uid:UID_DS1"
},
{
"action": "datasources:query",
"scope": "datasources:uid:UID_DS2"
},
{
"action": "alert.rules:read",
"scope": "folders:uid:UID_F"
},
{
"action": "alert.rules:read",
"scope": "folders:uid:UID_F"
},
{
"action": "alert.rules:write",
"scope": "folders:uid:UID_F"
},
{
"action": "alert.rules:create",
"scope": "folders:uid:UID_F"
},
{
"action": "alert.notifications.receivers:list",
},
{
"action": "alert.notifications.time-intervals:read",
},
]
}
```
<!-- prettier-ignore-end -->
{{< admonition type="note" >}}
Delete the last two permissions if you arent using simplified notification routing.
{{< /admonition >}}
## Assign roles
To assign roles, complete the following steps.
1. Navigate to Administration > Users and access > Users, Teams, or Service Accounts.
1. Search for the user, team or service account you want to add a role for.
1. Select the role you want to assign.
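Review bot: The second custom-role body (`custom:alert_rules_updater`) is not valid JSON as written: the `alert.rules:read` on `folders:uid:UID_F` entry appears twice, and the last two objects and the array carry trailing commas (`"action": "alert.notifications.receivers:list",` directly followed by `}`), so pasting it into the API will fail; drop the duplicate and the trailing commas. The two objects without a `scope` should say in the surrounding text that these are org-scoped actions (the permissions table marks such actions "n/a"), otherwise a reader may assume a scope was dropped. Also verify the request line `PUT access-control/roles` against the RBAC HTTP API reference the page links to; it lacks the `/api/` prefix the rest of the Grafana HTTP API uses. In the fixed-roles table, `fixed:alerting.notifications:writer` lists `alert.notifications.external:read` for `datasources:*`, which its reader role already contributes; by analogy with the `instances:writer` and `rules:writer` rows this should presumably be `alert.notifications.external:write`, and "`alert.notifications:write`for" is missing a space. The same table uses `alert.rule:*` where the permissions page and both JSON examples use `alert.rules:*`. Prose: "you arent" needs an apostrophe.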
@@ -42,15 +42,10 @@ To assign roles, admins need to complete the following steps.
## Manage access using folder permissions
You can further customize access for alert rules, simplified alert routing, and provisioning by assigning permissions to individual folders.
You can further customize access for alert rules by assigning permissions to individual folders.
This prevents every user from having access to modify all alert rules and gives them access to the folders with the alert rules they're working on.
For example, if you are using simplified alert routing and adding contact points to your alert rules, it also helps you avoid the scenario where someone from another team accidentally removes the wrong notification policy or adds a competing one, and all of a sudden you stop getting your notifications.
In this case, you would assign the **Viewer** role and then add **Editor** permission to the folder.
Adding the **Editor** permission to the folder doesn't overwrite the **Viewer** role.
Details on the adding folder permissions as well as roles and the access that provides for Grafana Alerting is below.
| Role | Folder permission | Access |
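Review bot: The replacement sentence narrows the scope from "alert rules, simplified alert routing, and provisioning" to "alert rules" only, yet the paragraph that begins "For example, if you are using simplified alert routing and adding contact points to your alert rules" still motivates folder permissions through simplified routing; if that example is kept the qualifier should stay, and if the example goes with it the remaining text should say where the routing and provisioning guidance now lives. This commit adds an access-folders page with its own Role/Folder/Access table, so a link from here would also avoid maintaining two diverging copies of the same table.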
@@ -69,8 +64,5 @@ To manage folder permissions, complete the following steps.
1. In the left-side menu, click **Dashboards**.
1. Hover your mouse cursor over a folder and click **Go to folder**.
1. Click the **Permissions** tab.
1. Click **Add a permission**.
1. Select the user, service account, team, or role.
1. Select **Viewer, Editor or Admin**.
1. Click **Save**.
1. Click **Manage permissions** from the Folder actions menu.
1. Update or add permissions as required.
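Review bot: The new two-step procedure ("Click **Manage permissions** from the Folder actions menu", "Update or add permissions as required") drops the details the old steps carried: which principal types can be chosen (user, service account, team, or role), which levels exist (Viewer, Editor, Admin), and that the change has to be saved. If the "Hover your mouse cursor over a folder and click **Go to folder**" step is also removed, nothing left here says how to reach the folder. Either keep those details or replace the steps with a link to the access-folders page added in this commit, which contains the same two-step text, so that one copy is maintained.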