"Release: Updated versions in package to 9.1.0-beta.1" (#439 )

Alerting: Extract alert rule diff logic into separate file with exported API (#53083 )
* Refactor diff logic into separate file with exported API * Fix linter complaint
2022-08-02 10:56:55 +03:00 · 2022-08-01 23:41:23 -05:00 · 2022-08-01 22:02:30 -04:00 · 2022-08-01 20:32:41 -05:00 · 2022-08-01 19:28:38 -04:00 · 2022-08-01 14:46:48 -08:00
2279 changed files with 116045 additions and 53843 deletions
@@ -1,28 +1,18 @@
 import { regexp } from '@betterer/regexp';
-import { eslint } from '@betterer/eslint';
 import { BettererFileTest } from '@betterer/betterer';
+import { ESLint, Linter } from 'eslint';
+import { existsSync } from 'fs';

 export default {
  'no enzyme tests': () => regexp(/from 'enzyme'/g).include('**/*.test.*'),
-  'better eslint': () =>
-    eslint({
-      '@typescript-eslint/no-explicit-any': 'error',
-      '@typescript-eslint/consistent-type-assertions': [
-        'error',
-        {
-          assertionStyle: 'never',
-        },
-      ],
-    }).include('**/*.{ts,tsx}'),
-  'no undocumented stories': () => countUndocumentedStories().include('**/*.{story.tsx,mdx}'),
+  'better eslint': () => countEslintErrors().include('**/*.{ts,tsx}'),
+  'no undocumented stories': () => countUndocumentedStories().include('**/*.story.tsx'),
 };

 function countUndocumentedStories() {
  return new BettererFileTest(async (filePaths, fileTestResult) => {
-    const storyFilePaths = filePaths.filter((filePath) => filePath.endsWith('story.tsx'));
-    const mdxFilePaths = filePaths.filter((filePath) => filePath.endsWith('mdx'));
-    storyFilePaths.forEach((filePath) => {
-      if (!mdxFilePaths.includes(filePath.replace(/\.story.tsx$/, '.mdx'))) {
+    filePaths.forEach((filePath) => {
+      if (!existsSync(filePath.replace(/\.story.tsx$/, '.mdx'))) {
        // In this case the file contents don't matter:
        const file = fileTestResult.addFile(filePath, '');
        // Add the issue to the first character of the file:
@@ -31,3 +21,49 @@ function countUndocumentedStories() {
    });
  });
 }
+
+function countEslintErrors() {
+  return new BettererFileTest(async (filePaths, fileTestResult, resolver) => {
+    const { baseDirectory } = resolver;
+    const cli = new ESLint({ cwd: baseDirectory });
+
+    await Promise.all(
+      filePaths.map(async (filePath) => {
+        const linterOptions = (await cli.calculateConfigForFile(filePath)) as Linter.Config;
+
+        const rules: Partial<Linter.RulesRecord> = {
+          '@typescript-eslint/no-explicit-any': 'error',
+        };
+
+        if (!filePath.endsWith('.test.tsx') && !filePath.endsWith('.test.ts')) {
+          rules['@typescript-eslint/consistent-type-assertions'] = [
+            'error',
+            {
+              assertionStyle: 'never',
+            },
+          ];
+        }
+
+        const runner = new ESLint({
+          baseConfig: {
+            ...linterOptions,
+            rules,
+          },
+          useEslintrc: false,
+          cwd: baseDirectory,
+        });
+
+        const lintResults = await runner.lintFiles([filePath]);
+        lintResults
+          .filter((lintResult) => lintResult.source)
+          .forEach((lintResult) => {
+            const { messages } = lintResult;
+            const file = fileTestResult.addFile(filePath, '');
+            messages.forEach((message, index) => {
+              file.addIssue(0, 0, message.message, `${index}`);
+            });
+          });
+      })
+    );
+  });
+}
@@ -4,12 +4,12 @@
 # 3. Run `make drone`
 # More information about this process here: https://github.com/grafana/deployment_tools/blob/master/docs/infrastructure/drone/signing.md

-load('scripts/drone/pipelines/pr.star', 'pr_pipelines')
-load('scripts/drone/pipelines/main.star', 'main_pipelines')
+load('scripts/drone/events/pr.star', 'pr_pipelines')
+load('scripts/drone/events/main.star', 'main_pipelines')
 load('scripts/drone/pipelines/docs.star', 'docs_pipelines')
-load('scripts/drone/pipelines/release.star', 'release_pipelines', 'publish_image_pipelines', 'publish_artifacts_pipelines', 'publish_npm_pipelines', 'publish_packages_pipeline')
+load('scripts/drone/events/release.star', 'release_pipelines', 'publish_image_pipelines', 'publish_artifacts_pipelines', 'publish_npm_pipelines', 'publish_packages_pipeline', 'artifacts_page_pipeline')
 load('scripts/drone/version.star', 'version_branch_pipelines')
-load('scripts/drone/pipelines/cron.star', 'cronjobs')
+load('scripts/drone/events/cron.star', 'cronjobs')
 load('scripts/drone/vault.star', 'secrets')

 def main(ctx):
@@ -17,5 +17,5 @@ def main(ctx):
    return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
        publish_image_pipelines('public') + publish_image_pipelines('security') + \
        publish_artifacts_pipelines('security') + publish_artifacts_pipelines('public') + \
-        publish_npm_pipelines('public') + publish_packages_pipeline() + \
+        publish_npm_pipelines('public') + publish_packages_pipeline() + artifacts_page_pipeline() + \
        version_branch_pipelines() + cronjobs(edition=edition) + secrets()
@@ -17,7 +17,7 @@ vendor
 # TS generate from cue by cuetsy
 **/*.gen.ts

-# Auto-generated localisation files
+# Auto-generated internationalization files
 public/locales/_build/
 public/locales/**/*.js

@@ -38,10 +38,10 @@ go.sum @grafana/backend-platform
 # Observability backend code
 /pkg/tsdb/prometheus @grafana/observability-metrics
 /pkg/tsdb/influxdb @grafana/observability-metrics
-/pkg/tsdb/elasticsearch @grafana/observability-logs-and-traces
+/pkg/tsdb/elasticsearch @grafana/observability-logs
 /pkg/tsdb/graphite @grafana/observability-metrics
 /pkg/tsdb/jaeger @grafana/observability-logs-and-traces
-/pkg/tsdb/loki @grafana/observability-logs-and-traces
+/pkg/tsdb/loki @grafana/observability-logs
 /pkg/tsdb/zipkin @grafana/observability-logs-and-traces
 /pkg/tsdb/tempo @grafana/observability-logs-and-traces

@@ -108,6 +108,7 @@ pkg/tsdb/testdatasource/sims/ @grafana/grafana-edge-squad
 /public/app/features/comments/ @grafana/grafana-edge-squad
 /public/app/features/dimensions/ @grafana/grafana-edge-squad
 /public/app/features/geo/ @grafana/grafana-edge-squad
+/public/app/features/storage/ @grafana/grafana-edge-squad
 /public/app/features/live/ @grafana/grafana-edge-squad
 /public/app/features/explore/ @grafana/observability-experience-squad
 /public/app/features/plugins @grafana/plugins-platform-frontend
@@ -116,7 +117,7 @@ pkg/tsdb/testdatasource/sims/ @grafana/grafana-edge-squad
 /public/app/plugins/panel/barchart @grafana/grafana-bi-squad
 /public/app/plugins/panel/heatmap @grafana/grafana-bi-squad
 /public/app/plugins/panel/histogram @grafana/grafana-bi-squad
-/public/app/plugins/panel/logs @grafana/observability-logs-and-traces
+/public/app/plugins/panel/logs @grafana/observability-logs
 /public/app/plugins/panel/nodeGraph @grafana/observability-logs-and-traces
 /public/app/plugins/panel/piechart @grafana/grafana-bi-squad
 /public/app/plugins/panel/state-timeline @grafana/grafana-bi-squad
@@ -143,18 +144,19 @@ lerna.json @grafana/frontend-ops
 .eslintrc @grafana/frontend-ops
 .pa11yci.conf.js @grafana/user-essentials
 .pa11yci-pr.conf.js @grafana/user-essentials
+.betterer.results @joshhunt

 # @grafana/ui component documentation
 *.mdx @marcusolsson @jessover9000 @grafana/plugins-platform-frontend

 # Core datasources
 /public/app/plugins/datasource/cloudwatch @grafana/aws-plugins
-/public/app/plugins/datasource/elasticsearch @grafana/observability-logs-and-traces
+/public/app/plugins/datasource/elasticsearch @grafana/observability-logs
 /public/app/plugins/datasource/grafana-azure-monitor-datasource @grafana/cloud-provider-plugins
 /public/app/plugins/datasource/graphite @grafana/observability-metrics
 /public/app/plugins/datasource/influxdb @grafana/observability-metrics
 /public/app/plugins/datasource/jaeger @grafana/observability-logs-and-traces
-/public/app/plugins/datasource/loki @grafana/observability-logs-and-traces
+/public/app/plugins/datasource/loki @grafana/observability-logs
 /public/app/plugins/datasource/mssql @grafana/grafana-bi-squad
 /public/app/plugins/datasource/mysql @grafana/grafana-bi-squad
 /public/app/plugins/datasource/opentsdb @grafana/backend-platform
@@ -79,7 +79,7 @@
    "name":"datasource/Azure",
    "action":"addToProject",
    "addToProject":{
-      "url":"https://github.com/orgs/grafana/projects/97"
+      "url":"https://github.com/orgs/grafana/projects/190"
    }
  },
  {
@@ -103,7 +103,7 @@
    "name":"datasource/GoogleCloudMonitoring",
    "action":"addToProject",
    "addToProject":{
-      "url":"https://github.com/orgs/grafana/projects/97"
+      "url":"https://github.com/orgs/grafana/projects/190"
    }
  },
  {
@@ -138,20 +138,12 @@
      "url":"https://github.com/orgs/grafana/projects/112"
    }
  },
-  {
-    "type":"label",
-    "name":"datasource/OpenSearch",
-    "action":"addToProject",
-    "addToProject":{
-      "url":"https://github.com/orgs/grafana/projects/110"
-    }
-  },
  {
    "type":"label",
    "name":"datasource/Loki",
    "action":"addToProject",
    "addToProject":{
-      "url":"https://github.com/orgs/grafana/projects/110"
+      "url":"https://github.com/orgs/grafana/projects/203"
    }
  },
  {
@@ -167,7 +159,7 @@
    "name":"datasource/Elasticsearch",
    "action":"addToProject",
    "addToProject":{
-      "url":"https://github.com/orgs/grafana/projects/110"
+      "url":"https://github.com/orgs/grafana/projects/203"
    }
  },
  {
@@ -74,7 +74,7 @@ jobs:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.0
        with:
          node-version: '16'
      - name: Install Actions
@@ -14,4 +14,7 @@ on:

 jobs:
  workflow-call:
-    uses: grafana/code-coverage/.github/workflows/code-coverage.yml@v0.1.2
+    uses: grafana/code-coverage/.github/workflows/code-coverage.yml@v0.1.6
+    with:
+      frontend-path-regexp: public\/app\/plugins\/datasource\/(grafana-azure-monitor-datasource|cloud-monitoring|cloudwatch)
+      backend-path-regexp: pkg\/tsdb\/(azuremonitor|cloudmonitoring|cloudwatch)
@@ -0,0 +1,16 @@
+name: "doc-validator"
+on:
+  pull_request:
+    paths: ["docs/sources/**"]
+  workflow_dispatch:
+jobs:
+  doc-validator:
+    runs-on: "ubuntu-latest"
+    container:
+      image: "grafana/doc-validator:latest"
+    steps:
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+      - name: "Run doc-validator tool"
+        # Ensure that the CI always passes until all errors are resolved.
+        run: "doc-validator ./docs/sources || true"
@@ -17,7 +17,7 @@ jobs:
    - uses: actions/checkout@v3
    - run: git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.GH_BOT_ACCESS_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync
    - name: generate-packages-docs
-      uses: actions/setup-node@v3.3.0
+      uses: actions/setup-node@v3.4.0
      id: generate-docs
      with:
        node-version: '16'
@@ -162,7 +162,7 @@ compilation-stats.json
 !pkg/coremodel/**/*_gen.go
 !pkg/framework/**/*_gen.go

-# Auto-generated localisation files
+# Auto-generated internationalization files
 public/locales/_build/
 public/locales/**/*.js

@@ -1,8 +1,8 @@
 {
  "locales": [
-    "en",
-    "fr",
-    "es",
+    "en-US",
+    "fr-FR",
+    "es-ES",
    "pseudo-LOCALE"
  ],
  "catalogs": [
@@ -20,11 +20,11 @@
    }
  ],
  "fallbackLocales": {
-    "pseudo-LOCALE": "en",
-    "default": "en"
+    "pseudo-LOCALE": "en-US",
+    "default": "en-US"
  },
  "pseudoLocale": "pseudo-LOCALE",
-  "sourceLocale": "en",
+  "sourceLocale": "en-US",
  "format": "po",
  "formatOptions": {
    "lineNumbers": false
@@ -3,6 +3,7 @@ var config = {
    concurrency: 1,
    runners: ['axe'],
    useIncognitoBrowserContext: false,
+    standard: 'WCAG2AA',
    chromeLaunchConfig: {
      args: ['--no-sandbox'],
    },
@@ -60,7 +61,7 @@ var config = {
      rootElement: '.main-view',
      // the unified alerting promotion alert's content contrast is too low
      // see https://github.com/grafana/grafana/pull/41829
-      threshold: 5,
+      threshold: 4,
    },
    {
      url: '${HOST}/datasources',
@@ -96,7 +97,7 @@ var config = {
      url: '${HOST}/org/apikeys',
      wait: 500,
      rootElement: '.main-view',
-      threshold: 0,
+      threshold: 3,
    },
    {
      url: '${HOST}/dashboards',
@@ -3,6 +3,7 @@ var config = {
    concurrency: 1,
    runners: ['axe'],
    useIncognitoBrowserContext: false,
+    standard: 'WCAG2AA',
    chromeLaunchConfig: {
      args: ['--no-sandbox'],
    },
@@ -18,7 +18,7 @@ vendor
 # TS generate from cue by cuetsy
 **/*.gen.ts

-# Auto-generated localisation files
+# Auto-generated internationalization files
 public/locales/_build/
 public/locales/**/*.js

@@ -1,6 +1,6 @@
 {
  "name": "eslint",
-  "version": "8.17.0-sdk",
+  "version": "8.20.0-sdk",
  "main": "./lib/api.js",
  "type": "commonjs"
 }
@@ -1,6 +1,6 @@
 {
  "name": "prettier",
-  "version": "2.6.2-sdk",
+  "version": "2.7.1-sdk",
  "main": "./index.js",
  "type": "commonjs"
 }
@@ -1,6 +1,6 @@
 {
  "name": "typescript",
-  "version": "4.6.4-sdk",
+  "version": "4.7.4-sdk",
  "main": "./lib/typescript.js",
  "type": "commonjs"
 }
@@ -81,4 +81,4 @@ plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-outdated.cjs
    spec: "https://mskelton.dev/yarn-outdated/v2"

-yarnPath: .yarn/releases/yarn-3.2.1.cjs
+yarnPath: .yarn/releases/yarn-3.2.2.cjs
@@ -1,3 +1,115 @@
+<!-- 9.0.5 START -->
+
+# 9.0.5 (2022-07-26)
+
+### Features and enhancements
+
+- **Access control:** Show dashboard settings to users who can edit dashboard. [#52535](https://github.com/grafana/grafana/pull/52535), [@grafanabot](https://github.com/grafanabot)
+- **Alerting:** Allow the webhook notifier to support a custom Authorization header. [#52515](https://github.com/grafana/grafana/pull/52515), [@gotjosh](https://github.com/gotjosh)
+- **Chore:** Upgrade to Go version 1.17.12. [#52523](https://github.com/grafana/grafana/pull/52523), [@sakjur](https://github.com/sakjur)
+- **Plugins:** Add signature wildcard globbing for dedicated private plugin type. [#52163](https://github.com/grafana/grafana/pull/52163), [@wbrowne](https://github.com/wbrowne)
+- **Prometheus:** Don't show errors from unsuccessful API checks like rules or exemplar checks. [#52193](https://github.com/grafana/grafana/pull/52193), [@darrenjaneczek](https://github.com/darrenjaneczek)
+
+### Bug fixes
+
+- **Access control:** Allow organisation admins to add existing users to org (#51668). [#52553](https://github.com/grafana/grafana/pull/52553), [@vtorosyan](https://github.com/vtorosyan)
+- **Alerting:** Fix alert panel instance-based rules filtering. [#52583](https://github.com/grafana/grafana/pull/52583), [@konrad147](https://github.com/konrad147)
+- **Apps:** Fixes navigation between different app plugin pages. [#52571](https://github.com/grafana/grafana/pull/52571), [@torkelo](https://github.com/torkelo)
+- **Cloudwatch:** Upgrade grafana-aws-sdk to fix auth issue with secret keys. [#52420](https://github.com/grafana/grafana/pull/52420), [@sarahzinger](https://github.com/sarahzinger)
+- **Grafana/toolkit:** Fix incorrect image and font generation for plugin builds. [#52661](https://github.com/grafana/grafana/pull/52661), [@academo](https://github.com/academo)
+- **Loki:** Fix `show context` not working in some occasions. [#52458](https://github.com/grafana/grafana/pull/52458), [@svennergr](https://github.com/svennergr)
+- **RBAC:** Fix permissions on dashboards and folders created by anonymous users. [#52615](https://github.com/grafana/grafana/pull/52615), [@gamab](https://github.com/gamab)
+
+<!-- 9.0.5 END -->
+<!-- 9.0.4 START -->
+
+# 9.0.4 (2022-07-20)
+
+### Features and enhancements
+
+- **Browse/Search:** Make browser back work properly when visiting Browse or search. [#52271](https://github.com/grafana/grafana/pull/52271), [@torkelo](https://github.com/torkelo)
+- **Logs:** Improve getLogRowContext API. [#52130](https://github.com/grafana/grafana/pull/52130), [@gabor](https://github.com/gabor)
+- **Loki:** Improve handling of empty responses. [#52397](https://github.com/grafana/grafana/pull/52397), [@gabor](https://github.com/gabor)
+- **Plugins:** Always validate root URL if specified in signature manfiest. [#52332](https://github.com/grafana/grafana/pull/52332), [@wbrowne](https://github.com/wbrowne)
+- **Preferences:** Get home dashboard from teams. [#52225](https://github.com/grafana/grafana/pull/52225), [@sakjur](https://github.com/sakjur)
+- **SQLStore:** Support Upserting multiple rows. [#52228](https://github.com/grafana/grafana/pull/52228), [@joeblubaugh](https://github.com/joeblubaugh)
+- **Traces:** Add more template variables in Tempo & Zipkin. [#52306](https://github.com/grafana/grafana/pull/52306), [@joey-grafana](https://github.com/joey-grafana)
+- **Traces:** Remove serviceMap feature flag. [#52375](https://github.com/grafana/grafana/pull/52375), [@joey-grafana](https://github.com/joey-grafana)
+
+### Bug fixes
+
+- **Access Control:** Fix missing folder permissions. [#52410](https://github.com/grafana/grafana/pull/52410), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Access control:** Fix org user removal for OSS users. [#52473](https://github.com/grafana/grafana/pull/52473), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Alerting:** Fix Slack notification preview. [#50230](https://github.com/grafana/grafana/pull/50230), [@ekrucio](https://github.com/ekrucio)
+- **Alerting:** Fix Slack push notifications. [#52391](https://github.com/grafana/grafana/pull/52391), [@grobinson-grafana](https://github.com/grobinson-grafana)
+- **Alerting:** Fixes slack push notifications. [#50267](https://github.com/grafana/grafana/pull/50267), [@jgillick](https://github.com/jgillick)
+- **Alerting:** Preserve new-lines from custom email templates in rendered email. [#52253](https://github.com/grafana/grafana/pull/52253), [@alexweav](https://github.com/alexweav)
+- **Insights:** Fix dashboard and data source insights pages. (Enterprise)
+- **Log:** Fix text logging for unsupported types. [#51306](https://github.com/grafana/grafana/pull/51306), [@papagian](https://github.com/papagian)
+- **Loki:** Fix incorrect TopK value type in query builder. [#52226](https://github.com/grafana/grafana/pull/52226), [@ivanahuckova](https://github.com/ivanahuckova)
+
+<!-- 9.0.4 END -->
+<!-- 9.0.3 START -->
+
+# 9.0.3 (2022-07-14)
+
+### Features and enhancements
+
+- **Access Control:** Allow dashboard admins to query org users. [#51652](https://github.com/grafana/grafana/pull/51652), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Access control:** Allow organisation admins to add existing users to org. [#51668](https://github.com/grafana/grafana/pull/51668), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Alerting:** Add method to provisioning API for obtaining a group and its rules. [#51761](https://github.com/grafana/grafana/pull/51761), [@alexweav](https://github.com/alexweav)
+- **Alerting:** Add method to provisioning API for obtaining a group and its rules. [#51398](https://github.com/grafana/grafana/pull/51398), [@alexweav](https://github.com/alexweav)
+- **Alerting:** Allow filtering of contact points by name. [#51933](https://github.com/grafana/grafana/pull/51933), [@alexweav](https://github.com/alexweav)
+- **Alerting:** Disable /api/admin/pause-all-alerts with Unified Alerting. [#51895](https://github.com/grafana/grafana/pull/51895), [@joeblubaugh](https://github.com/joeblubaugh)
+- **Analytics:** Add total queries and cached queries in usage insights logs. (Enterprise)
+- **Annotations:** Use point marker for short time range annotations. [#51520](https://github.com/grafana/grafana/pull/51520), [@codeincarnate](https://github.com/codeincarnate)
+- **AzureMonitor:** Update UI to experimental package. [#52123](https://github.com/grafana/grafana/pull/52123), [@asimpson](https://github.com/asimpson)
+- **AzureMonitor:** Update resource and namespace metadata. [#52030](https://github.com/grafana/grafana/pull/52030), [@despian](https://github.com/despian)
+- **CloudWatch:** Remove simplejson in favor of 'encoding/json'. [#51062](https://github.com/grafana/grafana/pull/51062), [@asimpson](https://github.com/asimpson)
+- **DashboardRow:** Collapse shortcut prevent to move the collapsed rows. [#51589](https://github.com/grafana/grafana/pull/51589), [@ivanortegaalba](https://github.com/ivanortegaalba)
+- **Insights:** Add dashboard UID to exported logs. (Enterprise)
+- **Navigation:** Highlight active nav item when Grafana is served from subpath. [#51767](https://github.com/grafana/grafana/pull/51767), [@kianelbo](https://github.com/kianelbo)
+- **Plugins:** InfluxDB datasource - set epoch query param value as "ms". [#51651](https://github.com/grafana/grafana/pull/51651), [@itsmylife](https://github.com/itsmylife)
+- **Plugins:** InfluxDB update time range query. [#51833](https://github.com/grafana/grafana/pull/51833), [@itsmylife](https://github.com/itsmylife)
+- **StateTimeline:** Try to sort time field. [#51569](https://github.com/grafana/grafana/pull/51569), [@zoltanbedi](https://github.com/zoltanbedi)
+
+### Bug fixes
+
+- **API:** Do not validate/save legacy alerts when saving a dashboard if legacy alerting is disabled. [#51883](https://github.com/grafana/grafana/pull/51883), [@papagian](https://github.com/papagian)
+- **Access Control:** Fix missing folder permissions. [#52153](https://github.com/grafana/grafana/pull/52153), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Alerting:** Add method to reset notification policy tree back to the default. [#51934](https://github.com/grafana/grafana/pull/51934), [@alexweav](https://github.com/alexweav)
+- **Alerting:** Fix Teams notifier not failing on 200 response with error. [#52254](https://github.com/grafana/grafana/pull/52254), [@JacobsonMT](https://github.com/JacobsonMT)
+- **Alerting:** Fix bug where state did not change between Alerting and Error. [#52204](https://github.com/grafana/grafana/pull/52204), [@grobinson-grafana](https://github.com/grobinson-grafana)
+- **Alerting:** Fix consistency errors in OpenAPI documentation. [#51935](https://github.com/grafana/grafana/pull/51935), [@alexweav](https://github.com/alexweav)
+- **Alerting:** Fix normalization of alert states for panel annotations. [#51637](https://github.com/grafana/grafana/pull/51637), [@gillesdemey](https://github.com/gillesdemey)
+- **Alerting:** Provisioning API respects global rule quota. [#52180](https://github.com/grafana/grafana/pull/52180), [@alexweav](https://github.com/alexweav)
+- **CSRF:** Fix additional headers option. [#50629](https://github.com/grafana/grafana/pull/50629), [@sakjur](https://github.com/sakjur)
+- **Chore:** Bump parse-url to 6.0.2 to fix security vulnerabilities. [#51796](https://github.com/grafana/grafana/pull/51796), [@jackw](https://github.com/jackw)
+- **Chore:** Fix CVE-2020-7753. [#51752](https://github.com/grafana/grafana/pull/51752), [@jackw](https://github.com/jackw)
+- **Chore:** Fix CVE-2021-3807. [#51753](https://github.com/grafana/grafana/pull/51753), [@jackw](https://github.com/jackw)
+- **Chore:** Fix CVE-2021-3918. [#51745](https://github.com/grafana/grafana/pull/51745), [@jackw](https://github.com/jackw)
+- **Chore:** Fix CVE-2021-43138. [#51751](https://github.com/grafana/grafana/pull/51751), [@jackw](https://github.com/jackw)
+- **Chore:** Fix CVE-2022-0155. [#51755](https://github.com/grafana/grafana/pull/51755), [@jackw](https://github.com/jackw)
+- **Custom Branding:** Fix login logo size. (Enterprise)
+- **Dashboard:** Fixes tooltip issue with TimePicker and Setting buttons. [#51836](https://github.com/grafana/grafana/pull/51836), [@torkelo](https://github.com/torkelo)
+- **Dashboard:** Prevent unnecessary scrollbar when viewing single panel. [#52122](https://github.com/grafana/grafana/pull/52122), [@lpskdl](https://github.com/lpskdl)
+- **Logs:** Fixed wrapping log lines from detected fields. [#52108](https://github.com/grafana/grafana/pull/52108), [@svennergr](https://github.com/svennergr)
+- **Loki:** Add missing operators in label filter expression. [#51880](https://github.com/grafana/grafana/pull/51880), [@ivanahuckova](https://github.com/ivanahuckova)
+- **Loki:** Fix error when changing operations with different parameters. [#51779](https://github.com/grafana/grafana/pull/51779), [@svennergr](https://github.com/svennergr)
+- **Loki:** Fix suggesting of correct operations in query builder. [#52034](https://github.com/grafana/grafana/pull/52034), [@ivanahuckova](https://github.com/ivanahuckova)
+- **Plugins:** InfluxDB variable interpolation fix. [#51917](https://github.com/grafana/grafana/pull/51917), [@itsmylife](https://github.com/itsmylife)
+- **Plugins:** InfluxDB variable interpolation fix for influxdbBackendMigration feature flag. [#51624](https://github.com/grafana/grafana/pull/51624), [@itsmylife](https://github.com/itsmylife)
+- **Reports:** Fix line breaks in message. (Enterprise)
+- **Reports:** Fix saving report formats. (Enterprise)
+- **SQLstore:** Fix fetching an inexistent playlist. [#51962](https://github.com/grafana/grafana/pull/51962), [@papagian](https://github.com/papagian)
+- **Security:** Fixes for CVE-2022-31107 and CVE-2022-31097. [#52279](https://github.com/grafana/grafana/pull/52279), [@kminehart](https://github.com/kminehart)
+- **Snapshots:** Fix deleting external snapshots when using RBAC. [#51897](https://github.com/grafana/grafana/pull/51897), [@idafurjes](https://github.com/idafurjes)
+- **Table:** Fix scrollbar being hidden by pagination. [#51501](https://github.com/grafana/grafana/pull/51501), [@zoltanbedi](https://github.com/zoltanbedi)
+- **Templating:** Changing between variables with the same name now correctly triggers a dashboard refresh. [#51490](https://github.com/grafana/grafana/pull/51490), [@ashharrison90](https://github.com/ashharrison90)
+- **Time series panel:** Fix an issue with stacks being not complete due to the incorrect data frame length. [#51910](https://github.com/grafana/grafana/pull/51910), [@dprokop](https://github.com/dprokop)
+- **[v9.0.x] Snapshots:** Fix deleting external snapshots when using RBAC (#51897). [#51904](https://github.com/grafana/grafana/pull/51904), [@idafurjes](https://github.com/idafurjes)
+
+<!-- 9.0.3 END -->
 <!-- 9.0.2 START -->

 # 9.0.2 (2022-06-28)
@@ -576,6 +688,16 @@ In the Loki data source, for consistency and performance reasons, we changed how

 The dependency to [grafana/aws-sdk](https://github.com/grafana/grafana-aws-sdk-react) is moved from [grafana/ui](https://github.com/grafana/grafana/blob/main/packages/grafana-ui/package.json) to the plugin. This means that any plugin that use SIGV4 auth need to pass a SIGV4 editor component as a prop to the `DataSourceHttpSettings` component. Issue [#43559](https://github.com/grafana/grafana/issues/43559)

+<!-- 8.5.9 START -->
+
+# 8.5.9 (2022-07-14)
+
+### Bug fixes
+
+- **Security:** Fixes for CVE-2022-31107 and CVE-2022-31097. [#52238](https://github.com/grafana/grafana/pull/52238), [@xlson](https://github.com/xlson)
+
+<!-- 8.5.9 END -->
+
 <!-- 8.5.6 START -->

 # 8.5.6 (2022-06-14)
@@ -816,6 +938,16 @@ When user is using Github OAuth, GitHub login is showed as both Grafana login an

 The meaning of the default data source has now changed from being a persisted property in a panel. Before when you selected the default data source for a panel and later changed the default data source to another data source it would change all panels who were configured to use the default data source. From now on the default data source is just the default for new panels and changing the default will not impact any currently saved dashboards. Issue [#45132](https://github.com/grafana/grafana/issues/45132)

+<!-- 8.4.10 START -->
+
+# 8.4.10 (2022-07-14)
+
+### Bug fixes
+
+- **Security:** Fixes for CVE-2022-31107 and CVE-2022-31097. [#52218](https://github.com/grafana/grafana/pull/52218), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+
+<!-- 8.4.10 END -->
+
 <!-- 8.4.7 START -->

 # 8.4.7 (2022-04-19)
@@ -20,14 +20,13 @@ COPY emails emails
 ENV NODE_ENV production
 RUN yarn build

-FROM golang:1.17.11-alpine3.15 as go-builder
+FROM golang:1.17.12-alpine3.15 as go-builder

 RUN apk add --no-cache gcc g++ make

 WORKDIR /grafana

 COPY go.mod go.sum embed.go Makefile build.go package.json ./
-COPY cue cue
 COPY packages/grafana-schema packages/grafana-schema
 COPY public/app/plugins public/app/plugins
 COPY public/api-spec.json public/api-spec.json
@@ -21,7 +21,7 @@ COPY emails emails
 ENV NODE_ENV production
 RUN yarn build

-FROM golang:1.17.11 AS go-builder
+FROM golang:1.17.12 AS go-builder

 WORKDIR /src/grafana

@@ -29,7 +29,6 @@ COPY go.mod go.sum embed.go ./
 COPY Makefile build.go package.json ./
 COPY .bingo .bingo
 COPY pkg pkg/
-COPY cue cue/
 COPY cue.mod cue.mod/
 COPY packages/grafana-schema packages/grafana-schema/
 COPY public/app/plugins public/app/plugins/
@@ -12,7 +12,6 @@ include .bingo/Variables.mk
 GO = go
 GO_FILES ?= ./pkg/...
 SH_FILES ?= $(shell find ./scripts -name *.sh)
-API_DEFINITION_FILES = $(shell find ./pkg/api/docs/definitions -name '*.go' -print)
 GO_BUILD_FLAGS += $(if $(GO_BUILD_DEV),-dev)
 GO_BUILD_FLAGS += $(if $(GO_BUILD_TAGS),-build-tags=$(GO_BUILD_TAGS))

@@ -39,14 +38,15 @@ NGALERT_SPEC_TARGET = pkg/services/ngalert/api/tooling/api.json
 $(NGALERT_SPEC_TARGET):
 	+$(MAKE) -C pkg/services/ngalert/api/tooling api.json

-$(MERGED_SPEC_TARGET): $(SPEC_TARGET) $(NGALERT_SPEC_TARGET) ## Merge generated and ngalert API specs
-	go run pkg/api/docs/merge/merge_specs.go -o=$(MERGED_SPEC_TARGET) $(<) $(NGALERT_SPEC_TARGET)
+$(MERGED_SPEC_TARGET): $(SPEC_TARGET) $(NGALERT_SPEC_TARGET) $(SWAGGER) ## Merge generated and ngalert API specs
+	# known conflicts DsPermissionType, AddApiKeyCommand, Json, Duration (identical models referenced by both specs)
+	$(SWAGGER) mixin $(SPEC_TARGET) $(NGALERT_SPEC_TARGET) --ignore-conflicts -o $(MERGED_SPEC_TARGET)

--swagger-api-spec: $(API_DEFINITION_FILES) $(SWAGGER) ## Generate API Swagger specification
+--swagger-api-spec: $(SWAGGER) ## Generate API Swagger specification
 	SWAGGER_GENERATE_EXTENSION=false $(SWAGGER) generate spec -m -w pkg/server -o public/api-spec.json \
 	-x "github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions" \
 	-x "github.com/prometheus/alertmanager" \
-	-i pkg/api/docs/tags.json
+	-i pkg/api/swagger_tags.json

 swagger-api-spec: gen-go --swagger-api-spec $(MERGED_SPEC_TARGET) validate-api-spec

@@ -94,9 +94,30 @@ run-frontend: deps-js ## Fetch js dependencies and watch frontend for rebuild

 ##@ Testing

-test-go: ## Run tests for backend.
-	@echo "test backend"
-	$(GO) test -v ./pkg/...
+.PHONY: test-go
+test-go: test-go-unit test-go-integration
+
+.PHONY: test-go-unit
+test-go-unit: ## Run unit tests for backend with flags.
+	@echo "test backend unit tests"
+	$(GO) test -short -covermode=atomic -timeout=30m ./pkg/...
+
+.PHONY: test-go-integration
+test-go-integration: ## Run integration tests for backend with flags.
+	@echo "test backend integration tests"
+	$(GO) test -run Integration -covermode=atomic -timeout=30m ./pkg/...
+
+.PHONY: test-go-integration-postgres
+test-go-integration-postgres: devenv-postgres ## Run integration tests for postgres backend with flags.
+	@echo "test backend integration postgres tests"
+	$(GO) clean -testcache
+	$(GO) list './pkg/...' | xargs -I {} sh -c 'GRAFANA_TEST_DB=postgres go test -run Integration -covermode=atomic -timeout=30m {}'
+
+.PHONY: test-go-integration-mysql
+test-go-integration-mysql: devenv-mysql ## Run integration tests for mysql backend with flags.
+	@echo "test backend integration mysql tests"
+	$(GO) clean -testcache
+	$(GO) list './pkg/...' | xargs -I {} sh -c 'GRAFANA_TEST_DB=mysql go test -run Integration -covermode=atomic -timeout=30m {}'

 test-js: ## Run tests for frontend.
 	@echo "test frontend"
@@ -153,6 +174,14 @@ devenv-down: ## Stop optional services.
 	test -f docker-compose.yaml && \
 	docker-compose down || exit 0;

+devenv-postgres:
+	@cd devenv; \
+	sources=postgres_tests
+
+devenv-mysql:
+	@cd devenv; \
+	sources=mysql_tests
+
 ##@ Helpers

 # We separate the protobuf generation because most development tasks on
@@ -125,7 +125,7 @@ path = grafana.db
 # For "sqlite3" only. cache mode setting used for connecting to the database
 cache_mode = private

-# For "mysql" only if lockingMigration feature toggle is set. How many seconds to wait before failing to lock the database for the migrations, default is 0.
+# For "mysql" only if migrationLocking feature toggle is set. How many seconds to wait before failing to lock the database for the migrations, default is 0.
 locking_attempt_timeout_sec = 0

 #################################### Cache server #############################
@@ -467,6 +467,8 @@ api_url = https://api.github.com/user
 allowed_domains =
 team_ids =
 allowed_organizations =
+role_attribute_path =
+role_attribute_strict = false

 #################################### GitLab Auth #########################
 [auth.gitlab]
@@ -576,7 +578,7 @@ tls_client_cert =
 tls_client_key =
 tls_client_ca =
 use_pkce = false
-auth_style = 
+auth_style =

 #################################### Basic Auth ##########################
 [auth.basic]
@@ -597,6 +599,7 @@ enable_login_token = false
 #################################### Auth JWT ##########################
 [auth.jwt]
 enabled = false
+enable_login_token = false
 header_name =
 email_claim =
 username_claim =
@@ -762,7 +765,7 @@ instrumentations_console_enabled = false
 instrumentations_webvitals_enabled = false

 # Api Key, only applies to Grafana Javascript Agent provider
-api_key = 
+api_key =

 #################################### Usage Quotas ########################
 [quota]
@@ -805,6 +808,9 @@ global_session = -1
 # global limit of alerts
 global_alert_rule = -1

+# global limit of files uploaded to the SQL DB
+global_file = 1000
+
 #################################### Unified Alerting ####################
 [unified_alerting]
 # Enable the Unified Alerting sub-system and interface. When enabled we'll migrate all of your alert rules and notification channels to the new system. New alert rules will be created and your notification channels will be converted into an Alertmanager configuration. Previous data is preserved to enable backwards compatibility but new data is removed when switching. When this configuration section and flag are not defined, the state is defined at runtime. See the documentation for more details.
@@ -861,8 +867,8 @@ max_attempts = 3
 min_interval = 10s

 [unified_alerting.screenshots]
-# Enable screenshots in notifications. This option requires a remote HTTP image rendering service. Please
-# see [rendering] for further configuration options.
+# Enable screenshots in notifications. This option requires the Grafana Image Renderer plugin.
+# For more information on configuration options, refer to [rendering].
 capture = false

 # The maximum number of screenshots that can be taken at the same time. This option is different from
@@ -876,6 +882,11 @@ max_concurrent_screenshots = 5
 # screenshots will be persisted to disk for up to temp_data_lifetime.
 upload_external_image_storage = false

+[unified_alerting.reserved_labels]
+# Comma-separated list of reserved labels added by the Grafana Alerting engine that should be disabled.
+# For example: `disabled_labels=grafana_folder`
+disabled_labels =
+
 #################################### Alerting ############################
 [alerting]
 # Enable the legacy alerting sub-system and interface. If Unified Alerting is already enabled and you try to go back to legacy alerting, all data that is part of Unified Alerting will be deleted. When this configuration section and flag are not defined, the state is defined at runtime. See the documentation for more details.
@@ -1255,3 +1266,10 @@ max_crawl_duration =
 # Minimum interval between two subsequent scheduler runs. Default is 12h.
 # This setting should be expressed as a duration. Examples: 10s (seconds), 1m (minutes).
 scheduler_interval =
+
+
+#################################### Storage ################################################
+
+[storage]
+# Allow uploading SVG files without sanitization.
+allow_unsanitized_svg_upload = false
@@ -25,6 +25,9 @@ bind_dn = "cn=admin,dc=grafana,dc=org"
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 bind_password = 'grafana'

+# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
+timeout = 10
+
 # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
 search_filter = "(cn=%s)"

@@ -126,7 +126,7 @@
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private

-# For "mysql" only if lockingMigration feature toggle is set. How many seconds to wait before failing to lock the database for the migrations, default is 0.
+# For "mysql" only if migrationLocking feature toggle is set. How many seconds to wait before failing to lock the database for the migrations, default is 0.
 ;locking_attempt_timeout_sec = 0

 ################################### Data sources #########################
@@ -847,6 +847,11 @@
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;min_interval = 10s

+[unified_alerting.reserved_labels]
+# Comma-separated list of reserved labels added by the Grafana Alerting engine that should be disabled.
+# For example: `disabled_labels=grafana_folder`
+;disabled_labels =
+
 #################################### Alerting ############################
 [alerting]
 # Disable legacy alerting engine & UI features
@@ -1,4 +1,4 @@
-# Localisation
+# Internationalization

 Grafana uses the [LinguiJS](https://github.com/lingui/js-lingui) framework for managing translating phrases in the Grafana frontend.

@@ -59,7 +59,7 @@ For components used all over the site, use just two segments:

 ### Top-level provider

-In [AppWrapper.tsx](/public/app/AppWrapper.tsx) the app is wrapped with `I18nProvider` from `public/app/core/localisation.tsx` where the Lingui instance is created with the user's preferred locale. This sets the appropriate context and allows any component from `@lingui/macro` to use the translations for the user's preferred locale.
+In [AppWrapper.tsx](/public/app/AppWrapper.tsx) the app is wrapped with `I18nProvider` from `public/app/core/internationalization/index.tsx` where the Lingui instance is created with the user's preferred locale. This sets the appropriate context and allows any component from `@lingui/macro` to use the translations for the user's preferred locale.

 ### Message format

@@ -191,4 +191,4 @@ import { Plural } from "@lingui/macro"

 ## Documentation

-[Grafana's documentation](https://grafana.com/docs/grafana/latest/) is not yet open for translation and should be authored in English only.
+[Grafana's documentation](https://grafana.com/docs/grafana/latest/) is not yet open for translation and should be authored in American English only.
@@ -26,10 +26,10 @@ Let's start with a simple [JSX](https://reactjs.org/docs/introducing-jsx.html) e
 <input className="gf-form-input login-form-input" type="text" />
 ```

-We _could_ target the field with a CSS selector like `.gf-form-input.login-form-input` but that would be brittle as style changes occur frequently. Furthermore there is nothing that signals to future developers that this input is part of an E2E test. At Grafana, we use `aria-label` attributes as our preferred way of defining selectors instead of [`data-*`](https://mdn.io/docs/Web/HTML/Global_attributes/data-*) as they also aid in [accessibility](https://mdn.io/docs/Learn/Accessibility/What_is_accessibility):
+We _could_ target the field with a CSS selector like `.gf-form-input.login-form-input` but that would be brittle as style changes occur frequently. Furthermore there is nothing that signals to future developers that this input is part of an E2E test. At Grafana, we use `data-testid` attributes as our preferred way of defining selectors. See [Aria-Labels vs data-testid](#aria-labels-vs-data-testid) for more details.

 ```jsx
-<input aria-label="Username input field" className="gf-form-input login-form-input" type="text" />
+<input data-testid="Username input field" className="gf-form-input login-form-input" type="text" />
 ```

 The next step is to create a `Page` representation in our E2E framework to glue the test with the real implementation using the `pageFactory` function. For that function we can supply a `url` and `selectors` like in the example below:
@@ -39,10 +39,12 @@ export const Login = {
  // Called via `Login.visit()`
  url: '/login',
  // Called via `Login.username()`
-  username: 'Username input field',
+  username: 'data-testid Username input field',
 };
 ```

+Note that the selector is prefixed with `data-testid` - this is a signal to the framework to look for the selector in the `data-testid` attribute.
+
 The next step is to add the `Login` page to the `Pages` export within [_\<repo-root>/packages/grafana-e2e-selectors/src/selectors/pages.ts_](../../packages/grafana-e2e-selectors/src/selectors/pages.ts) so that it appears when we type `e2e.pages` in our IDE.

 ```typescript
@@ -59,7 +61,7 @@ Now that we have a `Page` called `Login` in our `Pages` const we can use that to
 ```jsx
 import { selectors } from '@grafana/e2e-selectors';

-<input aria-label={selectors.pages.Login.username} className="gf-form-input login-form-input" type="text" />;
+<input data-testid={selectors.pages.Login.username} className="gf-form-input login-form-input" type="text" />;
 ```

 The last step in our example is to use our `Login` page as part of a test.
@@ -100,7 +102,7 @@ Just as before in the basic example we'll start by creating a page abstraction u
 ```typescript
 export const DataSources = {
  url: '/datasources',
-  dataSources: (dataSourceName: string) => `Data source list item ${dataSourceName}`,
+  dataSources: (dataSourceName: string) => `data-testid Data source list item ${dataSourceName}`,
 };
 ```

@@ -115,7 +117,7 @@ The next step is to use the `dataSources` selector function as in our example be
  {dataSources.map(({ id, name }) => (
    <li className="card-item-wrapper" key={id}>
      <a className="card-item" href={`datasources/edit/${id}`}>
-        <div className="card-item-name" aria-label={selectors.pages.DataSources.dataSources(name)}>
+        <div className="card-item-name" data-testid={selectors.pages.DataSources.dataSources(name)}>
          {name}
        </div>
      </a>
@@ -127,9 +129,9 @@ The next step is to use the `dataSources` selector function as in our example be
 When this list is rendered with the data sources with names `A`, `B` and `C` ,the resulting HTML would look like:

 ```html
-<div class="card-item-name" aria-label="Data source list item A">A</div>
-<div class="card-item-name" aria-label="Data source list item B">B</div>
-<div class="card-item-name" aria-label="Data source list item C">C</div>
+<div class="card-item-name" data-testid="data-testid Data source list item A">A</div>
+<div class="card-item-name" data-testid="data-testid Data source list item B">B</div>
+<div class="card-item-name" data-testid="data-testid Data source list item C">C</div>
 ```

 Now we can write our test. The one thing that differs from the [basic example](#basic-example) above is that we pass in which data source we want to click on as an argument to the selector function:
@@ -351,7 +351,7 @@ static defaultProps: Partial<Props> = { ... }
 We recommend using named regular functions when creating a new react functional component.

 ```typescript
-export function Component(props: Props): ReactElement { ... }
+export function Component(props: Props) { ... }
 ```

 ## State management
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-ab -n 20000 -c 100 -H "Authorization: Bearer vEustw23NSOZ27y3zlj28ZL3B7BpBk5kqR85DOfT5AwiS3nCi33dnsk6nhvXhZdn" \
-  http://localhost:3000/api/dashboards/db/dash1
@@ -247,7 +247,15 @@ datasources:
    access: proxy
    url: http://localhost:3100
    editable: false
+    correlations:
+      - targetUID: gdev-jaeger
+        label: "Jaeger traces"
+        description: "Related traces stored in Jaeger"
+      - targetUID: gdev-zipkin
+        label: "Zipkin traces"
+        description: "Related traces stored in Zipkin"
    jsonData:
+      something: here
      manageAlerts: false
      derivedFields:
        - name: "traceID"
@@ -1 +0,0 @@
-http-bind-address: :8086
@@ -5,6 +5,7 @@
      - '8086:8086'
    environment:
      INFLUXD_REPORTING_DISABLED: 'true'
+      INFLUXD_HTTP_BIND_ADDRESS: ':8086'
      DOCKER_INFLUXDB_INIT_MODE: 'setup'
      DOCKER_INFLUXDB_INIT_USERNAME: 'grafana'
      DOCKER_INFLUXDB_INIT_PASSWORD: 'grafana12345'
@@ -12,7 +13,6 @@
      DOCKER_INFLUXDB_INIT_BUCKET: 'mybucket'
      DOCKER_INFLUXDB_INIT_ADMIN_TOKEN: 'mytoken'
    volumes:
-      - ./docker/blocks/influxdb/config.yaml:/etc/influxdb2/config.yaml
      - ./docker/blocks/influxdb/setup_influxql.sh:/docker-entrypoint-initdb.d/setup_influxql.sh

  telegraf:
@@ -0,0 +1,9 @@
+#/bin/sh
+
+VERSION=12.0.1 # set version here
+
+cd /tmp
+git clone git@github.com:keycloak/keycloak-containers.git
+cd keycloak-containers/server
+git checkout $VERSION
+docker build -t "quay.io/keycloak/keycloak:${VERSION}" .
@@ -0,0 +1,54 @@
+  oauthkeycloakdb:
+    image: postgres:12.2
+    container_name: oauthkeycloakdb
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: password
+    volumes:
+      - ./docker/blocks/jwt_proxy/cloak.sql:/docker-entrypoint-initdb.d/cloak.sql
+    restart: unless-stopped
+
+  oauthkeycloak:
+    image: quay.io/keycloak/keycloak:12.0.1
+    container_name: oauthkeycloak
+    environment:
+      DB_VENDOR: POSTGRES
+      DB_ADDR: oauthkeycloakdb
+      DB_DATABASE: keycloak
+      DB_USER: keycloak
+      DB_PASSWORD: password
+      KEYCLOAK_USER: admin
+      KEYCLOAK_PASSWORD: admin
+      PROXY_ADDRESS_FORWARDING: "true"
+    ports:
+      - 8087:8080
+    depends_on:
+      - oauthkeycloakdb
+    links:
+      - "oauthkeycloakdb:oauthkeycloakdb"
+    restart: unless-stopped
+
+  oauthproxy:
+    image: docker.io/bitnami/oauth2-proxy:7.3.0
+    container_name: oauthproxy
+    command: [
+    "--cookie-secret=yI-CWT5s4sBR2Zd0DDJJlTYc0aQ3jwGH15jYA18ZAQA=",
+    "--upstream=http://localhost:3000",
+    "--provider=keycloak",
+    "--client-id=grafana-oauth",
+    "--client-secret=d17b9ea9-bcb1-43d2-b132-d339e55872a8",
+    "--login-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/auth",
+    "--redeem-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/token",
+    "--profile-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/userinfo",
+    "--validate-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/userinfo",
+    "--cookie-secure=false",
+    "--http-address=0.0.0.0:8088",
+    "--redirect-url=http://127.0.0.1:8088/oauth2/callback",
+    "--pass-access-token=true",
+    "--email-domain=*",
+    ]
+    network_mode: "host"
+    depends_on:
+      - oauthkeycloak
+    restart: unless-stopped
@@ -0,0 +1 @@
+{"keys":[{"kid":"On2FQuJ8Y-909uJGWQEDkbzG-GRNmMc43HslEgVv_VQ","kty":"RSA","alg":"RS256","use":"sig","n":"qDmQHfTcOQOzmNJbVvtvuS8p_EgmiscP7vA_PZNyKx9O7utyGuoAmJH8e2w8gLIDDWHl5_x8aAIl_-TTPTSiyX8I68ryIdR28ZSe5u4pRdpXCVvJpOefKNIxQCTH7rs4KuRj0HZ2u1mu1Vz5_CeCCoKwKSmheD3u1xTJ8-VxQmdqfGxhuKtnkof7977HWOWy4GLDFqxyYHgihP_MmSeTmXUhVeZI6IOCqHMpF8eFWVGKM6V8rIKf8QO2K_vDJBM_3C933vMY8mqSQXbI3G54x-0myAaQXr4JkxjvUGKg5YC3ZXw7AjfZv_W_fQOG0GYp2hQ0akR4KNKT3XPNmpMVlQ","e":"AQAB","x5c":["MIICnTCCAYUCBgF+u1ir8jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdncmFmYW5hMB4XDTIyMDIwMjE2NDkxN1oXDTMyMDIwMjE2NTA1N1owEjEQMA4GA1UEAwwHZ3JhZmFuYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKg5kB303DkDs5jSW1b7b7kvKfxIJorHD+7wPz2TcisfTu7rchrqAJiR/HtsPICyAw1h5ef8fGgCJf/k0z00osl/COvK8iHUdvGUnubuKUXaVwlbyaTnnyjSMUAkx+67OCrkY9B2drtZrtVc+fwnggqCsCkpoXg97tcUyfPlcUJnanxsYbirZ5KH+/e+x1jlsuBiwxascmB4IoT/zJknk5l1IVXmSOiDgqhzKRfHhVlRijOlfKyCn/EDtiv7wyQTP9wvd97zGPJqkkF2yNxueMftJsgGkF6+CZMY71BioOWAt2V8OwI32b/1v30DhtBmKdoUNGpEeCjSk91zzZqTFZUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEABlW64QxuREB81VMGsyhj4Q5RykFaVuD5O8YlwUpmVfAVLzb0Drf54Kn4bnpnckKyYV+T+HsN4QXt81UE41xH0Aai2H3vrGH+PJf6aLPCDE+jpMqtN3n6IgImJXJPL8upMfhhWDv4nkM4uynEwWupzmrKi4oJuTETSMktJby4o6//XWnCzCVMoAGFJU4gtjBUzOMLW26zD+yc+BuUtfR3HzItVHSZKQSNSFO0kVS68RgrER8qJw07z3BOJ2bPpPM0PYyEngGMaowz/T6lI32ymGMWYMAnslthS1KAW9xcTBwnrW1nMhe5a0LPxIktys/wJtxIHZLc5sOddGT4xYklLg=="],"x5t":"prs-h1NBqOSJMH-tQWLTqguWets","x5t#S256":"YjK3HobZW8xbNL1IPDgFhCM41UC5c0hG2cxaF6v961Q"}]}
@@ -0,0 +1,87 @@
+# OAUTH BLOCK
+## Devenv setup jwt auth
+
+To launch the block, use the oauth source. Ex:
+
+```bash
+make devenv sources="jwt_proxy"
+```
+
+Here is the conf you need to add to your configuration file (conf/custom.ini):
+
+```ini
+[auth]
+signout_redirect_url = http://127.0.0.1:8088/oauth2/sign_out
+
+[auth.jwt]
+enabled = true
+enable_login_token = true
+header_name = X-Forwarded-Access-Token
+username_claim = login
+email_claim = email
+jwk_set_file = devenv/docker/blocks/oauth/jwks.json
+cache_ttl = 60m
+expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
+auto_sign_up = true
+```
+
+Access Grafana through: 
+
+```sh
+http://127.0.0.1:8088
+```
+
+## Devenv setup jwt auth iframe embedding
+
+- Add previous configuration and next snippet to grafana.ini
+
+```ini
+[security]
+allow_embedding = true
+```
+
+- Create dashboard and copy UID
+
+- Clone [https://github.com/grafana/grafana-iframe-oauth-sample](https://github.com/grafana/grafana-iframe-oauth-sample)
+
+- Change the dashboard URL in `grafana-iframe-oauth-sample/src/pages/restricted.tsx` to use the dashboard you created (keep URL query values)
+
+- Start sample app from the `grafana-iframe-oauth-sample` folder with: `yarn start`
+
+- Navigate to [http://localhost:4200](http://localhost:4200) and press restricted area
+
+Note: You may need to grant the JWT user in grafana access to the datasources and the dashboard
+
+## Backing up keycloak DB
+
+In case you want to make changes to the devenv setup, you can dump keycloack's DB:
+
+```bash
+cd devenv;
+docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/jwt_proxy/cloak.sql
+```
+
+## Connecting to keycloack:
+
+- keycloak admin:                     http://localhost:8087
+- keycloak admin login:               admin:admin
+- grafana jwt viewer login:          jwt-viewer:grafana
+- grafana jwt editor login:          jwt-editor:grafana
+- grafana jwt admin login:           jwt-admin:grafana
+
+# Troubleshooting
+
+## Mac M1 Users
+
+The new arm64 architecture does not build for the latest docker image of keycloack. Refer to https://github.com/docker/for-mac/issues/5310 for the issue to see if it resolved.
+Until then you need to build the docker image locally and then run `devenv`.
+
+1. Remove any lingering keycloack image
+```sh
+$ docker rmi $(docker images | grep 'keycloack')
+```
+1. Build keycloack image locally
+```sh
+$ ./docker-build-keycloack-m1-image.sh
+```
+1. Start from beginning of this readme
@@ -0,0 +1,9 @@
+#/bin/sh
+
+VERSION=12.0.1 # set version here
+
+cd /tmp
+git clone git@github.com:keycloak/keycloak-containers.git
+cd keycloak-containers/server
+git checkout $VERSION
+docker build -t "quay.io/keycloak/keycloak:${VERSION}" .
@@ -0,0 +1,30 @@
+  oauthkeycloakdb:
+    image: postgres:12.2
+    container_name: oauthkeycloakdb
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: password
+    volumes:
+      - ./docker/blocks/oauth/cloak.sql:/docker-entrypoint-initdb.d/cloak.sql
+    restart: unless-stopped
+  
+  oauthkeycloak:
+    image: quay.io/keycloak/keycloak:12.0.1
+    container_name: oauthkeycloak
+    environment:
+      DB_VENDOR: POSTGRES
+      DB_ADDR: oauthkeycloakdb
+      DB_DATABASE: keycloak
+      DB_USER: keycloak
+      DB_PASSWORD: password
+      KEYCLOAK_USER: admin
+      KEYCLOAK_PASSWORD: admin
+      PROXY_ADDRESS_FORWARDING: "true"
+    ports:
+      - 8087:8080
+    depends_on:
+      - oauthkeycloakdb
+    links:
+      - "oauthkeycloakdb:oauthkeycloakdb"
+    restart: unless-stopped
@@ -0,0 +1 @@
+{"keys":[{"kid":"On2FQuJ8Y-909uJGWQEDkbzG-GRNmMc43HslEgVv_VQ","kty":"RSA","alg":"RS256","use":"sig","n":"qDmQHfTcOQOzmNJbVvtvuS8p_EgmiscP7vA_PZNyKx9O7utyGuoAmJH8e2w8gLIDDWHl5_x8aAIl_-TTPTSiyX8I68ryIdR28ZSe5u4pRdpXCVvJpOefKNIxQCTH7rs4KuRj0HZ2u1mu1Vz5_CeCCoKwKSmheD3u1xTJ8-VxQmdqfGxhuKtnkof7977HWOWy4GLDFqxyYHgihP_MmSeTmXUhVeZI6IOCqHMpF8eFWVGKM6V8rIKf8QO2K_vDJBM_3C933vMY8mqSQXbI3G54x-0myAaQXr4JkxjvUGKg5YC3ZXw7AjfZv_W_fQOG0GYp2hQ0akR4KNKT3XPNmpMVlQ","e":"AQAB","x5c":["MIICnTCCAYUCBgF+u1ir8jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdncmFmYW5hMB4XDTIyMDIwMjE2NDkxN1oXDTMyMDIwMjE2NTA1N1owEjEQMA4GA1UEAwwHZ3JhZmFuYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKg5kB303DkDs5jSW1b7b7kvKfxIJorHD+7wPz2TcisfTu7rchrqAJiR/HtsPICyAw1h5ef8fGgCJf/k0z00osl/COvK8iHUdvGUnubuKUXaVwlbyaTnnyjSMUAkx+67OCrkY9B2drtZrtVc+fwnggqCsCkpoXg97tcUyfPlcUJnanxsYbirZ5KH+/e+x1jlsuBiwxascmB4IoT/zJknk5l1IVXmSOiDgqhzKRfHhVlRijOlfKyCn/EDtiv7wyQTP9wvd97zGPJqkkF2yNxueMftJsgGkF6+CZMY71BioOWAt2V8OwI32b/1v30DhtBmKdoUNGpEeCjSk91zzZqTFZUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEABlW64QxuREB81VMGsyhj4Q5RykFaVuD5O8YlwUpmVfAVLzb0Drf54Kn4bnpnckKyYV+T+HsN4QXt81UE41xH0Aai2H3vrGH+PJf6aLPCDE+jpMqtN3n6IgImJXJPL8upMfhhWDv4nkM4uynEwWupzmrKi4oJuTETSMktJby4o6//XWnCzCVMoAGFJU4gtjBUzOMLW26zD+yc+BuUtfR3HzItVHSZKQSNSFO0kVS68RgrER8qJw07z3BOJ2bPpPM0PYyEngGMaowz/T6lI32ymGMWYMAnslthS1KAW9xcTBwnrW1nMhe5a0LPxIktys/wJtxIHZLc5sOddGT4xYklLg=="],"x5t":"prs-h1NBqOSJMH-tQWLTqguWets","x5t#S256":"YjK3HobZW8xbNL1IPDgFhCM41UC5c0hG2cxaF6v961Q"}]}
@@ -0,0 +1,134 @@
+# OAUTH BLOCK
+
+## Devenv setup oauth
+
+To launch the block, use the oauth source. Ex:
+```bash
+make devenv sources="oauth"
+```
+
+Here is the conf you need to add to your configuration file (conf/custom.ini):
+
+```ini
+[auth]
+signout_redirect_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogin
+
+[auth.generic_oauth]
+enabled = true
+name = Keycloak-OAuth
+allow_sign_up = true
+client_id = grafana-oauth
+client_secret = d17b9ea9-bcb1-43d2-b132-d339e55872a8
+empty_scopes = true
+email_attribute_path = email
+login_attribute_path = login
+name_attribute_path = name
+auth_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/auth
+token_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/token
+api_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/userinfo
+role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
+```
+
+## Devenv setup jwt auth
+
+To launch the block, use the oauth source. Ex:
+
+```bash
+make devenv sources="oauth"
+```
+
+Here is the conf you need to add to your configuration file (conf/custom.ini):
+
+```ini
+[auth.jwt]
+enabled = true
+header_name = X-JWT-Assertion
+username_claim = login
+email_claim = email
+jwk_set_file = devenv/docker/blocks/oauth/jwks.json
+cache_ttl = 60m
+expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
+auto_sign_up = true
+```
+
+You can obtain a jwt token by using the following command for oauth-admin:
+
+```sh
+curl --request POST \
+  --url http://localhost:8087/auth/realms/grafana/protocol/openid-connect/token \
+  --header 'Content-Type: application/x-www-form-urlencoded' \
+  --data client_id=grafana-oauth \
+  --data grant_type=password \
+  --data client_secret=d17b9ea9-bcb1-43d2-b132-d339e55872a8 \
+  --data scope=openid \
+  --data username=oauth-admin \
+  --data password=grafana
+```
+
+
+Grafana call example:
+
+```sh
+curl --request GET \
+  --url http://127.0.0.1:3000/api/folders \
+  --header 'Accept: application/json' \
+  --header 'X-JWT-Assertion: eyJ......'
+```
+
+### Alternative devenv setup jwk_set_url
+
+Run a reverse proxy pointing to the jwk_set_url (only an https-uri can be used as jwk_set_url).
+
+Ex (using localtunnel):
+
+```sh
+npx localtunnel --port 8087
+```
+
+And using the following conf:
+
+```ini
+[auth.jwt]
+enabled = true
+header_name = X-JWT-Assertion
+username_claim = login
+email_claim = email
+jwk_set_url = <YOUR REVERSE PROXY URL>/auth/realms/grafana/protocol/openid-connect/certs
+cache_ttl = 60m
+expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
+auto_sign_up = true
+```
+
+## Backing up keycloak DB
+
+In case you want to make changes to the devenv setup, you can dump keycloack's DB:
+
+```bash
+cd devenv;
+docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/oauth/cloak.sql
+```
+
+## Connecting to keycloack:
+
+- keycloak admin:                     http://localhost:8087
+- keycloak admin login:               admin:admin
+- grafana oauth viewer login:          oauth-viewer:grafana
+- grafana oauth editor login:          oauth-editor:grafana
+- grafana oauth admin login:           oauth-admin:grafana
+
+# Troubleshooting
+
+## Mac M1 Users
+
+The new arm64 architecture does not build for the latest docker image of keycloack. Refer to https://github.com/docker/for-mac/issues/5310 for the issue to see if it resolved.
+Until then you need to build the docker image locally and then run `devenv`.
+
+1. Remove any lingering keycloack image
+```sh
+$ docker rmi $(docker images | grep 'keycloack')
+```
+1. Build keycloack image locally
+```sh
+$ ./docker-build-keycloack-m1-image.sh
+```
+1. Start from beginning of this readme
@@ -1,4 +1,4 @@
 Right now Tempo is before stable release so this uses :latest tag which means there can be changes depending on when
 you pull the image.

-For adding some traces easily you can run Loki block and enable tracing (see ../loki/README.md)
+For adding some traces easily you can run Loki block and enable tracing (see ../loki-promtail/README.md)
@@ -14,29 +14,23 @@ weight: 700

 # API keys

-API keys can be used to interact with Grafana HTTP APIs.
-
-We recommend using service accounts instead of API keys if you are on Grafana 8.5+, for more information refer to [About service accounts]({{< relref "../service-accounts/about-service-accounts/#" >}}).
-
-{{< section >}}
-
-## About API keys
-
 An API key is a randomly generated string that external systems use to interact with Grafana HTTP APIs.

-When you create an API key, you specify a **Role** that determines the permissions associated with the API key. Role permissions control that actions the API key can perform on Grafana resources. For more information about creating API keys, refer to [Create an API key]({{< relref "create-api-key/#" >}}).
+When you create an API key, you specify a **Role** that determines the permissions associated with the API key. Role permissions control that actions the API key can perform on Grafana resources.
+
+> **Note:** If you use Grafana v8.5 or newer, use service accounts instead of API keys. For more information, refer to [Grafana service accounts]({{< relref "../service-accounts/" >}}).
+
+{{< section >}}

 ## Create an API key

 Create an API key when you want to manage your computed workload with a user.

-For more information about API keys, refer to [About API keys in Grafana]({{< relref "about-api-keys/" >}}).
-
 This topic shows you how to create an API key using the Grafana UI. You can also create an API key using the Grafana HTTP API. For more information about creating API keys via the API, refer to [Create API key via API]({{< relref "../../developers/http_api/create-api-tokens-for-org/#how-to-create-a-new-organization-and-an-api-token" >}}).

 ### Before you begin:

- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
+- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [Roles and permissions]({{< relref "../roles-and-permissions/#" >}}).

 **To create an API key:**

@@ -50,3 +44,40 @@ This topic shows you how to create an API key using the Grafana UI. You can also
   - The maximum length of time is 30 days (one month). You enter a number and a letter. Valid letters include `s` for seconds,`m` for minutes, `h` for hours, `d `for days, `w` for weeks, and `M `for month. For example, `12h` is 12 hours and `1M` is 1 month (30 days).
   - If you are unsure about how long an API key should be valid, we recommend that you choose a short duration, such as a few hours. This approach limits the risk of having API keys that are valid for a long time.
 1. Click **Add**.
+
+## Migrate API Keys to Grafana service accounts
+
+You can migrate one or all API keys to [Grafana service accounts]({{< relref "../service-accounts/" >}}). When you migrate an API key to a service account, a service account will be created with a service account token.
+The API key will continue to work, and you can find it in the [Grafana service account tokens]({{< relref "../service-accounts/#service-account-benefits/#service-account-tokens" >}}) details.
+For more information about benefits of service accounts, refer to [Grafana service account benefits]({{< relref "../service-accounts/#service-account-benefits" >}}).
+
+You can choose to migrate a single API key or all API keys. Note that when you migrate all API keys, you can't create new API keys anymore and will have to use service accounts instead.
+
+### Before you begin
+
+- Ensure you have permission to create Grafana service accounts. For more information about permissions, refer to [Roles and permissions]({{< relref "../roles-and-permissions/#" >}}).
+
+**To migrate all API keys to service accounts:**
+
+1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**.
+2. In the top of the page, find the section which says **Switch from API keys to service accounts**
+3. Click **Migrate to service accounts now**.
+4. A confirmation window will appear, asking to confirm the migration. Click **Yes, migrate now** if you are willing to continue.
+5. Once migration is successful, you can choose to forever hide the API keys page. Click **Hide API keys page forever** if you want to do that.
+
+**To migrate single API key to a service account:**
+
+1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**.
+1. Find the API Key you want to migrate.
+1. Click **Migrate to service account**.
+
+### Revert service account token to API key
+
+**Note:** This is undesired operation and should be used only in emergency situations.
+
+It is possible to convert back service account token to API key. You can use the [Revert service account token to API key HTTP API]({{< relref "../../developers/http_api/create-api-tokens-for-org/#how-to-create-a-new-organization-and-an-api-token" >}}) for that.
+
+**The revert will perform the following actions:**
+
+1. Convert the given service account token back to API key
+1. Delete the service account associated with the given key. **Make sure there are no other tokens associated with the service account, otherwise they all will be deleted.**
@@ -29,7 +29,7 @@ If the user is aware of the change and intended it, then that's great! But if th

 In Grafana, you can change your names and emails associated with groups or accounts in the Settings or Preferences. This topic provides instructions for each task.

-{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
+Some tasks require certain permissions. For more information about roles, refer to [Roles and permissions]({{< relref "../roles-and-permissions/" >}}).

 ### Change organization name

@@ -39,24 +39,20 @@ Grafana server administrators and organization administrators can change organiz

 Follow these instructions if you are a Grafana Server Admin.

-{{< docs/list >}}
-{{< docs/shared "manage-users/view-server-org-list.md" >}}
-
+1. Hover your cursor over the **Server Admin** (shield) icon until a menu appears.
+1. Click **Orgs**.
 1. In the organization list, click the name of the organization that you want to change.
 1. In **Name**, enter the new organization name.
 1. Click **Update**.
-   {{< /docs/list >}}

 #### Organization Admin change organization name

 If you are an Organization Admin, follow these steps:

-{{< docs/list >}}
-{{< docs/shared "preferences/org-preferences-list.md" >}}
-
+1. Hover your cursor over the **Configuration** (gear) icon.
+1. Click **Preferences**.
 1. In **Organization name**, enter the new name.
 1. Click **Update organization name**.
-   {{< /docs/list >}}

 ### Change team name or email

@@ -80,7 +76,7 @@ To learn how to edit your user information, refer to [Edit your profile]({{< rel

 In Grafana, you can modify the UI theme configured in the Settings or Preferences. Set the UI theme for the server, an organization, a team, or your personal user account using the instructions in this topic.

-{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
+Some tasks require certain permissions. For more information about roles, refer to [Roles and permissions]({{< relref "../roles-and-permissions/" >}}).

 ### Theme options

@@ -112,36 +108,34 @@ To see what the current settings are, refer to [View server settings]({{< relref

 Organization administrators can change the UI theme for all users in an organization.

-{{< docs/list >}}
-{{< docs/shared "preferences/org-preferences-list.md" >}}
-{{< docs/shared "preferences/select-ui-theme-list.md" >}}
-{{< /docs/list >}}
+1. Hover your cursor over the **Configuration** (gear) icon.
+1. Click **Preferences**.
+1. In the Preferences section, select the **UI theme**.
+1. Click **Save**.

 ### Change team UI theme

 Organization and team administrators can change the UI theme for all users in a team.

-{{< docs/list >}}
-{{< docs/shared "manage-users/view-team-list.md" >}}
-
+1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
+1. Click **Teams**. Grafana displays the team list.
 1. Click on the team that you want to change the UI theme for and then navigate to the **Settings** tab.
-   {{< docs/shared "preferences/select-ui-theme-list.md" >}}
-   {{< /docs/list >}}
+1. In the Preferences section, select the **UI theme**.
+1. Click **Save**.

 ### Change your personal UI theme

 You can change the UI theme for your user account. This setting overrides UI theme settings at higher levels.

-{{< docs/list >}}
-{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
-{{< docs/shared "preferences/select-ui-theme-list.md" >}}
-{{< /docs/list >}}
+1. On the left menu, hover your cursor over your avatar and then click **Preferences**.
+1. In the Preferences section, select the **UI theme**.
+1. Click **Save**.

 ## Change the Grafana default timezone

 By default, Grafana uses the timezone in your web browser. However, you can override this setting at the server, organization, team, or individual user level. This topic provides instructions for each task.

-{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
+Some tasks require certain permissions. For more information about roles, refer to [Roles and permissions]({{< relref "../roles-and-permissions/" >}}).

 ### Set server timezone

@@ -151,36 +145,34 @@ Grafana server administrators can choose a default timezone for all users on the

 Organization administrators can choose a default timezone for their organization.

-{{< docs/list >}}
-{{< docs/shared "preferences/org-preferences-list.md" >}}
-{{< docs/shared "preferences/select-timezone-list.md" >}}
-{{< /docs/list >}}
+1. Hover your cursor over the **Configuration** (gear) icon.
+1. Click **Preferences**.
+1. Click to select an option in the **Timezone** list. **Default** is either the browser local timezone or the timezone selected at a higher level. Refer to [Time range controls]({{< relref "../../dashboards/time-range-controls/" >}}) for more information about Grafana time settings.
+1. Click **Save**.

 ### Set team timezone

 Organization administrators and team administrators can choose a default timezone for all users in a team.

-{{< docs/list >}}
-{{< docs/shared "manage-users/view-team-list.md" >}}
-
+1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
+1. Click **Teams**. Grafana displays the team list.
 1. Click on the team you that you want to change the timezone for and then navigate to the **Settings** tab.
-   {{< docs/shared "preferences/select-timezone-list.md" >}}
-   {{< /docs/list >}}
+1. Click to select an option in the **Timezone** list. **Default** is either the browser local timezone or the timezone selected at a higher level. Refer to [Time range controls]({{< relref "../../dashboards/time-range-controls/" >}}) for more information about Grafana time settings.
+1. Click **Save**.

 ### Set your personal timezone

 You can change the timezone for your user account. This setting overrides timezone settings at higher levels.

-{{< docs/list >}}
-{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
-{{< docs/shared "preferences/select-timezone-list.md" >}}
-{{< /docs/list >}}
+1. On the left menu, hover your cursor over your avatar and then click **Preferences**.
+1. Click to select an option in the **Timezone** list. **Default** is either the browser local timezone or the timezone selected at a higher level. Refer to [Time range controls]({{< relref "../../dashboards/time-range-controls/" >}}) for more information about Grafana time settings.
+1. Click **Save**.

 ## Change the default home dashboard

 The home dashboard you set is the one all users will see by default when they log in. You can set the home dashboard for the server, an organization, a team, or your personal user account. This topic provides instructions for each task.

-{{< docs/shared "preferences/some-tasks-require-permissions.md" >}}
+Some tasks require certain permissions. For more information about roles, refer to [Roles and permissions]({{< relref "../roles-and-permissions/" >}}).

 ### Navigate to the home dashboard

@@ -216,30 +208,31 @@ default_home_dashboard_path = data/main-dashboard.json

 Organization administrators can choose a home dashboard for their organization.

-{{< docs/list >}}
-{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
-{{< docs/shared "preferences/org-preferences-list.md" >}}
-{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
-{{< /docs/list >}}
+1. Navigate to the dashboard you want to set as the home dashboard.
+1. Click the star next to the dashboard title to mark the dashboard as a favorite if it is not already.
+1. Hover your cursor over the **Configuration** (gear) icon.
+1. Click **Preferences**.
+1. In the **Home Dashboard** field, select the dashboard that you want to use for your home dashboard. Options include all starred dashboards.
+1. Click **Save**.

 ### Set home dashboard for your team

 Organization administrators and Team Admins can choose a home dashboard for a team.

-{{< docs/list >}}
-{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
-{{< docs/shared "manage-users/view-team-list.md" >}}
-
+1. Navigate to the dashboard you want to set as the home dashboard.
+1. Click the star next to the dashboard title to mark the dashboard as a favorite if it is not already.
+1. Hover your cursor over the **Configuration** (gear) icon in the side menu.
+1. Click **Teams**. Grafana displays the team list.
 1. Click on the team that you want to change the home dashboard for and then navigate to the **Settings** tab.
-   {{< docs/shared "preferences/select-home-dashboard-list.md" >}}
-   {{< /docs/list >}}
+1. In the **Home Dashboard** field, select the dashboard that you want to use for your home dashboard. Options include all starred dashboards.
+1. Click **Save**.

 ### Set your personal home dashboard

 You can choose your own personal home dashboard. This setting overrides all home dashboards set at higher levels.

-{{< docs/list >}}
-{{< docs/shared "preferences/navigate-to-the-dashboard-list.md" >}}
-{{< docs/shared "preferences/navigate-user-preferences-list.md" >}}
-{{< docs/shared "preferences/select-home-dashboard-list.md" >}}
-{{< /docs/list >}}
+1. Navigate to the dashboard you want to set as the home dashboard.
+1. Click the star next to the dashboard title to mark the dashboard as a favorite if it is not already.
+1. On the left menu, hover your cursor over your avatar and then click **Preferences**.
+1. In the **Home Dashboard** field, select the dashboard that you want to use for your home dashboard. Options include all starred dashboards.
+1. Click **Save**.
@@ -43,6 +43,16 @@ Apps can also add custom pages for things like control panels.

 Use app plugins when you want to create an custom out-of-the-box monitoring experience.

+### Managing app plugins access
+
+With [RBAC]({{< relref "../roles-and-permissions/access-control/#about-rbac" >}}), it is now possible to customize access to app plugins.
+
+By default, Viewers, Editors and Admins have access to all App Plugins that their organization role allows them to access, thanks to the `fixed:plugins.app:reader` role.
+
+> **Note:** Revoking this RBAC role from some users, will prevent them from accessing app plugins. But granting this RBAC role to users will only allow them to see app plugins their organization role allows them to see.
+
+To prevent users from seeing an app plugin, refer to [this permissions scenarios]({{< relref "../roles-and-permissions/access-control/plan-rbac-rollout-strategy#prevent-viewers-from-accessing-an-app-plugin" >}}).
+
 ## Plugin catalog

 The Plugin catalog allows you to browse and manage plugins from within Grafana. Only Grafana server administrators and organization administrators can access and use the plugin catalog. The following access rules apply depending on the user role:
@@ -233,7 +233,10 @@ datasources:

 > This feature is available from v7.1

-You can manage plugins in Grafana by adding one or more YAML config files in the [`provisioning/plugins`]({{< relref "../../setup-grafana/configure-grafana/#provisioning" >}}) directory. Each config file can contain a list of `apps` that will be updated during start up. Grafana updates each app to match the configuration file.
+You can manage plugin applications in Grafana by adding one or more YAML config files in the [`provisioning/plugins`]({{< relref "../../setup-grafana/configure-grafana/#provisioning" >}}) directory. Each config file can contain a list of `apps` that will be updated during start up. Grafana updates each app to match the configuration file.
+
+> **Note:** This feature enables you to provision plugin configurations, not the plugins themselves.
+> The plugins must already be installed on the grafana instance

 ### Example plugin configuration file

@@ -12,7 +12,7 @@ weight: 300

 # Roles and permissions

-A _user_ is defined as any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions for an administrator to create and delete users.
+A _user_ is any individual who can log in to Grafana. Each user is associated with a _role_ that includes _permissions_. Permissions determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions for an administrator to create and delete users.

 You can assign a user one of three types of permissions:

@@ -92,16 +92,18 @@ The following table lists permissions for each role.

 ## Dashboard permissions

-When you want to extend a viewer's ability to edit and save dashboard changes or limit an editor's permission to modify a dashboard, you can assign permissions to dashboards and dashboard folders. For example, you might want a certain viewer to be able to to edit a dashboard. While that user can _see_ all dashboards, you can grant them access to _update_ only one of them.
+When you want to extend a viewer's ability to edit and save dashboard changes or limit an editor's permission to modify a dashboard, you can assign permissions to dashboards and dashboard folders. For example, you might want a certain viewer to be able to edit a dashboard. While that user can _see_ all dashboards, you can grant them access to _update_ only one of them.

 > Important: The dashboard permissions you specify override the organization permissions you assign to the user for the selected entity.

 You can specify the following permissions to dashboards and folders.

- **Admin**: Can create, edit, or delete a dashboard or folder. Administrators can also change dashboard and folder permissions.
- **Edit**: Can create and edit dashboards. Editors _cannot_ change folder or dashboard permissions, or add, edit, or delete folders.
+- **Admin**: Can create, edit, or delete a dashboard. Can edit or delete a folder. Administrators can also change dashboard and folder permissions.
+- **Edit**: Can create, edit, or delete a dashboard. Can edit or delete a folder. Editors _cannot_ change folder or dashboard permissions.
 - **View**: Can only view dashboards and folders.

+> Important: When a user creates a dashboard or a folder, he is set as **Admin** of it.
+
 For more information about assigning dashboard folder permissions, refer to [Grant dashboard folder permissions]({{< relref "../user-management/manage-dashboard-permissions/#grant-dashboard-folder-permissions" >}}).

 For more information about assigning dashboard permissions, refer to [Grant dashboard permissions]({{< relref "../user-management/manage-dashboard-permissions/#grant-dashboard-permissions" >}}).
@@ -14,6 +14,8 @@ weight: 120

 # Role-based access control (RBAC)

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 RBAC provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana resources, such as dashboards, reports, and administrative settings.

 {{< section >}}
@@ -11,45 +11,45 @@ weight: 40

 # Assign RBAC roles

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 In this topic you'll learn how to use the role picker, provisioning, and the HTTP API to assign fixed and custom roles to users and teams.

 ## Assign fixed roles in the UI using the role picker

 This section describes how to:

- Assign a fixed role to a user or team as an organization administrator.
+- Assign a fixed role to a user, team or service account as an organization administrator.
 - Assign a fixed role to a user as a server administrator. This approach enables you to assign a fixed role to a user in multiple organizations, without needing to switch organizations.

-In both cases, the assignment applies only to the user or team within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
-
-> **Note:** After you apply your changes, user and team permissions update immediately, and the UI reflects the new permissions the next time they reload their browser or visit another page.
+In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.

 <br/>

 **Before you begin:**

 - [Plan your RBAC rollout strategy]({{< relref "./plan-rbac-rollout-strategy/" >}}).
- Identify the fixed roles that you want to assign to the user or team.
+- Identify the fixed roles that you want to assign to the user, team or service account.

  For more information about available fixed roles, refer to [RBAC role definitions]({{< relref "./rbac-fixed-basic-role-definitions/" >}}).

 - Ensure that your own user account has the correct permissions:
-  - If you are assigning permissions to a user or team within an organization, you must have organization administrator or server administrator permissions.
+  - If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions.
  - If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions.
  - Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions.
  - Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.

 <br/>

-**To assign a fixed role to a user or team:**
+**To assign a fixed role to a user, team or service account:**

 1. Sign in to Grafana.
-2. Switch to the organization that contains the user or team.
+2. Switch to the organization that contains the user, team or service account.

   For more information about switching organizations, refer to [Switch organizations]({{< relref "../../user-management/user-preferences/_index.md#switch-organizations" >}}).

-3. Hover your cursor over **Configuration** (the gear icon) in the left navigation menu, and click **Users** or **Teams**.
-4. In the **Role** column, select the fixed role that you want to assign to the user or team.
+3. Hover your cursor over **Configuration** (the gear icon) in the left navigation menu, and click **Users** or **Teams** or **Service Accounts**.
+4. In the **Role** column, select the fixed role that you want to assign to the user, team or service account.
 5. Click **Update**.

 ![User role picker in an organization](/static/img/docs/enterprise/user_role_picker_in_org.png)
@@ -9,6 +9,8 @@ weight: 30

 # Configure RBAC in Grafana

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 The table below describes all RBAC configuration options. Like any other Grafana configuration, you can apply these options as [environment variables]({{< relref "../../../setup-grafana/configure-grafana/#configure-with-environment-variables" >}}).

 | Setting            | Required | Description                                                                  | Default |
@@ -10,6 +10,8 @@ weight: 80

 # RBAC permissions, actions, and scopes

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 A permission is comprised of an action and a scope. When creating a custom role, consider the actions the user can perform and the resource(s) on which they can perform those actions.

 To learn more about the Grafana resources to which you can apply RBAC, refer to [Resources with RBAC permissions]({{< relref "../#fixed-roles" >}}).
@@ -77,7 +79,7 @@ The following list contains role-based access control actions.
 | `licensing:read`                     | n/a                                                                                     | Read licensing information.                                                                                                                                                                      |
 | `licensing:write`                    | n/a                                                                                     | Update the license token.                                                                                                                                                                        |
 | `org.users:write`                    | `users:*` <br> `users:id:*`                                                             | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user.                                                                                                                         |
-| `org.users:add`                      | `users:*`                                                                               | Add a user to an organization.                                                                                                                                                                   |
+| `org.users:add`                      | `users:*`                                                                               | Add a user to an organization or invite a new user to an organization.                                                                                                                           |
 | `org.users:read`                     | `users:*` <br> `users:id:*`                                                             | Get user profiles within an organization.                                                                                                                                                        |
 | `org.users:remove`                   | `users:*` <br> `users:id:*`                                                             | Remove a user from an organization.                                                                                                                                                              |
 | `org:create`                         | n/a                                                                                     | Create an organization.                                                                                                                                                                          |
@@ -88,6 +90,7 @@ The following list contains role-based access control actions.
 | `orgs:delete`                        | `orgs:*` <br> `orgs:id:*`                                                               | Delete one or more organizations.                                                                                                                                                                |
 | `orgs:read`                          | `orgs:*` <br> `orgs:id:*`                                                               | Read one or more organizations.                                                                                                                                                                  |
 | `orgs:write`                         | `orgs:*` <br> `orgs:id:*`                                                               | Update one or more organizations.                                                                                                                                                                |
+| `plugins.app:access`                 | `plugins:*` <br> `plugins:id:*`                                                         | Access one or more application plugins (still enforcing the organization role)                                                                                                                   |
 | `provisioning:reload`                | `provisioners:*`                                                                        | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "#scope-definitions" >}}).                                                       |
 | `reports:create`                     | n/a                                                                                     | Create reports.                                                                                                                                                                                  |
 | `reports:write`                      | `reports:*` <br> `reports:id:*`                                                         | Update reports.                                                                                                                                                                                  |
@@ -101,6 +104,12 @@ The following list contains role-based access control actions.
 | `roles:write`                        | `permissions:type:delegate`                                                             | Create or update a custom role.                                                                                                                                                                  |
 | `roles:write`                        | `permissions:type:escalate`                                                             | Reset basic roles to their default permissions.                                                                                                                                                  |
 | `server.stats:read`                  | n/a                                                                                     | Read Grafana instance statistics.                                                                                                                                                                |
+| `serviceaccounts:write`              | `serviceaccounts:*`                                                                     | Create Grafana service accounts.                                                                                                                                                                 |
+| `serviceaccounts:create`             | n/a                                                                                     | Update Grafana service accounts.                                                                                                                                                                 |
+| `serviceaccounts:delete`             | `serviceaccounts:*`                                                                     | Delete Grafana service accounts.                                                                                                                                                                 |
+| `serviceaccounts:read`               | `serviceaccounts:*`                                                                     | Read Grafana service accounts.                                                                                                                                                                   |
+| `serviceaccounts.permissions:write`  | `serviceaccounts:*`                                                                     | Update Grafana service account permissions to control who can do what with the service account.                                                                                                  |
+| `serviceaccounts.permissions:read`   | `serviceaccounts:*`                                                                     | Read Grafana service account permissions to see who can do what with the service account.                                                                                                        |
 | `settings:read`                      | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../setup-grafana/configure-grafana/" >}})                                                                                            |
 | `settings:write`                     | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../enterprise/settings-updates/" >}}).                                                              |
 | `status:accesscontrol`               | `services:accesscontrol`                                                                | Get access-control enabled status.                                                                                                                                                               |
@@ -120,9 +129,9 @@ The following list contains role-based access control actions.
 | `users.permissions:write`            | `global.users:*` <br> `global.users:id:*`                                               | Update a user’s organization-level permissions.                                                                                                                                                  |
 | `users.quotas:read`                  | `global.users:*` <br> `global.users:id:*`                                               | List a user’s quotas.                                                                                                                                                                            |
 | `users.quotas:write`                 | `global.users:*` <br> `global.users:id:*`                                               | Update a user’s quotas.                                                                                                                                                                          |
-| `users.roles:add`                    | `permissions:type:delegate`                                                             | Assign a role to a user.                                                                                                                                                                         |
-| `users.roles:read`                   | `users:*`                                                                               | List roles assigned directly to a user.                                                                                                                                                          |
-| `users.roles:remove`                 | `permissions:type:delegate`                                                             | Unassign a role from a user.                                                                                                                                                                     |
+| `users.roles:add`                    | `permissions:type:delegate`                                                             | Assign a role to a user or a service account.                                                                                                                                                    |
+| `users.roles:read`                   | `users:*`                                                                               | List roles assigned directly to a user or a service account.                                                                                                                                     |
+| `users.roles:remove`                 | `permissions:type:delegate`                                                             | Unassign a role from a user or a service account.                                                                                                                                                |
 | `users:create`                       | n/a                                                                                     | Create a user.                                                                                                                                                                                   |
 | `users:delete`                       | `global.users:*` <br> `global.users:id:*`                                               | Delete a user.                                                                                                                                                                                   |
 | `users:disable`                      | `global.users:*` <br> `global.users:id:*`                                               | Disable a user.                                                                                                                                                                                  |
@@ -135,21 +144,22 @@ The following list contains role-based access control actions.

 The following list contains role-based access control scopes.

-| Scopes                                    | Descriptions                                                                                                                                                                                                                                       |
-| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `annotations:*`<br>`annotations:type:*`   | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
-| `apikeys:*`<br>`apikeys:id:*`             | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`.                                                                                                          |
-| `dashboards:*`<br>`dashboards:uid:*`      | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`.                                                                                       |
-| `datasources:*`<br>`datasources:uid:*`    | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`.                                                                               |
-| `folders:*`<br>`folders:uid:*`            | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`.                                                                                                      |
-| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`.                                                                                              |
-| `orgs:*` <br> `orgs:id:*`                 | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`.                                                                                             |
-| `permissions:type:delegate`               | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.                                     |
-| `permissions:type:escalate`               | The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have.                                                                                  |
-| `provisioners:*`                          | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./rbac-provisioning/" >}}).                   |
-| `reports:*` <br> `reports:id:*`           | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`.                                                                                                         |
-| `roles:*` <br> `roles:uid:*`              | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`.                                                                                            |
-| `services:accesscontrol`                  | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions.                                                                                                  |
-| `settings:*`                              | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings.                   |
-| `teams:*` <br> `teams:id:*`               | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`.                                                                                              |
-| `users:*` <br> `users:id:*`               | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`.                                                                                              |
+| Scopes                                          | Descriptions                                                                                                                                                                                                                                       |
+| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `annotations:*`<br>`annotations:type:*`         | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
+| `apikeys:*`<br>`apikeys:id:*`                   | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`.                                                                                                          |
+| `dashboards:*`<br>`dashboards:uid:*`            | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`.                                                                                       |
+| `datasources:*`<br>`datasources:uid:*`          | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`.                                                                               |
+| `folders:*`<br>`folders:uid:*`                  | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`.                                                                                                      |
+| `global.users:*` <br> `global.users:id:*`       | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`.                                                                                              |
+| `orgs:*` <br> `orgs:id:*`                       | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`.                                                                                             |
+| `permissions:type:delegate`                     | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.                                     |
+| `permissions:type:escalate`                     | The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have.                                                                                  |
+| `provisioners:*`                                | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./rbac-provisioning/" >}}).                   |
+| `reports:*` <br> `reports:id:*`                 | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`.                                                                                                         |
+| `roles:*` <br> `roles:uid:*`                    | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`.                                                                                            |
+| `services:accesscontrol`                        | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions.                                                                                                  |
+| `serviceaccounts:*` <br> `serviceaccounts:id:*` | Restrict an action to a set of service account from an organization. For example, `serviceaccounts:*` matches any service account and `serviceaccount:id:1` matches the service account whose ID is `1`.                                           |
+| `settings:*`                                    | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings.                   |
+| `teams:*` <br> `teams:id:*`                     | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`.                                                                                              |
+| `users:*` <br> `users:id:*`                     | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`.                                                                                              |
@@ -12,6 +12,8 @@ weight: 50

 # Manage RBAC roles

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 This section includes instructions for how to view permissions associated with roles, create custom roles, and update and delete roles.

 The following example includes the base64 username:password Basic Authorization. You cannot use authorization tokens in the request.
@@ -11,6 +11,8 @@ weight: 20

 # Plan your RBAC rollout strategy

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 An RBAC rollout strategy helps you determine _how_ you want to implement RBAC prior to assigning RBAC roles to users and teams.

 Your rollout strategy should help you answer the following questions:
@@ -239,3 +241,53 @@ roles:
 ```

 - Or use [RBAC HTTP API]({{< relref "../../../developers/http_api/access_control/#update-a-role" >}}).
+
+### Prevent Viewers from accessing an App Plugin
+
+By default, Viewers, Editors and Admins have access to all App Plugins that their organization role allows them to access.
+To change this default behavior and prevent Viewers from accessing an App plugin, you must [update a basic role's permissions]({{< relref "./manage-rbac-roles/#update-basic-role-permissions" >}}).
+
+In this example, three App plugins have been installed and enabled:
+| Name | ID | Required Org role |
+|--------------------|-----------------------------|-------------------|
+| On Call | grafana-oncall-app | Viewer |
+| Kentik Connect Pro | kentik-connect-app | Viewer |
+| Enterprise logs | grafana-enterprise-logs-app | Admin |
+
+By default, Viewers will hence be able to see both, On Call and Kentik Connect Pro App plugins.
+If you want to revoke their access to the On Call App plugin, you need to:
+
+1. Remove the permission to access all application plugins:
+   | Action | Scope |
+   |----------------------|-------------|
+   | `plugins.app:access` | `plugins:*` |
+1. Grant the permission to access the Kentik Connect Pro App plugin only:
+   | Action | Scope |
+   |----------------------|---------------------------------|
+   | `plugins.app:access` | `plugins:id:kentik-connect-app` |
+
+Here are two ways to achieve this:
+
+- Use the `role > from` list and `permission > state` option of your provisioning file:
+
+```yaml
+---
+apiVersion: 2
+
+roles:
+  - name: 'basic:viewer'
+    version: 8
+    global: true
+    from:
+      - name: 'basic:viewer'
+        global: true
+    permissions:
+      - action: 'plugins.app:access'
+        scope: 'plugins:*'
+        state: 'absent'
+      - action: 'plugins.app:access'
+        scope: 'plugins:id:kentik-connect-app'
+        state: 'present'
+```
+
+- Or use [RBAC HTTP API]({{< relref "../../../developers/http_api/access_control/#update-a-role" >}}).
@@ -11,6 +11,8 @@ weight: 70

 # RBAC role definitions

+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).
+
 The following tables list permissions associated with basic and fixed roles.

 ## Basic role assignments
@@ -20,7 +22,7 @@ The following tables list permissions associated with basic and fixed roles.
 | Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer`                                                                                                                                                                                                                  | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments.            |
 | Admin         | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:reader`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:reader`<br>`fixed:dashboards.permissions:writer`<br>`fixed:folders:reader`<br>`fixes:folders:writer`<br>`fixed:folders.permissions:reader`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:apikeys:reader`<br>`fixed:apikeys:writer`<br>`fixed:alerting.provisioning:writer` | Default [Grafana organization administrator]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
 | Editor        | `fixed:datasources:explorer`<br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled<br>`fixed:alerting:writer`                                                                                                                                                                                                                                                                                                                                                                                                                           | Default [Editor]({{< relref "../#organization-users-and-permissions" >}}) assignments.                             |
-| Viewer        | `fixed:datasources:id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments.                             |
+| Viewer        | `fixed:datasources:id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments.                             |

 ## Fixed role definitions

@@ -61,16 +63,20 @@ The following tables list permissions associated with basic and fixed roles.
 | `fixed:licensing:reader`               | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                         | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
 | `fixed:licensing:writer`               | All permissions from `fixed:licensing:viewer` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                        | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
 | `fixed:org.users:reader`               | `org.users:read`                                                                                                                                                                                                                                                     | Read users within a single organization.                                                                                                                                                                                                                                              |
-| `fixed:org.users:writer`               | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                     | Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                            |
+| `fixed:org.users:writer`               | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                     | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
 | `fixed:organization:maintainer`        | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                      | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
 | `fixed:organization:reader`            | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                    | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
 | `fixed:organization:writer`            | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                        | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
+| `fixed:plugins.app:reader`             | `plugins.app:access`                                                                                                                                                                                                                                                 | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
 | `fixed:provisioning:writer`            | `provisioning:reload`                                                                                                                                                                                                                                                | Reload provisioning.                                                                                                                                                                                                                                                                  |
 | `fixed:reports:reader`                 | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                          | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
 | `fixed:reports:writer`                 | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                              | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
 | `fixed:roles:reader`                   | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                 | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
 | `fixed:roles:writer`                   | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                          | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
 | `fixed:roles:resetter`                 | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                 | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
+| `fixed:serviceaccounts:reader`         | `serviceaccounts:read`                                                                                                                                                                                                                                               | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
+| `fixed:serviceaccounts:creator`        | `serviceaccounts:create`                                                                                                                                                                                                                                             | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
+| `fixed:serviceaccounts:writer`         | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                               | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
 | `fixed:settings:reader`                | `settings:read`                                                                                                                                                                                                                                                      | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
 | `fixed:settings:writer`                | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                 | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
 | `fixed:stats:reader`                   | `server.stats:read`                                                                                                                                                                                                                                                  | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
@@ -10,9 +10,9 @@ weight: 60

 # Grafana RBAC provisioning

-You can create, change or remove [Custom roles]({{< relref "./manage-rbac-roles/#create-custom-roles-using-provisioning" >}}) and create or remove [basic role assignments]({{< relref "./assign-rbac-roles/#assign-a-fixed-role-to-a-basic-role-using-provisioning" >}}), by adding one or more YAML configuration files in the `provisioning/access-control/` directory.
+> **Note:** Available in [Grafana Enterprise]({{< relref "../../enterprise/" >}}) and [Grafana Cloud Advanced]({{< ref "/docs/grafana-cloud" >}}).

-If you choose to use provisioning to assign and manage role, you must first enable it.
+You can create, change or remove [Custom roles]({{< relref "./manage-rbac-roles/#create-custom-roles-using-provisioning" >}}) and create or remove [basic role assignments]({{< relref "./assign-rbac-roles/#assign-a-fixed-role-to-a-basic-role-using-provisioning" >}}), by adding one or more YAML configuration files in the `provisioning/access-control/` directory.

 Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect.

@@ -16,15 +16,9 @@ weight: 800

 # Service accounts

-You can use service accounts to run automated or compute workloads.
+You can use a service account to run automated workloads in Grafana, such as dashboard provisioning, configuration, or report generation. Create service accounts and tokens to authenticate applications, such as Terraform, with the Grafana API.

-{{< section >}}
-
-## About service accounts
-
-A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. Create service accounts and tokens to authenticate applications like Terraform with the Grafana API.
-
-> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature. To enable service accounts, refer to the [Enable service accounts]({{< ref "#enable-service-accounts" >}}) section. Service accounts will eventually replace [API keys]({{< relref "../api-keys/" >}}) as the primary way to authenticate applications that interact with Grafana.
+> **Note:** Service accounts will eventually replace [API keys]({{< relref "../api-keys/" >}}) as the primary way to authenticate applications that interact with Grafana.

 A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to:

@@ -59,47 +53,16 @@ The added benefits of service accounts to API keys include:
 - Unlike API keys, service account tokens are not associated with a specific user, which means that applications can be authenticated even if a Grafana user is deleted.
 - You can grant granular permissions to service accounts by leveraging [role-based access control]({{< relref "../roles-and-permissions/access-control/" >}}). For more information about permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/" >}}).

-## Enable service accounts in Grafana
-
-Service accounts are available behind the `serviceAccounts` feature toggle, available in Grafana 8.5+.
-
-You can enable service accounts by:
-
- modifying the Grafana configuration file, or
- configuring an environment variable
-
-### Enable service accounts in the Grafana configuration file
-
-This topic shows you how to enable service accounts by modifying the Grafana configuration file.
-
-1. Sign in to the Grafana server and locate the configuration file. For more information about finding the configuration file, refer to LINK.
-2. Open the configuration file and locate the [feature toggles section]({{< relref "../../setup-grafana/configure-grafana/#feature_toggles" >}}). Add `serviceAccounts` as a [feature_toggle]({{< relref "../../setup-grafana/configure-grafana/#feature_toggle" >}}).
-
-```
-[feature_toggles]
-# enable features, separated by spaces
-enable = serviceAccounts
-```
-
-1. Save your changes, Grafana should recognize your changes; in case of any issues we recommend restarting the Grafana server.
-
-### Enable service accounts with an environment variable
-
-This topic shows you how to enable service accounts by setting environment variables before starting Grafana.
-
-Follow the instructions to [override configuration with environment variables]({{< relref "../../setup-grafana/configure-grafana/#override-configuration-with-environment-variables" >}}). Set the following environment variable: `GF_FEATURE_TOGGLES_ENABLE = serviceAccounts`.
-
-> **Note:** Environment variables override configuration file settings.
-
 ## Create a service account in Grafana

 A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. For more information about how you can use service accounts, refer to [About service accounts]({{< ref "#about-service-accounts" >}}).

 For more information about creating service accounts via the API, refer to [Create a service account in the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account" >}}).

+Note that the user who created a service account will also be able to read, update and delete the service account that they created, as well as permissions associated with that service account.
+
 ### Before you begin

- Ensure you have added the feature toggle for service accounts `serviceAccounts`. For more information about adding the feature toggle, refer to [Enable service accounts]({{< ref "#enable-service-accounts" >}}).
 - Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).

 ### To create a service account
@@ -121,7 +84,6 @@ You can create a service account token using the Grafana UI or via the API. For

 ### Before you begin

- Ensure you have added the `serviceAccounts` feature toggle to Grafana. For more information about adding the feature toggle, refer to [Enable service accounts]({{< ref "#enable-service-accounts" >}}).
 - Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).

 ### To add a token to a service account
@@ -135,3 +97,56 @@ You can create a service account token using the Grafana UI or via the API. For
   - The expiry date specifies how long you want the key to be valid.
   - If you are unsure of an expiration date, we recommend that you set the token to expire after a short time, such as a few hours or less. This limits the risk associated with a token that is valid for a long time.
 1. Click **Generate service account token**.
+
+## Assign roles to a service account in Grafana
+
+You can assign roles to a Grafana service account to control access for the associated service account tokens.
+You can assign roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#update-service-account" >}}).
+
+In [Grafana Enterprise]({{< relref "../../enterprise/" >}}), you can also [assign RBAC roles]({{< relref "../roles-and-permissions/access-control/assign-rbac-roles" >}}) to grant very specific permissions to applications that interact with Grafana.
+
+### Before you begin
+
+- Ensure you have permission to update service accounts roles. By default, the organization administrator role is required to update service accounts permissions. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
+
+### To assign a role to a service account
+
+1. Sign in to Grafana, then hover your cursor over **Configuration** (the gear icon) in the sidebar.
+1. Click **Service accounts**.
+1. Click the service account to which you want to assign a role. As an alternative, find the service account in the list view.
+1. Assign a role using the role picker.
+1. Click **Update**.
+
+## Manage users and teams permissions for a service account in Grafana
+
+To control what and who can do with the service account you can assign permissions directly to users and teams. You can assign permissions using the Grafana UI.
+
+### Before you begin
+
+- Ensure you have permission to update user and team permissions of a service accounts. By default, the organization administrator role is required to update user and teams permissions for a service account. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}).
+- Ensure you have permission to read teams.
+
+### User and team permissions for a service account
+
+You can assign on of the following permissions to a specific user or a team:
+
+1. **Edit**: A user or a team with this permission can view, edit, enable and disable a service account, and add or delete service account tokens.
+1. **Admin**: User or a team with this permission will be able to everything from **Edit** permission, as well as manage user and team permissions for a service account.
+
+### To update team permissions for a service account
+
+1. Sign in to Grafana, then hover your cursor over **Configuration** (the gear icon) in the sidebar.
+1. Click **Service accounts**.
+1. Click the service account for which you want to update team permissions a role.
+1. In the **Permissions** section at the bottom, click **Add permission**.
+1. Choose **Team** in the dropdown and select your desired team.
+1. Choose **View**, **Edit** or **Admin** role in the dropdown and click **Save**.
+
+### To update user permissions for a service account
+
+1. Sign in to Grafana, then hover your cursor over **Configuration** (the gear icon) in the sidebar.
+1. Click **Service accounts**.
+1. Click the service account for which you want to update team permissions a role.
+1. In the **Permissions** section at the bottom, click **Add permission**.
+1. Choose **User** in the dropdown and select your desired user.
+1. Choose **View**, **Edit** or **Admin** role in the dropdown and click **Save**.
@@ -51,7 +51,8 @@ Add a team member to an existing team whenever you want to provide access to tea
 1. Sign in to Grafana as an organization administrator.
 1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
 1. Click the name of the team to which you want to add members, and click **Add member**.
-1. In the **Add team member** field, locate and select a user.
+1. Locate and select a user.
+1. Choose if you want to add the user as a team Member or an Admin.
 1. Click **Add to team**.

 ![Add team member](/static/img/docs/manage-users/add-team-member-7-3.png)
@@ -69,14 +70,14 @@ Complete this task when you want to add or modify team member permissions.
 1. Sign in to Grafana as an organization administrator or a team administrator.
 1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**.
 1. Click the name of the team for which you want to add or modify team member permissions.
-1. In the team member list, find and click the user account that you want to change. You can use the search field to filter the list if necessary.
+1. In the team member list, find and click the user that you want to change. You can use the search field to filter the list if necessary.
 1. Click the **Permission** list, and then click the new user permission level.

 ![Change team member permissions](/static/img/docs/manage-users/change-team-permissions-7-3.png)

 ## Remove a team member

-You can remove a team member when you no longer want to apply team permissions to the user.
+You can remove a team member when you no longer want to apply team permissions to the user

 ### Before you begin

@@ -11,7 +11,7 @@ weight: 114

 Grafana Alerting allows you to learn about problems in your systems moments after they occur. Create, manage, and take action on your alerts in a single, consolidated view, and improve your team’s ability to identify and resolve issues quickly.

-Grafana Alerting is available for for Grafana OSS, Grafana Enterprise, or Grafana Cloud. With Mimir and Loki alert rules you can run alert expressions closer to your data and at massive scale, all managed by the Grafana UI you are already familiar with.
+Grafana Alerting is available for Grafana OSS, Grafana Enterprise, or Grafana Cloud. With Mimir and Loki alert rules you can run alert expressions closer to your data and at massive scale, all managed by the Grafana UI you are already familiar with.

 Watch this video to learn more about Grafana Alerting: {{< vimeo 720001629 >}}

@@ -69,4 +69,4 @@ With mute timings, you can specify a time interval when you don’t want new not

 - [Role-based access control]({{< relref "../administration/roles-and-permissions/access-control/" >}}) in Grafana Enterprise.

- [Alertmanager]({{< relref "fundamentals/alertmanager/" >}}) and [High availability]({{< relref "high-availability/_index/" >}})
+- [Alertmanager]({{< relref "fundamentals/alertmanager/" >}}) and [High availability]({{< relref "./high-availability/" >}})
@@ -21,7 +21,7 @@ As an example, if the current Prometheus version is `2.31.1`, we support >= `2.2

 ## Grafana is not an alert receiver

-Grafana is not an alert receiver; is it an alert generator. This means that Grafana cannot receive alerts from anything other than its internal alert generator.
+Grafana is not an alert receiver; it is an alert generator. This means that Grafana cannot receive alerts from anything other than its internal alert generator.

 Receiving alerts from Prometheus (or anything else) is not supported at the time.

@@ -15,7 +15,7 @@ weight: 400

 # Create a Grafana managed alerting rule

-Grafana allows you to create alerting rules that query one or more data sources, reduce or transform the results and compare them to each other or to fix thresholds. When these are executed, Grafana sends notifications to the contact point. For information on Grafana Alerting, see [About Grafana Alerting]({{< relref "../about-alerting/" >}}) which explains the various components of Grafana Alerting. We also recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "../fundamentals/" >}}) of Grafana Alerting.
+Grafana allows you to create alerting rules that query one or more data sources, reduce or transform the results and compare them to each other or to fix thresholds. When these are executed, Grafana sends notifications to the contact point. For information on Grafana Alerting, see [About Grafana Alerting]({{< relref "../" >}}) which explains the various components of Grafana Alerting. We also recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "../fundamentals/" >}}) of Grafana Alerting.

 Watch this video to learn more about creating alerts: {{< vimeo 720001934 >}}

@@ -27,7 +27,7 @@ You can create and manage recording rules for an external Grafana Mimir or Loki

  - **Loki** - The `local` rule storage type, default for the Loki data source, supports only viewing of rules. To edit rules, configure one of the other rule storage types.

-  - **Grafana Mimir** - use the [legacy `/api/prom` prefix](https://grafana.com/docs/mimir/latest/operators-guide/reference-http-api/#path-prefixes), not `/prometheus`. The Prometheus data source supports both Grafana Mimir and Prometheus, and Grafana expects that both the [Query API](https://grafana.com/docs/mimir/latest/operators-guide/reference-http-api/#querier--query-frontend) and [Ruler API](https://grafana.com/docs/mimir/latest/operators-guide/reference-http-api/#ruler) are under the same URL. You cannot provide a separate URL for the Ruler API.
+  - **Grafana Mimir** - use the `/prometheus` prefix. The Prometheus data source supports both Grafana Mimir and Prometheus, and Grafana expects that both the [Query API](https://grafana.com/docs/mimir/latest/operators-guide/reference-http-api/#querier--query-frontend) and [Ruler API](https://grafana.com/docs/mimir/latest/operators-guide/reference-http-api/#ruler) are under the same URL. You cannot provide a separate URL for the Ruler API.

 > **Note:** If you do not want to manage alerting rules for a particular Loki or Prometheus data source, go to its settings and clear the **Manage alerts via Alerting UI** checkbox.

@@ -17,7 +17,7 @@ weight: 400

 # Create a Grafana Mimir or Loki managed alerting rule

-Grafana allows you to create alerting rules for an external Grafana Mimir or Loki instance that has ruler API enabled. For information on Grafana Alerting, see [About Grafana Alerting]({{< relref "../about-alerting/" >}}) which explains the various components of Grafana Alerting. We also recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "../fundamentals/" >}}) of Grafana Alerting.
+Grafana allows you to create alerting rules for an external Grafana Mimir or Loki instance that has ruler API enabled. For information on Grafana Alerting, see [About Grafana Alerting]({{< relref "../" >}}) which explains the various components of Grafana Alerting. We also recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "../fundamentals/" >}}) of Grafana Alerting.

 ## Before you begin

@@ -20,7 +20,7 @@ Use contact points to define how your contacts are notified when an alert fires.

 You can configure Grafana managed contact points as well as contact points for an [external Alertmanager data source]({{< relref "../../datasources/alertmanager/" >}}). For more information, see [Alertmanager]({{< relref "../fundamentals/alertmanager/" >}}).

-Before you begin, see [About Grafana Alerting]({{< relref "../about-alerting/" >}}) which explains the various components of Grafana Alerting. We also recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "../fundamentals/" >}}) of Grafana Alerting.
+Before you begin, see [Grafana Alerting]({{< relref "../../alerting/" >}}) which explains the various components of Grafana Alerting. We also recommend that you familiarize yourself with some of the [fundamental concepts]({{< relref "../fundamentals/" >}}) of Grafana Alerting.

 - [Create contact point]({{< relref "create-contact-point/" >}})
 - [Edit contact point]({{< relref "edit-contact-point/" >}})
@@ -10,33 +10,33 @@ keywords:
  - guide
  - contact point
  - templating
-title: List of notifiers
+title: List of contact point types
 weight: 130
 ---

-# List of supported notifiers
+# List of supported contact point types

-The following table lists the notifiers (contact point types) supported by Grafana.
+The following table lists the contact point types supported by Grafana.

-| Name                                          | Type                      | Grafana Alertmanager | Other Alertmanagers                                                                                      |
-| --------------------------------------------- | ------------------------- | -------------------- | -------------------------------------------------------------------------------------------------------- |
-| [DingDing](#dingdingdingtalk)                 | `dingding`                | Supported            | N/A                                                                                                      |
-| [Discord](#discord)                           | `discord`                 | Supported            | N/A                                                                                                      |
-| [Email](#email)                               | `email`                   | Supported            | Supported                                                                                                |
-| [Google Hangouts Chat](#google-hangouts-chat) | `googlechat`              | Supported            | N/A                                                                                                      |
-| [Kafka](#kafka)                               | `kafka`                   | Supported            | N/A                                                                                                      |
-| Line                                          | `line`                    | Supported            | N/A                                                                                                      |
-| Microsoft Teams                               | `teams`                   | Supported            | N/A                                                                                                      |
-| [Opsgenie](#opsgenie)                         | `opsgenie`                | Supported            | Supported                                                                                                |
-| [Pagerduty](#pagerduty)                       | `pagerduty`               | Supported            | Supported                                                                                                |
-| Prometheus Alertmanager                       | `prometheus-alertmanager` | Supported            | N/A                                                                                                      |
-| [Pushover](#pushover)                         | `pushover`                | Supported            | Supported                                                                                                |
-| Sensu                                         | `sensu`                   | Supported            | N/A                                                                                                      |
-| [Sensu Go](#sensu-go)                         | `sensugo`                 | Supported            | N/A                                                                                                      |
-| [Slack](#slack)                               | `slack`                   | Supported            | Supported                                                                                                |
-| Telegram                                      | `telegram`                | Supported            | N/A                                                                                                      |
-| Threema                                       | `threema`                 | Supported            | N/A                                                                                                      |
-| VictorOps                                     | `victorops`               | Supported            | Supported                                                                                                |
-| [Webhook](#webhook)                           | `webhook`                 | Supported            | Supported ([different format](https://prometheus.io/docs/alerting/latest/configuration/#webhook_config)) |
-| [WeCom](#wecom)                               | `wecom`                   | Supported            | N/A                                                                                                      |
-| [Zenduty](#zenduty)                           | `webhook`                 | Supported            | N/A                                                                                                      |
+| Name                                             | Type                      | Grafana Alertmanager | Other Alertmanagers                                                                                      |
+| ------------------------------------------------ | ------------------------- | -------------------- | -------------------------------------------------------------------------------------------------------- |
+| [DingDing](https://www.dingtalk.com/en)          | `dingding`                | Supported            | N/A                                                                                                      |
+| [Discord](https://discord.com/)                  | `discord`                 | Supported            | N/A                                                                                                      |
+| [Email](#email)                                  | `email`                   | Supported            | Supported                                                                                                |
+| [Google Hangouts](https://hangouts.google.com/)  | `googlechat`              | Supported            | N/A                                                                                                      |
+| [Kafka](https://kafka.apache.org/)               | `kafka`                   | Supported            | N/A                                                                                                      |
+| [Line](https://line.me/en/)                      | `line`                    | Supported            | N/A                                                                                                      |
+| [Microsoft Teams](https://teams.microsoft.com/)  | `teams`                   | Supported            | N/A                                                                                                      |
+| [Opsgenie](https://atlassian.com/opsgenie/)      | `opsgenie`                | Supported            | Supported                                                                                                |
+| [Pagerduty](https://www.pagerduty.com/)          | `pagerduty`               | Supported            | Supported                                                                                                |
+| [Prometheus Alertmanager](https://prometheus.io) | `prometheus-alertmanager` | Supported            | N/A                                                                                                      |
+| [Pushover](https://pushover.net/)                | `pushover`                | Supported            | Supported                                                                                                |
+| [Sensu](https://sensu.io/)                       | `sensu`                   | Supported            | N/A                                                                                                      |
+| [Sensu Go](https://docs.sensu.io/sensu-go/)      | `sensugo`                 | Supported            | N/A                                                                                                      |
+| [Slack](https://slack.com/)                      | `slack`                   | Supported            | Supported                                                                                                |
+| [Telegram](https://telegram.org/)                | `telegram`                | Supported            | N/A                                                                                                      |
+| [Threema](https://threema.ch/)                   | `threema`                 | Supported            | N/A                                                                                                      |
+| [VictorOps](https://help.victorops.com/)         | `victorops`               | Supported            | Supported                                                                                                |
+| [Webhook](#webhook)                              | `webhook`                 | Supported            | Supported ([different format](https://prometheus.io/docs/alerting/latest/configuration/#webhook_config)) |
+| [WeCom](#wecom)                                  | `wecom`                   | Supported            | N/A                                                                                                      |
+| [Zenduty](https://www.zenduty.com/)              | `webhook`                 | Supported            | N/A                                                                                                      |
@@ -16,7 +16,7 @@ weight: 401

 # Annotations and labels for alerting rules

-Annotations and labels are key value pairs associated with alerts originating from the alerting rule, datasource response, and as a result of alerting rule evaluation. They can be used in alert notifications directly or in [templates]({{< relref "../../contact-points/message-templating/" >}}) and [template functions]({{< relref "../../contact-points/message-templating/template-functions/" >}}) to create notification contact dynamically.
+Annotations and labels are key value pairs associated with alerts originating from the alerting rule, datasource response, and as a result of alerting rule evaluation. They can be used in alert notifications directly or in [templates]({{< relref "../../contact-points/message-templating/" >}}) and [template functions]({{< relref "../../contact-points/fundamentals/annotation-label/template-functions/" >}}) to create notification contact dynamically.

 ## Annotations

@@ -1,9 +1,7 @@
 ---
 aliases:
  - /docs/grafana/latest/alerting/contact-points/message-templating/example-template-functions/
-  - /docs/grafana/latest/alerting/contact-points/message-templating/template-functions/
-  - /docs/grafana/latest/alerting/message-templating/template-functions/
-  - /docs/grafana/latest/alerting/unified-alerting/message-templating/template-functions/
+  - /docs/grafana/latest/alerting/fundamentals/annotation-label/example-template-functions/
 keywords:
  - grafana
  - alerting
@@ -26,6 +26,7 @@ This topic explains why labels are a fundamental component of alerting.
 # Grafana reserved labels

 > **Note:** Labels prefixed with `grafana_` are reserved by Grafana for special use. If a manually configured label is added beginning with `grafana_` it may be overwritten in case of collision.
+> To stop the Grafana Alerting engine from adding a reserved label, you can disable it via the `disabled_labels` option in [unified_alerting.reserved_labels]({{< relref "../../../setup-grafana/configure-grafana/#unified_alertingreserved_labels" >}}) configuration.

 Grafana reserved labels can be used in the same way as manually configured labels. The current list of available reserved labels are:

@@ -3,6 +3,8 @@ aliases:
  - /docs/grafana/latest/alerting/contact-points/message-templating/template-functions/
  - /docs/grafana/latest/alerting/message-templating/template-functions/
  - /docs/grafana/latest/alerting/unified-alerting/message-templating/template-functions/
+  - /docs/grafana/latest/alerting/fundamentals/annotation-label/template-functions/
+  - /docs/grafana/latest/alerting/unified-alerting/fundamentals/annotation-label/template-functions/
 keywords:
  - grafana
  - alerting
@@ -15,7 +17,7 @@ weight: 125

 # Template Functions

-Template functions allow you to process labels and annotations to generate dynamic notifications.
+Template functions allow you to process alert evaluation results to generate dynamic notifications.

 | Name                                      | Argument type                                                | Return type            | Description                                                                                                                                 |
 | ----------------------------------------- | ------------------------------------------------------------ | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -0,0 +1,39 @@
+---
+aliases:
+  - /docs/grafana/latest/alerting/fundamentals/data-source-alerting/
+description: Data sources in Grafana Alerting
+title: Data sources
+weight: 100
+---
+
+# Data sources
+
+There are a number of data sources that are compatible with Grafana Alerting. Each data source is supported by a plugin. You can use one of the built-in data sources listed below, use [external data source plugins](https://grafana.com/grafana/plugins/?type=datasource), or create your own data source plugin.
+
+If you are creating your own data source plugin, make sure it is a backend plugin as Grafana Alerting requires this in order to be able to evaluate rules using the data source. Frontend data sources are not supported, because the evaluation engine runs on the backend.
+
+Specifying { "alerting": true, “backend”: true } in the plugin.json file indicates that the data source plugin is compatible with Grafana Alerting and includes the backend data-fetching code. For more information, refer to [Build a data source backend plugin](https://grafana.com/tutorials/build-a-data-source-backend-plugin/).
+
+These are the data sources that are compatible with and supported by Grafana Alerting.
+
+- [AWS CloudWatch]({{< relref "../../datasources/aws-cloudwatch/" >}})
+- [Azure Monitor]({{< relref "../../datasources/azuremonitor/" >}})
+- [Elasticsearch]({{< relref "../../datasources/elasticsearch/" >}})
+- [Google Cloud Monitoring]({{< relref "../../datasources/google-cloud-monitoring/" >}})
+- [Graphite]({{< relref "../../datasources/graphite/" >}})
+- [InfluxDB]({{< relref "../../datasources/influxdb/" >}})
+- [Loki]({{< relref "../../datasources/loki/" >}})
+- [Microsoft SQL Server MSSQL]({{< relref "../../datasources/mssql/" >}})
+- [MySQL]({{< relref "../../datasources/mysql/" >}})
+- [Open TSDB]({{< relref "../../datasources/opentsdb/" >}})
+- [PostgreSQL]({{< relref "../../datasources/postgres/" >}})
+- [Prometheus]({{< relref "../../datasources/prometheus/" >}})
+- [Jaeger]({{< relref "../../datasources/jaeger/" >}})
+- [Zipkin]({{< relref "../../datasources/zipkin/" >}})
+- [Tempo]({{< relref "../../datasources/tempo/" >}})
+- [Testdata]({{< relref "../../datasources/testdata/" >}})
+
+## Useful links
+
+- [Grafana data sources]({{< relref "../../datasources/" >}})
+- [Add a data source]({{< relref "../../datasources/add-a-data-source/" >}})
@@ -11,7 +11,7 @@ title: Images in notifications

 # Images in notifications

-Images in notifications helps recipients of alert notifications better understand why an alert has fired or resolved by including an image of the panel for the Grafana managed alert rule.
+Images in notifications helps recipients of alert notifications better understand why an alert has fired or resolved by including an image of the panel associated with the Grafana managed alert rule.

 > **Note**: Images in notifications are not available for Grafana Mimir and Loki managed alert rules, or when Grafana is set up to send alert notifications to an external Alertmanager.

@@ -20,6 +20,8 @@ If Grafana is set up to send images in notifications, it takes a screenshot of t
 1. The alert rule transitions from pending to firing
 2. The alert rule transitions from firing to OK

+Grafana does not support images for alert rules that are not associated with a panel. An alert rule is associated with a panel when it has both Dashboard UID and Panel ID annotations.
+
 Images are stored in the [data]({{< relref "../setup-grafana/configure-grafana/#paths" >}}) path and so Grafana must have write-access to this path. If Grafana cannot write to this path then screenshots cannot be saved to disk and an error will be logged for each failed screenshot attempt. In addition to storing images on disk, Grafana can also store the image in an external image store such as Amazon S3, Azure Blob Storage, Google Cloud Storage and even Grafana where screenshots are stored in `public/img/attachments`. Screenshots older than `temp_data_lifetime` are deleted from disk but not the external image store. If Grafana is the external image store then screenshots are deleted from `data` but not from `public/img/attachments`.

 > **Note**: It is recommended that you use an external image store, as not all contact points support uploading images from disk. It is also possible that the image on disk is deleted before an alert notification is sent if `temp_data_lifetime` is less than the `group_wait` and `group_interval` options used in Alertmanager.
@@ -32,8 +34,8 @@ To use images in notifications, Grafana must be set up to use [image rendering](

 If Grafana has been set up to use [image rendering]({{< relref "../setup-grafana/image-rendering/" >}}) images in notifications can be turned on via the `capture` option in `[unified_alerting.screenshots]`:

-    # Enable screenshots in notifications. This option requires a remote HTTP image rendering service. Please
-    # see [rendering] for further configuration options.
+    # Enable screenshots in notifications. This option requires the Grafana Image Renderer plugin.
+    # For more information on configuration options, refer to [rendering].
    capture = true

 It is recommended that `max_concurrent_screenshots` is set to a value that is less than or equal to `concurrent_render_request_limit`. The default value for both `max_concurrent_screenshots` and `concurrent_render_request_limit` is `5`:
@@ -69,7 +71,7 @@ Images in notifications are supported in the following notifiers and additional
 | Opsgenie                | No                      | Yes                     |
 | Pagerduty               | No                      | Yes                     |
 | Prometheus Alertmanager | No                      | No                      |
-| Pushover                | No                      | No                      |
+| Pushover                | Yes                     | No                      |
 | Sensu Go                | No                      | No                      |
 | Slack                   | No                      | Yes                     |
 | Telegram                | No                      | No                      |
@@ -3,6 +3,7 @@ aliases:
  - /docs/grafana/latest/alerting/migrating-alerts/
  - /docs/grafana/latest/alerting/unified-alerting/
  - /docs/grafana/latest/alerting/unified-alerting/difference-old-new/
+  - /docs/grafana/latest/alerting/difference-old-new/
 description: Upgrade Grafana alerts
 title: Upgrade to Grafana Alerting
 weight: 101
@@ -12,7 +13,7 @@ weight: 101

 Grafana Alerting is enabled by default for new installations or existing installations whether or not legacy alerting is configured.

-> **Note**: We recommend that Grafana Enterprise customers with more than a dozen Grafana dashboard alert rules do not upgrade and remain on legacy alerting for now by [opting out]({{< relref "opt-out/" >}}). If you do want to upgrade to Grafana Alerting, contact customer support.
+> **Note**: When upgrading, your dashboard alerts are migrated to a new format. This migration can be rolled back easily by [opting out]({{< relref "opt-out/" >}}). If you have any questions regarding this migration, please contact us.

 Existing installations that do not use legacy alerting will have Grafana Alerting enabled by default unless alerting is disabled in the configuration.

@@ -1,5 +1,6 @@
 ---
 aliases:
+  - /docs/grafana/latest/alerting/migrating-alerts/differences-and-limitations/
  - /docs/grafana/latest/alerting/migrating-alerts/migrating-legacy-alerts/
  - /docs/grafana/latest/alerting/migrating-legacy-alerts/
  - /docs/grafana/latest/alerting/unified-alerting/opt-in/
@@ -10,22 +11,27 @@ weight: 106

 # Differences and limitations

-When Grafana Alerting is enabled or upgraded to Grafana 9.0 or later, existing legacy dashboard alerts migrate in a format compatible with the Grafana Alerting. In the Alerting page of your Grafana instance, you can view the migrated alerts alongside any new alerts.
-This topic explains how legacy dashboard alerts are migrated and some limitations of the migration.
+There are some differences between Grafana Alerting and legacy dashboard alerts, and a number of features that are no
+longer supported. We refer to these as [Differences]({{< relref "#differences" >}}) and [Limitations]({{< relref "#limitations" >}}).

-> **Note:** This topic is only relevant for OSS and Enterprise customers. Contact customer support to enable or disable Grafana Alerting for your Cloud stack.
+## Differences

-Read and write access to legacy dashboard alerts and Grafana alerts are governed by the permissions of the folders storing them. During migration, legacy dashboard alert permissions are matched to the new rules permissions as follows:
+1. When Grafana Alerting is enabled or upgraded to Grafana 9.0 or later, existing legacy dashboard alerts migrate in a format compatible with the Grafana Alerting. In the Alerting page of your Grafana instance, you can view the migrated alerts alongside any new alerts.
+   This topic explains how legacy dashboard alerts are migrated and some limitations of the migration.
+
+2. Read and write access to legacy dashboard alerts and Grafana alerts are governed by the permissions of the folders storing them. During migration, legacy dashboard alert permissions are matched to the new rules permissions as follows:

 - If alert's dashboard has permissions, it will create a folder named like `Migrated {"dashboardUid": "UID", "panelId": 1, "alertId": 1}` to match permissions of the dashboard (including the inherited permissions from the folder).
 - If there are no dashboard permissions and the dashboard is under a folder, then the rule is linked to this folder and inherits its permissions.
 - If there are no dashboard permissions and the dashboard is under the General folder, then the rule is linked to the `General Alerting` folder, and the rule inherits the default permissions.

-> **Note:** Since there is no `Keep Last State` option for [`No Data`]({{< relref "../alerting-rules/create-grafana-managed-rule/#no-data--error-handling" >}}) in Grafana Alerting, this option becomes `NoData` during the legacy rules migration. Option "Keep Last State" for [`Error handling`]({{< relref "../alerting-rules/create-grafana-managed-rule/#no-data--error-handling" >}}) is migrated to a new option `Error`. To match the behavior of the `Keep Last State`, in both cases, during the migration Grafana automatically creates a [silence]({{< relref "../silences/" >}}) for each alert rule with a duration of 1 year.
+3. Since there is no `Keep Last State` option for [`No Data`]({{< relref "../alerting-rules/create-grafana-managed-rule/#no-data--error-handling" >}}) in Grafana Alerting, this option becomes `NoData` during the legacy rules migration. Option "Keep Last State" for [`Error handling`]({{< relref "../alerting-rules/create-grafana-managed-rule/#no-data--error-handling" >}}) is migrated to a new option `Error`. To match the behavior of the `Keep Last State`, in both cases, during the migration Grafana automatically creates a [silence]({{< relref "../silences/" >}}) for each alert rule with a duration of 1 year.

-Notification channels are migrated to an Alertmanager configuration with the appropriate routes and receivers. Default notification channels are added as contact points to the default route. Notification channels not associated with any Dashboard alert go to the `autogen-unlinked-channel-recv` route.
+4. Notification channels are migrated to an Alertmanager configuration with the appropriate routes and receivers. Default notification channels are added as contact points to the default route. Notification channels not associated with any Dashboard alert go to the `autogen-unlinked-channel-recv` route.
+
+5. Unlike legacy dashboard alerts where images in notifications are enabled per contact point, images in notifications for Grafana Alerting must be enabled in the Grafana configuration, either in the configuration file or environment variables, and are enabled for either all or no contact points. Please refer to the [documentation for images in notifications]({{< relref "../images-in-notifications" >}}).

 ## Limitations

-Since `Hipchat` and `Sensu` notification channels are no longer supported, legacy alerts associated with these channels are not automatically migrated to Grafana Alerting. Assign the legacy alerts to a supported notification channel so that you continue to receive notifications for those alerts.
-Silences (expiring after one year) are created for all paused dashboard alerts.
+1. Since `Hipchat` and `Sensu` notification channels are no longer supported, legacy alerts associated with these channels are not automatically migrated to Grafana Alerting. Assign the legacy alerts to a supported notification channel so that you continue to receive notifications for those alerts.
+   Silences (expiring after one year) are created for all paused dashboard alerts.
@@ -14,8 +14,8 @@ weight: 451

 # Create a URL to link to a silence form

-When linking to a silence form, provide the default matching labels and comment via `matchers` and `comment` query parameters. The `matchers` parameter requires one more matching labels of the type `[label][operator][value]` joined by a comma while the `operator` parameter can be one of the following: `=` (equals, not regex), `!=` (not equals, not regex), `=~` (equals, regex), `!~` (not equals, regex).
-
-For example, to link to silence form with matching labels `severity=critical` & `cluster!~europe-.*` and comment `Silence critical EU alerts`, create a URL `https://mygrafana/alerting/silence/new?matchers=severity%3Dcritical%2Ccluster!~europe-*&comment=Silence%20critical%20EU%20alert`.
+When linking to a silence form, provide the default matching labels and comment via `matcher` and `comment` query parameters. The `matcher` parameter should be in the following format `[label][operator][value]` where the `operator` parameter can be one of the following: `=` (equals, not regex), `!=` (not equals, not regex), `=~` (equals, regex), `!~` (not equals, regex).
+The URL can contain many query parameters with the key `matcher`.
+For example, to link to silence form with matching labels `severity=critical` & `cluster!~europe-.*` and comment `Silence critical EU alerts`, create a URL `https://mygrafana/alerting/silence/new?matcher=severity%3Dcritical&matcher=cluster!~europe-*&comment=Silence%20critical%20EU%20alert`.

 To link to a new silence page for an [external Alertmanager]({{< relref "../../datasources/alertmanager/" >}}), add a `alertmanager` query parameter with the Alertmanager data source name.
@@ -51,6 +51,6 @@ Once you have a strategy or design guidelines, write them down to help maintain
 - Use the left and right Y-axes when displaying time series with different units or ranges.
 - Add documentation to dashboards and panels.
  - To add documentation to a dashboard, add a [Text panel visualization]({{< relref "../visualizations/text-panel/" >}}) to the dashboard. Record things like the purpose of the dashboard, useful resource links, and any instructions users might need to interact with the dashboard. Check out this [Wikimedia example](https://grafana.wikimedia.org/d/000000066/resourceloader?orgId=1).
-  - To add documentation to a panel, [edit the panel settings]({{< relref "../panels/working-with-panels/add-panel/" >}}) and add a description. Any text you add will appear if you hover your cursor over the small `i` in the top left corner of the panel.
+  - To add documentation to a panel, edit the panel settings and add a description. Any text you add will appear if you hover your cursor over the small `i` in the top left corner of the panel.
 - Reuse your dashboards and enforce consistency by using [templates and variables]({{< relref "../variables/" >}}).
 - Be careful with stacking graph data. The visualizations can be misleading, and hide important data. We recommend turning it off in most cases.
@@ -31,9 +31,9 @@ What is your dashboard maturity level? Analyze your current dashboard setup and
  - If you create a temporary dashboard, perhaps to test something, prefix the name with `TEST: `. Delete the dashboard when you are finished.
 - Copying dashboards with no significant changes is not a good idea.
  - You miss out on updates to the original dashboard, such as documentation changes, bug fixes, or additions to metrics.
-  - In many cases copies are being made to simply customize the view by setting template parameters. This should instead be done by maintaining a link to the master dashboard and customizing the view with [URL parameters]({{< relref "../linking/data-link-variables/" >}}).
+  - In many cases copies are being made to simply customize the view by setting template parameters. This should instead be done by maintaining a link to the master dashboard and customizing the view with [URL parameters]({{< relref "../panels/configure-data-links/#data-link-variables" >}}).
 - When you must copy a dashboard, clearly rename it and _do not_ copy the dashboard tags. Tags are important metadata for dashboards that are used during search. Copying tags can result in false matches.
 - Maintain a dashboard of dashboards or cross-reference dashboards. This can be done in several ways:
-  - Create dashboard links, panel, or data links. Links can go to other dashboards or to external systems. For more information, refer to [Linking]({{< relref "../linking/" >}}).
+  - Create dashboard links, panel, or data links. Links can go to other dashboards or to external systems. For more information, refer to [Manage dashboard links]({{< relref "../dashboards/manage-dashboard-links/" >}}).
  - Add a [Dashboard list panel]({{< relref "../visualizations/dashboard-list-panel/" >}}). You can then customize what you see by doing tag or folder searches.
  - Add a [Text panel]({{< relref "../visualizations/text-panel/" >}}) and use markdown to customize the display.
@@ -53,7 +53,7 @@ How can you tell you are here?
 - Directed browsing cuts down on "guessing."
  - Template variables make it harder to “just browse” randomly or aimlessly.
  - Most dashboards should be linked to by alerts.
-  - Browsing is directed with links. For more information, refer to [Linking]({{< relref "../linking/" >}}).
+  - Browsing is directed with links. For more information, refer to [Manage dashboard links]({{< relref "../dashboards/manage-dashboard-links/" >}}).
 - Version-controlled dashboard JSON.

 ## High - optimized use
@@ -16,8 +16,9 @@ Before you begin, ensure that you have configured a data source. See also:

 - [Use dashboards]({{< relref "use-dashboards/" >}})
 - [Dashboard folders]({{< relref "dashboard-folders/" >}})
- [Create dashboard]({{< relref "dashboard-create/" >}})
+- [Add and organize panels]({{< relref "add-organize-panels/" >}})
 - [Manage dashboards]({{< relref "dashboard-manage/" >}})
+- [Public dashboards]({{< relref "dashboard-public/" >}})
 - [Annotations]({{< relref "annotations/" >}})
 - [Playlist]({{< relref "playlist/" >}})
 - [Reporting]({{< relref "reporting/" >}})
@@ -0,0 +1,104 @@
+---
+aliases:
+  - /docs/grafana/latest/panels/working-with-panels/navigate-panel-editor/
+  - /docs/grafana/latest/panels/working-with-panels/navigate-inspector-panel/
+  - /docs/grafana/latest/dashboards/dashboard-create/
+  - /docs/grafana/latest/features/dashboard/dashboards/
+  - /docs/grafana/latest/panels/working-with-panels/add-panel/
+  - /docs/grafana/latest/dashboards/add-organize-panels/
+title: Add and organize panels
+menuTitle: Add and organize panels
+weight: 2
+---
+
+# Add and organize panels
+
+This section describes the areas of the Grafana panel editor.
+
+1. Panel header: The header section lists the dashboard in which the panel appears and the following controls:
+
+   - **Dashboard settings (gear) icon -** Click to access the dashboard settings.
+   - **Discard -** Discards changes you have made to the panel since you last saved the dashboard.
+   - **Save -** Saves changes you made to the panel.
+   - **Apply -** Applies changes you made and closes the panel editor, returning you to the dashboard. You will have to save the dashboard to persist the applied changes.
+
+1. Visualization preview: The visualization preview section contains the following options:
+
+   - **Table view -** Convert any visualization to a table so that you can see the data. Table views are useful for troubleshooting.
+   - **Fill -** The visualization preview fills the available space. If you change the width of the side pane or height of the bottom pane the visualization changes to fill the available space.
+   - **Actual -** The visualization preview will have the exact size as the size on the dashboard. If not enough space is available, the visualization will scale down preserving the aspect ratio.
+   - **Time range controls -** For more information, refer to [Time range controls]({{< relref "time-range-controls/" >}}).
+
+1. Data section: The data section contains tabs where you enter queries, transform your data, and create alert rules (if applicable).
+
+   - **Query tab -** Select your data source and enter queries here. For more information, refer to [Add a query]({{< relref "../panels/query-a-data-source/add-a-query/" >}}).
+   - **Transform tab -** Apply data transformations. For more information, refer to [Transform data]({{< relref "../panels/transform-data/" >}}).
+   - **Alert tab -** Write alert rules. For more information, refer to [Overview of Grafana 8 alerting]({{< relref "../alerting/" >}}).
+
+1. Panel display options: The display options section contains tabs where you configure almost every aspect of your data visualization.
+
+> Not all options are available for each visualization.
+
+{{< figure src="/static/img/docs/panel-editor/panel-editor-8-0.png" class="docs-image--no-shadow" max-width="1500px" >}}
+
+## Open the panel inspect drawer
+
+The inspect drawer helps you understand and troubleshoot your panels. You can view the raw data for any panel, export that data to a comma-separated values (CSV) file, view query requests, and export panel and data JSON.
+
+> **Note:** Not all panel types include all tabs. For example, dashboard list panels do not have raw data to inspect, so they do not display the Stats, Data, or Query tabs.
+
+The panel inspector consists of the following options:
+
+1. The panel inspect drawer displays opens a drawer on the right side. Click the arrow in the upper right corner to expand or reduce the drawer pane.
+
+1. **Data tab -** Shows the raw data returned by the query with transformations applied. Field options such as overrides and value mappings are not applied by default.
+
+1. **Stats tab -** Shows how long your query takes and how much it returns.
+
+1. **JSON tab -** Allows you to view and copy the panel JSON, panel data JSON, and data frame structure JSON. This is useful if you are provisioning or administering Grafana.
+
+1. **Query tab -** Shows you the requests to the server sent when Grafana queries the data source.
+
+1. **Error tab -** Shows the error. Only visible when query returns error.
+
+## Create a dashboard and add a panel
+
+Dashboards and panels allow you to show your data in visual form. Each panel needs at least one query to display a visualization.
+
+**Before you begin:**
+
+- Ensure that you have the proper permissions. For more information about permissions, refer to [About users and permissions]({{< relref "../administration/roles-and-permissions/" >}}).
+- Identify the dashboard to which you want to add the panel.
+- Understand the query language of the target data source.
+- Ensure that data source for which you are writing a query has been added. For more information about adding a data source, refer to [Add a data source]({{< relref "../datasources/add-a-data-source/" >}}) if you need instructions.
+
+**To create a dashboard and add a panel**:
+
+1. Sign in to Grafana, hover your cursor over **Dashboard**, and click **+ New Dashboard**.
+1. Click **Add a new panel**.
+1. In the first line of the **Query** tab, click the drop-down list and select a data source.
+1. Write or construct a query in the query language of your data source.
+
+   For more information about data sources, refer to [Data sources]({{< relref "../datasources/" >}}) for specific guidelines.
+
+1. In the Visualization list, select a visualization type.
+
+   Grafana displays a preview of your query results with the visualization applied.
+
+   ![](/static/img/docs/panel-editor/select-visualization-8-0.png)
+
+   For more information about individual visualizations, refer to [Visualizations options]({{< relref "../visualizations/" >}}).
+
+1. Refer to the following documentation for ways you can adjust panel settings.
+
+   While not required, most visualizations need some adjustment before they properly display the information that you need.
+
+   - [Format data using value mapping]({{< relref "../panels/format-data/about-value-mapping/" >}})
+   - [Visualization-specific options]({{< relref "../visualizations/" >}})
+   - [Override field values]({{< relref "../panels/override-field-values/about-field-overrides/" >}})
+   - [Configure thresholds]({{< relref "../panels/configure-thresholds/" >}})
+   - [Configure standard options]({{< relref "../panels/configure-standard-options/" >}})
+
+1. Add a note to describe the visualization (or describe your changes) and then click **Save** in the upper-right corner of the page.
+
+   Notes can be helpful if you need to revert the dashboard to a previous version.
@@ -1,13 +0,0 @@
---
-aliases:
-  - /docs/grafana/latest/dashboards/dashboard-create/
-  - /docs/grafana/latest/features/dashboard/dashboards/
-title: Create dashboards
-weight: 7
---
-
-## Create dashboard
-
-To create a new dashboard:
-
-Click the new dashboard link on the right side of the time picker. A blank dashboard is created.
@@ -0,0 +1,55 @@
+---
+aliases:
+  - /docs/grafana/latest/dashboards/dashboard-manage/
+  - /docs/grafana/latest/features/dashboard/dashboards/
+title: Public dashboards
+weight: 8
+---
+
+## Public dashboards
+
+> **Note:** This is an opt-in alpha feature.
+
+> **Caution:** Making your dashboard public could result in a large number of queries to the datasources used by your dashboard.
+> This can be mitigated by utilizing the enterprise [caching](https://grafana.com/docs/grafana/latest/enterprise/query-caching/) and/or rate limiting features.
+
+Public dashboards allow you to share your Grafana dashboard with anyone. This is useful when you want to expose your
+dashboard to the world.
+
+#### Security implications of making your dashboard public
+
+- Anyone with the URL can access the dashboard.
+- Public dashboards are read-only.
+- Arbitrary queries **cannot** be run against your datasources through public dashboards. Public dashboards can only execute the
+  queries stored on the original dashboard.
+
+#### Enable the feature
+
+Add the `publicDashboards` feature toggle to your `custom.ini` file.
+
+> **Note:** For Grafana Cloud, you will need to contact support to have the feature enabled.
+
+#### Make a dashboard public
+
+- Click on the sharing icon to the right of the dashboard title.
+- Click on the Public Dashboard tab.
+- Acknowledge the implications of making the dashboard public by checking all the checkboxes.
+- Turn on the Enabled toggle.
+- Click `Save Sharing Configuration` to make the dashboard public and make your link live.
+- Copy the public dashboard link if you'd like to share it. You can always come back later for it.
+
+#### Revoke access
+
+- Click on the sharing icon to the right of the dashboard title.
+- Click on the Public Dashboard tab.
+- Turn off the Enabled toggle.
+- Click `Save Sharing Configuration` to save your changes.
+- Anyone with the link will not be able to access the dashboard publicly anymore.
+
+#### Limitations
+
+- Panels that use frontend datasources will fail to fetch data.
+- Template variables are currently not supported, but are planned to be in the future.
+- The time range is permanently set to the default time range on the dashboard. If you update the default time range for a dashboard, it will be reflected in the public dashboard.
+
+We are excited to share this enhancement with you and we’d love your feedback! Please check out the [Github](https://github.com/grafana/grafana/discussions/49253) discussion and join the conversation.
@@ -1,20 +1,53 @@
 ---
 aliases:
+  - /docs/grafana/latest/linking/
+  - /docs/grafana/latest/features/navigation-links/
+  - /docs/grafana/latest/linking/linking-overview/
  - /docs/grafana/latest/linking/dashboard-links/
-description: ''
+  - /docs/grafana/latest/dashboards/manage-dashboard-links/
+  - /docs/grafana/latest/panels/working-with-panels/add-link-to-panel/
+description: How to link Grafana dashboards.
 keywords:
+  - link
+  - dashboard
  - grafana
  - linking
  - create links
  - link dashboards
  - navigate
-title: Dashboard links
-weight: 200
+title: Manage dashboard links
+menuTitle: Manage dashboard links
+weight: 400
 ---

-# Dashboard links
+# Manage dasboard links

-When you create a dashboard link, you can include the time range and current template variables to directly jump to the same context in another dashboard. This way, you don’t have to worry whether the person you send the link to is looking at the right data. For other types of links, refer to [Data link variables]({{< relref "data-link-variables/" >}}).
+You can use links to navigate between commonly-used dashboards or to connect others to your visualizations. Links let you create shortcuts to other dashboards, panels, and even external websites.
+
+Grafana supports dashboard links, panel links, and data links. Dashboard links are displayed at the top of the dashboard. Panel links are accessible by clicking an icon on the top left corner of the panel.
+
+## Which link should you use?
+
+Start by figuring out how you're currently navigating between dashboards. If you're often jumping between a set of dashboards and struggling to find the same context in each, links can help optimize your workflow.
+
+The next step is to figure out which link type is right for your workflow. Even though all the link types in Grafana are used to create shortcuts to other dashboards or external websites, they work in different contexts.
+
+- If the link relates to most if not all of the panels in the dashboard, use [dashboard links]({{< relref "#dashboard-links" >}}).
+- If you want to drill down into specific panels, use [panel links]({{< relref "#panel-links" >}}).
+- If you want to link to an external site, you can use either a dashboard link or a panel link.
+- If you want to drill down into a specific series, or even a single measurement, use [data links]({{< relref "../../panels/configure-data-links/#data-links" >}}).
+
+## Controlling time range using the URL
+
+You can control the time range of a panel or dashboard by providing following query parameters in dashboard URL:
+
+- `from` - defines lower limit of the time range, specified in ms epoch
+- `to` - defines upper limit of the time range, specified in ms epoch
+- `time` and `time.window` - defines a time range from `time-time.window/2` to `time+time.window/2`. Both params should be specified in ms. For example `?time=1500000000000&time.window=10000` will result in 10s time range from 1499999995000 to 1500000005000
+
+## Dashboard links
+
+When you create a dashboard link, you can include the time range and current template variables to directly jump to the same context in another dashboard. This way, you don’t have to worry whether the person you send the link to is looking at the right data. For other types of links, refer to [Data link variables]({{< relref "../../panels/configure-data-links/#data-link-variables/" >}}).

 Dashboard links can also be used as shortcuts to external systems, such as submitting [a GitHub issue with the current dashboard name](https://github.com/grafana/grafana/issues/new?title=Dashboard%3A%20HTTP%20Requests).

@@ -25,7 +58,7 @@ To see an example of dashboard links in action, check out:

 Once you've added a dashboard link, it appears in the upper right corner of your dashboard.

-## Add links to dashboards
+### Add links to dashboards

 Add links to other dashboards at the top of your current dashboard.

@@ -40,7 +73,7 @@ Add links to other dashboards at the top of your current dashboard.
   - **Open in new tab** – Select this option if you want the dashboard link to open in a new tab or window.
 1. Click **Add**.

-## Add a URL link to a dashboard
+### Add a URL link to a dashboard

 Add a link to a URL at the top of your current dashboard. You can link to any available URL, including dashboards, panels, or external sites. You can even control the time range to ensure the user is zoomed in on the right data in Grafana.

@@ -60,7 +93,7 @@ Add a link to a URL at the top of your current dashboard. You can link to any av
   - **Open in new tab** – Select this option if you want the dashboard link to open in a new tab or window.
 1. Click **Add**.

-## Update a dashboard link
+### Update a dashboard link

 To change or update an existing dashboard link, follow this procedure.

@@ -71,6 +104,43 @@ To change or update an existing dashboard link, follow this procedure.

 To duplicate an existing dashboard link, click the duplicate icon next to the existing link that you want to duplicate.

-## Delete a dashboard link
+### Delete a dashboard link

 To delete an existing dashboard link, click the trash icon next to the duplicate icon that you want to delete.
+
+## Panel links
+
+Each panel can have its own set of links that are shown in the upper left corner of the panel. You can link to any available URL, including dashboards, panels, or external sites. You can even control the time range to ensure the user is zoomed in on the right data in Grafana.
+
+Click the icon on the top left corner of a panel to see available panel links.
+
+{{< figure src="/static/img/docs/linking/panel-links.png" width="200px" >}}
+
+### Add a panel link
+
+1. Hover your cursor over the panel that you want to add a link to and then press `e`. Or click the dropdown arrow next to the panel title and then click **Edit**.
+1. On the Panel tab, scroll down to the Links section.
+1. Expand Links and then click **Add link**.
+1. Enter a **Title**. **Title** is a human-readable label for the link that will be displayed in the UI.
+1. Enter the **URL** you want to link to.
+   You can even add one of the template variables defined in the dashboard. Press Ctrl+Space or Cmd+Space and click in the **URL** field to see the available variables. By adding template variables to your panel link, the link sends the user to the right context, with the relevant variables already set. You can also use time variables:
+   - `from` - Defines the lower limit of the time range, specified in ms epoch.
+   - `to` - Defines the upper limit of the time range, specified in ms epoch.
+   - `time` and `time.window` - Define a time range from `time-time.window/2` to `time+time.window/2`. Both params should be specified in ms. For example `?time=1500000000000&time.window=10000` will result in 10s time range from 1499999995000 to 1500000005000.
+1. If you want the link to open in a new tab, then select **Open in a new tab**.
+1. Click **Save** to save changes and close the window.
+1. Click **Save** in the upper right to save your changes to the dashboard.
+
+### Update a panel link
+
+1. On the Panel tab, find the link that you want to make changes to.
+1. Click the Edit (pencil) icon to open the Edit link window.
+1. Make any necessary changes.
+1. Click **Save** to save changes and close the window.
+1. Click **Save** in the upper right to save your changes to the dashboard.
+
+### Delete a panel link
+
+1. On the Panel tab, find the link that you want to delete.
+1. Click the **X** icon next to the link you want to delete.
+1. Click **Save** in the upper right to save your changes to the dashboard.
@@ -0,0 +1,87 @@
+---
+aliases:
+  - /docs/grafana/latest/panels/panel-library/
+  - /docs/grafana/latest/panels/library-panels/
+  - /docs/grafana/latest/panels/library-panels/create-library-panel/
+  - /docs/grafana/latest/panels/library-panels/add-library-panel/
+  - /docs/grafana/latest/panels/library-panels/unlink-library-panel/
+  - /docs/grafana/latest/panels/library-panels/manage-library-panel/
+  - /docs/grafana/latest/panels/library-panels/delete-library-panel/
+  - /docs/grafana/latest/dashboards/manage-library-panels/
+title: Manage Grafana library panels
+menuTitle: Manage library panels
+weight: 3
+---
+
+# Manage Grafana library panels
+
+A library panel is a reusable panel that you can use in any dashboard. When you make a change to a library panel, that change propagates to all instances of where the panel is used. Library panels streamline reuse of panels across multiple dashboards.
+
+You can save a library panel in a folder alongside saved dashboards.
+
+## Create a library panel
+
+When you create a library panel, the panel on the source dashboard is converted to a library panel as well. You need to save the original dashboard once a panel is converted.
+
+1. Open a panel in edit mode.
+1. In the panel display options, click the down arrow option to bring changes to the visualization.
+   {{< figure src="/static/img/docs/library-panels/create-lib-panel-from-edit-8-0.png" class="docs-image--no-shadow" max-width= "800px" caption="Screenshot of the edit panel" >}}
+1. Click the **Library panels** option, and then click **Create library panel** to open the create dialog.
+   {{< figure src="/static/img/docs/library-panels/create-lib-panel-8-0.png" class="docs-image--no-shadow" max-width= "500px" caption="Screenshot of the create library panel dialog" >}}
+1. In **Library panel name**, enter the name.
+1. In **Save in folder**, select the folder to save the library panel.
+1. Click **Create library panel** to save your changes.
+1. Save the dashboard.
+
+Once created, you can modify the library panel using any dashboard on which it appears. After you save the changes, all instances of the library panel reflect these modifications.
+
+{{< figure src="/static/img/docs/library-panels/create-from-more-8-0.png" class="docs-image--no-shadow" max-width= "900px" caption="Screenshot of the edit panel" >}}
+
+## Add a library panel to a dashboard
+
+Add a Grafana library panel to a dashboard when you want to provide visualizations to other dashboard users.
+
+1. Hover over the **Dashboards** option on the left menu, then select **New dashboard** from the drop-down options.
+
+   The **Add** panel dialog opens.
+   {{< figure src="/static/img/docs/library-panels/add-library-panel-8-0.png" class="docs-image--no-shadow" max-width= "900px" caption="Screenshot of the edit panel" >}}
+
+1. Click the **Add a panel from the panel library** option.
+
+   You will see a list of your library panels.
+
+1. Filter the list or search to find the panel you want to add.
+1. Click a panel to add it to the dashboard.
+
+## Unlink a library panel
+
+Unlink a library panel when you want to make a change to the panel and not affect other instances of the library panel.
+
+1. Hover over **Dashboard** on the left menu, and then click **Library panels**.
+1. Select a library panel that is being used in different dashboards.
+1. Select the panel you want to unlink.
+1. Click the title of the panel and then click **Edit**. The panel opens in edit mode.
+1. Click the **Unlink** option on the top right corner of the page.
+
+## View a list of library panels
+
+You can view a list of available library panels and search for a library panel.
+
+1. Hover over the **Dashboard** option on the left menu, then click **Library panels**.
+
+   You can see a list of previously defined library panels.
+   {{< figure src="/static/img/docs/library-panels/library-panel-list-8-0.png" class="docs-image--no-shadow" max-width= "900px" caption="Screenshot of the edit panel" >}}
+
+1. Search for a specific library panel if you know its name.
+
+   You can also filter the panels by folder or type.
+
+## Delete a library panel
+
+Delete a library panel when you no longer need it.
+
+1. Hover over **Dashboard** on the left menu, and select **Library panels**.
+
+1. Select the panel you want to delete.
+
+1. Click the delete icon next to the library panel name.
@@ -10,7 +10,7 @@ aliases:
  - /docs/grafana/latest/reference/search/
 title: 'Use dashboards'
 menuTitle: Use dashboards
-weight: 2
+weight: 1
 keywords:
  - dashboard
  - search
@@ -39,7 +39,7 @@ The dashboard header has the following sections.

 - **Dashboard title** (2): This also opens the dashboard search when clicked.
 - **Add panel** (3): Use this option to add a new panel or row to the current dashboard.
- **Star dashboard** (4): Use this option to star (or unstar) the current dashboard. Starred dashboards show up on your own home dashboard by default. It is a convenient way to mark Dashboards that you're interested in.
+- **Star dashboard** (4): Use this option to star (or unstar) the current dashboard. Starred dashboards show up on your own home dashboard and in the navigation bar by default. It is a convenient way to mark Dashboards that you're interested in.
 - **Share dashboard** (5): Use this option to share the current dashboard by link or snapshot. You can also export the dashboard definition from the share modal.
 - **Save dashboard** (6): Use this option to save the current dashboard using its current name.
 - **Settings** (7): Use this option to open dashboard settings. Here you change dashboard name, folder, tags as well as manage variables and annotation queries.
@@ -8,7 +8,7 @@ weight: 60

 # Data sources

-Grafana supports many different storage backends for your time series data (data source). Refer to [Add a data source]({{< relref "../../administration/datasources/add-a-data-source/" >}}) for instructions on how to add a data source to Grafana. Only users with the organization admin role can add data sources.
+Grafana supports many different storage backends for your time series data (data source). Refer to [Add a data source]({{< relref "../administration/data-source-management/#add-a-data-source/" >}}) for instructions on how to add a data source to Grafana. Only users with the organization admin role can add data sources.

 ## Querying

@@ -18,23 +18,23 @@ Each data source has a specific Query Editor that is customized for the features

 The following data sources are officially supported:

- [Alertmanager]({{< relref "../../datasources/alertmanager/" >}})
- [AWS CloudWatch]({{< relref "aws-cloudwatch/" >}})
- [Azure Monitor]({{< relref "azuremonitor/" >}})
- [Elasticsearch]({{< relref "../../datasources/elasticsearch/" >}})
- [Google Cloud Monitoring]({{< relref "google-cloud-monitoring/" >}})
- [Graphite]({{< relref "../../datasources/graphite/" >}})
- [InfluxDB]({{< relref "influxdb/" >}})
- [Loki]({{< relref "../../datasources/loki/" >}})
- [Microsoft SQL Server (MSSQL)]({{< relref "../../datasources/mssql/" >}})
- [MySQL]({{< relref "../../datasources/mysql/" >}})
- [OpenTSDB]({{< relref "../../datasources/opentsdb/" >}})
- [PostgreSQL]({{< relref "../../datasources/postgres/" >}})
- [Prometheus]({{< relref "../../datasources/prometheus/" >}})
- [Jaeger]({{< relref "../../datasources/jaeger/" >}})
- [Zipkin]({{< relref "../../datasources/zipkin/" >}})
- [Tempo]({{< relref "../../datasources/tempo/" >}})
- [Testdata]({{< relref "../../datasources/testdata/" >}})
+- [Alertmanager]({{< relref "./alertmanager/" >}})
+- [AWS CloudWatch]({{< relref "./aws-cloudwatch/" >}})
+- [Azure Monitor]({{< relref "./azuremonitor/" >}})
+- [Elasticsearch]({{< relref "./elasticsearch/" >}})
+- [Google Cloud Monitoring]({{< relref "./google-cloud-monitoring/" >}})
+- [Graphite]({{< relref "./graphite/" >}})
+- [InfluxDB]({{< relref "./influxdb/" >}})
+- [Loki]({{< relref "./loki/" >}})
+- [Microsoft SQL Server (MSSQL)]({{< relref "./mssql/" >}})
+- [MySQL]({{< relref "./mysql/" >}})
+- [OpenTSDB]({{< relref "./opentsdb/" >}})
+- [PostgreSQL]({{< relref "./postgres/" >}})
+- [Prometheus]({{< relref "./prometheus/" >}})
+- [Jaeger]({{< relref "./jaeger/" >}})
+- [Zipkin]({{< relref "./zipkin/" >}})
+- [Tempo]({{< relref "./tempo/" >}})
+- [Testdata]({{< relref "./testdata/" >}})

 In addition to the data sources that you have configured in your Grafana, there are three special data sources available:

@@ -103,7 +103,7 @@ Further documentation on multi-dimensional metrics is available [here](https://d

 #### Supported Azure Monitor metrics

-Not all metrics returned by the Azure Monitor Metrics API have values. To make it easier for you when building a query, the Grafana data source has a list of supported metrics and ignores metrics which will never have values. This list is updated regularly as new services and metrics are added to the Azure cloud. For more information about the list of metrics, refer to [current supported namespaces](https://github.com/grafana/grafana/blob/main/public/app/plugins/datasource/grafana-azure-monitor-datasource/azure_monitor/supported_namespaces.ts).
+Not all metrics returned by the Azure Monitor Metrics API have values. To make it easier for you when building a query, the Grafana data source has a list of supported metrics and ignores metrics which will never have values. This list is updated regularly as new services and metrics are added to the Azure cloud. For more information about the list of metrics, refer to [current supported namespaces](https://github.com/grafana/grafana/blob/main/public/app/plugins/datasource/grafana-azure-monitor-datasource/azureMetadata/metricNamespaces.ts).

 ### Querying Azure Monitor Logs

@@ -25,23 +25,15 @@ types of template variables.

 The Azure Monitor data source provides the following queries you can specify in the Query field in the Variable edit view

-| Name                                                                               | Description                                                                                            |
-| ---------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
-| `Subscriptions()`                                                                  | Returns subscriptions.                                                                                 |
-| `ResourceGroups()`                                                                 | Returns resource groups.                                                                               |
-| `ResourceGroups(subscriptionID)`                                                   | Returns resource groups for a specified subscription.                                                  |
-| `Namespaces(aResourceGroup)`                                                       | Returns namespaces for the default subscription and specified resource group.                          |
-| `Namespaces(subscriptionID, aResourceGroup)`                                       | Returns namespaces for the specified subscription and resource group.                                  |
-| `ResourceNames(aResourceGroup, aNamespace)`                                        | Returns a list of resource names.                                                                      |
-| `ResourceNames(subscriptionID, aResourceGroup, aNamespace)`                        | Returns a list of resource names for a specified subscription.                                         |
-| `MetricNamespace(aResourceGroup, aNamespace, aResourceName)`                       | Returns a list of metric namespaces.                                                                   |
-| `MetricNamespace(subscriptionID, aResourceGroup, aNamespace, aResourceName)`       | Returns a list of metric namespaces for a specified subscription.                                      |
-| `MetricNames(aResourceGroup, aMetricDefinition, aResourceName, aMetricNamespace)`  | Returns a list of metric names.                                                                        |
-| `MetricNames(aSubscriptionID, aMetricDefinition, aResourceName, aMetricNamespace)` | Returns a list of metric names for a specified subscription.                                           |
-| `workspaces()`                                                                     | Returns a list of workspaces for the default subscription.                                             |
-| `workspaces(subscriptionID)`                                                       | Returns a list of workspaces for the specified subscription (the parameter can be quoted or unquoted). |
-
-Where a subscription ID is not specified, a default subscription must be specified in the data source configuration, which will be used.
+| Name            | Description                                                                                  |
+| --------------- | -------------------------------------------------------------------------------------------- |
+| Subscriptions   | Returns subscriptions.                                                                       |
+| Resource Groups | Returns resource groups for a specified subscription.                                        |
+| Namespaces      | Returns metric namespaces for the specified subscription and resource group.                 |
+| Resource Names  | Returns a list of resource names for a specified subscription, resource group and namespace. |
+| Metric Names    | Returns a list of metric names for a resource.                                               |
+| Workspaces      | Returns a list of workspaces for the specified subscription.                                 |
+| Logs            | Use a KQL query to return values.                                                            |

 Any Log Analytics KQL query that returns a single list of values can also be used in the Query field. For example:

@@ -62,3 +54,67 @@ Perf
 | summarize avg(CounterValue) by bin(TimeGenerated, $__interval), Computer
 | order by TimeGenerated asc
 ```
+
+## Limitations
+
+As of Grafana 9.0, a resource URI is constructed to identify resources using the resource picker. On dashboards created prior to Grafana 9.0, Grafana automatically migrates any queries using the prior resource-picking mechanism to use this method.
+
+Some resource types use nested namespaces and resource names, such as `Microsoft.Storage/storageAccounts/tableServices` and `storageAccount/default`, or `Microsoft.Sql/servers/databases` and `serverName/databaseName`. Such template variables cannot be used because the result could be a malformed resource URI.
+
+### Supported cases
+
+#### Standard namespaces and resource names
+
+```kusto
+metricDefinition = $ns
+$ns = Microsoft.Compute/virtualMachines
+resourceName = $rs
+$rs = testvirtualmachine
+```
+
+#### Namespaces with a non-templated sub-namespace
+
+```kusto
+metricDefinition = $ns/tableServices
+$ns = Microsoft.Storage/storageAccounts
+resourceName = $rs/default
+$rs = storageaccount
+```
+
+#### Storage namespaces missing the `default` keyword
+
+```kusto
+metricDefinition = $ns/tableServices
+$ns = Microsoft.Storage/storageAccounts
+resourceName = $rs
+$rs = storageaccount
+```
+
+#### Namespaces with a templated sub-namespace
+
+```kusto
+metricDefinition = $ns/$sns
+$ns = Microsoft.Storage/storageAccounts
+$sns = tableServices
+resourceName = $rs
+$rs = storageaccount
+```
+
+### Unsupported case
+
+If a dashboard uses this unsupported case, migrate it to one of the [supported cases](#supported-cases).
+
+If a namespace or resource name template variable contains multiple segments, Grafana will construct the resource URI incorrectly because the template variable cannot be appropriately split.
+
+For example:
+
+```kusto
+metricDefinition = $ns
+resourceName = $rs
+$ns = 'Microsoft.Storage/storageAccounts/tableServices'
+$rs = 'storageaccount/default'
+```
+
+This would result in an incorrect resource URI containing `Microsoft.Storage/storageAccounts/tableServices/storageaccount/default`. However, the correct URI would have the format `Microsoft.Storage/storageAccounts/storageaccount/tableServices/default`.
+
+An appropriate fix would be to update the template variable that does not match a supported case. If the namespace variable `$ns` is of the form `Microsoft.Storage/storageAccounts/tableServices` this could be split into two variables: `$ns1 = Microsoft.Storage/storageAccounts` and `$ns2 = tableServices`. The metric definition would then take the form `$ns1/$ns2` which leads to a correctly formatted URI.
@@ -66,6 +66,16 @@ This is a configuration for the beta Node Graph visualization. The Node Graph is

 -- **Enable Node Graph -** Enables the Node Graph visualization.

+### Span bar label
+
+You can configure the span bar label. The span bar label allows you add additional information to the span bar row.
+
+Select one of the following four options. The default selection is Duration.
+
+- **None -** Do not show any additional information on the span bar row.
+- **Duration -** Show the span duration on the span bar row.
+- **Tag -** Show the span tag on the span bar row. Note: You will also need to specify the tag key to use to get the tag value. For example, `span.kind`.
+
 ## Query traces

 You can query and display traces from Jaeger via [Explore]({{< relref "../explore/" >}}).
@@ -123,6 +123,10 @@ Operation can have additional parameters under the operation header. See the ope

 Some operations make sense only in specific order, if adding an operation would result in nonsensical query, operation will be added to the correct place. To order operations manually drag operation box by the operation name and drop in appropriate place.

+##### Hints
+
+In same cases the query editor can detect which operations would be most appropriate for a selected log stream. In such cases it will show a hint next to the `+ Operations` button. Click on the hint to add the operations to your query.
+
 #### Raw query

 This section is shown only if the `Raw query` switch from the query editor top toolbar is set to `on`. It shows the raw query that will be created and executed by the query editor.
@@ -182,7 +182,7 @@ A time series query result is returned in a [wide data frame format]({{< relref

 > For backward compatibility, there's an exception to the above rule for queries that return three columns including a string column named metric. Instead of transforming the metric column into field labels, it becomes the field name, and then the series name is formatted as the value of the metric column. See the example with the metric column below.

-To optionally customize the default series name formatting, refer to [Standard field definitions]({{< relref "../panels/standard-field-definitions/#display-name" >}}).
+To optionally customize the default series name formatting, refer to [Standard options definitions]({{< relref "../panels/configure-standard-options/#display-name" >}}).

 **Example with `metric` column:**

@@ -226,7 +226,7 @@ GROUP BY
 ORDER BY 1
 ```

-Given the data frame result in the following example and using the graph panel, you will get two series named _value 10.0.1.1_ and _value 10.0.1.2_. To render the series with a name of _10.0.1.1_ and _10.0.1.2_ , use a [Standard field definition]({{< relref "../panels/standard-field-definitions/#display-name" >}}) display name value of `${__field.labels.hostname}`.
+Given the data frame result in the following example and using the graph panel, you will get two series named _value 10.0.1.1_ and _value 10.0.1.2_. To render the series with a name of _10.0.1.1_ and _10.0.1.2_ , use a [Standard options definitions]({{< relref "../panels/configure-standard-options/#display-name" >}}) display name value of `${__field.labels.hostname}`.

 Data frame result:

@@ -191,7 +191,7 @@ A time series query result is returned in a [wide data frame format]({{< relref

 > For backward compatibility, there's an exception to the above rule for queries that return three columns including a string column named metric. Instead of transforming the metric column into field labels, it becomes the field name, and then the series name is formatted as the value of the metric column. See the example with the metric column below.

-To optionally customize the default series name formatting, refer to [Standard field definitions]({{< relref "../panels/standard-field-definitions/#display-name" >}}).
+To optionally customize the default series name formatting, refer to [Standard options definitions]({{< relref "../panels/configure-standard-options/#display-name" >}}).

 **Example with `metric` column:**

@@ -233,7 +233,7 @@ GROUP BY time, hostname
 ORDER BY time
 ```

-Given the data frame result in the following example and using the graph panel, you will get two series named _value 10.0.1.1_ and _value 10.0.1.2_. To render the series with a name of _10.0.1.1_ and _10.0.1.2_ , use a [Standard field definition]({{< relref "../panels/standard-field-definitions/#display-name" >}}) display value of `${__field.labels.hostname}`.
+Given the data frame result in the following example and using the graph panel, you will get two series named _value 10.0.1.1_ and _value 10.0.1.2_. To render the series with a name of _10.0.1.1_ and _10.0.1.2_ , use a [[Standard options definitions]({{< relref "../panels/configure-standard-options/#display-name" >}}) display value of `${__field.labels.hostname}`.

 Data frame result:

@@ -196,7 +196,7 @@ A time series query result is returned in a [wide data frame format]({{< relref

 > For backward compatibility, there's an exception to the above rule for queries that return three columns including a string column named metric. Instead of transforming the metric column into field labels, it becomes the field name, and then the series name is formatted as the value of the metric column. See the example with the metric column below.

-To optionally customize the default series name formatting, refer to [Standard field definitions]({{< relref "../panels/standard-field-definitions/#display-name" >}}).
+To optionally customize the default series name formatting, refer to [Standard options definitions]({{< relref "../panels/configure-standard-options/#display-name" >}}).

 **Example with `metric` column:**

@@ -238,7 +238,7 @@ GROUP BY time, hostname
 ORDER BY time
 ```

-Given the data frame result in the following example and using the graph panel, you will get two series named _value 10.0.1.1_ and _value 10.0.1.2_. To render the series with a name of _10.0.1.1_ and _10.0.1.2_ , use a [Standard field definition]({{< relref "../panels/standard-field-definitions/#display-name" >}}) display value of `${__field.labels.hostname}`.
+Given the data frame result in the following example and using the graph panel, you will get two series named _value 10.0.1.1_ and _value 10.0.1.2_. To render the series with a name of _10.0.1.1_ and _10.0.1.2_ , use a [Standard options definitions]({{< relref "../panels/configure-standard-options/#display-name" >}}) display value of `${__field.labels.hostname}`.

 Data frame result:

@@ -462,7 +462,7 @@ datasources:
      timescaledb: false
 ```

-> **Note:** In the above code, the `postgresVersion` value of `10` refers to version PotgreSQL 10 and above.
+> **Note:** In the above code, the `postgresVersion` value of `10` refers to version PostgreSQL 10 and above.

 If you encounter metric request errors or other issues:

@@ -84,6 +84,16 @@ This is a configuration for the Loki search query type.

 -- **Data source -** The Loki instance in which you want to search traces. You must configure derived fields in the Loki instance.

+### Span bar label
+
+You can configure the span bar label. The span bar label allows you add additional information to the span bar row.
+
+Select one of the following four options. The default selection is Duration.
+
+- **None -** Do not show any additional information on the span bar row.
+- **Duration -** Show the span duration on the span bar row.
+- **Tag -** Show the span tag on the span bar row. Note: You will also need to specify the tag key to use to get the tag value. For example, `span.kind`.
+
 ## Query traces

 You can query and display traces from Tempo via [Explore]({{< relref "../explore/" >}}).
@@ -65,6 +65,16 @@ This is a configuration for the beta Node Graph visualization. The Node Graph is

 -- **Enable Node Graph -** Enables the Node Graph visualization.

+### Span bar label
+
+You can configure the span bar label. The span bar label allows you add additional information to the span bar row.
+
+Select one of the following four options. The default selection is Duration.
+
+- **None -** Do not show any additional information on the span bar row.
+- **Duration -** Show the span duration on the span bar row.
+- **Tag -** Show the span tag on the span bar row. Note: You will also need to specify the tag key to use to get the tag value. For example, `span.kind`.
+
 ## Query traces

 Querying and displaying traces from Zipkin is available via [Explore]({{< relref "../explore/" >}}).
@@ -25,6 +25,7 @@ dashboards, creating users, and updating data sources.
 - [Alerting Provisioning API]({{< relref "alerting_provisioning/" >}})
 - [Annotations API]({{< relref "annotations/" >}})
 - [Authentication API]({{< relref "auth/" >}})
+- [Correlations API]({{< relref "correlations/" >}})
 - [Dashboard API]({{< relref "dashboard/" >}})
 - [Dashboard Permissions API]({{< relref "dashboard_permissions/" >}})
 - [Dashboard Versions API]({{< relref "dashboard_versions/" >}})
@@ -21,7 +21,7 @@ title: RBAC HTTP API

 The API can be used to create, update, delete, get, and list roles.

-To check which basic or fixed roles have the required permissions, refer to [RBAC role definitions]({{< ref "../../enterprise/access-control/rbac-fixed-basic-role-definitions.md" >}}).
+To check which basic or fixed roles have the required permissions, refer to [RBAC role definitions]({{< ref "../../administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md" >}}).

 ## Get status

@@ -222,7 +222,7 @@ Content-Type: application/json; charset=UTF-8

 `POST /api/access-control/roles`

-Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as [Fixed roles]({{< relref "../../enterprise/access-control/about-rbac/#fixed-roles" >}}) can't be created.
+Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as [Fixed roles]({{< relref "../../administration/roles-and-permissions/access-control/#fixed-roles" >}}) can't be created.

 #### Required permissions

@@ -260,24 +260,24 @@ Content-Type: application/json

 #### JSON body schema

-| Field Name  | Date Type  | Required | Description                                                                                                                                                                                                                            |
-| ----------- | ---------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| uid         | string     | No       | UID of the role. If not present, the UID will be automatically created for you and returned in response. Refer to the [Custom roles]({{< relref "../../enterprise/access-control/about-rbac/#custom-roles" >}}) for more information.  |
-| global      | boolean    | No       | A flag indicating if the role is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request.                                                                                         |
-| version     | number     | No       | Version of the role. If not present, version 0 will be assigned to the role and returned in the response. Refer to the [Custom roles]({{< relref "../../enterprise/access-control/about-rbac/#custom-roles" >}}) for more information. |
-| name        | string     | Yes      | Name of the role. Refer to [Custom roles]({{< relref "../../enterprise/access-control/about-rbac/#custom-roles" >}}) for more information.                                                                                             |
-| description | string     | No       | Description of the role.                                                                                                                                                                                                               |
-| displayName | string     | No       | Display name of the role, visible in the UI.                                                                                                                                                                                           |
-| group       | string     | No       | The group name the role belongs to.                                                                                                                                                                                                    |
-| hidden      | boolean    | No       | Specify whether the role is hidden or not. If set to `true`, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified.                                                       |
-| permissions | Permission | No       | If not present, the role will be created without any permissions.                                                                                                                                                                      |
+| Field Name  | Date Type  | Required | Description                                                                                                                                                                                                                                           |
+| ----------- | ---------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| uid         | string     | No       | UID of the role. If not present, the UID will be automatically created for you and returned in response. Refer to the [Custom roles]({{< relref "../../administration/roles-and-permissions/access-control/#custom-roles" >}}) for more information.  |
+| global      | boolean    | No       | A flag indicating if the role is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request.                                                                                                        |
+| version     | number     | No       | Version of the role. If not present, version 0 will be assigned to the role and returned in the response. Refer to the [Custom roles]({{< relref "../../administration/roles-and-permissions/access-control/#custom-roles" >}}) for more information. |
+| name        | string     | Yes      | Name of the role. Refer to [Custom roles]({{< relref "../../administration/roles-and-permissions/access-control/#custom-roles" >}}) for more information.                                                                                             |
+| description | string     | No       | Description of the role.                                                                                                                                                                                                                              |
+| displayName | string     | No       | Display name of the role, visible in the UI.                                                                                                                                                                                                          |
+| group       | string     | No       | The group name the role belongs to.                                                                                                                                                                                                                   |
+| hidden      | boolean    | No       | Specify whether the role is hidden or not. If set to `true`, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified.                                                                      |
+| permissions | Permission | No       | If not present, the role will be created without any permissions.                                                                                                                                                                                     |

 **Permission**

-| Field Name | Data Type | Required | Description                                                                                                                                                                                                            |
-| ---------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| action     | string    | Yes      | Refer to [Custom role actions and scopes]({{< relref "../../enterprise/access-control/custom-role-actions-scopes/" >}}) for full list of available actions.                                                            |
-| scope      | string    | No       | If not present, no scope will be mapped to the permission. Refer to [[Custom role actions and scopes]({{< relref "../../enterprise/access-control/custom-role-actions-scopes/" >}}) for full list of available scopes. |
+| Field Name | Data Type | Required | Description                                                                                                                                                                                                                                     |
+| ---------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| action     | string    | Yes      | Refer to [Custom role actions and scopes]({{< relref "../../administration/roles-and-permissions/access-control/custom-role-actions-scopes/" >}}) for full list of available actions.                                                           |
+| scope      | string    | No       | If not present, no scope will be mapped to the permission. Refer to [Custom role actions and scopes]({{< relref "../../administration/roles-and-permissions/access-control/custom-role-actions-scopes/" >}}) for full list of available scopes. |

 #### Example response

@@ -375,10 +375,10 @@ Content-Type: application/json

 **Permission**

-| Field Name | Data Type | Required | Description                                                                                                                                                                                                           |
-| ---------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| action     | string    | Yes      | Refer to [Custom role actions and scopes]({{< relref "../../enterprise/access-control/custom-role-actions-scopes/" >}}) for full list of available actions.                                                           |
-| scope      | string    | No       | If not present, no scope will be mapped to the permission. Refer to [Custom role actions and scopes]({{< relref "../../enterprise/access-control/custom-role-actions-scopes/" >}}) for full list of available scopes. |
+| Field Name | Data Type | Required | Description                                                                                                                                                                                                                                     |
+| ---------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| action     | string    | Yes      | Refer to [Custom role actions and scopes]({{< relref "../../administration/roles-and-permissions/access-control/custom-role-actions-scopes/" >}}) for full list of available actions.                                                           |
+| scope      | string    | No       | If not present, no scope will be mapped to the permission. Refer to [Custom role actions and scopes]({{< relref "../../administration/roles-and-permissions/access-control/custom-role-actions-scopes/" >}}) for full list of available scopes. |

 #### Example response

@@ -448,10 +448,10 @@ Accept: application/json

 #### Query parameters

-| Param  | Type    | Required | Description                                                                                                                                                                                                                                                |
-| ------ | ------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| force  | boolean | No       | When set to `true`, the role will be deleted with all it's assignments.                                                                                                                                                                                    |
-| global | boolean | No       | A flag indicating if the role is global or not. If set to false, the default org ID of the authenticated user will be used from the request. Refer to the [About RBAC]({{< relref "../../enterprise/access-control/about-rbac/" >}}) for more information. |
+| Param  | Type    | Required | Description                                                                                                                                                                                                                                                               |
+| ------ | ------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| force  | boolean | No       | When set to `true`, the role will be deleted with all it's assignments.                                                                                                                                                                                                   |
+| global | boolean | No       | A flag indicating if the role is global or not. If set to false, the default org ID of the authenticated user will be used from the request. Refer to the [About RBAC]({{< relref "../../administration/roles-and-permissions/access-control/" >}}) for more information. |

 #### Example response

@@ -747,6 +747,280 @@ Content-Type: application/json; charset=UTF-8
 | 404  | Role not found.                                                      |
 | 500  | Unexpected error. Refer to body and/or server logs for more details. |

+## Create and remove service account role assignments
+
+### List roles assigned to a service account
+
+`GET /api/access-control/users/:serviceAccountId/roles`
+
+Lists the roles that have been directly assigned to a given service account. The list does not include basic roles (Viewer, Editor, Admin or Grafana Admin).
+
+Query Parameters:
+
+- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`.
+
+#### Required permissions
+
+| Action           | Scope                           |
+| ---------------- | ------------------------------- |
+| users.roles:read | users:id:`<service account ID>` |
+
+#### Example request
+
+```http
+GET /api/access-control/users/1/roles
+Accept: application/json
+```
+
+#### Example response
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+[
+    {
+        "version": 4,
+        "uid": "6dNwJq57z",
+        "name": "fixed:reports:writer",
+        "displayName": "Report writer",
+        "description": "Create, read, update, or delete all reports and shared report settings.",
+        "group": "Reports",
+        "updated": "2021-11-19T10:48:00+01:00",
+        "created": "2021-11-19T10:48:00+01:00",
+        "global": false
+    }
+]
+```
+
+#### Status codes
+
+| Code | Description                                                          |
+| ---- | -------------------------------------------------------------------- |
+| 200  | Set of assigned roles is returned.                                   |
+| 403  | Access denied.                                                       |
+| 500  | Unexpected error. Refer to body and/or server logs for more details. |
+
+### List permissions assigned to a service account
+
+`GET /api/access-control/users/:serviceAccountId/permissions`
+
+Lists the permissions that a given service account has.
+
+#### Required permissions
+
+| Action                 | Scope                           |
+| ---------------------- | ------------------------------- |
+| users.permissions:read | users:id:`<service account ID>` |
+
+#### Example request
+
+```http
+GET /api/access-control/users/1/permissions
+Accept: application/json
+```
+
+#### Example response
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+[
+    {
+        "action": "ldap.status:read",
+        "scope": ""
+    },
+    {
+        "action": "ldap.user:read",
+        "scope": ""
+    }
+]
+```
+
+#### Status codes
+
+| Code | Description                                                          |
+| ---- | -------------------------------------------------------------------- |
+| 200  | Set of assigned permissions is returned.                             |
+| 403  | Access denied.                                                       |
+| 500  | Unexpected error. Refer to body and/or server logs for more details. |
+
+### Add a service account role assignment
+
+`POST /api/access-control/users/:serviceAccountId/roles`
+
+Assign a role to a specific service account.
+
+For bulk updates consider
+[Set service account role assignments]({{< ref "#set-service-account-role-assignments" >}}).
+
+#### Required permissions
+
+`permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has.
+For example, if a user does not have required permissions for creating users, they won't be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.
+
+| Action          | Scope                     |
+| --------------- | ------------------------- |
+| users.roles:add | permissions:type:delegate |
+
+#### Example request
+
+```http
+POST /api/access-control/users/1/roles
+Accept: application/json
+Content-Type: application/json
+
+{
+    "global": false,
+    "roleUid": "XvHQJq57z"
+}
+```
+
+#### JSON body schema
+
+| Field Name | Data Type | Required | Description                                                                                                                                                                                  |
+| ---------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| roleUid    | string    | Yes      | UID of the role.                                                                                                                                                                             |
+| global     | boolean   | No       | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request to create organization local assignment. |
+
+#### Example response
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+{
+    "message": "Role added to the user."
+}
+```
+
+#### Status codes
+
+| Code | Description                                                          |
+| ---- | -------------------------------------------------------------------- |
+| 200  | Role is assigned to a user.                                          |
+| 403  | Access denied.                                                       |
+| 404  | Role not found.                                                      |
+| 500  | Unexpected error. Refer to body and/or server logs for more details. |
+
+## Remove a service account role assignment
+
+`DELETE /api/access-control/users/:serviceAccountId/roles/:roleUID`
+
+Revoke a role from a service account.
+
+For bulk updates consider
+[Set service account role assignments]({{< ref "#set-service-account-role-assignments" >}}).
+
+#### Required permissions
+
+`permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
+For example, if a user does not have required permissions for creating users, they won't be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.
+
+| Action             | Scope                     |
+| ------------------ | ------------------------- |
+| users.roles:remove | permissions:type:delegate |
+
+#### Query parameters
+
+| Param  | Type    | Required | Description                                                                                                                                                               |
+| ------ | ------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| global | boolean | No       | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request to remove assignment. |
+
+#### Example request
+
+```http
+DELETE /api/access-control/users/1/roles/AFUXBHKnk
+Accept: application/json
+```
+
+#### Example response
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+{
+    "message": "Role removed from user."
+}
+```
+
+#### Status codes
+
+| Code | Description                                                          |
+| ---- | -------------------------------------------------------------------- |
+| 200  | Role is unassigned.                                                  |
+| 403  | Access denied.                                                       |
+| 500  | Unexpected error. Refer to body and/or server logs for more details. |
+
+### Set service account role assignments
+
+`PUT /api/access-control/users/:serviceAccountId/roles`
+
+Update the service accounts's role assignments to match the provided set of UIDs.
+This will remove any assigned roles that aren't in the request and add
+roles that are in the set but are not already assigned to the service account.
+
+If you want to add or remove a single role, consider using
+[Add a service account role assignment]({{< ref "#add-a-service-account-role-assignment" >}}) or
+[Remove a service account role assignment]({{< ref "#remove-a-service-account-role-assignment" >}})
+instead.
+
+#### Required permissions
+
+`permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
+For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.
+
+| Action             | Scope                     |
+| ------------------ | ------------------------- |
+| users.roles:add    | permissions:type:delegate |
+| users.roles:remove | permissions:type:delegate |
+
+#### Example request
+
+```http
+PUT /api/access-control/users/1/roles
+Accept: application/json
+Content-Type: application/json
+
+{
+    "global": false,
+    "roleUids": [
+        "ZiHQJq5nk",
+        "GzNQ1357k"
+    ]
+}
+```
+
+#### JSON body schema
+
+| Field Name    | Date Type | Required | Description                                                                                                                                          |
+| ------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| global        | boolean   | No       | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request. |
+| roleUids      | list      | Yes      | List of role UIDs.                                                                                                                                   |
+| includeHidden | boolean   | No       | Specify whether the hidden role assignments should be updated.                                                                                       |
+
+#### Example response
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+{
+    "message": "User roles have been updated."
+}
+```
+
+#### Status codes
+
+| Code | Description                                                          |
+| ---- | -------------------------------------------------------------------- |
+| 200  | Roles have been assigned.                                            |
+| 403  | Access denied.                                                       |
+| 404  | Role not found.                                                      |
+| 500  | Unexpected error. Refer to body and/or server logs for more details. |
+
 ## Create and remove team role assignments

 ### List roles assigned to a team
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				{"keys":[{"kid":"On2FQuJ8Y-909uJGWQEDkbzG-GRNmMc43HslEgVv_VQ","kty":"RSA","alg":"RS256","use":"sig","n":"qDmQHfTcOQOzmNJbVvtvuS8p_EgmiscP7vA_PZNyKx9O7utyGuoAmJH8e2w8gLIDDWHl5_x8aAIl_-TTPTSiyX8I68ryIdR28ZSe5u4pRdpXCVvJpOefKNIxQCTH7rs4KuRj0HZ2u1mu1Vz5_CeCCoKwKSmheD3u1xTJ8-VxQmdqfGxhuKtnkof7977HWOWy4GLDFqxyYHgihP_MmSeTmXUhVeZI6IOCqHMpF8eFWVGKM6V8rIKf8QO2K_vDJBM_3C933vMY8mqSQXbI3G54x-0myAaQXr4JkxjvUGKg5YC3ZXw7AjfZv_W_fQOG0GYp2hQ0akR4KNKT3XPNmpMVlQ","e":"AQAB","x5c":["MIICnTCCAYUCBgF+u1ir8jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdncmFmYW5hMB4XDTIyMDIwMjE2NDkxN1oXDTMyMDIwMjE2NTA1N1owEjEQMA4GA1UEAwwHZ3JhZmFuYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKg5kB303DkDs5jSW1b7b7kvKfxIJorHD+7wPz2TcisfTu7rchrqAJiR/HtsPICyAw1h5ef8fGgCJf/k0z00osl/COvK8iHUdvGUnubuKUXaVwlbyaTnnyjSMUAkx+67OCrkY9B2drtZrtVc+fwnggqCsCkpoXg97tcUyfPlcUJnanxsYbirZ5KH+/e+x1jlsuBiwxascmB4IoT/zJknk5l1IVXmSOiDgqhzKRfHhVlRijOlfKyCn/EDtiv7wyQTP9wvd97zGPJqkkF2yNxueMftJsgGkF6+CZMY71BioOWAt2V8OwI32b/1v30DhtBmKdoUNGpEeCjSk91zzZqTFZUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEABlW64QxuREB81VMGsyhj4Q5RykFaVuD5O8YlwUpmVfAVLzb0Drf54Kn4bnpnckKyYV+T+HsN4QXt81UE41xH0Aai2H3vrGH+PJf6aLPCDE+jpMqtN3n6IgImJXJPL8upMfhhWDv4nkM4uynEwWupzmrKi4oJuTETSMktJby4o6//XWnCzCVMoAGFJU4gtjBUzOMLW26zD+yc+BuUtfR3HzItVHSZKQSNSFO0kVS68RgrER8qJw07z3BOJ2bPpPM0PYyEngGMaowz/T6lI32ymGMWYMAnslthS1KAW9xcTBwnrW1nMhe5a0LPxIktys/wJtxIHZLc5sOddGT4xYklLg=="],"x5t":"prs-h1NBqOSJMH-tQWLTqguWets","x5t#S256":"YjK3HobZW8xbNL1IPDgFhCM41UC5c0hG2cxaF6v961Q"}]}