Torkel Ödegaard
3.2 KiB
3.2 KiB
+++ title = "Fine-grained access control references" description = "Refer to fine-grained access control references" keywords = ["grafana", "fine-grained-access-control", "roles", "fixed-roles", "built-in-role-assignments", "permissions", "enterprise"] weight = 130 +++
Fine-grained access control references
The reference information that follows complements conceptual information about [Roles]({{< relref "./roles.md" >}}).
Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions |
|---|---|---|
| fixed:permissions:admin:read | roles:read roles:list roles.builtin:list |
Allows to list and get available roles and built-in role assignments. |
| fixed:permissions:admin:edit | All permissions from fixed:permissions:admin:read and roles:write roles:delete roles.builtin:add roles.builtin:remove |
Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
| fixed:reporting:admin:read | reports:read reports:send reports.settings:read |
Allows to read reports and report settings. |
| fixed:reporting:admin:edit | All permissions from fixed:reporting:admin:read and reports.admin:write reports:delete reports.settings:write |
Allows every read action for reports and in addition allows to administer reports. |
| fixed:users:admin:read | users.authtoken:list users.quotas:list users:read users.teams:read |
Allows to list and get users and related information. |
| fixed:users:admin:edit | All permissions from fixed:users:admin:read and users.password:update users:write users:create users:delete users:enable users:disable users.permissions:update users:logout users.authtoken:update users.quotas:update |
Allows every read action for users and in addition allows to administer users. |
| fixed:users:org:read | org.users:read | Allows to get user organizations. |
| fixed:users:org:edit | All permissions from fixed:users:org:read and org.users:add org.users:remove org.users.role:update |
Allows every read action for user organizations and in addition allows to administer user organizations. |
| fixed:ldap:admin:read | ldap.user:read ldap.status:read |
Allows to read LDAP information and status. |
| fixed:ldap:admin:edit | All permissions from fixed:ldap:admin:read and ldap.user:sync |
Allows every read action for LDAP and in addition allows to administer LDAP. |
Default built-in role assignments
| Built-in roles | Associated roles | Descriptions |
|---|---|---|
| Grafana Admin | fixed:permissions:admin:edit fixed:permissions:admin:read fixed:reporting:admin:edit fixed:reporting:admin:read fixed:users:admin:edit fixed:users:admin:read fixed:users:org:edit fixed:users:org:read fixed:ldap:admin:edit fixed:ldap:admin:read |
Allows access to resources which [Grafana Server Admin]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has permissions by default. |
| Admin | fixed:users:org:edit fixed:users:org:read fixed:reporting:admin:edit fixed:reporting:admin:read |
Allows access to resource which [Admin]({{< relref "../../permissions/organization_roles.md" >}}) has permissions by default. |