Skip to content

N
nexpie-grafana-theme
Commit 17c1e7ba by Torkel Ödegaard
Options

docs: added permissions page and updated folder docs

parent b1a93607
Showing with 96 additions and 109 deletions
docs/sources/administration/permissions.md 0 → 100644
+++
title = "Permissions"
description = "Grafana user permissions"
keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
type = "docs"
aliases = ["/reference/admin"]
[menu.docs]
name = "Permissions"
parent = "admin"
weight = 3
+++
# Permissions
Grafana users have permissions that are determined by their:
- **Organization Role** (Admin, Editor, Viewer)
- Via **Team** memberships where the **Team** has been assigned specific permissions.
- Via permissions assigned directly to user (on folders or dashboards)
- The Grafana Admin (i.e. Super Admin) user flag.
## Organization Roles
Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
in that organization.
### Admin Role
Can do everything scoped to the organization. For example:
- Add & Edit data data sources.
- Add & Edit organization users & teams.
- Configure App plugins & set org settings.
### Editor Role
- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit data sources nor invite new users.
### Viewer Role
- View any dashboard. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit dashboards nor data sources.
This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
## Grafana Admin
This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
### Dashboard & Folder Permissions
{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
For dashboards and dashboard folders there is a **Permissions** page that make it possible to
remove the default role based permssions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**.
You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**.
Permission levels:
- **Admin**: Can edit & create dashboards and edit permissions.
- **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
- **View**: Can only view existing dashboars/folders.
#### Restricting access
The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the
Access Control List (ACL).
- You cannot override permissions for users with **Org Admin Role**
- A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
docs/sources/guides/whats-new-in-v5.md
......@@ -30,7 +30,7 @@ This is the most substantial update that Grafana has ever seen. This article wil
## New Dashboard Layout Engine
{{< docs-imagebox img="/img/docs/v50/new_grid.png" max-width="700px" class="docs-image--right">}}
{{< docs-imagebox img="/img/docs/v50/new_grid.png" max-width="1000px" class="docs-image--right">}}
The new dashboard layout engine allows for much easier movement & sizing of panels as other panels now move out of the way in
a very intuitive way. No longer do you need to use rows to create layouts as panels are sized independently. This opens
......@@ -43,7 +43,7 @@ with older versions of Grafana.
## New UX
{{< docs-imagebox img="/img/docs/v50/new_ux_nav.png" max-width="700px" class="docs-image--right" >}}
{{< docs-imagebox img="/img/docs/v50/new_ux_nav.png" max-width="1000px" class="docs-image--right" >}}
Almost every page has been seen significant UX improvements. All pages (except dashboard) has new tab-based layout that improves navigation between pages. The side menu has also changed quite a bit. You can still hide the side menu completely if you click on the Grafana logo.
......@@ -51,7 +51,7 @@ Almost every page has been seen significant UX improvements. All pages (except d
### Dashboard Settings
{{< docs-imagebox img="/img/docs/v50/dashboard_settings.png" max-width="700px" class="docs-image--right" >}}
{{< docs-imagebox img="/img/docs/v50/dashboard_settings.png" max-width="1000px" class="docs-image--right" >}}
Dashboard has new header toolbar look where buttons and actions are now all moved to the right. All the dashboard
settings views has been combined with a side nav which allows you to easily move between different setting categories.
......@@ -59,7 +59,7 @@ settings views has been combined with a side nav which allows you to easily move
## New Light Theme
{{< docs-imagebox img="/img/docs/v50/new_white_theme.png" max-width="700px" class="docs-image--right" >}}
{{< docs-imagebox img="/img/docs/v50/new_white_theme.png" max-width="1000px" class="docs-image--right" >}}
This theme has not seen a lot of love in recent years and we felt it was time to rework it and give it a major overhaul. We are very happy with the result.
......@@ -67,7 +67,7 @@ This theme has not seen a lot of love in recent years and we felt it was time to
## Dashboard Folders
{{< docs-imagebox img="/img/docs/v50/new_search.png" max-width="700px" class="docs-image--right" >}}
{{< docs-imagebox img="/img/docs/v50/new_search.png" max-width="1000px" class="docs-image--right" >}}
The big new feature that comes with Grafana v5.0 is dashboard folders. Now you can organize your dashboards in folders
which is very useful if you have a lot of dashboards or multiple teams.
......@@ -83,7 +83,7 @@ We hope to do more with teams in future releases like integration with LDAP & a
## Permissions
{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="700px" class="docs-image--right" >}}
{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="1000px" class="docs-image--right" >}}
You can assign permissions to folders and dashboards. The default user role-based permissions can be removed and replaced with specific teams or users enabling more control over what a user can see & edit.
......
docs/sources/installation/configuration.md
......@@ -296,7 +296,7 @@ options are `Admin` and `Editor`. e.g. :
`auto_assign_org_role = Viewer`
### viewers can edit
### viewers_can_edit
Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
Defaults to `false`.
......
docs/sources/reference/admin.md deleted 100644 → 0
+++
title = "Admin Roles"
description = "Users & Organization permission and administration"
keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
type = "docs"
[menu.docs]
name = "Admin Roles"
parent = "admin"
weight = 3
+++
# Administration
Grafana has two levels of administrators:
* Organizational administrators: These admins can manage users within specific organizations in a particular Grafana installation
* Grafana administrators: These super admins can manage users across all organizations in a Grafana installation. They can also change and access system-wide settings.
## Organizational Administrators
As an Organizational administrator, you can add `Data Sources`, add Users to your Organization and
modify Organization details and options.
> *Note*: If Grafana is configured with `users.allow_org_create = true`, any User of any Organization will be able to
> start their own Organization and become the administrator of that Organization.
## Grafana Administrators
<img src="/img/v2/admin_sidenav.png" class="pull-right" style="margin-left: 15px">
As a Grafana Administrator, you have complete access to any Organization or User in that instance of Grafana.
When performing actions as a Grafana admin, the sidebar will change it's appearance as below to indicate you are performing global server administration.
From the Grafana Server Admin page, you can access the System Info page which summarizes all of the backend configuration settings of the Grafana server.
## Why would I have multiple Organizations?
Organizations in Grafana are best suited for a **multi-tenant deployment**. In a multi-tenant deployment,
Organizations can be used to provide a full Grafana experience to different sets of users from a single Grafana instance,
at the convenience of the Grafana Administrator.
In most cases, a Grafana installation will only have **one** Organization. Since dashboards, data sources and other configuration items are not shared between organizations, there's no need to create multiple Organizations if you want all your users to have access to the same set of dashboards and data.
docs/sources/reference/dashboard_folders.md
......@@ -14,20 +14,16 @@ Folders are a way to organize and group dashboards - very useful if you have a l
## How To Create A Folder
- Create a folder by using the Create Folder link in the side menu.
![](/img/docs/v50/create_folder_menu.png)
- Create a folder by using the Create Folder link in the side menu (under the create menu (+ icon))
- Use the create Folder button on the Manage Dashboards page.
- When saving a dashboard, you can either choose a folder for the dashboard to be saved in or create a new folder (coming in 5.0 beta)
- When saving a dashboard, you can either choose a folder for the dashboard to be saved in or create a new folder
On the Create Folder page, fill in a unique name for the folder and press Create.
![](/img/docs/v50/create_folder_page.png)
## Manage Dashboards
{{< docs-imagebox img="/img/docs/v50/manage_dashboard_menu.png" max-width="300px" class="docs-image--right" >}}
There is a new Manage Dashboards page where you can carry out a variety of tasks:
- create a folder
......@@ -36,62 +32,21 @@ There is a new Manage Dashboards page where you can carry out a variety of tasks
- delete multiple dashboards
- navigate to a folder page (where you can set permissions for a folder and/or its dashboards)
There is a new option in the Dashboards menu for the Manage Dashboards page:
![](/img/docs/v50/manage_dashboard_menu.png)
Here you can manage your dashboards:
![](/img/docs/v50/manage_dashboards_page.png)
Or you can go directly to a Dashboard Folder page via Dashboard Search by clicking on the cog icon:
![](/img/docs/v50/go_to_dashboard_folder_page.png)
## Dashboard Folder Page
The Dashboard Folder Page is similar to the Manage Dashboards page and is where you can carry out the following tasks:
- allows you to move or delete dashboards in a folder.
- rename a folder (under the Settings tab).
- set permissions on the whole folder.
- set permissions on a single dashboard.
## Dashboard Permissions (Not enabled in Grafana 5.0 alpha)
An Access Control List (ACL) model is used for permissions on Dashboard Folders. An individual user can be assigned permissions on a folder or a Team.
The permissions that can be assigned for a folder are: View, Edit, Admin.
The default is that:
- everyone has access to a folder and that their permissions depend on their user role (Viewer, Editor or Admin).
- An Admin or Editor can remove the default access for everyone and can then assign a user or team to a Dashboard Folder.
- Teams make it easier to assign permissions for multiple users to multiple dashboards.
You reach the dashboard folder page by clicking on the cog icon that appears when you hover
over a folder in the dashboard list in the search result or on the Manage dashboards page.
Other Dashboard Folder rules:
- Users with the Admin and Editor role are allowed to create new Dashboard Folders.
- Users with the Viewer role are not allowed to create new Dashboard Folders.
- Editors who are owners and Admins can assign permissions to users or teams for Dashboard Folders.
- Default permissions can be removed except for the Admin permissions (View, Edit).
### Limiting Permissions on a Folder
To limit permissions on a folder or dashboard:
1. go to the permissions tab on the Dashboard Folder page
2. remove the default permissions (Everyone with Editor Role / Everyone with Viewer Role)
3. Give a team or user specific permissions. For example: `frontend-team can edit` and `ops-team can view`.
Remember that users with the Admin role will always have permission to all folders and dashboards.
The Dashboard Folder Page is similar to the Manage Dashboards page and is where you can carry out the following tasks:
## Teams (Not enabled in Grafana 5.0 alpha)
- Allows you to move or delete dashboards in a folder.
- Rename a folder (under the Settings tab).
- Set permissions for the folder (inherited by dashboards in the folder).
Teams is a new concept for Grafana 5.0. A team is a group of users that can be assigned permissions on a dashboard folder or a dashboard.
## Permissions
How Teams Work:
Permissions can assigned to a folder and inherited by the containing dashboards. An Access Control List (ACL) is used where
**Organization Role**, **Team** and Individual **User** can be assigned permissions. Read the
[Dashboard & Folder Permissions]({{< relref "administration/permissions.md#dashboard-folder-permissions" >}}) docs for more detail
on the permission system.
- Admins can create teams.
- No hierarchies. Teams cannot contain teams.
- If a user belongs to multiple teams, their permissions are merged to give them the highest permission possible for a dashboard folder or dashboard.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment