docs: added permissions page and updated folder docs

17c1e7ba · Torkel Ödegaard · b1a93607 · 17c1e7ba · 17c1e7ba · 17c1e7ba
Commit 17c1e7ba authored Jan 31, 2018 by Torkel Ödegaard
5 changed files
--- a/docs/sources/administration/permissions.md
+++ b/docs/sources/administration/permissions.md
+++
+title = "Permissions"
+description = "Grafana user permissions"
+keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
+type = "docs"
+aliases = ["/reference/admin"]
+[menu.docs]
+name = "Permissions"
+parent = "admin"
+weight = 3
+++
+# Permissions
+Grafana users have permissions that are determined by their:
+- **Organization Role** (Admin, Editor, Viewer)
+- Via **Team** memberships where the **Team** has been assigned specific permissions.
+- Via permissions assigned directly to user (on folders or dashboards)
+- The Grafana Admin (i.e. Super Admin) user flag.
+## Organization Roles
+Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
+in that organization.
+### Admin Role
+Can do everything scoped to the organization. For example:
+- Add & Edit data data sources.
+- Add & Edit organization users & teams.
+- Configure App plugins & set org settings.
+### Editor Role
+- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
+- **Cannot** create or edit data sources nor invite new users.
+### Viewer Role
+- View any dashboard. This can be disabled on specific folders and dashboards.
+- **Cannot** create or edit dashboards nor data sources.
+This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
+with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
+Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
+## Grafana Admin
+This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
+### Dashboard & Folder Permissions
+{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
+For dashboards and dashboard folders there is a **Permissions** page that make it possible to
+remove the default role based permssions for Editors and Viewers. It's here you can add and assign permissions to specific **Users** and **Teams**.
+You can assign & remove permissions for **Organization Roles**, **Users** and **Teams**.
+Permission levels:
+- **Admin**: Can edit & create dashboards and edit permissions.
+- **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
+- **View**: Can only view existing dashboars/folders.
+#### Restricting access
+The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the
+Access Control List (ACL).
+- You cannot override permissions for users with **Org Admin Role**
+- A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
--- a/docs/sources/guides/whats-new-in-v5.md
+++ b/docs/sources/guides/whats-new-in-v5.md
@@ -30,7 +30,7 @@ This is the most substantial update that Grafana has ever seen. This article wil
 ## New Dashboard Layout Engine
-{{< docs-imagebox img="/img/docs/v50/new_grid.png" max-width="700px" class="docs-image--right">}}
+{{< docs-imagebox img="/img/docs/v50/new_grid.png" max-width="1000px" class="docs-image--right">}}
 The new dashboard layout engine allows for much easier movement & sizing of panels as other panels now move out of the way in
 a very intuitive way. No longer do you need to use rows to create layouts as panels are sized independently. This opens
@@ -43,7 +43,7 @@ with older versions of Grafana.
 ## New UX
-{{< docs-imagebox img="/img/docs/v50/new_ux_nav.png" max-width="700px" class="docs-image--right" >}}
+{{< docs-imagebox img="/img/docs/v50/new_ux_nav.png" max-width="1000px" class="docs-image--right" >}}
 Almost every page has been seen significant UX improvements. All pages (except dashboard) has new tab-based layout that improves navigation between pages. The side menu has also changed quite a bit. You can still hide the side menu completely if you click on the Grafana logo.
@@ -51,7 +51,7 @@ Almost every page has been seen significant UX improvements. All pages (except d
 ### Dashboard Settings
-{{< docs-imagebox img="/img/docs/v50/dashboard_settings.png" max-width="700px" class="docs-image--right" >}}
+{{< docs-imagebox img="/img/docs/v50/dashboard_settings.png" max-width="1000px" class="docs-image--right" >}}
 Dashboard has new header toolbar look where buttons and actions are now all moved to the right. All the dashboard
 settings views has been combined with a side nav which allows you to easily move between different setting categories.
@@ -59,7 +59,7 @@ settings views has been combined with a side nav which allows you to easily move
 ## New Light Theme
-{{< docs-imagebox img="/img/docs/v50/new_white_theme.png" max-width="700px" class="docs-image--right" >}}
+{{< docs-imagebox img="/img/docs/v50/new_white_theme.png" max-width="1000px" class="docs-image--right" >}}
 This theme has not seen a lot of love in recent years and we felt it was time to rework it and give it a major overhaul. We are very happy with the result.
@@ -67,7 +67,7 @@ This theme has not seen a lot of love in recent years and we felt it was time to
 ## Dashboard Folders
-{{< docs-imagebox img="/img/docs/v50/new_search.png" max-width="700px" class="docs-image--right" >}}
+{{< docs-imagebox img="/img/docs/v50/new_search.png" max-width="1000px" class="docs-image--right" >}}
 The big new feature that comes with Grafana v5.0 is dashboard folders. Now you can organize your dashboards in folders
 which is very useful if you have a lot of dashboards or multiple teams.
@@ -83,7 +83,7 @@ We hope to do more with teams in future releases like integration with LDAP & a 
 ## Permissions
-{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="700px" class="docs-image--right" >}}
+{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="1000px" class="docs-image--right" >}}
 You can assign permissions to folders and dashboards. The default user role-based permissions can be removed and replaced with specific teams or users enabling more control over what a user can see & edit.

--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@@ -296,7 +296,7 @@ options are `Admin` and `Editor`. e.g. :
 `auto_assign_org_role = Viewer`
-### viewers can edit
+### viewers_can_edit
 Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
 Defaults to `false`.

--- a/docs/sources/reference/admin.md
+++ b/docs/sources/reference/admin.md
-+++
-title = "Admin Roles"
-description = "Users & Organization permission and administration"
-keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
-type = "docs"
-[menu.docs]
-name = "Admin Roles"
-parent = "admin"
-weight = 3
-+++
-# Administration
-Grafana has two levels of administrators:
-* Organizational administrators: These admins can manage users within specific organizations in a particular Grafana installation
-* Grafana administrators: These super admins can manage users across all organizations in a Grafana installation. They can also change and access system-wide settings.
-## Organizational Administrators
-As an Organizational administrator, you can add `Data Sources`, add Users to your Organization and
-modify Organization details and options.
-> *Note*: If Grafana is configured with `users.allow_org_create = true`, any User of any Organization will be able to
-> start their own Organization and become the administrator of that Organization.
-## Grafana Administrators
-<img src="/img/v2/admin_sidenav.png" class="pull-right" style="margin-left: 15px">
-As a Grafana Administrator, you have complete access to any Organization or User in that instance of Grafana.
-When performing actions as a Grafana admin, the sidebar will change it's appearance as below to indicate you are performing global server administration.
-From the Grafana Server Admin page, you can access the System Info page which summarizes all of the backend configuration settings of the Grafana server.
-## Why would I have multiple Organizations?
-Organizations in Grafana are best suited for a **multi-tenant deployment**. In a multi-tenant deployment,
-Organizations can be used to provide a full Grafana experience to different sets of users from a single Grafana instance,
-at the convenience of the Grafana Administrator.
-In most cases, a Grafana installation will only have **one** Organization. Since dashboards, data sources and other configuration items are not shared between organizations, there's no need to create multiple Organizations if you want all your users to have access to the same set of dashboards and data.
--- a/docs/sources/reference/dashboard_folders.md
+++ b/docs/sources/reference/dashboard_folders.md
@@ -14,20 +14,16 @@ Folders are a way to organize and group dashboards - very useful if you have a l
 ## How To Create A Folder
- Create a folder by using the Create Folder link in the side menu.
+- Create a folder by using the Create Folder link in the side menu (under the create menu (+ icon))
-    ![](/img/docs/v50/create_folder_menu.png)
 - Use the create Folder button on the Manage Dashboards page.
+- When saving a dashboard, you can either choose a folder for the dashboard to be saved in or create a new folder
- When saving a dashboard, you can either choose a folder for the dashboard to be saved in or create a new folder (coming in 5.0 beta)
 On the Create Folder page, fill in a unique name for the folder and press Create.
-![](/img/docs/v50/create_folder_page.png)
 ## Manage Dashboards
+{{< docs-imagebox img="/img/docs/v50/manage_dashboard_menu.png" max-width="300px" class="docs-image--right" >}}
 There is a new Manage Dashboards page where you can carry out a variety of tasks:
 - create a folder
@@ -36,62 +32,21 @@ There is a new Manage Dashboards page where you can carry out a variety of tasks
 - delete multiple dashboards
 - navigate to a folder page (where you can set permissions for a folder and/or its dashboards)
-There is a new option in the Dashboards menu for the Manage Dashboards page:
-  ![](/img/docs/v50/manage_dashboard_menu.png)
-Here you can manage your dashboards:
-![](/img/docs/v50/manage_dashboards_page.png)
-Or you can go directly to a Dashboard Folder page via Dashboard Search by clicking on the cog icon:
-![](/img/docs/v50/go_to_dashboard_folder_page.png)
 ## Dashboard Folder Page
-The Dashboard Folder Page is similar to the Manage Dashboards page and is where you can carry out the following tasks:
+You reach the dashboard folder page by clicking on the cog icon that appears when you hover
+over a folder in the dashboard list in the search result or on the Manage dashboards page.
- allows you to move or delete dashboards in a folder.
- rename a folder (under the Settings tab).
- set permissions on the whole folder.
- set permissions on a single dashboard.
-## Dashboard Permissions (Not enabled in Grafana 5.0 alpha)
-An Access Control List (ACL) model is used for permissions on Dashboard Folders. An individual user can be assigned permissions on a folder or a Team.
-The permissions that can be assigned for a folder are: View, Edit, Admin.
-The default is that:
- everyone has access to a folder and that their permissions depend on their user role (Viewer, Editor or Admin).
- An Admin or Editor can remove the default access for everyone and can then assign a user or team to a Dashboard Folder.
- Teams make it easier to assign permissions for multiple users to multiple dashboards.
-Other Dashboard Folder rules:
+The Dashboard Folder Page is similar to the Manage Dashboards page and is where you can carry out the following tasks:
- Users with the Admin and Editor role are allowed to create new Dashboard Folders.
- Users with the Viewer role are not allowed to create new Dashboard Folders.
- Editors who are owners and Admins can assign permissions to users or teams for Dashboard Folders.
- Default permissions can be removed except for the Admin permissions (View, Edit). 
-### Limiting Permissions on a Folder
-To limit permissions on a folder or dashboard:
-1. go to the permissions tab on the Dashboard Folder page
-2. remove the default permissions (Everyone with Editor Role / Everyone with Viewer Role)
-3. Give a team or user specific permissions. For example: `frontend-team can edit` and `ops-team can view`.
-Remember that users with the Admin role will always have permission to all folders and dashboards.
-## Teams (Not enabled in Grafana 5.0 alpha)
+- Allows you to move or delete dashboards in a folder.
+- Rename a folder (under the Settings tab).
+- Set permissions for the folder (inherited by dashboards in the folder).
-Teams is a new concept for Grafana 5.0. A team is a group of users that can be assigned permissions on a dashboard folder or a dashboard.
+## Permissions
-How Teams Work:
+Permissions can assigned to a folder and inherited by the containing dashboards. An Access Control List (ACL) is used where
+**Organization Role**, **Team** and Individual **User** can be assigned permissions. Read the
+ [Dashboard & Folder Permissions]({{< relref "administration/permissions.md#dashboard-folder-permissions" >}}) docs for more detail
+ on the permission system.
- Admins can create teams.
- No hierarchies. Teams cannot contain teams.
- If a user belongs to multiple teams, their permissions are merged to give them the highest permission possible for a dashboard folder or dashboard.