Commit 621525d1 by Marcus Efraimsson

restructure administration/permissions page into a section with sub pages

parent a8e2840f
...@@ -22,9 +22,9 @@ that can only be found in the Enterprise edition. ...@@ -22,9 +22,9 @@ that can only be found in the Enterprise edition.
With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link). With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link).
### Data source permissions ### Datasource Permissions
Assign and restrict query permissions on Data Sources to specific teams or users. [Learn More](link). Datasource permissions allows you to restrict access for users to query a datasource. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}).
## Try Grafana Enterprise ## Try Grafana Enterprise
......
+++ +++
title = "Permissions" title = "Dashboard & Folder Permissions"
description = "Grafana user permissions" description = "Grafana Dashboard & Folder Permissions Guide "
keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"] keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
type = "docs" type = "docs"
aliases = ["/reference/admin"]
[menu.docs] [menu.docs]
name = "Permissions" name = "Dashboard & Folder Permissions"
parent = "admin" identifier = "dashboard-folder-permissions"
parent = "permissions"
weight = 3 weight = 3
+++ +++
# Permissions # Dashboard & Folder Permissions
Grafana users have permissions that are determined by their:
- **Organization Role** (Admin, Editor, Viewer)
- Via **Team** memberships where the **Team** has been assigned specific permissions.
- Via permissions assigned directly to user (on folders or dashboards)
- The Grafana Admin (i.e. Super Admin) user flag.
## Organization Roles
Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
in that organization.
### Admin Role
Can do everything scoped to the organization. For example:
- Add & Edit data sources.
- Add & Edit organization users & teams.
- Configure App plugins & set org settings.
### Editor Role
- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit data sources nor invite new users.
### Viewer Role
- View any dashboard. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit dashboards nor data sources.
This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
## Grafana Admin
This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
### Dashboard & Folder Permissions
{{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}} {{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}
...@@ -65,16 +25,16 @@ Permission levels: ...@@ -65,16 +25,16 @@ Permission levels:
- **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions. - **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
- **View**: Can only view existing dashboards/folders. - **View**: Can only view existing dashboards/folders.
#### Restricting Access ## Restricting Access
The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL). The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).
- You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything. - You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything.
- A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule. - A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.
#### How Grafana Resolves Multiple Permissions - Examples ### How Grafana Resolves Multiple Permissions - Examples
##### Example 1 (`user1` has the Editor Role) #### Example 1 (`user1` has the Editor Role)
Permissions for a dashboard: Permissions for a dashboard:
...@@ -83,7 +43,7 @@ Permissions for a dashboard: ...@@ -83,7 +43,7 @@ Permissions for a dashboard:
Result: `user1` has Edit permission as the highest permission always wins. Result: `user1` has Edit permission as the highest permission always wins.
##### Example 2 (`user1` has the Viewer Role and is a member of `team1`) #### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
Permissions for a dashboard: Permissions for a dashboard:
...@@ -93,7 +53,7 @@ Permissions for a dashboard: ...@@ -93,7 +53,7 @@ Permissions for a dashboard:
Result: `user1` has Admin permission as the highest permission always wins. Result: `user1` has Admin permission as the highest permission always wins.
##### Example 3 #### Example 3
Permissions for a dashboard: Permissions for a dashboard:
...@@ -105,12 +65,3 @@ Result: You cannot override to a lower permission. `user1` has Admin permission ...@@ -105,12 +65,3 @@ Result: You cannot override to a lower permission. `user1` has Admin permission
- **View**: Can only view existing dashboards/folders. - **View**: Can only view existing dashboards/folders.
- You cannot override permissions for users with **Org Admin Role** - You cannot override permissions for users with **Org Admin Role**
- A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule. - A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
### Data source permissions
Permissions on dashboards and folders **do not** include permissions on data sources. A user with `Viewer` role
can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
We hope to add permissions on data sources in a future release. Until then **do not** view dashboard permissions as a secure
way to restrict user data access. Dashboard permissions only limits what dashboards & folders a user can view & edit not which
data sources a user can access nor what queries a user can issue.
+++
title = "Datasource Permissions"
description = "Grafana Datasource Permissions Guide "
keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams"]
type = "docs"
[menu.docs]
name = "Datasource Permissions"
identifier = "datasource-permissions"
parent = "permissions"
weight = 4
+++
# Datasource Permissions
> Datasource Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
Datasource permissions allows you to restrict access for users to query a datasource. For each datasource there is
a permission page that makes it possible to enable permissions and add restrict query permissions to specific
**Users** and **Teams**.
## Restricting Access - Enable Permissions
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_enable.gif" >}}
By default, permissions are disabled for datasources and a datasource in an organization can be queried by any user in
that organization. For example a user with `Viewer` role can still issue any possible query to a datasource, not just
those queries that exist on dashboards he/she has access to.
When permissions are enabled for a datasource in an organization you will restrict admin and query access for that
datasource to [admin users](/permissions/organization_roles/#admin-role) in that organization.
**To enable permissions for a datasource:**
1. Navigate to Configuration / Data Sources.
2. Select the datasource you want to enable permissions for.
3. Select the Permissions tab and click on the `Enable` button.
<div class="clearfix"></div>
## Allow users and teams to query a datasource
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_add.gif" >}}
After you have [enabled permissions](#restricting-access-enable-permissions) for a datasource you can assign query
permissions to users and teams which will allow access to query the datasource.
**Assign query permission to users and teams:**
1. Navigate to Configuration / Data Sources.
2. Select the datasource you want to assign query permissions for.
3. Select the Permissions tab.
4. click on the `Add Permission` button.
5. Select Team/User and find the team/user you want to allow query access and click on the `Save` button.
<div class="clearfix"></div>
## Restore Default Access - Disable Permissions
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}}
If you have enabled permissions for a datasource and want to revoke datasource permissions to the default, i.e.
datasource can be queried by any user in that organization, you can disable permissions with a click of a button.
Note that all existing permissions created for datasource will be deleted.
**To disable permissions for a datasource:**
1. Navigate to Configuration / Data Sources.
2. Select the datasource you want to disable permissions for.
3. Select the Permissions tab and click on the `Disable Permissions` button.
<div class="clearfix"></div>
+++
title = "Permissions"
description = "Permissions"
type = "docs"
[menu.docs]
name = "Permissions"
identifier = "permissions"
parent = "admin"
weight = 3
+++
+++
title = "Organization Roles"
description = "Grafana Organization Roles Guide "
keywords = ["grafana", "configuration", "documentation", "organization", "roles", "permissions"]
type = "docs"
[menu.docs]
name = "Organization Roles"
identifier = "organization-roles"
parent = "permissions"
weight = 2
+++
# Organization Roles
Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
in that organization.
## Admin Role
Can do everything scoped to the organization. For example:
- Add & Edit data sources.
- Add & Edit organization users & teams.
- Configure App plugins & set org settings.
## Editor Role
- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit data sources nor invite new users.
## Viewer Role
- View any dashboard. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit dashboards nor data sources.
This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
+++
title = "Overview"
description = "Overview for permissions"
keywords = ["grafana", "configuration", "documentation", "admin", "users", "datasources", "permissions"]
type = "docs"
aliases = ["/reference/admin", "/administration/permissions/"]
[menu.docs]
name = "Overview"
identifier = "overview-permissions"
parent = "permissions"
weight = 1
+++
# Permissions Overview
Grafana users have permissions that are determined by their:
- **Organization Role** (Admin, Editor, Viewer)
- Via **Team** memberships where the **Team** has been assigned specific permissions.
- Via permissions assigned directly to user (on folders, dashboards, datasources)
- The Grafana Admin (i.e. Super Admin) user flag.
## Grafana Admin
This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
## Organization Roles
Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
in that organization. Learn more about [Organization Roles]({{< relref "permissions/organization_roles.md" >}}).
## Dashboard & Folder Permissions
Dashboard and folder permissions allows you to remove the default role based permissions for Editors and Viewers and assign permissions to specific **Users** and **Teams**. Learn more about [Dashboard & Folder Permissions]({{< relref "permissions/dashboard_folder_permissions.md" >}}).
## Datasource Permissions
Per default, a datasource in an organization can be queried by any user in that organization. For example a user with `Viewer` role can still
issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
Datasource permissions allows you to change the default permissions for datasources and restrict query permissions to specific **Users** and **Teams**. Read more about [Datasource Permissions]({{< relref "permissions/datasource_permissions.md" >}}).
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment