restructure administration/permissions page into a section with sub pages

621525d1 · Marcus Efraimsson · a8e2840f · 621525d1 · 621525d1 · 621525d1
Commit 621525d1 authored Oct 30, 2018 by Marcus Efraimsson
6 changed files
--- a/docs/sources/enterprise/index.md
+++ b/docs/sources/enterprise/index.md
@@ -22,9 +22,9 @@ that can only be found in the Enterprise edition.

 With Grafana Enterprise you can setup syncing between LDAP Groups and Teams. [Learn More](link).

-### Data source permissions
+### Datasource Permissions

-Assign and restrict query permissions on Data Sources to specific teams or users. [Learn More](link).
+Datasource permissions allows you to restrict access for users to query a datasource. [Learn More]({{< relref "permissions/datasource_permissions.md" >}}).

 ## Try Grafana Enterprise


--- a/docs/sources/administration/permissions.md
+++ b/docs/sources/administration/permissions.md
 +++
-title = "Permissions"
-description = "Grafana user permissions"
-keywords = ["grafana", "configuration", "documentation", "admin", "users", "permissions"]
+title = "Dashboard & Folder Permissions"
+description = "Grafana Dashboard & Folder Permissions Guide "
+keywords = ["grafana", "configuration", "documentation", "dashboard", "folder", "permissions", "teams"]
 type = "docs"
-aliases = ["/reference/admin"]
 [menu.docs]
-name = "Permissions"
-parent = "admin"
+name = "Dashboard & Folder Permissions"
+identifier = "dashboard-folder-permissions"
+parent = "permissions"
 weight = 3
 +++

-# Permissions
-
-Grafana users have permissions that are determined by their:
-
- **Organization Role** (Admin, Editor, Viewer)
- Via **Team** memberships where the **Team** has been assigned specific permissions.
- Via permissions assigned directly to user (on folders or dashboards)
- The Grafana Admin (i.e. Super Admin) user flag.
-
-## Organization Roles
-
-Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
-in that organization.
-
-### Admin Role
-
-Can do everything scoped to the organization. For example:
-
- Add & Edit data sources.
- Add & Edit organization users & teams.
- Configure App plugins & set org settings.
-
-### Editor Role
-
- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit data sources nor invite new users.
-
-### Viewer Role
-
- View any dashboard. This can be disabled on specific folders and dashboards.
- **Cannot** create or edit dashboards nor data sources.
-
-This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
-with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
-Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
-
-## Grafana Admin
-
-This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
-
-### Dashboard & Folder Permissions
+# Dashboard & Folder Permissions

 {{< docs-imagebox img="/img/docs/v50/folder_permissions.png" max-width="500px" class="docs-image--right" >}}

@@ -65,16 +25,16 @@ Permission levels:
 - **Edit**: Can edit & create dashboards. **Cannot** edit folder/dashboard permissions.
 - **View**: Can only view existing dashboards/folders.

-#### Restricting Access
+## Restricting Access

 The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the **Organization Role** based permission from the Access Control List (ACL).

 - You cannot override permissions for users with the **Org Admin Role**. Admins always have access to everything.
 - A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.

-#### How Grafana Resolves Multiple Permissions - Examples
+### How Grafana Resolves Multiple Permissions - Examples

-##### Example 1 (`user1` has the Editor Role)
+#### Example 1 (`user1` has the Editor Role)

 Permissions for a dashboard:

@@ -83,7 +43,7 @@ Permissions for a dashboard:

 Result: `user1` has Edit permission as the highest permission always wins.

-##### Example 2 (`user1` has the Viewer Role and is a member of `team1`)
+#### Example 2 (`user1` has the Viewer Role and is a member of `team1`)

 Permissions for a dashboard:

@@ -93,7 +53,7 @@ Permissions for a dashboard:

 Result: `user1` has Admin permission as the highest permission always wins.

-##### Example 3
+#### Example 3

 Permissions for a dashboard:

@@ -105,12 +65,3 @@ Result: You cannot override to a lower permission. `user1` has Admin permission 
 - **View**: Can only view existing dashboards/folders.
 - You cannot override permissions for users with **Org Admin Role**
 - A more specific permission with lower permission level will not have any effect if a more general rule exists with higher permission level. For example if "Everyone with Editor Role Can Edit" exists in the ACL list then **John Doe** will still have Edit permission even after you have specifically added a permission for this user with the permission set to **View**. You need to remove or lower the permission level of the more general rule.
-
-### Data source permissions
-
-Permissions on dashboards and folders **do not** include permissions on data sources. A user with `Viewer` role
-can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
-We hope to add permissions on data sources in a future release. Until then **do not** view dashboard permissions as a secure
-way to restrict user data access. Dashboard permissions only limits what dashboards & folders a user can view & edit not which
-data sources a user can access nor what queries a user can issue.
-
--- a/docs/sources/permissions/datasource_permissions.md
+++ b/docs/sources/permissions/datasource_permissions.md
+++
+title = "Datasource Permissions"
+description = "Grafana Datasource Permissions Guide "
+keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams"]
+type = "docs"
+[menu.docs]
+name = "Datasource Permissions"
+identifier = "datasource-permissions"
+parent = "permissions"
+weight = 4
+++
+
+# Datasource Permissions
+
+> Datasource Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "enterprise/index.md" >}}).
+
+Datasource permissions allows you to restrict access for users to query a datasource. For each datasource there is
+a permission page that makes it possible to enable permissions and add restrict query permissions to specific
+**Users** and **Teams**.
+
+## Restricting Access - Enable Permissions
+
+{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_enable.gif" >}}
+
+By default, permissions are disabled for datasources and a datasource in an organization can be queried by any user in
+that organization. For example a user with `Viewer` role can still issue any possible query to a datasource, not just
+those queries that exist on dashboards he/she has access to.
+
+When permissions are enabled for a datasource in an organization you will restrict admin and query access for that
+datasource to [admin users](/permissions/organization_roles/#admin-role) in that organization.
+
+**To enable permissions for a datasource:**
+
+1. Navigate to Configuration / Data Sources.
+2. Select the datasource you want to enable permissions for.
+3. Select the Permissions tab and click on the `Enable` button.
+
+<div class="clearfix"></div>
+
+## Allow users and teams to query a datasource
+
+{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_add.gif" >}}
+
+After you have [enabled permissions](#restricting-access-enable-permissions) for a datasource you can assign query
+permissions to users and teams which will allow access to query the datasource.
+
+**Assign query permission to users and teams:**
+
+1. Navigate to Configuration / Data Sources.
+2. Select the datasource you want to assign query permissions for.
+3. Select the Permissions tab.
+4. click on the `Add Permission` button.
+5. Select Team/User and find the team/user you want to allow query access and click on the `Save` button.
+
+<div class="clearfix"></div>
+
+## Restore Default Access - Disable Permissions
+
+{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}}
+
+If you have enabled permissions for a datasource and want to revoke datasource permissions to the default, i.e.
+datasource can be queried by any user in that organization, you can disable permissions with a click of a button.
+Note that all existing permissions created for datasource will be deleted.
+
+**To disable permissions for a datasource:**
+
+1. Navigate to Configuration / Data Sources.
+2. Select the datasource you want to disable permissions for.
+3. Select the Permissions tab and click on the `Disable Permissions` button.
+
+<div class="clearfix"></div>
--- a/docs/sources/permissions/index.md
+++ b/docs/sources/permissions/index.md
+++
+title = "Permissions"
+description = "Permissions"
+type = "docs"
+[menu.docs]
+name = "Permissions"
+identifier = "permissions"
+parent = "admin"
+weight = 3
+++
+
+
--- a/docs/sources/permissions/organization_roles.md
+++ b/docs/sources/permissions/organization_roles.md
+++
+title = "Organization Roles"
+description = "Grafana Organization Roles Guide "
+keywords = ["grafana", "configuration", "documentation", "organization", "roles", "permissions"]
+type = "docs"
+[menu.docs]
+name = "Organization Roles"
+identifier = "organization-roles"
+parent = "permissions"
+weight = 2
+++
+
+# Organization Roles
+
+Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
+in that organization.
+
+## Admin Role
+
+Can do everything scoped to the organization. For example:
+
+- Add & Edit data sources.
+- Add & Edit organization users & teams.
+- Configure App plugins & set org settings.
+
+## Editor Role
+
+- Can create and modify dashboards & alert rules. This can be disabled on specific folders and dashboards.
+- **Cannot** create or edit data sources nor invite new users.
+
+## Viewer Role
+
+- View any dashboard. This can be disabled on specific folders and dashboards.
+- **Cannot** create or edit dashboards nor data sources.
+
+This role can be tweaked via Grafana server setting [viewers_can_edit]({{< relref "installation/configuration.md#viewers-can-edit" >}}). If you set this to true users
+with **Viewer** can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
+Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.
--- a/docs/sources/permissions/overview.md
+++ b/docs/sources/permissions/overview.md
+++
+title = "Overview"
+description = "Overview for permissions"
+keywords = ["grafana", "configuration", "documentation", "admin", "users", "datasources", "permissions"]
+type = "docs"
+aliases = ["/reference/admin", "/administration/permissions/"]
+[menu.docs]
+name = "Overview"
+identifier = "overview-permissions"
+parent = "permissions"
+weight = 1
+++
+
+# Permissions Overview
+
+Grafana users have permissions that are determined by their:
+
+- **Organization Role** (Admin, Editor, Viewer)
+- Via **Team** memberships where the **Team** has been assigned specific permissions.
+- Via permissions assigned directly to user (on folders, dashboards, datasources)
+- The Grafana Admin (i.e. Super Admin) user flag.
+
+## Grafana Admin
+
+This admin flag makes a user a `Super Admin`. This means they can access the `Server Admin` views where all users and organizations can be administrated.
+
+## Organization Roles
+
+Users can be belong to one or more organizations. A user's organization membership is tied to a role that defines what the user is allowed to do
+in that organization. Learn more about [Organization Roles]({{< relref "permissions/organization_roles.md" >}}).
+
+
+## Dashboard & Folder Permissions
+
+Dashboard and folder permissions allows you to remove the default role based permissions for Editors and Viewers and assign permissions to specific **Users** and **Teams**. Learn more about [Dashboard & Folder Permissions]({{< relref "permissions/dashboard_folder_permissions.md" >}}).
+
+## Datasource Permissions
+
+Per default, a datasource in an organization can be queried by any user in that organization. For example a user with `Viewer` role can still
+issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
+
+Datasource permissions allows you to change the default permissions for datasources and restrict query permissions to specific **Users** and **Teams**. Read more about [Datasource Permissions]({{< relref "permissions/datasource_permissions.md" >}}).