Grafana is an open source metric analysis and visualization suite that has been widely recognized and used for temporal monitoring of infrastructure, application data analysis and visualization, and other applications including weather, home automation, and process control. Grafana supports many data sources, including Mysql, Elasticsearch, Prometheus, and InfluxDB. Each data source has a specific query editor that allows you to write multiple expressions and draw multiple data presentation charts according to your business needs. But sometimes what if you’re creating a graph that’s sensitive and you don’t want everyone to see it?

Permissions overview

If your Grafana has access to login control, either with Grafana’s built-in permission control or with Ldap authentication enabled, Dashboard’s permissions are readable by default for everyone. To sum up, the user permissions of Grafana are affected by the following factors:

  • Organization Role(Admin, Editor, Viewer); The global organization role
  • Via Teammemberships where the Team has been assigned specific permissions. Group access
  • Via permissions assigned directly to user (on folders.dashboards.data sources). It is a permission specially assigned to a user for Folder, Dashboard, and Data Source
  • The Grafana Admin (i.e. Super Admin) user flag. Super administrator Rights

Configure independent Permission control for a single Dashboard. You can Add Permission for a user or group in “Dashboard Settings “–> “Permissions”–> “Add Permission”. In addition, Dashboard permissions are inherited from the Folder permissions, so you can see that some existing permissions have a small lock behind them, indicating that permissions cannot be changed. If you change permissions, you can only modify the permissions of the corresponding Folder. In other words, permissions for the so-called Grafana Dashboard are Folder permissions;

Dashboard and Folder permissions

Example of adding permission control for a Dashboard

As shown above, in the Manage configuration item of Folder, this is where you can remove the default role for the Folder and then customize permissions for a user or group;

Add Team

Configuration-> Teams–> Add Team, enter the Team name, you can create a new Team; Here I created a new Team called “TestReadOnly”;

Add Team User

Click “Add member” in “Team Members” to Add a user to the Team:

Configure Dashboard permissions for the Team

Go to Dashboard Settings or folder management, find Permissions configuration, Add Permission, Add Permission to ‘TestReadOnly’ group for ‘View’, delete other Permissions; After the TestReadyOnly group is configured, users in the TestReadyOnly group have the read-only permission, while users outside the group have no access permission (super administrator permissions cannot be deleted). Similarly, permissions such as “Edit” are configured.

Authority levels

Grafana has three main permission levels: Admin > Edit > View

** Note: **

  1. Unable to override withOrganization AdministratorUser rights of the role
  2. If a policy at a higher level exists, the rule at a lower level does not take effect

For example, there is a folder FolderX. If the folder is read-only and not editable to everyone, you can define a read-only Team named “ReadOnly”. You have added several users to the “ReadOnly” group, including “xujpxm”; At this point, you give the “ReadOnly” Team “FolderX folder” View “permission and delete the” Edit “/”Admin” permission; Users on the “ReadOnly” Team will be able to read, not edit, the FolderX folder; Normally, permission control for a single folder has been achieved at this point. However, it should be noted that user xujpxm also has the administrator permission, which is higher than user View. According to Note 1, user XUjpxm can edit and manage the FolderX folder. In the second case, if there is also an “EditGroup” Team, FolderX has given the “Edit” permission, but user xujpxm (not a super administrator) is also in the folder, then the user has both “Edit” and “View” permission. Note 2 The “xujpxm” user has the Edit permission for this folder.

reference

  • Grafana Dashboard and Folder Permissions
  • Grafana Permissions Overview