Monday, January 7, 2019

Grafana―Knowing the Basics of User Permissions

Grafana is an open source visualization tool that can be used on top of a variety of data stores (e.g., Graphite, InfluxDB, Elasticsearch and Logz.io).

Based on permissions (or privileges), Grafana users are allowed to do various tasks and view different objects in the environment.  User permissions in Grafana are determined by the following configurations:
  • Organization Role
    • Admin, Editor, or Viewer
  • Grafana Admin
    • Via the Grafana Admin (i.e. Super Admin) user flag
  • Team Memberships
    • Via Team memberships where the Team has been assigned specific permissions.
  • Directly Assigned User Permissions
    • Via permissions assigned directly to the user (on folders, dashboards, data sources)
In this article, we'll cover the details of user permissions in Grafana.

User Permissions


Organization Roles

Users can belong to one or more organizations. A user’s organization membership is tied to a role that defines what the user is allowed to do in that organization. There are three organization roles supported in Grafana:
  • Admin Role
    • Can do everything scoped to the organization. For example:
      • Add & Edit data sources
      • Add & Edit organization users & teams
      • Configure App plugins & set org settings
  • Editor Role
    • Can create and modify dashboards & alert rules
      • This can be disabled on specific folders and dashboards.
    • Cannot create or edit data sources nor invite new users
  • Viewer Role
    • View any dashboard
      • This can be disabled on specific folders and dashboards.
    • Cannot create or edit dashboards nor data sources.
    • This role can be tweaked via the Grafana server setting viewers_can_edit
      • If you set this to true, users with the Viewer role can also make transient dashboard edits, meaning they can modify panels & queries but not save the changes (nor create new dashboards).
      • Useful for public Grafana installations where you want anonymous users to be able to edit panels & queries but not save or create new dashboards.

Grafana Admin

The admin flag makes a user a Super Admin. This means they can access the Server Admin views, where all users and organizations can be administered.


Dashboard & Folder Permissions

Dashboard and folder permissions allow you to remove the default role-based permissions for Editors and Viewers and assign permissions to specific Users and Teams. Learn more about Dashboard & Folder Permissions.


Datasource Permissions

By default, a datasource in an organization can be queried by any user in that organization. For example, a user with the Viewer role can still issue any possible query to a data source, not just those queries that exist on dashboards they have access to.

Datasource permissions allow you to change the default permissions for datasources and restrict query permissions to specific Users and Teams. Read more about Datasource Permissions.
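
An added example (not from the original article or the Grafana project): a small Python check that reads a grafana.ini and flags the settings discussed above that widen what Viewers can do. The [auth.anonymous] keys enabled and org_role are Grafana settings not named in this article; the sample file and the finding IDs are constructed for illustration.

```python
import configparser

# Constructed sample grafana.ini, not taken from a real deployment.
SAMPLE_INI = """\
app_mode = production

[users]
viewers_can_edit = true

[auth.anonymous]
enabled = true
org_role = Viewer
"""

def load_ini(text):
    # grafana.ini may carry keys before the first [section]; configparser
    # rejects those, so park them under a placeholder section. Interpolation
    # is off because values such as passwords may contain '%'.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string("[__root__]\n" + text)
    return cfg

def audit_permissions(text):
    """Return (finding_id, message) tuples for role-widening settings."""
    cfg = load_ini(text)
    can_edit = cfg.getboolean("users", "viewers_can_edit", fallback=False)
    anon = cfg.getboolean("auth.anonymous", "enabled", fallback=False)
    role = cfg.get("auth.anonymous", "org_role", fallback="Viewer").strip()
    findings = []
    if can_edit:
        findings.append(("VIEWER_EDIT", "Viewers can change panels and "
                         "queries in the UI (edits cannot be saved)"))
    if anon:
        findings.append(("ANON_ACCESS", f"unauthenticated visitors get the "
                         f"{role} role and, by default, can query every "
                         "data source in the organization"))
        if role in ("Editor", "Admin"):
            findings.append(("ANON_WRITE", f"anonymous role {role} can "
                             "create and modify dashboards"))
        elif can_edit:
            findings.append(("ANON_QUERY_EDITOR", "anonymous visitors get "
                             "the panel and query editor"))
    return findings

if __name__ == "__main__":
    for finding_id, message in audit_permissions(SAMPLE_INI):
        print(f"{finding_id}: {message}")
```

Values overridden through GF_* environment variables are not visible to this file-based check.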

Figure 1.  (Left) Admin Role vs. (Right) Viewer Role

UI Differences (Admin Role vs. Viewer Role)


Compared to the Admin Role, users with the Viewer Role have limited configuration capabilities, which is why their UIs look different.

In Figure 1, the left side shows the UI of a user with the Admin Role and the right side shows the UI of a user with the Viewer Role. You can see that a user with the Admin Role has the following extra menu buttons:
  • Create (i.e., + icon)
  • Alerting (i.e., bell icon)
  • Configuration (i.e., tools icon)
For example, Grafana uses data sources to fetch the information used for graphs. A variety of data source types are supported out of the box. As a user with the Admin Role, you can add a new data source by clicking on the Configuration button (Figure 2) and then clicking on the "+ Add data source" button on the next page (Figure 3).

Figure 2.  Data Source Configuration Menu

Figure 3.  Add data source

