Mantra Networking

Grafana: Users & Permissions

Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Core Components
  • User Types in Grafana
  • Roles and Permission Levels
  • Organization Roles (applied per organization)
  • Custom Roles and RBAC (Enterprise/Cloud)
  • Permission Scopes
  • Teams and Group Management
  • Managing Users
  • Special Notes
  • Example Scenarios
  • Conclusion

Grafana: Users & Permissions Overview

Understanding how users and permissions function in Grafana is key to building secure, collaborative, and well-organized monitoring environments. Here’s an introduction to what the system is, why it matters, and how it operates.

What is Grafana Users & Permissions?

In Grafana, the users and permissions framework controls who can access the platform, what they are allowed to see or edit, and how their access is managed across organizations, teams, dashboards, and data sources. At its core, it’s a comprehensive set of access control features that help teams work together safely and efficiently.

Why Should You Care?

  • Security: Properly managed permissions ensure sensitive dashboards and data remain visible only to authorized users, reducing the risk of accidental or malicious changes.
  • Collaboration: With precise roles, teams can work together without stepping on each other’s toes. Editors build dashboards, Viewers monitor, and Admins manage settings.
  • Scalability: As organizations grow, a clear permissions structure allows you to onboard new users, set up teams, and delegate responsibilities without headaches.
  • Compliance: Many businesses need to control who can access different parts of their monitoring systems to meet internal policies or industry regulations. A robust permissions model is essential for auditability and control.

How Does It Work?

Grafana uses a layered approach to access management:

  • Roles: Every user gets a role (Viewer, Editor, Admin, or custom), defining their level of access.
  • Scopes: Permissions can be set at different levels, such as for an entire organization, a dashboard folder, or a single dashboard.
  • Teams & Groups: Users can be grouped into teams so that permissions are inherited and managed collectively.
  • Permission Aggregation: If a user is part of multiple teams or receives permissions from different levels, the highest level of access applies for each resource.
  • External Authentication: Grafana can connect to systems like LDAP, SAML, OAuth, and more to sync user and group access automatically—especially useful in large organizations or cloud environments.

With these controls in place, Grafana ensures that the right people have the right access—nothing more, nothing less—supporting both productive teamwork and strong security from the ground up.

Core Components

These are the essential building blocks that define user management and access control within Grafana:

  • Users: Individual accounts that can log in to Grafana. Each user is granted specific roles and permissions, controlling what they can view or modify.
  • Teams: Groups of users organized to simplify permission management. Teams can be given access to resources (like dashboards and folders), streamlining collaborative workflows.
  • Roles: Predefined sets of permissions (such as Admin, Editor, or Viewer) assigned to users or teams. Roles control the level of access to data sources, dashboards, and administrative settings.
  • Permission Scopes: Permission assignments can be set at different levels: organization-wide, per team, folder, or dashboard. This allows for fine-grained control over who can view or edit specific resources.
  • External Authentication (Optional): Integration with external identity providers (such as SAML, LDAP, or OAuth) enables centralized authentication and simplifies user onboarding and group management.

User Types in Grafana

Grafana provides a flexible structure to manage users based on their roles and responsibilities. The platform categorizes users into different types for easier access control and collaboration:

  • Viewer: This is the most basic user type. Viewers can access and explore dashboards but cannot make any changes. Ideal for users who need to monitor data without modifying configurations.
  • Editor: Editors have permission to create and edit dashboards, panels, and saved queries. They cannot manage users or settings but play a key role in building and maintaining visualizations.
  • Admin: Organization-level administrators have full access to all settings, data sources, and user management within their Grafana organization. They are responsible for configuring permissions and managing team structures.
  • Server Admin: Exclusive to self-hosted Grafana deployments, server admins can manage all organizations, configure global settings, and oversee all user accounts across the entire Grafana instance.
  • Team Member: Users grouped under a team inherit team-based permissions, which help simplify access control across dashboards, folders, and other resources. Team assignments do not change a user's base role but complement it.

Roles and Permission Levels

Grafana uses a role-based access control (RBAC) system to define what users can see and do. These roles are assigned at different scopes such as organization, folder, and dashboard levels to provide flexible and secure access management:

  • Viewer: Viewers can read and explore dashboards but cannot make any edits or changes. This role is commonly assigned to stakeholders or team members who only need access to metrics and reports.
  • Editor: Editors can create, modify, and delete dashboards, panels, alerts, and folders. However, they don’t have access to user management or administrative settings. This role is ideal for content creators and dashboard developers.
  • Admin: Admins have full control within their assigned organization. They can manage data sources, users, teams, plugins, and folder-level permissions. This role is typically assigned to platform owners and team leads.
  • No Basic Role: When a user is assigned "No Basic Role", they don’t inherit any default permissions. Instead, access must be explicitly granted via teams or custom role assignments. This is useful for advanced access control strategies.

In addition to these default roles, Grafana Enterprise and Grafana Cloud include support for custom roles, allowing for granular permissions tailored to specific operational needs.

Permission levels vary based on the assigned role:

Permission Viewer Editor Admin
View dashboards
Edit dashboards
Create folders
Manage data sources
Manage users and teams

Organization Roles (applied per organization)

In Grafana, users are part of an organization, and each organization can have its own set of roles assigned to users. These roles define what users can do within the boundaries of that specific organization. This structure makes it possible to assign different responsibilities to users depending on the organizational context.

The primary organization roles in Grafana are:

  • Viewer: Can view dashboards and use Explore to inspect metrics and logs, but cannot make any changes to content or settings.
  • Editor: Can create and edit dashboards, panels, and folders. Editors can also explore and query data sources but cannot manage users or change configuration settings.
  • Admin: Has full administrative privileges within the organization. This includes managing users, teams, data sources, plugins, folders, and dashboards. Admins also set folder-level and team-based permissions.
  • No Basic Role: This role removes default permissions from the user within an organization. Specific access must be explicitly granted at the folder, team, or dashboard level. It’s useful for security-focused or minimal-access workflows.

The following table highlights what each organization role can generally do:

Action Viewer Editor Admin
View dashboards
Create/edit dashboards and folders
Query data sources
Invite/manage users and teams
Manage organization settings

Each Grafana user can be part of multiple organizations and may have different roles across each one. This makes multi-team or multi-project environments easier to manage while ensuring users only have appropriate access.

Custom Roles and RBAC (Enterprise/Cloud)

Grafana Enterprise and Grafana Cloud offer advanced role-based access control (RBAC) features that go beyond the basic permissions of standard roles. RBAC empowers organizations to create custom roles to fine-tune user and team access to every aspect of their Grafana environment.

  • Custom Roles: Administrators can design custom roles with tailored combinations of permissions, actions, and scopes. This allows for precise control over what each user, team, or service account can do, such as allowing edits to dashboards but blocking deletion, or granting API key management privileges.
  • RBAC Actions & Scopes: An action defines what operation is permitted (e.g., view, edit, delete), while a scope specifies which resource or set of data the action applies to—for example, restricting permissions to dashboards in a specific folder or managing only users in a certain organization.
  • Role Assignment: Custom roles can be assigned to individual users or groups (teams) through the Grafana UI, YAML-based provisioning, or the HTTP API. When a custom role is assigned to a team, its permissions apply to every member of that team.
  • Provisioning & Automation: RBAC roles and assignments can be declared in YAML configuration files for rapid provisioning, bulk updates, and version control. No server restart is needed to apply changes; simply reload provisioning.
  • Use Cases: Typical scenarios include delegating limited admin privileges, restricting editing rights to only certain resources, or setting up operational boundaries for contractor teams and external partners.

Example: Configuring a Custom Role

apiVersion: 2
roles:
  - name: custom:dashboards:creator
    description: 'Create and edit dashboards, but cannot delete'
    version: 1
    orgId: 1
    permissions:
      # Creating a dashboard is authorized against the destination folder
      - action: 'dashboards:create'
        scope: 'folders:*'
      # Grafana's RBAC action for editing a dashboard is 'dashboards:write'
      - action: 'dashboards:write'
        scope: 'dashboards:*'
      # 'dashboards:delete' intentionally omitted for restricted ability

By leveraging custom roles and RBAC, Grafana Enterprise and Cloud customers can align access controls with their internal security policies, compliance requirements, and organizational workflows more precisely than ever before.

Permission Scopes

In Grafana, permission scopes define where a user or team's access applies within the system. Scopes work alongside actions (what a user can do) to create highly targeted permissions for dashboards, folders, data sources, and other resources.

  • Action: This determines what task is allowed, such as viewing, editing, or deleting a resource.
  • Scope: This defines where the action is permitted—limiting permissions to specific organizations, users, dashboards, plugins, teams, reports, or folders.

Permission scopes become especially powerful in Grafana Enterprise and Grafana Cloud, where administrators can create custom roles or adjust existing roles. For example, you might create a role that allows a user to:

  • View only dashboards in a particular folder (folders:id:123).
  • Edit a specific user's profile (users:42).
  • Manage only a certain plugin (plugins:id:grafana-oncall-app).
  • Read or write to data sources across an entire organization (datasources:* or orgs:id:1).

These fine-grained controls help you comply with security policies and enable least-privilege access—users get only the permissions they need, exactly where they need them.

Examples of Scope Usage:

Scope Type | Example Value | Description
Organization | orgs:id:1 | Restricts the action to organization with ID 1
User | users:42 | Limits the action to user with ID 42
Dashboard | dashboards:uid:abc123 | Applies only to the dashboard with the given UID
Plugin | plugins:id:grafana-oncall-app | Targets permissions for the specified plugin
All Resources | dashboards:* | Applies the action to all dashboards in Grafana

By combining actions and scopes, Grafana administrators can build precise permission models tailored to their organizational needs.
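The action and scope pairing described in this section can be reviewed mechanically. The following is an added example, not code from the original post or from Grafana: a simplified Python model of scope matching that flags wildcard grants and narrows them to the scopes actually used. It assumes a trailing `*` acts as a prefix wildcard; the role dictionaries, the UID `def456` and the observed-access list are constructed sample data.

```python
# Added example: simplified model of action + scope evaluation.
# Assumption: a trailing '*' in a granted scope is a prefix wildcard,
# so 'dashboards:*' covers 'dashboards:uid:abc123'.

def scope_matches(granted, requested):
    """True if the granted scope covers the requested resource scope."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def is_allowed(role, action, resource):
    """A request passes only if one permission matches both action and scope."""
    return any(p["action"] == action and scope_matches(p["scope"], resource)
               for p in role["permissions"])


def broad_grants(role):
    """Return (action, scope) pairs with a wildcard scope, for least-privilege review."""
    return [(p["action"], p["scope"])
            for p in role["permissions"] if p["scope"].endswith("*")]


def tighten(role, observed):
    """Replace each grant with the explicit scopes that were actually exercised.

    observed: (action, resource_scope) pairs gathered during an access review.
    Grants that were never used are dropped; requests the role never allowed
    are ignored rather than added.
    """
    tightened = []
    for perm in role["permissions"]:
        used = sorted({res for act, res in observed
                       if act == perm["action"] and scope_matches(perm["scope"], res)})
        tightened.extend({"action": perm["action"], "scope": res} for res in used)
    return tightened


# Constructed sample roles (hypothetical, for illustration only).
BROAD_ROLE = {"name": "custom:dashboards:broad", "permissions": [
    {"action": "dashboards:read", "scope": "dashboards:*"},
    {"action": "dashboards:write", "scope": "dashboards:*"},
]}
SCOPED_ROLE = {"name": "custom:dashboards:scoped", "permissions": [
    {"action": "dashboards:read", "scope": "dashboards:uid:abc123"},
]}

# Constructed access-review records: (action, resource scope).
OBSERVED = [
    ("dashboards:read", "dashboards:uid:abc123"),
    ("dashboards:read", "dashboards:uid:def456"),
    ("dashboards:write", "dashboards:uid:abc123"),
    ("dashboards:delete", "dashboards:uid:abc123"),  # never granted, stays denied
]

if __name__ == "__main__":
    print("wildcard grants:", broad_grants(BROAD_ROLE))
    for perm in tighten(BROAD_ROLE, OBSERVED):
        print("keep:", perm)
```
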

Teams and Group Management

Grafana includes built-in support for organizing users into teams, providing a simplified way to manage permissions and collaborate efficiently across dashboards and folders. Instead of assigning permissions individually to each user, teams enable role-based, scalable access control.

Why use Teams?

  • Simplifies Permission Management: Assigning permissions to a team automatically applies those permissions to all members, reducing manual setup and human error.
  • Enhances Collaboration: Teams enable multiple users to work together on the same set of dashboards and folders with appropriate levels of access.
  • Supports Role Inheritance: Team members continue to have their base user role (e.g., Editor or Viewer) but also receive additional access based on team-level permissions.

Creating and Managing Teams:

  1. Navigate to the Users section in the Grafana sidebar and select Teams.
  2. Click Create Team, enter a name and optional email or group info for identification.
  3. Add users to the team from your existing user base.
  4. Assign permissions to the team at the folder or dashboard level as needed.

Team Permissions and Resource Access:

  • Teams can be directly assigned access to folders and dashboards with specific roles—such as Viewer, Editor, or Admin—depending on the level of control needed.
  • A user can belong to multiple teams. If different teams grant different levels of access to the same resource, the user will receive the highest level of access through permission aggregation.
  • Permissions granted through a team are effective immediately and override the default “No Basic Role” behavior if the user had no direct access previously.

Integration with External Identity Providers:

  • In Enterprise or Cloud environments, Grafana can integrate with external systems like LDAP, SAML, or OAuth to synchronize users and groups automatically.
  • External groups can be mapped to teams, streamlining onboarding and offboarding workflows for large organizations.

By using Grafana’s team and group management features, administrators can efficiently scale access control, reduce configuration complexity, and support secure collaboration across departments or projects.

Managing Users

Effectively managing users in Grafana is essential for maintaining access control, accountability, and streamlined collaboration. Whether you're working in a self-hosted or cloud environment, Grafana provides intuitive tools to add, invite, organize, and modify user data.

Steps to Manage Users:

  1. Navigate to the Configuration (gear icon) in the left-hand sidebar, then click on Users.
  2. From the Users view, you can:
    • See a list of all users in the current organization
    • Add users manually
    • Invite users via email
    • Assign or change user roles
    • Remove users from the organization

Adding Users:

  • Click Add User, fill in the user's name and email address, and assign an initial role (Viewer, Editor, or Admin).
  • Alternatively, use the Invite function to send an email invitation allowing the user to set their own password and profile info.

Changing User Roles:

  • In the user list, locate the user and click the dropdown under the Role column to assign a new role. Changes take effect immediately.
  • You can also move a user to No Basic Role, which removes default access and requires explicitly defined folder or dashboard permissions.

Removing Users:

  • Click the trash icon next to a user to remove them from the organization. This instantly revokes their access without deleting their Grafana account from the system.

Additional Capabilities:

  • Users can exist in multiple organizations, each with its own assigned role. Role changes in one organization do not affect the other.
  • Grafana Enterprise and Cloud editions support user synchronization from external identity providers (e.g., LDAP, Okta, Azure AD), enabling bulk user management and centralized access control.
  • Admins can also disable user accounts or promote regular users to Admin or Server Admin roles (self-hosted only) if further privileges are needed.

Whether you're managing a few users or large teams, Grafana's user management tools make it easy to control who can do what, and where, within your monitoring environment.

Special Notes

As you work with Grafana's user and permission management features, there are a few special considerations and edge cases to keep in mind. These notes can help avoid confusion and ensure you're using Grafana to its fullest potential in different environments.

  • Server Admin Role (Self-Hosted Only): In self-hosted Grafana instances, users can be assigned the Server Admin role. This role has elevated privileges across all organizations and can manage system-wide settings such as authentication, plugin installation, and user accounts across all orgs. This capability does not exist in Grafana Cloud.
  • Users in Multiple Organizations: A single user can belong to more than one organization within the same Grafana instance. Their assigned role can differ in each organization. Access and permissions are scoped per organization, helping facilitate multi-tenant setups or departmental segmentation.
  • Role Aggregation: If a user is part of multiple teams or receives varying permissions through custom roles, Grafana grants the user the highest level of access allowed by any of those assignments. For example, if one team grants Edit access and another grants View only, the user will have Edit rights.
  • No Downgrade by Folder Permissions: Folder or dashboard-level permissions cannot restrict or downgrade the permissions a user already has from a higher-level role (such as Admin). You can grant more access at a lower level but not reduce it.
  • SSO and External Identity Providers: When using systems like LDAP, SSO, SAML, or OAuth with Grafana Enterprise or Cloud, user roles and permissions may be set dynamically during login. Users are often mapped to teams automatically based on group membership in the external provider.
  • Managed Grafana (Cloud Environments): In Grafana Cloud or managed environments such as AWS or Azure Managed Grafana, some features like server-wide settings or plugin installation may be restricted and managed by the service provider instead of by users or admins.

Being aware of these nuances helps administrators avoid permission conflicts, maintain security, and ensure proper delegation of responsibilities across users and teams.

Example Scenarios

Understanding how Grafana roles and permissions work in real-world situations helps clarify their practical application. Below are some common example scenarios that demonstrate how Grafana’s user and permission model behaves in different contexts.

Scenario 1: Team Permissions Override Individual Role

  • A user is assigned the Viewer role in the organization.
  • The same user is added to a Team that has Editor access to a specific dashboard folder.
  • Result: The user can edit dashboards in that folder, despite their lower organization-wide Viewer role. Grafana applies the highest level of permission available to the user for the specific resource.

Scenario 2: No Basic Role But Access via Team

  • A user is created in Grafana with No Basic Role assigned to them.
  • The user is added to a team that has Viewer access to a shared folder called "Operations Metrics."
  • Result: The user can view dashboards in the "Operations Metrics" folder even though they have no default access to the rest of the organization.

Scenario 3: Conflicting Role Levels

  • A user is in two teams: one with Editor access to "Dev Dashboards" and another with Viewer access to the same folder.
  • Result: Grafana grants the higher access level (Editor) for that folder. The system does not merge permissions but instead applies the most permissive access granted.

Scenario 4: Admin User with Folder Restrictions

  • A user is assigned the Admin role in the organization.
  • A folder has explicit Viewer-only permissions set.
  • Result: The Admin user retains full access. Folder-level permissions cannot restrict higher-level administrative privileges.

Scenario 5: Multi-Organization User

  • A single Grafana user is part of two organizations: "Engineering" and "Marketing."
  • The user is an Editor in Engineering and a Viewer in Marketing.
  • Result: The user's available permissions change depending on which organization they are currently operating within. Actions taken in the Engineering org are governed by Editor rights; in Marketing, only Viewer-level access is permitted.

These scenarios illustrate how combining roles, teams, and permission scopes in Grafana creates a powerful and flexible system, allowing administrators to tailor access according to real-world organizational needs.
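The aggregation rule behind Scenarios 1 to 4 (and the Role Aggregation and No Downgrade notes earlier) can be modelled in a few lines. This is an added example, not code from the original post or from Grafana: it computes effective folder access within a single organization and lists every case where a team grant lifts a user above their organization role, which is the list an access review should look at first. All user, team and folder data is constructed.

```python
# Added example: model of "highest access wins" within one organization.
RANK = {"No Basic Role": 0, "Viewer": 1, "Editor": 2, "Admin": 3}
ACCESS = ["No access", "Viewer", "Editor", "Admin"]

# Constructed sample data mirroring Scenarios 1-4 (names are made up).
ORG_ROLE = {"alice": "Viewer", "bob": "No Basic Role",
            "carol": "Viewer", "dave": "Admin"}
TEAMS = {"builders": {"alice", "carol"},
         "ops-readers": {"bob"},
         "dev-readers": {"carol"}}
FOLDER_GRANTS = {  # folder -> {team: level granted on that folder}
    "Operations Metrics": {"ops-readers": "Viewer"},
    "Dev Dashboards": {"builders": "Editor", "dev-readers": "Viewer"},
    "Finance": {"ops-readers": "Viewer"},  # Viewer-only folder (Scenario 4)
}


def effective_access(user, folder):
    """Return (access, source): the highest of the org role and any team grant.

    Folder grants can only raise access; they never lower what the
    organization role already provides.
    """
    best, source = RANK[ORG_ROLE[user]], "org role"
    for team, level in FOLDER_GRANTS.get(folder, {}).items():
        if user in TEAMS.get(team, ()) and RANK[level] > best:
            best, source = RANK[level], f"team:{team}"
    return ACCESS[best], source


def elevations():
    """List (user, folder, org_role, effective, source) where a team grant
    gives more access than the user's organization role."""
    found = []
    for user in sorted(ORG_ROLE):
        for folder in sorted(FOLDER_GRANTS):
            access, source = effective_access(user, folder)
            if source != "org role":
                found.append((user, folder, ORG_ROLE[user], access, source))
    return found


if __name__ == "__main__":
    for row in elevations():
        print("%-6s %-20s org=%-14s effective=%-7s via %s" % row)
```
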

Conclusion

Throughout this blog post, we’ve explored the foundational elements of Grafana’s user and permissions model—an indispensable framework for managing access, ensuring security, and promoting collaboration across teams.

Here are some key takeaways:

  • User roles like Viewer, Editor, and Admin define what users can do across an organization. In Grafana Enterprise and Cloud, custom roles provide even finer control.
  • Organization roles are scoped per org, giving users different responsibilities and access levels depending on the team or department.
  • Teams simplify permission management by allowing you to group users and assign shared access to dashboards, folders, and data sources.
  • RBAC and custom roles extend flexibility, especially for large enterprises with strict compliance or operational boundaries.
  • Permission scopes allow finely detailed access restriction, targeting not just what a user can do but exactly where they can do it.
  • User and group management is centralized and intuitive, making it easy to onboard users, assign roles, and remove access when needed.
  • Special scenarios reveal how permissions are calculated and emphasize best practices, like always granting permissions using teams wherever possible.

By understanding and leveraging these features, Grafana admins can confidently manage growing teams and complex environments while keeping dashboards secure and accessible to the right people.

Thanks for following along, and happy dashboarding! 🚀