2025-08-02 21:52:43 +08:00 · 2022-07-20 14:32:04 +00:00
parent 01d561224c
commit 5c4aa4a7ac
8 changed files with 354 additions and 44 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/github.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/github.md
@ -101,6 +101,35 @@ allow_sign_up = true
 allowed_organizations = github google
 ```

+### Map roles
+
+You can use GitHub OAuth to map roles. During mapping, Grafana checks for the presence of a role using the [JMESPath](http://jmespath.org/examples.html) specified via the `role_attribute_path` configuration option.
+
+For the path lookup, Grafana uses JSON obtained from querying GitHub's API [`/api/user`](https://docs.github.com/en/rest/users/users#get-the-authenticated-user=) endpoint and a `groups` key containing all of the user's teams (retrieved from `/api/user/teams`).
+
+The result of evaluating the `role_attribute_path` JMESPath expression must be a valid Grafana role, for example, `Viewer`, `Editor` or `Admin`. For more information about roles and permissions in Grafana, refer to [Roles and permissions]({{< relref "../../../administration/roles-and-permissions/" >}}).
+
+An example Query could look like the following:
+
+```bash
+role_attribute_path = [login==octocat] && 'Admin' || 'Viewer'
+```
+
+This allows the user with login "octocat" to be mapped to the `Admin` role,
+but all other users to be mapped to the `Viewer` role.
+
+#### Map roles using teams
+
+Teams can also be used to map roles. For instance,
+if you have a team called 'example-group' you can use the following snippet to
+ensure those members inherit the role 'Editor'.
+
+```bash
+role_attribute_path = contains(groups[*], '@github/example-group') && 'Editor' || 'Viewer'
+```
+
+Note: If a match is found in other fields, teams will be ignored.
+
 ### Team Sync (Enterprise only)

 > Only available in Grafana Enterprise v6.3+