diff --git a/docs/sources/enterprise/access-control/fine-grained-access-control-references.md b/docs/sources/enterprise/access-control/fine-grained-access-control-references.md
index 0a1b7d56b0e..b3a346d9c27 100644
--- a/docs/sources/enterprise/access-control/fine-grained-access-control-references.md
+++ b/docs/sources/enterprise/access-control/fine-grained-access-control-references.md
@@ -11,28 +11,32 @@ The reference information that follows complements conceptual information about
## Fine-grained access fixed roles
-| Fixed roles | Permissions | Descriptions |
-| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| `fixed:permissions:admin:read` | `roles:read`
`roles:list`
`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
-| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and
`roles:write`
`roles:delete`
`roles.builtin:add`
`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
-| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
-| `fixed:reporting:admin:read` | `reports:read`
`reports:send`
`reports.settings:read` | Allows to read reports and report settings. |
-| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and
`reports.admin:write`
`reports:delete`
`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
-| `fixed:users:admin:read` | `users.authtoken:list`
`users.quotas:list`
`users:read`
`users.teams:read` | Allows to list and get users and related information. |
-| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and
`users.password:update`
`users:write`
`users:create`
`users:delete`
`users:enable`
`users:disable`
`users.permissions:update`
`users:logout`
`users.authtoken:update`
`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
-| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
-| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and
`org.users:add`
`org.users:remove`
`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
-| `fixed:ldap:admin:read` | `ldap.user:read`
`ldap.status:read` | Allows to read LDAP information and status. |
-| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and
`ldap.user:sync`
`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
-| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
-| `fixed:settings:admin:read` | `settings:read` | Read settings |
-| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and
`settings:write` | Update settings |
-| `fixed:datasource:editor:read` | `datasources:explore` | Explore datasources |
+| Fixed roles | Permissions | Descriptions |
+| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| `fixed:permissions:admin:read` | `roles:read`
`roles:list`
`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
+| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and
`roles:write`
`roles:delete`
`roles.builtin:add`
`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
+| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
+| `fixed:reporting:admin:read` | `reports:read`
`reports:send`
`reports.settings:read` | Allows to read reports and report settings. |
+| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and
`reports.admin:write`
`reports:delete`
`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
+| `fixed:users:admin:read` | `users.authtoken:list`
`users.quotas:list`
`users:read`
`users.teams:read` | Allows to list and get users and related information. |
+| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and
`users.password:update`
`users:write`
`users:create`
`users:delete`
`users:enable`
`users:disable`
`users.permissions:update`
`users:logout`
`users.authtoken:update`
`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
+| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
+| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and
`org.users:add`
`org.users:remove`
`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
+| `fixed:ldap:admin:read` | `ldap.user:read`
`ldap.status:read` | Allows to read LDAP information and status. |
+| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and
`ldap.user:sync`
`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
+| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
+| `fixed:settings:admin:read` | `settings:read` | Read settings |
+| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and
`settings:write` | Update settings |
+| `fixed:datasources:editor:read` | `datasources:explore` | Allows to access the **Explore** tab |
+| `fixed:datasources:admin` | `datasources:read`
`datasources:create`
`datasources:write`
`datasources:delete` | Allows to create, read, update, delete data sources. |
+| `fixed:datasources:id:viewer` | `datasources:id:read` | Allows to read data source IDs. |
+| `fixed:datasources:permissions:admin` | `datasources.permissions:create`
`datasources.permissions:read`
`datasources.permissions:delete`
`datasources.permissions:toggle` | Allows to create, read, delete, enable, or disable data source permissions |
## Default built-in role assignments
-| Built-in role | Associated role | Description |
-| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Grafana Admin | `fixed:permissions:admin:edit`
`fixed:permissions:admin:read`
`fixed:provisioning:admin`
`fixed:reporting:admin:edit`
`fixed:reporting:admin:read`
`fixed:users:admin:edit`
`fixed:users:admin:read`
`fixed:users:org:edit`
`fixed:users:org:read`
`fixed:ldap:admin:edit`
`fixed:ldap:admin:read`
`fixed:server:admin:read`
`fixed:settings:admin:read`
`fixed:settings:admin:edit` | Allow access to the same resources and permissions the [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has by default. |
-| Admin | `fixed:users:org:edit`
`fixed:users:org:read`
`fixed:reporting:admin:edit`
`fixed:reporting:admin:read` | Allow access to the same resources and permissions that the [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) has by default. |
-| Editor | `fixed:datasource:editor:read` |
+| Built-in role | Associated role | Description |
+| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| Grafana Admin | `fixed:permissions:admin:edit`
`fixed:permissions:admin:read`
`fixed:provisioning:admin`
`fixed:reporting:admin:edit`
`fixed:reporting:admin:read`
`fixed:users:admin:edit`
`fixed:users:admin:read`
`fixed:users:org:edit`
`fixed:users:org:read`
`fixed:ldap:admin:edit`
`fixed:ldap:admin:read`
`fixed:server:admin:read`
`fixed:settings:admin:read`
`fixed:settings:admin:edit` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
+| Admin | `fixed:users:org:edit`
`fixed:users:org:read`
`fixed:reporting:admin:edit`
`fixed:reporting:admin:read`
`fixed:datasources:admin`
`fixed:datasources:permissions:admin` | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
+| Editor | `fixed:datasources:editor:read` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
+| Viewer | `fixed:datasources:id:viewer` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
diff --git a/docs/sources/enterprise/access-control/permissions.md b/docs/sources/enterprise/access-control/permissions.md
index 1436bf9e5fe..82deb89faec 100644
--- a/docs/sources/enterprise/access-control/permissions.md
+++ b/docs/sources/enterprise/access-control/permissions.md
@@ -23,62 +23,72 @@ scope
The following list contains fine-grained access control actions.
-| Action | Applicable scope | Description |
-| -------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `roles:list` | `roles:*` | List available roles without permissions. |
-| `roles:read` | `roles:*` | Read a specific role with its permissions. |
-| `roles:write` | `permissions:delegate` | Create or update a custom role. |
-| `roles:delete` | `permissions:delegate` | Delete a custom role. |
-| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
-| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
-| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
-| `reports.admin:create` | `reports:*` | Create reports. |
-| `reports.admin:write` | `reports:*` | Update reports. |
-| `reports:delete` | `reports:*` | Delete reports. |
-| `reports:read` | `reports:*` | List all available reports or get a specific report. |
-| `reports:send` | `reports:*` | Send a report email. |
-| `reports.settings:write` | n/a | Update report settings. |
-| `reports.settings:read` | n/a | Read report settings. |
-| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
-| `users:read` | `global:users:*` | Read or search user profiles. |
-| `users:write` | `global:users:*` | Update a user’s profile. |
-| `users.teams:read` | `global:users:*` | Read a user’s teams. |
-| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
-| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
-| `users.password:update` | `global:users:*` | Update a user’s password. |
-| `users:delete` | `global:users:*` | Delete a user. |
-| `users:create` | n/a | Create a user. |
-| `users:enable` | `global:users:*` | Enable a user. |
-| `users:disable` | `global:users:*` | Disable a user. |
-| `users.permissions:update` | `global:users:*` | Update a user’s organization-level permissions. |
-| `users:logout` | `global:users:*` | Sign out a user. |
-| `users.quotas:list` | `global:users:*` | List a user’s quotas. |
-| `users.quotas:update` | `global:users:*` | Update a user’s quotas. |
-| `org.users.read` | `users:*` | Get user profiles within an organization. |
-| `org.users.add` | `users:*` | Add a user to an organization. |
-| `org.users.remove` | `users:*` | Remove a user from an organization. |
-| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
-| `ldap.user:read` | n/a | Get a user via LDAP. |
-| `ldap.user:sync` | n/a | Sync a user via LDAP. |
-| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
-| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
-| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
-| `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
-| `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
-| `server.stats:read` | n/a | Read server stats |
-| `datasources:explore` | n/a | Enable explore |
+| Action | Applicable scope | Description |
+| -------------------------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `roles:list` | `roles:*` | List available roles without permissions. |
+| `roles:read` | `roles:*` | Read a specific role with its permissions. |
+| `roles:write` | `permissions:delegate` | Create or update a custom role. |
+| `roles:delete` | `permissions:delegate` | Delete a custom role. |
+| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
+| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
+| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
+| `reports.admin:create` | `reports:*` | Create reports. |
+| `reports.admin:write` | `reports:*` | Update reports. |
+| `reports:delete` | `reports:*` | Delete reports. |
+| `reports:read` | `reports:*` | List all available reports or get a specific report. |
+| `reports:send` | `reports:*` | Send a report email. |
+| `reports.settings:write` | n/a | Update report settings. |
+| `reports.settings:read` | n/a | Read report settings. |
+| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
+| `users:read` | `global:users:*` | Read or search user profiles. |
+| `users:write` | `global:users:*` | Update a user’s profile. |
+| `users.teams:read` | `global:users:*` | Read a user’s teams. |
+| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
+| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
+| `users.password:update` | `global:users:*` | Update a user’s password. |
+| `users:delete` | `global:users:*` | Delete a user. |
+| `users:create` | n/a | Create a user. |
+| `users:enable` | `global:users:*` | Enable a user. |
+| `users:disable` | `global:users:*` | Disable a user. |
+| `users.permissions:update` | `global:users:*` | Update a user’s organization-level permissions. |
+| `users:logout` | `global:users:*` | Sign out a user. |
+| `users.quotas:list` | `global:users:*` | List a user’s quotas. |
+| `users.quotas:update` | `global:users:*` | Update a user’s quotas. |
+| `org.users:read` | `users:*` | Get user profiles within an organization. |
+| `org.users:add` | `users:*` | Add a user to an organization. |
+| `org.users:remove` | `users:*` | Remove a user from an organization. |
+| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
+| `ldap.user:read` | n/a | Get a user via LDAP. |
+| `ldap.user:sync` | n/a | Sync a user via LDAP. |
+| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
+| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
+| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
+| `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
+| `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
+| `server.stats:read` | n/a | Read server stats |
+| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
+| `datasources:read` | n/a
`datasources:*`
`datasources:id:*`
`datasources:uid:*`
`datasources:name:*` | List data sources. |
+| `datasources:id:read` | `datasources:*`
`datasources:name:*` | Read data source IDs. |
+| `datasources:create` | n/a | Create data sources. |
+| `datasources:write` | `datasources:*`
`datasources:id:*` | Update data sources. |
+| `datasources:delete` | `datasources:id:*`
`datasources:uid:*`
`datasources:name:*` | Delete data sources. |
+| `datasources.permissions:read` | `datasources:*`
`datasources:id:*` | List data source permissions. |
+| `datasources.permissions:create` | `datasources:*`
`datasources:id:*` | Create data source permissions. |
+| `datasources.permissions:delete` | `datasources:*`
`datasources:id:*` | Delete data source permissions. |
+| `datasources.permissions:toggle` | `datasources:*`
`datasources:id:*` | Enable or disable data source permissions. |
## Scope definitions
The following list contains fine-grained access control scopes.
-| Scopes | Descriptions |
-| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
-| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
-| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
-| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
-| `global:users:*` | Restrict an action to a set of global users. |
-| `users:*` | Restrict an action to a set of users from an organization. |
-| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
-| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
+| Scopes | Descriptions |
+| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
+| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
+| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
+| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
+| `global:users:*` | Restrict an action to a set of global users. |
+| `users:*` | Restrict an action to a set of users from an organization. |
+| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
+| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
+| `datasources:*`
`datasources:id:*`
`datasources:uid:*`
`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
diff --git a/docs/sources/http_api/data_source.md b/docs/sources/http_api/data_source.md
index e9e7aff2366..80e595399be 100644
--- a/docs/sources/http_api/data_source.md
+++ b/docs/sources/http_api/data_source.md
@@ -7,10 +7,23 @@ aliases = ["/docs/grafana/latest/http_api/datasource/"]
# Data source API
+> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
+> Refer to specific resources to understand what permissions are required.
+
## Get all data sources
`GET /api/datasources`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ---------------- | -------------- |
+| datasources:read | datasources:\* |
+
+### Examples
+
**Example Request**:
```http
@@ -57,6 +70,16 @@ Content-Type: application/json
`GET /api/datasources/:datasourceId`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ---------------- | ---------------------------------------------------------------------------- |
+| datasources:read | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example Request**:
```http
@@ -103,6 +126,16 @@ Content-Type: application/json
`GET /api/datasources/uid/:uid`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ---------------- | -------------------------------------------------------------------------------------- |
+| datasources:read | datasources:\*
datasources:uid:\*
datasources:uid:kLtEtcRGk (single data source) |
+
+### Examples
+
**Example request:**
```http
@@ -149,6 +182,16 @@ Content-Type: application/json
`GET /api/datasources/name/:name`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ---------------- | ---------------------------------------------------------------------------------------------- |
+| datasources:read | datasources:\*
datasources:name:\*
datasources:name:test_datasource (single data source) |
+
+### Examples
+
**Example Request**:
```http
@@ -195,6 +238,16 @@ Content-Type: application/json
`GET /api/datasources/id/:name`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------- | ---------------------------------------------------------------------------------------------- |
+| datasources:id:read | datasources:\*
datasources:name:\*
datasources:name:test_datasource (single data source) |
+
+### Examples
+
**Example Request**:
```http
@@ -219,6 +272,16 @@ Content-Type: application/json
`POST /api/datasources`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------ | ----- |
+| datasources:create | n/a |
+
+### Examples
+
**Example Graphite Request**:
```http
@@ -357,6 +420,16 @@ Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
`PUT /api/datasources/:datasourceId`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ----------------- | ---------------------------------------------------------------------------- |
+| datasources:write | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example Request**:
```http
@@ -427,6 +500,16 @@ Content-Type: application/json
`DELETE /api/datasources/:datasourceId`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------ | ---------------------------------------------------------------------------- |
+| datasources:delete | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example Request**:
```http
@@ -449,6 +532,16 @@ Content-Type: application/json
`DELETE /api/datasources/uid/:uid`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------ | -------------------------------------------------------------------------------------- |
+| datasources:delete | datasources:\*
datasources:uid:\*
datasources:uid:kLtEtcRGk (single data source) |
+
+### Examples
+
**Example request:**
```http
@@ -471,6 +564,16 @@ Content-Type: application/json
`DELETE /api/datasources/name/:datasourceName`
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------ | ---------------------------------------------------------------------------------------------- |
+| datasources:delete | datasources:\*
datasources:name:\*
datasources:name:test_datasource (single data source) |
+
+### Examples
+
**Example Request**:
```http
diff --git a/docs/sources/http_api/datasource_permissions.md b/docs/sources/http_api/datasource_permissions.md
index 66f6e93ba7c..dc7e2d970f9 100644
--- a/docs/sources/http_api/datasource_permissions.md
+++ b/docs/sources/http_api/datasource_permissions.md
@@ -9,6 +9,9 @@ aliases = ["/docs/grafana/latest/http_api/datasourcepermissions/"]
> The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
+> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
+> Refer to specific resources to understand what permissions are required.
+
This API can be used to enable, disable, list, add and remove permissions for a data source.
Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything.
@@ -23,6 +26,16 @@ The permission levels for the permission field:
Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source.
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------------------ | ---------------------------------------------------------------------------- |
+| datasources.permissions:toggle | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example request:**
```http
@@ -58,6 +71,16 @@ Status codes:
Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source.
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------------------ | ---------------------------------------------------------------------------- |
+| datasources.permissions:toggle | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example request:**
```http
@@ -93,6 +116,16 @@ Status codes:
Gets all existing permissions for the data source with the given `id`.
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
+
+| Action | Scope |
+| ---------------------------- | ---------------------------------------------------------------------------- |
+| datasources.permissions:read | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example request:**
```http
@@ -154,6 +187,16 @@ Status codes:
Adds a user permission for the data source with the given `id`.
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------------------ | ---------------------------------------------------------------------------- |
+| datasources.permissions:create | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example request:**
```http
@@ -218,6 +261,16 @@ Status codes:
Removes the permission with the given `permissionId` for the data source with the given `id`.
+### Required permissions
+
+See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
+
+| Action | Scope |
+| ------------------------------ | ---------------------------------------------------------------------------- |
+| datasources.permissions:delete | datasources:\*
datasources:id:\*
datasources:id:1 (single data source) |
+
+### Examples
+
**Example request:**
```http