grafana/docs/sources/enterprise/access-control/fine-grained-access-control-references.md

+++ title = "Fine-grained access control references" description = "Refer to fine-grained access control references" keywords = ["grafana", "fine-grained-access-control", "roles", "fixed-roles", "built-in-role-assignments", "permissions", "enterprise"] weight = 130 +++

Fine-grained access control references

The reference information that follows complements conceptual information about [Roles]({{< relref "./roles.md" >}}).

Fine-grained access fixed roles

Fixed roles	Permissions	Descriptions
fixed:permissions:admin:read	roles:read roles:list roles.builtin:list	Allows to list and get available roles and built-in role assignments.
fixed:permissions:admin:edit	All permissions from fixed:permissions:admin:read and roles:write roles:delete roles.builtin:add roles.builtin:remove	Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments.
fixed:provisioning:admin	provisioning:reload	Allow provisioning configurations to be reloaded.
fixed:reporting:admin:read	reports:read reports:send reports.settings:read	Allows to read reports and report settings.
fixed:reporting:admin:edit	All permissions from fixed:reporting:admin:read and reports.admin:write reports:delete reports.settings:write	Allows every read action for reports and in addition allows to administer reports.
fixed:users:admin:read	users.authtoken:list users.quotas:list users:read users.teams:read	Allows to list and get users and related information.
fixed:users:admin:edit	All permissions from fixed:users:admin:read and users.password:update users:write users:create users:delete users:enable users:disable users.permissions:update users:logout users.authtoken:update users.quotas:update	Allows every read action for users and in addition allows to administer users.
fixed:users:org:read	org.users:read	Allows to get user organizations.
fixed:users:org:edit	All permissions from fixed:users:org:read and org.users:add org.users:remove org.users.role:update	Allows every read action for user organizations and in addition allows to administer user organizations.
fixed:ldap:admin:read	ldap.user:read ldap.status:read	Allows to read LDAP information and status.
fixed:ldap:admin:edit	All permissions from fixed:ldap:admin:read and ldap.user:sync ldap.config:reload	Allows every read action for LDAP and in addition allows to administer LDAP.
fixed:server:admin:read	server.stats:read	Read server stats
fixed:settings:admin:read	settings:read	Read settings
fixed:settings:admin:edit	All permissions from fixed:settings:admin:read and settings:write	Update settings
fixed:datasource:editor:read	datasources:explore	Explore datasources

Default built-in role assignments

Built-in role	Associated role	Description
Grafana Admin	fixed:permissions:admin:edit fixed:permissions:admin:read fixed:provisioning:admin fixed:reporting:admin:edit fixed:reporting:admin:read fixed:users:admin:edit fixed:users:admin:read fixed:users:org:edit fixed:users:org:read fixed:ldap:admin:edit fixed:ldap:admin:read fixed:server:admin:read fixed:settings:admin:read fixed:settings:admin:edit	Allow access to the same resources and permissions the [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has by default.
Admin	fixed:users:org:edit fixed:users:org:read fixed:reporting:admin:edit fixed:reporting:admin:read	Allow access to the same resources and permissions that the [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) has by default.
Editor	fixed:datasource:editor:read