Files
grafana/docs/sources/enterprise/access-control/fine-grained-access-control-references.md
Karl Persson 36c997a625 Access Control: Add fine-grained access control to ldap handlers (#35525)
* Add new accesscontrol action for ldap config reload

* Update ldapAdminEditRole with new ldap config reload permission

* wrap /ldap/reload with accesscontrol authorize middleware

* document new action and update fixed:ldap:admin:edit with said action

* add fake accesscontrol implementation for tests

* Add accesscontrol tests for ldap handlers

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-06-11 15:58:18 +02:00

3.4 KiB

+++ title = "Fine-grained access control references" description = "Refer to fine-grained access control references" keywords = ["grafana", "fine-grained-access-control", "roles", "fixed-roles", "built-in-role-assignments", "permissions", "enterprise"] weight = 130 +++

Fine-grained access control references

The reference information that follows complements conceptual information about [Roles]({{< relref "./roles.md" >}}).

Fine-grained access fixed roles

Fixed roles Permissions Descriptions
fixed:permissions:admin:read roles:read
roles:list
roles.builtin:list
Allows to list and get available roles and built-in role assignments.
fixed:permissions:admin:edit All permissions from fixed:permissions:admin:read and
roles:write
roles:delete
roles.builtin:add
roles.builtin:remove
Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments.
fixed:reporting:admin:read reports:read
reports:send
reports.settings:read
Allows to read reports and report settings.
fixed:reporting:admin:edit All permissions from fixed:reporting:admin:read and
reports.admin:write
reports:delete
reports.settings:write
Allows every read action for reports and in addition allows to administer reports.
fixed:users:admin:read users.authtoken:list
users.quotas:list
users:read
users.teams:read
Allows to list and get users and related information.
fixed:users:admin:edit All permissions from fixed:users:admin:read and
users.password:update
users:write
users:create
users:delete
users:enable
users:disable
users.permissions:update
users:logout
users.authtoken:update
users.quotas:update
Allows every read action for users and in addition allows to administer users.
fixed:users:org:read org.users:read Allows to get user organizations.
fixed:users:org:edit All permissions from fixed:users:org:read and
org.users:add
org.users:remove
org.users.role:update
Allows every read action for user organizations and in addition allows to administer user organizations.
fixed:ldap:admin:read ldap.user:read
ldap.status:read
Allows to read LDAP information and status.
fixed:ldap:admin:edit All permissions from fixed:ldap:admin:read and
ldap.user:sync
ldap.config:reload
Allows every read action for LDAP and in addition allows to administer LDAP.
fixed:settings:admin:edit settings:write Update all settings

Default built-in role assignments

Built-in roles Associated roles Descriptions
Grafana Admin fixed:permissions:admin:edit
fixed:permissions:admin:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
fixed:users:admin:edit
fixed:users:admin:read
fixed:users:org:edit
fixed:users:org:read
fixed:ldap:admin:edit
fixed:ldap:admin:read
fixed:settings:admin:edit
Allows access to resources which [Grafana Server Admin]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has permissions by default.
Admin fixed:users:org:edit
fixed:users:org:read
fixed:reporting:admin:edit
fixed:reporting:admin:read
Allows access to resource which [Admin]({{< relref "../../permissions/organization_roles.md" >}}) has permissions by default.