mirror of
https://github.com/grafana/grafana.git
synced 2025-09-25 08:03:59 +08:00
36c997a625
* Add new accesscontrol action for ldap config reload * Update ldapAdminEditRole with new ldap config reload permission * wrap /ldap/reload with accesscontrol authorize middleware * document new action and update fixed:ldap:admin:edit with said action * add fake accesscontrol implementation for tests * Add accesscontrol tests for ldap handlers Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
3.4 KiB
3.4 KiB
+++ title = "Fine-grained access control references" description = "Refer to fine-grained access control references" keywords = ["grafana", "fine-grained-access-control", "roles", "fixed-roles", "built-in-role-assignments", "permissions", "enterprise"] weight = 130 +++
Fine-grained access control references
The reference information that follows complements conceptual information about [Roles]({{< relref "./roles.md" >}}).
Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions |
|---|---|---|
fixed:permissions:admin:read |
roles:readroles:listroles.builtin:list |
Allows to list and get available roles and built-in role assignments. |
fixed:permissions:admin:edit |
All permissions from fixed:permissions:admin:read and roles:writeroles:deleteroles.builtin:addroles.builtin:remove |
Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
fixed:reporting:admin:read |
reports:readreports:sendreports.settings:read |
Allows to read reports and report settings. |
fixed:reporting:admin:edit |
All permissions from fixed:reporting:admin:read and reports.admin:writereports:deletereports.settings:write |
Allows every read action for reports and in addition allows to administer reports. |
fixed:users:admin:read |
users.authtoken:listusers.quotas:listusers:readusers.teams:read |
Allows to list and get users and related information. |
fixed:users:admin:edit |
All permissions from fixed:users:admin:read and users.password:updateusers:writeusers:createusers:deleteusers:enableusers:disableusers.permissions:updateusers:logoutusers.authtoken:updateusers.quotas:update |
Allows every read action for users and in addition allows to administer users. |
fixed:users:org:read |
org.users:read |
Allows to get user organizations. |
fixed:users:org:edit |
All permissions from fixed:users:org:read and org.users:addorg.users:removeorg.users.role:update |
Allows every read action for user organizations and in addition allows to administer user organizations. |
fixed:ldap:admin:read |
ldap.user:readldap.status:read |
Allows to read LDAP information and status. |
fixed:ldap:admin:edit |
All permissions from fixed:ldap:admin:read and ldap.user:syncldap.config:reload |
Allows every read action for LDAP and in addition allows to administer LDAP. |
fixed:settings:admin:edit |
settings:write |
Update all settings |
Default built-in role assignments
| Built-in roles | Associated roles | Descriptions |
|---|---|---|
| Grafana Admin | fixed:permissions:admin:editfixed:permissions:admin:readfixed:reporting:admin:editfixed:reporting:admin:readfixed:users:admin:editfixed:users:admin:readfixed:users:org:editfixed:users:org:readfixed:ldap:admin:editfixed:ldap:admin:readfixed:settings:admin:edit |
Allows access to resources which [Grafana Server Admin]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has permissions by default. |
| Admin | fixed:users:org:editfixed:users:org:readfixed:reporting:admin:editfixed:reporting:admin:read |
Allows access to resource which [Admin]({{< relref "../../permissions/organization_roles.md" >}}) has permissions by default. |