Eve Meelan 6edd2e7296 Everything in Cloud free updates (#69948)
* updates for everything in Free

* more cloud free
2023-06-12 11:14:02 -07:00

---
aliases:
- ../../../enterprise/access-control/fine-grained-access-control-references/
- ../../../enterprise/access-control/rbac-fixed-basic-role-definitions/
description: This topic includes tables that list the permissions associated with Grafana fixed and basic roles.
menuTitle: RBAC role definitions
title: Grafana RBAC role definitions
weight: 70
---
# RBAC role definitions
{{% admonition type="note" %}}
Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud](/docs/grafana-cloud).
{{% /admonition %}}
The following tables list permissions associated with basic and fixed roles.
## Basic role assignments
| Basic role | Associated fixed roles | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:organization:reader`<br>`fixed:organization:maintainer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer`<br>`fixed:datasources.caching:reader`<br>`fixed:datasources.caching:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:plugins:maintainer`<br>`fixed:authentication.config:writer` | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments. |
| Admin | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:reader`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:reader`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:reader`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:reader`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:apikeys:reader`<br>`fixed:apikeys:writer`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:reader`<br>`fixed:datasources.caching:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:plugins:writer` | Default [Grafana organization administrator]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Editor | `fixed:datasources:explorer`<br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled<br>`fixed:alerting:writer`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader` | Default [Editor]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Viewer | `fixed:datasources:id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader` | Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
## Fixed role definitions
| Fixed role | Permissions | Description |
| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:alerting.instances:writer` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*` | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles) |
| `fixed:alerting.instances:reader` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*` | Read all alerts and silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles) |
| `fixed:alerting.notifications:writer` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles) |
| `fixed:alerting.notifications:reader` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*` | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting.rules:writer` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) |
| `fixed:alerting.rules:reader` | `alert.rule:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) |
| `fixed:alerting:writer` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer` | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting:reader` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader` | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles) |
| `fixed:alerting.provisioning:writer` | `alert.provisioning:read` and `alert.provisioning:write` | Create, update, and delete Grafana alert rules, notification policies, contact points, templates, and so on through the provisioning API. [\*](#alerting-roles) |
| `fixed:annotations.dashboard:writer` | `annotations:write` <br>`annotations:create`<br> `annotations:delete` for scope `annotations:type:dashboard` | Create, update and delete dashboard annotations and annotation tags. |
| `fixed:annotations:reader` | `annotations:read` for scopes `annotations:type:*` | Read all annotations and annotation tags. |
| `fixed:annotations:writer` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations:create`<br> `annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
| `fixed:apikeys:reader` | `apikeys:read` for scope `apikeys:*` | Read all API keys. |
| `fixed:apikeys:writer` | All permissions from `fixed:apikeys:reader` and <br> `apikeys:create` <br> `apikeys:delete` for scope `apikeys:*` | Read, create, and delete all API keys. |
| `fixed:authentication.config:writer` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*` | Read and update authentication and SAML settings. |
| `fixed:dashboards:creator` | `dashboards:create`<br>`folders:read` | Create dashboards. |
| `fixed:dashboards.insights:reader` | `dashboards.insights:read` | Read dashboard insights data and see presence indicators. |
| `fixed:dashboards.permissions:reader` | `dashboards.permissions:read` | Read all dashboard permissions. |
| `fixed:dashboards.permissions:writer` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write` | Read and update all dashboard permissions. |
| `fixed:dashboards.public:writer` | `dashboards.public:write` | Create, update, delete or pause a public dashboard. |
| `fixed:dashboards:reader` | `dashboards:read` | Read all dashboards. |
| `fixed:dashboards:writer` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:edit`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write` | Read, create, update, and delete all dashboards. |
| `fixed:datasources.caching:reader` | `datasources.caching:read` | Read data source query caching settings. |
| `fixed:datasources.caching:writer` | `datasources.caching:read`<br>`datasources.caching:write` | Enable, disable, or update query caching settings. |
| `fixed:datasources:explorer` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply: you can only query data sources for which you have query permissions. |
| `fixed:datasources:id:reader` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources.insights:reader` | `datasources.insights:read` | Read data source insights data. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:datasources:reader` | `datasources:read`<br>`datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:folders.permissions:reader` | `folders.permissions:read` | Read all folder permissions. |
| `fixed:folders.permissions:writer` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write` | Read and update all folder permissions. |
| `fixed:folders:creator` | `folders:create` | Create folders in the root level. If granted together with `folders:write` permission, also allows creating subfolders under all folders. |
| `fixed:folders:reader` | `folders:read`<br>`dashboards:read` | Read all folders and dashboards. |
| `fixed:folders:writer` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write` | Read, create, update, and delete all folders and dashboards. If granted together with `fixed:folders:creator`, allows creating subfolders under all folders. |
| `fixed:ldap:reader` | `ldap.user:read`<br>`ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:ldap:writer` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:licensing:reader` | `licensing:read`<br>`licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete` | Read licensing information and licensing reports, update and delete the license token. |
| `fixed:org.users:reader` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write` | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:organization:maintainer` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write` | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally. |
| `fixed:organization:reader` | `orgs:read`<br>`orgs.quotas:read` | Read an organization and its quotas. |
| `fixed:organization:writer` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write` | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences. |
| `fixed:plugins.app:reader` | `plugins.app:access` | Access application plugins (still enforcing the organization role). |
| `fixed:plugins:maintainer` | `plugins:install` | Install and uninstall plugins. |
| `fixed:plugins:writer` | `plugins:write` | Enable and disable plugins and edit plugins' settings. |
| `fixed:provisioning:writer` | `provisioning:reload` | Reload provisioning. |
| `fixed:reports:reader` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Read all reports and shared report settings. |
| `fixed:reports:writer` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:roles:reader` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read` | Read all access control roles, and the roles and permissions assigned to users and teams. |
| `fixed:roles:writer` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove` | Create, read, update, or delete all roles, and assign or unassign roles to users and teams. |
| `fixed:roles:resetter` | `roles:write` with scope `permissions:type:escalate` | Reset basic roles to their default. |
| `fixed:serviceaccounts:reader` | `serviceaccounts:read` | Read Grafana service accounts. |
| `fixed:serviceaccounts:creator` | `serviceaccounts:create` | Create Grafana service accounts. |
| `fixed:serviceaccounts:writer` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write` | Create, update, read and delete all Grafana service accounts and manage service account permissions. |
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:creator` | `teams:create`<br>`org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |
| `fixed:users:reader` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user's authentication token, or update quotas for all users. |
### Alerting roles
If alerting is [enabled]({{< relref "../../../../alerting/migrating-alerts/opt-out/" >}}), you can use predefined roles to manage user access to alert rules, alert instances, and alert notification settings and create custom roles to limit user access to alert rules in a folder.
Access to Grafana alert rules is an intersection of many permissions:

- Permission to read a folder. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
- Permission to query **all** data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.

There is only one exception at this time: the role `fixed:alerting.provisioning:writer` does not require the user to have any additional permissions and provides access to all aspects of the alerting configuration through the special provisioning API.

For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder]({{< relref "./plan-rbac-rollout-strategy/#create-a-custom-role-to-access-alerts-in-a-folder" >}}).
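
The intersection rule above can be modelled as a small audit helper that reports which requirement a user is missing for a given alert rule. This is an added example, not Grafana code: the `Permission` and `AlertRule` types, the function names, and the concrete scope strings (`folders:id:12`, `datasources:uid:prom`, and so on) are constructed for illustration, and the wildcard matching is a simplification. It does not model the provisioning API exception.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str  # e.g. "alert.rule:read"
    scope: str   # e.g. "folders:*" or a concrete (constructed) scope


@dataclass(frozen=True)
class AlertRule:
    title: str
    folder_scope: str         # folder that holds the rule
    datasource_scopes: tuple  # every data source the rule queries


def scope_matches(granted: str, wanted: str) -> bool:
    """A granted scope covers `wanted` if equal, or if it ends in ':*'
    and `wanted` sits under that prefix. 'folders:id:1' does NOT cover
    'folders:id:12': only an explicit wildcard widens a scope."""
    if granted in ("*", wanted):
        return True
    return granted.endswith(":*") and wanted.startswith(granted[:-1])


def allowed(perms, action: str, scope: str) -> bool:
    return any(p.action == action and scope_matches(p.scope, scope)
               for p in perms)


def missing_for_rule(perms, rule: AlertRule) -> list:
    """Return the unmet requirements; an empty list means the rule is visible."""
    missing = []
    # 1. The folder itself must be readable.
    if not allowed(perms, "folders:read", rule.folder_scope):
        missing.append(f"folders:read on {rule.folder_scope}")
    # 2. Alert rules are scoped to folders.
    if not allowed(perms, "alert.rule:read", rule.folder_scope):
        missing.append(f"alert.rule:read on {rule.folder_scope}")
    # 3. ALL data sources used by the rule must be queryable.
    for ds in rule.datasource_scopes:
        if not allowed(perms, "datasources:query", ds):
            missing.append(f"datasources:query on {ds}")
    return missing


def visible_rules(perms, rules) -> list:
    return [r.title for r in rules if not missing_for_rule(perms, r)]


# Constructed sample data.
RULES = [
    AlertRule("cpu-high", "folders:id:12", ("datasources:uid:prom",)),
    AlertRule("errors-vs-logs", "folders:id:12",
              ("datasources:uid:prom", "datasources:uid:loki")),
    AlertRule("billing-lag", "folders:id:34", ("datasources:uid:prom",)),
]

# Folder-wide read access, but query rights on only one data source.
PARTIAL_QUERY = [
    Permission("folders:read", "folders:*"),
    Permission("alert.rule:read", "folders:*"),
    Permission("datasources:query", "datasources:uid:prom"),
]

# Alert and folder access limited to a single folder, all data sources.
ONE_FOLDER = [
    Permission("folders:read", "folders:id:12"),
    Permission("alert.rule:read", "folders:id:12"),
    Permission("datasources:query", "datasources:*"),
]

if __name__ == "__main__":
    for name, perms in (("partial-query", PARTIAL_QUERY),
                        ("one-folder", ONE_FOLDER)):
        print(name, "sees", visible_rules(perms, RULES))
        for rule in RULES:
            for gap in missing_for_rule(perms, rule):
                print(f"  {rule.title}: missing {gap}")
```
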
### Grafana OnCall roles (beta)
{{% admonition type="note" %}}
Available from Grafana 9.4 in early access.
{{% /admonition %}}
{{% admonition type="note" %}}
This feature is behind the `accessControlOnCall` feature toggle.
You can enable feature toggles through the configuration file or environment variables. See the configuration [docs]({{< relref "../../../../setup-grafana/configure-grafana/#feature_toggles" >}}) for details.
{{% /admonition %}}
If you are using [Grafana OnCall](https://grafana.com/docs/oncall/latest/get-started/), you can try out the integration between Grafana OnCall and RBAC.
This will allow you to control access to different OnCall features using the following RBAC roles:
| Fixed role | Permissions | Description |
| --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| `plugins:grafana-oncall-app:reader` | `plugins.app:access`<br>`grafana-oncall-app.alert-groups:read`<br>`grafana-oncall-app.integrations:read`<br>`grafana-oncall-app.escalation-chains:read`<br>`grafana-oncall-app.schedules:read`<br>`grafana-oncall-app.chatops:read`<br>`grafana-oncall-app.outgoing-webhooks:read`<br>`grafana-oncall-app.maintenance:read`<br>`grafana-oncall-app.notification-settings:read`<br>`grafana-oncall-app.user-settings:read`<br>`grafana-oncall-app.other-settings:read` | Read everything in OnCall. |
| `plugins:grafana-oncall-app:oncaller` | All permissions from `plugins:grafana-oncall-app:reader` and `grafana-oncall-app.alert-groups:write`<br>`grafana-oncall-app.schedules:write` | Read everything in OnCall and edit alert groups and schedules. |
| `plugins:grafana-oncall-app:editor` | All permissions from `plugins:grafana-oncall-app:oncaller` and `grafana-oncall-app.notifications:read`<br>`grafana-oncall-app.integrations:test`<br>`grafana-oncall-app.schedules:export`<br>`grafana-oncall-app.chatops:write`<br>`grafana-oncall-app.maintenance:write`<br>`grafana-oncall-app.notification-settings:write`<br>`grafana-oncall-app.user-settings:write` | Read everything in OnCall and edit alert groups, schedules, ChatOps, maintenance, notification settings, and user's own settings. |
| `plugins:grafana-oncall-app:admin` | All permissions from `plugins:grafana-oncall-app:editor` and `grafana-oncall-app.integrations:write`<br>`grafana-oncall-app.escalation-chains:write`<br>`grafana-oncall-app.chatops:update-settings:write`<br>`grafana-oncall-app.outgoing-webhooks:write`<br>`grafana-oncall-app.api-keys:write`<br>`grafana-oncall-app.user-settings:admin`<br>`grafana-oncall-app.other-settings:write` | Read and edit everything in OnCall. |
| `plugins:grafana-oncall-app:alert-groups-reader` | `plugins.app:access`<br>`grafana-oncall-app.alert-groups:read` | Read OnCall alert groups. |
| `plugins:grafana-oncall-app:alert-groups-editor` | `plugins.app:access`<br>`grafana-oncall-app.alert-groups:read`<br>`grafana-oncall-app.alert-groups:write` | Create, read, update and delete OnCall alert groups. |
| `plugins:grafana-oncall-app:integrations-reader` | `plugins.app:access`<br>`grafana-oncall-app.integrations:read` | Read OnCall integrations. |
| `plugins:grafana-oncall-app:integrations-editor` | `plugins.app:access`<br>`grafana-oncall-app.integrations:read`<br>`grafana-oncall-app.integrations:write`<br>`grafana-oncall-app.integrations:test` | Create, read, update and delete OnCall integrations. |
| `plugins:grafana-oncall-app:escalation-chains-reader` | `plugins.app:access`<br>`grafana-oncall-app.escalation-chains:read` | Read OnCall escalation chains. |
| `plugins:grafana-oncall-app:escalation-chains-editor` | `plugins.app:access`<br>`grafana-oncall-app.escalation-chains:read`<br>`grafana-oncall-app.escalation-chains:write` | Create, read, update and delete OnCall escalation chains. |
| `plugins:grafana-oncall-app:schedules-reader` | `plugins.app:access`<br>`grafana-oncall-app.schedules:read` | Read OnCall schedules. |
| `plugins:grafana-oncall-app:schedules-editor` | `plugins.app:access`<br>`grafana-oncall-app.schedules:read`<br>`grafana-oncall-app.schedules:write`<br>`grafana-oncall-app.schedules:export` | Create, read, update and delete OnCall schedules. |
| `plugins:grafana-oncall-app:chatops-reader` | `plugins.app:access`<br>`grafana-oncall-app.chatops:read` | Read OnCall ChatOps. |
| `plugins:grafana-oncall-app:chatops-editor` | `plugins.app:access`<br>`grafana-oncall-app.chatops:read`<br>`grafana-oncall-app.chatops:write`<br>`grafana-oncall-app.chatops:update-settings` | Read and update OnCall ChatOps. |
| `plugins:grafana-oncall-app:outgoing-webhooks-reader` | `plugins.app:access`<br>`grafana-oncall-app.outgoing-webhooks:read` | Read OnCall outgoing webhooks. |
| `plugins:grafana-oncall-app:outgoing-webhooks-editor` | `plugins.app:access`<br>`grafana-oncall-app.outgoing-webhooks:read`<br>`grafana-oncall-app.outgoing-webhooks:write` | Create, read, update and delete OnCall outgoing webhooks. |
| `plugins:grafana-oncall-app:maintenance-reader` | `plugins.app:access`<br>`grafana-oncall-app.maintenance:read` | Read OnCall maintenance. |
| `plugins:grafana-oncall-app:maintenance-editor` | `plugins.app:access`<br>`grafana-oncall-app.maintenance:read`<br>`grafana-oncall-app.maintenance:write` | Read and update OnCall maintenance. |
| `plugins:grafana-oncall-app:api-keys-reader` | `plugins.app:access`<br>`grafana-oncall-app.api-keys:read` | Read OnCall API keys. |
| `plugins:grafana-oncall-app:api-keys-editor` | `plugins.app:access`<br>`grafana-oncall-app.api-keys:read`<br>`grafana-oncall-app.api-keys:write` | Create, read, update and delete OnCall API keys. Also grants access to be able to consume the OnCall API. |
| `plugins:grafana-oncall-app:notification-settings-reader` | `plugins.app:access`<br>`grafana-oncall-app.notification-settings:read` | Read OnCall notification settings. |
| `plugins:grafana-oncall-app:notification-settings-editor` | `plugins.app:access`<br>`grafana-oncall-app.notification-settings:read`<br>`grafana-oncall-app.notification-settings:write` | Read and update OnCall notification settings. |
| `plugins:grafana-oncall-app:user-settings-reader` | `plugins.app:access`<br>`grafana-oncall-app.user-settings:read` | Read user's own OnCall user settings. |
| `plugins:grafana-oncall-app:user-settings-editor` | `plugins.app:access`<br>`grafana-oncall-app.user-settings:read`<br>`grafana-oncall-app.user-settings:write` | Read and update user's own OnCall user settings. |
| `plugins:grafana-oncall-app:user-settings-admin` | `plugins.app:access`<br>`grafana-oncall-app.user-settings:read`<br>`grafana-oncall-app.user-settings:write`<br>`grafana-oncall-app.user-settings:admin` | Read and update OnCall user settings for all users. |
| `plugins:grafana-oncall-app:settings-reader` | `plugins.app:access`<br>`grafana-oncall-app.other-settings:read` | Read OnCall settings. |
| `plugins:grafana-oncall-app:settings-editor` | `plugins.app:access`<br>`grafana-oncall-app.other-settings:read`<br>`grafana-oncall-app.other-settings:write` | Read and update OnCall settings. |

The following table lists the default RBAC OnCall role assignments to the basic roles:

| Basic role | Associated fixed roles | Description |
| ------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Grafana Admin | `plugins:grafana-oncall-app:admin` | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments. |
| Admin | `plugins:grafana-oncall-app:admin` | Default [Grafana organization administrator]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Editor | `plugins:grafana-oncall-app:editor` | Default [Editor]({{< relref "../#organization-users-and-permissions" >}}) assignments. |
| Viewer | `plugins:grafana-oncall-app:reader` | Default [Viewer]({{< relref "../#organization-users-and-permissions" >}}) assignments. |