docs/sources/administration/roles-and-permissions/_index.md
A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system. For example, the Admin role includes permissions for an administrator to create and delete users.
You can assign a user one of three types of permission sets:
{{< admonition type="note" >}} If you're using Grafana Enterprise or Grafana Cloud, you can also control access to data sources and use role-based access control to grant users read and write permissions on specific Grafana resources.
For more information about access control options available with Grafana Enterprise, refer to Grafana Enterprise user permissions features. {{< /admonition >}}
A Grafana server administrator (sometimes referred to as a Grafana Admin) manages server-wide settings and access to resources such as organizations, users, and licenses. Grafana includes a default server administrator that you can use to manage all of Grafana, or you can divide that responsibility among other server administrators that you create.
{{< admonition type="caution" >}} The server administrator role is distinct from the organization administrator role. {{< /admonition >}}
A server administrator can perform the following tasks:
{{< admonition type="note" >}} The server administrator (Grafana Admin) role does not exist in Grafana Cloud. {{< /admonition >}}
To assign or remove server administrator privileges, see Server user management.
All Grafana users belong to at least one organization. An organization is an entity that exists within your instance of Grafana.
Permissions assigned to a user within an organization control the extent to which the user has access to and can update the following organization resources:
For more information about managing organization users, refer to User management.
{{< admonition type="caution" >}} If you're using Grafana Cloud, Grafana Support is not authorised to make any organization role changes. Instead, contact your org administrator. {{< /admonition >}}
Organization role-based permissions are global, which means that each permission level applies to all Grafana resources within a given organization. For example, an editor can see and update all dashboards in an organization, unless those dashboards have been specifically restricted using dashboard permissions.
Grafana uses the following roles to control user access:
The following table lists permissions for each role.
| Permission | Organization administrator | Editor | Viewer | No Basic Role |
|---|---|---|---|---|
| View dashboards | yes | yes | yes | |
| Add, edit, delete dashboards | yes | yes | | |
| Add, edit, delete folders | yes | yes | | |
| View playlists | yes | yes | yes | |
| Add, edit, delete playlists | yes | yes | | |
| Create library panels | yes | yes | | |
| View annotations | yes | yes | yes | |
| Add, edit, delete annotations | yes | yes | | |
| Access Explore | yes | yes | | |
| Query data sources directly | yes | yes | yes | |
| Add, edit, delete data sources | yes | | | |
| Add and edit users | yes | | | |
| Add and edit teams | yes | | | |
| Change organization settings | yes | | | |
| Change team settings | yes | | | |
| Configure application plugins | yes | | | |
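
An access review built on the role table above, as an added example that is not part of the Grafana documentation or code base: it flags Admin and Editor accounts that have not been seen recently and reports server administrators separately, since that role is distinct from the organization administrator role. The JSON sample is constructed, and its field names (`login`, `role`, `lastSeenAt`), the `SERVER_ADMINS` set, and the 90-day threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an organization's user listing. The field names
# (login, role, lastSeenAt) are assumptions, not taken from this page.
ORG_USERS_JSON = """[
  {"login": "alice", "role": "Admin", "lastSeenAt": "2024-05-30T09:00:00Z"},
  {"login": "bob", "role": "Editor", "lastSeenAt": "2023-11-02T14:20:00Z"},
  {"login": "carol", "role": "Viewer", "lastSeenAt": "2024-05-29T08:00:00Z"},
  {"login": "dave", "role": "Admin", "lastSeenAt": "2023-01-15T10:00:00Z"},
  {"login": "svc-report", "role": "None", "lastSeenAt": "2024-05-31T00:00:00Z"}
]"""

# Constructed set of logins that hold the server administrator role.
SERVER_ADMINS = {"alice", "erin"}

# Per the role table, these organization roles can modify resources.
WRITE_ROLES = {"Admin", "Editor"}


def review(org_users, server_admins, now, stale_days=90):
    """Return (finding, login) tuples for an access review of one organization."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for user in org_users:
        seen = datetime.fromisoformat(user["lastSeenAt"].replace("Z", "+00:00"))
        # Write-capable role on an account nobody has used recently.
        if user["role"] in WRITE_ROLES and seen < cutoff:
            findings.append(("stale-write-role", user["login"]))
    org_logins = {u["login"] for u in org_users}
    org_admins = {u["login"] for u in org_users if u["role"] == "Admin"}
    # Server administrators are tracked apart from organization roles,
    # so they can be missing from this organization's listing entirely.
    for login in sorted(server_admins - org_logins):
        findings.append(("server-admin-outside-org", login))
    # Accounts holding both server-wide and organization-wide administration.
    for login in sorted(server_admins & org_admins):
        findings.append(("server-and-org-admin", login))
    return findings


def run_sample():
    """Run the review over the constructed sample at a fixed point in time."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return review(json.loads(ORG_USERS_JSON), SERVER_ADMINS, now)


if __name__ == "__main__":
    for finding, login in run_sample():
        print(f"{finding}: {login}")
```
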
When you want to extend a viewer's ability to edit and save dashboard changes or limit an editor's permission to modify a dashboard, you can assign permissions to dashboards and folders. For example, you might want a certain viewer to be able to edit a dashboard. While that user can see all dashboards, you can grant them access to update only one of them.
Important: The dashboard permissions you specify override the organization permissions you assign to the user for the selected entity.
You can specify the following permissions to dashboards and folders.
Important: When a user creates a dashboard or folder at the top level, they are automatically granted Admin permissions for it. This does not apply to dashboards within a folder or to subfolders.
For more information about assigning dashboard folder permissions, refer to Grant dashboard folder permissions.
For more information about assigning dashboard permissions, refer to Grant dashboard permissions.
A team is a group of users within an organization that have common dashboard and data source permission needs. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. A user can belong to multiple teams.
You can assign a team member one of the following permissions:
Because teams exist inside an organization, the organization administrator can manage all teams.
For details on managing teams, see Team management.
While Grafana OSS includes a robust set of permissions and settings that you can use to manage user access to server and organization resources, you might find that you require additional capabilities.
Grafana Enterprise provides the following permissions-related features:
By default, a user can query any data source in an organization, even if the data source is not linked to the user's dashboards.
Data source permissions enable you to restrict data source query permissions to specific Users, Service Accounts, and Teams. For more information about assigning data source permissions, refer to Data source permissions.
RBAC provides a way to grant, change, and revoke user read and write access to Grafana resources, such as users, reports, and authentication.
For more information about RBAC, refer to Role-based access control.
Want to know more? Complete the Create users and teams tutorial to learn how to set up users and teams.