docs/sources/setup-grafana/configure-access/multi-team-access.md
If your organization has multiple teams using Grafana, you can use a single Grafana Enterprise deployment or a single Grafana Cloud stack to manage access across teams using roles and folders. This approach reduces complexity, simplifies identity and access management, and facilitates cross-team collaboration.
By using a single Grafana instance to manage access, you can:
Consider the following setup of three teams:
Follow these suggested steps to structure, configure, and set permissions to access data in your Grafana instance:
For more information on how to install a Grafana instance:
{{< admonition type="note" >}} For guidance on when to use one stack versus multiple, refer to Stack architecture guidance. {{< /admonition >}}
After you’ve deployed your Grafana instance:
To design a folder setup that helps users quickly understand where to go, what they can access, and what they can manage:
fixed:teams:read fixed role. This means they can share items in their team folder with other teams, to encourage collaboration and learning from each other.
{{< figure src="/media/docs/grafana/oac/AccessTeams01.png" max-width="750px" alt="Teams and folders in the stack, and the related admin permissions Team A and Team B have been granted" >}}
Next, focus on how teams interact with data to decide further access needs.
Grant the datasources:explorer fixed role to all teams so they can use the Drilldown apps to easily explore data sources.
However, you may need to protect data in shared resources. For example, all teams might forward metrics to a shared data source, but not everyone needs to see all of the data. In this case, grant each team query access only to the data relevant to them, using label-based access controls (LBAC) per team. This way, you maintain a central observability pipeline but still preserve data separation.
If any of your teams, Team A for example, need to build and manage their own data sources for product-specific use cases, grant the datasources:creator fixed role so they can create and manage their own data sources independently.
{{< figure src="/media/docs/grafana/oac/AccessTeams02.png" max-width="750px" alt="Teams and data sources in the stack, and the related permissions Team A and Team B have been granted" >}}
Some Grafana resources, such as service accounts, alert contact points, Fleet Management collectors, and other feature resources, are not linked to teams but are managed at the stack level. For these types of resources, assign fixed roles to teams carefully.
For example, users working in Frontend Observability need a writer fixed role so that they can create and manage services.
{{< figure src="/media/docs/grafana/oac/AccessTeams03.png" max-width="750px" alt="Grafana Cloud Frontend Observability resources in the stack, and the related permissions Team A have been granted" >}}
After you've made sure the model is working, you can codify it.
You can add any new users to your Grafana instance with an Identity Provider through SCIM. Use role sync to automatically assign users the correct basic role (Viewer, Editor, or Admin) based on their mapped attributes in the IdP.
You can also use Terraform to provision teams, their folders, fixed roles, and shared data source LBAC rules. For example, if you need to add a new team (Team D), you only need to add the new team to Grafana and run the Terraform script, which will automatically set them up to start using Grafana.
{{< figure src="/media/docs/grafana/oac/AccessTeams04.png" max-width="750px" alt="Add new Team D from Okta and automate the rest of their IAM setup using Terraform" >}}
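The following Terraform sketch is an added example, not taken from the Grafana documentation, showing how the model above can be codified with the grafana/grafana provider so that onboarding Team D is a one-line change. It assumes the provider is already configured; the team names, the `team` label selectors, the `shared_datasource_uid` variable, and the `fixed:`-prefixed role names are assumptions for illustration.

```hcl
# Constructed example: team names, label selectors and the data source UID are placeholders.
variable "shared_datasource_uid" {
  type = string # UID of the shared metrics data source (assumed to exist already)
}

locals {
  # Adding Team D means adding one entry here and running `terraform apply`.
  teams = {
    "Team A" = { selector = "{ team=\"a\" }", creates_datasources = true }
    "Team B" = { selector = "{ team=\"b\" }", creates_datasources = false }
    "Team D" = { selector = "{ team=\"d\" }", creates_datasources = false }
  }
}

resource "grafana_team" "team" {
  for_each = local.teams
  name     = each.key
}

resource "grafana_folder" "team" {
  for_each = local.teams
  title    = each.key
}

# Each team administers only its own folder.
resource "grafana_folder_permission" "team" {
  for_each   = local.teams
  folder_uid = grafana_folder.team[each.key].uid
  permissions {
    team_id    = grafana_team.team[each.key].id
    permission = "Admin"
  }
}

data "grafana_role" "explorer" { name = "fixed:datasources:explorer" }
data "grafana_role" "creator" { name = "fixed:datasources:creator" }

# Every team can explore data sources; only flagged teams can create their own.
resource "grafana_role_assignment" "explorer" {
  role_uid = data.grafana_role.explorer.uid
  teams    = [for t in grafana_team.team : t.id]
}

resource "grafana_role_assignment" "creator" {
  role_uid = data.grafana_role.creator.uid
  teams    = [for k, t in grafana_team.team : t.id if local.teams[k].creates_datasources]
}

# LBAC on the shared data source: each team queries only series matching its selector.
resource "grafana_data_source_config_lbac_rules" "shared" {
  datasource_uid = var.shared_datasource_uid
  rules = jsonencode({ for k, t in grafana_team.team : t.team_uid => [local.teams[k].selector] })
}
```

Review the output of `terraform plan` before applying: a team missing from the LBAC rules map, or an unexpected entry in the `creator` assignment, is easier to catch there than after access has been granted.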
Read on to learn more about access management: