ContextQMD
Back to Grafana

Configure Team LBAC for Tempo or Cloud Traces

docs/sources/administration/data-source-management/teamlbac/configure-teamlbac-for-tempo/index.md

13.1.07.4 KB
Original Source

Configure team label-based access control for Tempo or Cloud Traces

{{< docs/private-preview product="Label-based access control for traces" >}}

Team label-based access control (LBAC) for Cloud Traces or Tempo lets you restrict which spans teams can access by defining rules using trace attributes. LBAC provides fine-grained, team-based access control within a single tenant and mirrors the experience used for logs and metrics LBAC in Grafana Cloud.

Grafana uses the term LBAC as an umbrella term for label-based access control for all data sources. Traces use attributes, not labels, for access control, but the Grafana UI surfaces this functionality as LBAC for consistency.

This feature only applies to Grafana Cloud Traces, specifically, the Cloud-provisioned tracing data source. If you want to use this feature with a Tempo data source, contact Grafana Support to make sure that this is enabled in your organization.

How LBAC works

When a user queries tracing data source, Grafana evaluates the user’s team memberships and the LBAC rules assigned to those teams. These rules are added to the request so the Cloud Traces data source returns only permitted spans or attributes.

LBAC rules use attribute selectors, such as:

{ resource.service.name="checkout", resource.env="prod" }

Multiple conditions in the same rule use AND (,), while multiple rules across teams use OR.

Before you begin

  • Be sure that you have the permission setup to create a Tempo or Cloud Traces tenant in Grafana Cloud.
  • Be sure that you have administrator permissions for Grafana.
  • Be sure that you have a team setup in Grafana.

Known limitations

  • Autocomplete in search is still under development.
  • LBAC is restricted to only contain resource scope attributes.
  • There is a slight performance degradation for users with multiple rules.

Configure team LBAC for traces

Follow this workflow when adding a new data source. The data source must be hosted by Grafana and not self-managed.

  1. Start your Grafana Cloud instance.

  2. Access Tempo or Cloud Traces data sources details for your stack.

  3. Copy Tempo or Cloud Traces details and create a Cloud Access Policy.

  4. In Grafana Cloud, navigate to Administration > Users and access > Cloud Access Policies.

    • Create an access policy for the Tempo or Cloud Traces data source.
    • Ensure the access policy includes traces:read permissions.
    • Ensure the access policy doesn't include labels rules.

  5. In Grafana, select Tempo or Cloud Traces or create new data source.

  6. Navigate back to the Tempo or Cloud Traces data source.

    • Set up the Tempo or Cloud Traces data source using basic authentication. Use the userID/tenantID as the username. Use the token from your access policy as the password.
    • Select Save and connect.

  7. Go to the Permissions tab of the newly created Tempo or Cloud Traces data source. Here, you find the LBAC for data sources rules section.

  8. Choose a team from the Team dropdown.

  9. Enter attribute selectors such as:

    { resource.service.name="checkout", resource.env="prod" }

    Refer to the Examples section below for more examples.

  10. Select Save.

Examples of LBAC rules

An LBAC rule is a logql query that filters logs or metrics based on labels. LBAC rules for traces also use some TraceQL syntax for attribute selection. Each rule operates independently as its own filter, separate from other rules within a team.

LBAC rules guidelines:

  • Use only resource scope attributes, for example { resource.env="prod" }.
  • Only string values are supported.
  • Use double quotes for string values, for example: { resource.env="prod" }.
  • You can use regular expressions matching with =~ operator, for example: { resource.team =~ "team-a|team-b" }.
  • You can have up to two conditions in the same rule using a comma (,) as an AND operator, for example: { resource.env="prod", resource.team="frontend" }.

Refer to Create LBAC for data sources rules for a supported data source for more information.

Single rule

Limit users to only see spans from the payments API.

{ resource.service.name="payments-api" }

This example matches spans with team A or team B. This single example is faster than using multiple rules with the same label.

{ resource.team =~ "team-a|team-b" }

Multiple rules

Two rules combined to give user access to spans from prod environment or the billing team.

{ resource.env="prod" }
{ resource.team="billing" }

This example gives users access to spans from the frontend team in the prod environment or the checkout team but doesn't enforce additional conditions. The comma (,) acts as an AND operator within the same rule.

{ resource.env="prod", resource.team="frontend" }
{ resource.team="checkout" }

User on multiple teams

Users on multiple teams receive access based on all combined LBAC rules assigned to each team.

Team A → { resource.cluster="us-east-1" } Team B → { resource.service.name="frontend" }

How LBAC affects returned data

Cloud Traces supports three redaction modes that control how unauthorized spans are handled in trace by ID search responses. The active mode is configured per tenant. To change the mode for your organization, contact Grafana Support.

Attributes mode (default)

Non-matching spans are included in the response but have their attributes and intrinsics redacted. Only the following minimal fields remain visible on redacted spans:

  • traceId, spanId, parentId
  • name, kind
  • timestamps
  • status

You can extend the set of always-visible fields by configuring allowed_attributes, which sets a list of scoped attributes and intrinsics that are never redacted, For example, you can set span:name, resource.service.name, event:name, or scope.version so they are never redacted, even from non-matching spans. Contact Grafana Support to configure allowed_attributes for your organization.

Spans mode

Non-matching spans are removed from the response entirely. This can result in broken traces where a returned span has no matching parent, creating gaps in the span tree.

Error mode

If any span in a requested trace does not match the LBAC policy, the entire request returns a 404 error. This is the strictest mode and is suited for environments where partial trace visibility is not acceptable.

For Search, metrics, and autocomplete endpoints, only spans matching the LBAC rules appear regardless of the configured redaction mode.

Manage LBAC rules

To edit an existing LBAC rule, follow these steps:

  1. Open your stack and select your Tempo or Cloud Traces data source.
  2. Select Permissions.
  3. Scroll to Data access.
  4. Select the rule you want to edit and click the Pencil (Edit) icon.
  5. Modify Attribute filters.
  6. Select Save.

To delete an existing LBAC rule, follow these steps:

Open your stack and select your Tempo or Cloud Traces data source.

  1. Select Permissions.
  2. Scroll to Data access.
  3. Select the rule you want to edit.
  4. Select the X (Delete) icon.
  5. Confirm deletion.