Grafana Access Control
Grafana controls access through Organizations, Teams, and Roles. In a BizFirstGO deployment, access control determines which engineers can view dashboards, which can edit them, and which data sources each team can query — preventing cross-tenant data exposure.
Grafana Roles
| Role | Permissions | Typical Assignment |
|---|---|---|
| Viewer | View dashboards and panels; cannot edit or create; can use Explore (if granted) | Business stakeholders, tenant admins viewing their own data |
| Editor | All Viewer permissions + create/edit dashboards, panels, alerts; cannot manage users or data sources | Operations engineers, on-call engineers |
| Admin | All Editor permissions + manage users, teams, data sources, plugins, and organization settings | Platform engineering team lead |
| Server Admin | Server-wide flag rather than an org role: manages Organizations, global settings, and every user account across all orgs | Grafana infrastructure owner (one or two people) |
Organizations
Grafana Organizations are isolated namespaces: dashboards, folders, data sources, teams, and alert rules are all scoped to a single org. User accounts themselves are server-wide, but each user's role is assigned per Organization, so org membership is the isolation boundary. A BizFirstGO deployment may use Organizations to separate environments:
# Recommended Organization structure for BizFirstGO
Organization 1: Production
- Data sources: Loki-prod, Prometheus-prod, Tempo-prod
- Dashboards: All pre-built BizFirstGO dashboards (read-only provisioned)
- Users: Platform team (Admin/Editor), Operations (Viewer), On-Call (Editor)
Organization 2: Staging
- Data sources: Loki-staging, Prometheus-staging, Tempo-staging
- Dashboards: Same dashboards, pointing to staging data sources
- Users: All engineers (Editor), QA team (Viewer)
Organization 3: Development
- Data sources: Loki-dev, Prometheus-dev, Tempo-dev
- Users: All developers (Editor)
- Note: More permissive — developers can create experimental dashboards
A Grafana user can be a member of multiple Organizations with different roles in each. An engineer may be an Editor in the Development org but a Viewer-only in Production. Switch between Organizations using the top-left Organization switcher in Grafana.
Teams and Dashboard Folder Permissions
Within an Organization, Teams control access to specific dashboard folders:
# Grafana team-based access configuration
# (via API or provisioning)
Teams in Production Org:
- platform-team: Editor on all folders
- operations-team: Viewer on /BizFirstGO/, Editor on /Runbooks/
- tenant-ops: Viewer on /Tenant-Health/ only
# Dashboard folders with permissions:
/BizFirstGO/ → All teams: Viewer
/BizFirstGO/PreBuilt/ → platform-team: Editor, others: Viewer
/BizFirstGO/Runbooks/ → operations-team: Editor
/BizFirstGO/Tenant-Health/ → tenant-ops: Viewer
# Folder permissions decide which dashboards a team can open, not which data those
# dashboards may query; scoping the data itself is covered under Data Source Permissions.
# New folders also carry the default entries "Viewer role: View" and "Editor role: Edit".
# Remove them from restricted folders such as Tenant-Health, or every org member with
# that role still sees the folder regardless of team.
Data Source Permissions
Data source permissions control which users and teams can query a data source at all. They apply to every query path (Explore, dashboard panels, and alert rules), so a user without Query permission on Loki-prod sees those panels fail rather than render. By default, every Editor and Admin can query every data source in the org. Restrict them if tenants must not query each other's data:
# Grafana data source permissions (Grafana Enterprise / Grafana Cloud feature)
# OSS alternative: one data source per tenant, each pinned to a Loki tenant (see below)
# Default (OSS Grafana):
# Every Editor and Admin can query every data source, from dashboards or Explore
# Viewers can only load dashboards; Explore is closed to them unless explicitly granted
# With data source permissions (Enterprise):
Loki-prod:
- platform-team: Query + Admin
- operations-team: Query only
- tenant-ops: no Query permission (panels backed by Loki-prod will not render for them;
  their dashboards must use a tenant-scoped data source they are allowed to query)
# Tenant isolation at the Loki level (works with OSS):
# Loki with auth_enabled: true rejects any request that lacks an X-Scope-OrgID header
# Grafana does NOT derive that header from the logged-in user. It is a static custom
# header configured on each data source (Custom HTTP Headers in the UI, or
# httpHeaderName1 / httpHeaderValue1 in provisioning). Either create one Loki data
# source per tenant and restrict who may use it, or put an authenticating proxy in
# front of Loki that sets X-Scope-OrgID from the caller's identity.
Provisioning Teams via the API
# There is no file-based provisioning type for teams in Grafana OSS (provisioning
# covers data sources, dashboards, plugins, and alerting), so a teams.yaml under
# grafana-provisioning/ would be ignored. Team Sync, which maps LDAP or OIDC groups
# to teams automatically, is a Grafana Enterprise / Cloud feature.
# In OSS, create teams and memberships through the HTTP API (below) or the UI, and
# run the calls from CI so the resulting state is reproducible and reviewable.
# Authenticate with a service-account token (org Admin) in a header, not with
# admin:admin in the URL: basic-auth credentials in a URL end up in shell history,
# proxy logs, and process listings, and the default admin password must be changed
# before the instance is exposed at all.
# Create teams via Grafana API:
curl -X POST http://grafana:3000/api/teams \
  -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "operations-team", "orgId": 1}'
# Response: {"message":"Team created","teamId":1}
# Add members to team (teamId from the response above; userId from
# GET /api/users/lookup?loginOrEmail=<login>):
curl -X POST http://grafana:3000/api/teams/1/members \
  -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"userId": 5}'
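The team and folder layout above, the API calls just shown, and the per-data-source X-Scope-OrgID header from Data Source Permissions come together in the following script. It is an added example written for this page, not BizFirstGO's own tooling: it assumes GRAFANA_URL and GRAFANA_TOKEN (a service-account token with org Admin) in the environment, a Loki reachable at LOKI_URL, and hypothetical tenant names passed on the command line. The request and response shapes are those of the documented Grafana HTTP API (POST /api/datasources, /api/teams, /api/folders, and /api/folders/{uid}/permissions).

```python
"""Provision per-tenant Loki access through the Grafana HTTP API.

Added example for this page, not BizFirstGO's own tooling. Assumes GRAFANA_URL,
GRAFANA_TOKEN (service-account token, org Admin) and LOKI_URL in the environment,
and hypothetical tenant names on the command line. Uses the uid-based folder API
(Grafana 9+).
"""
import json
import os
import sys
import urllib.request

# Folder/dashboard permission levels exactly as the Grafana API encodes them.
VIEW, EDIT, ADMIN = 1, 2, 4


def http_call(base_url, token):
    """Build a call(method, path, body) -> dict that talks to a live Grafana.
    The token travels in a header, never in the URL (URLs leak into shell
    history, proxy logs and process listings)."""
    def call(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


def tenant_datasource(name, loki_url, tenant_id):
    """Request body for POST /api/datasources: a Loki data source pinned to one
    tenant. Grafana does not derive X-Scope-OrgID from the logged-in user; the
    header is static per data source. The value goes in secureJsonData so it is
    encrypted at rest and never echoed back by the API."""
    return {
        "name": name,
        "type": "loki",
        "access": "proxy",   # Grafana's backend queries Loki; browsers never reach it
        "url": loki_url,
        "jsonData": {"httpHeaderName1": "X-Scope-OrgID"},
        "secureJsonData": {"httpHeaderValue1": tenant_id},
    }


def folder_permissions(team_id, platform_team_id=None):
    """Explicit ACL for one tenant folder. POST /api/folders/{uid}/permissions
    REPLACES the folder's ACL, and the default 'Viewer role: View' /
    'Editor role: Edit' entries are deliberately left out: with them present,
    every org member of that role would still see the folder."""
    items = [{"teamId": team_id, "permission": VIEW}]
    if platform_team_id is not None:
        items.append({"teamId": platform_team_id, "permission": EDIT})
    return {"items": items}


def provision(call, tenants, loki_url, platform_team_id=None):
    """One data source, team and folder per tenant; the tenant team may only
    View its own folder. Returns {tenant: {datasource_uid, team_id, folder_uid}}."""
    out = {}
    for tenant in tenants:
        ds = call("POST", "/api/datasources",
                  tenant_datasource(f"Loki-{tenant}", loki_url, tenant))
        team = call("POST", "/api/teams", {"name": f"tenant-{tenant}"})
        folder = call("POST", "/api/folders", {"title": f"Tenant-Health - {tenant}"})
        call("POST", f"/api/folders/{folder['uid']}/permissions",
             folder_permissions(team["teamId"], platform_team_id))
        out[tenant] = {
            "datasource_uid": ds["datasource"]["uid"],
            "team_id": team["teamId"],
            "folder_uid": folder["uid"],
        }
    return out


if __name__ == "__main__":
    grafana = http_call(os.environ["GRAFANA_URL"], os.environ["GRAFANA_TOKEN"])
    loki = os.environ.get("LOKI_URL", "http://loki-prod:3100")
    print(json.dumps(provision(grafana, sys.argv[1:], loki), indent=2))
```

In OSS this gives each tenant team a folder it alone can open and a data source that can only ever reach its own Loki tenant, but any Editor in the org can still pick Loki-acme in Explore; keep tenant users as Viewers, or add Enterprise data source permissions on top. The same jsonData/secureJsonData keys are what a file-provisioned data source uses, if you prefer YAML over the API for that part.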
LDAP / SSO Integration
For enterprise BizFirstGO deployments, integrate Grafana with corporate identity providers to avoid managing separate user accounts:
# grafana.ini — LDAP integration
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
# ldap.toml — Map LDAP groups to Grafana roles
[[servers]]
host = "ldap.bizfirstai.internal"
# Use LDAPS (636) or start_tls: plain 389 carries the bind password and every
# user's login password in cleartext. Pin the CA instead of setting ssl_skip_verify.
port = 636
use_ssl = true
root_ca_cert = "/etc/grafana/ldap-ca.pem"
# Read-only service account used only to look users up; it needs no admin rights.
bind_dn = "cn=grafana-svc,ou=service-accounts,dc=bizfirstai,dc=com"
bind_password = "${LDAP_BIND_PASSWORD}"
search_base_dns = ["ou=users,dc=bizfirstai,dc=com"]
search_filter = "(sAMAccountName=%s)"
# Mappings are evaluated top to bottom and the first group the user belongs to
# wins, so the most privileged mapping must come first. A user who matches no
# mapping is denied login, unless a wildcard group_dn = "*" is added on purpose.
[[servers.group_mappings]]
group_dn = "cn=platform-engineering,ou=groups,dc=bizfirstai,dc=com"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=operations,ou=groups,dc=bizfirstai,dc=com"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "cn=business-users,ou=groups,dc=bizfirstai,dc=com"
org_role = "Viewer"
# grafana.ini — OAuth 2.0 / OIDC (e.g., Azure AD / Entra ID, Okta)
[auth.generic_oauth]
enabled = true
name = BizFirstAI SSO
allow_sign_up = true
# $__env{} is Grafana's config-file variable expansion; alternatively export
# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET and leave the key out of the file entirely.
client_id = $__env{OAUTH_CLIENT_ID}
client_secret = $__env{OAUTH_CLIENT_SECRET}
scopes = openid email profile groups
use_pkce = true
auth_url = https://login.microsoftonline.com/$__env{TENANT_ID}/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/$__env{TENANT_ID}/oauth2/v2.0/token
api_url = https://graph.microsoft.com/oidc/userinfo
# JMESPath over the ID-token and userinfo claims. Entra ID puts group object IDs
# (GUIDs) in the groups claim, not display names, so match on the GUIDs there or
# use the dedicated [auth.azuread] provider; Okta can be configured to emit names.
role_attribute_path = contains(groups[*], 'platform-engineering') && 'Admin' || contains(groups[*], 'operations') && 'Editor' || 'Viewer'
BizFirstGO Recommended Access Control Setup
Create three Organizations: Production, Staging, Development
Fully isolate production dashboards and data sources from non-production environments.
Create teams: platform-team, operations-team, tenant-ops
Assign team-level folder permissions so each team sees only the dashboards relevant to them.
Integrate SSO (LDAP or OIDC)
Map corporate directory groups to Grafana roles. Avoid managing passwords in Grafana — SSO provides central revocation.
Restrict Explore for Viewers
Explore is open to Editor and above by default; Viewers get it only if viewers_can_edit = true is set in the [users] section of grafana.ini, a legacy switch that is deprecated since Grafana 10 in favour of the RBAC action datasources:explore. Leave it at its default of false, and check that no custom role hands datasources:explore to business users. If ad-hoc querying is unwanted for everyone, disable the feature outright with enabled = false in the [explore] section.
Use Loki multi-tenancy for tenant isolation
Enforce tenant boundaries at the Loki level (auth_enabled: true, so every query must carry an X-Scope-OrgID header), not only at the dashboard level; a misconfigured dashboard or an ad-hoc Explore query then cannot reach another tenant's logs.
A user who can view a dashboard sees only the data its panels render. An Editor can additionally open Explore and query any data source their role allows, which means every tenant's logs if they all sit behind one Loki data source. Two things close this gap. First, Loki's auth_enabled: true, which makes the tenant header mandatory for production deployments. Second, Grafana-side scoping, because Grafana does not fill in X-Scope-OrgID from the user's identity: either run one Loki data source per tenant with the header fixed in its settings and limit who may use it, or place an authenticating gateway in front of Loki that sets the header from the caller's identity and discards any client-supplied value. Note that auth_enabled only makes Loki require the header; Loki does not verify it, so whatever component sets the header is the actual trust boundary.
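The "misconfigured dashboard" case above is easy to catch before a dashboard is provisioned into a tenant folder. The following audit is an added example written for this page, not a BizFirstGO tool: it walks an exported dashboard JSON (the sample is constructed, and the data source UIDs loki-acme and loki-prod are assumptions) and flags every panel that is not pinned to an allowed, tenant-scoped data source, including panels that inherit the org default data source, use the Mixed data source, or let a template variable choose the data source. It treats a tenant label selector in the query as no protection at all, since any Editor can remove it and Explore never applies it.

```python
"""Audit an exported Grafana dashboard for panels that can reach data outside a
tenant's scope. Added example for this page, not a BizFirstGO tool. The dashboard
below is constructed; loki-acme (tenant-scoped) and loki-prod (shared) are
assumed data source UIDs."""
import json

# Grafana's built-in pseudo data sources; on their own they never reach Loki.
BUILTIN = {"-- Grafana --", "-- Dashboard --"}
MIXED = "-- Mixed --"

# Constructed sample in the shape of a Grafana dashboard export.
SAMPLE_DASHBOARD = json.loads(r'''
{
  "title": "Tenant Health - acme",
  "panels": [
    {"id": 1, "title": "Error rate", "type": "timeseries",
     "datasource": {"type": "loki", "uid": "loki-acme"},
     "targets": [{"refId": "A", "expr": "sum(rate({app=\"api\"} |= \"error\" [5m]))"}]},
    {"id": 2, "title": "Recent errors", "type": "logs",
     "datasource": {"type": "loki", "uid": "loki-prod"},
     "targets": [{"refId": "A", "expr": "{tenant=\"acme\", app=\"api\"} |= \"error\""}]},
    {"id": 3, "title": "Details", "type": "row", "collapsed": true, "panels": [
      {"id": 4, "title": "Latency", "type": "stat",
       "datasource": {"type": "datasource", "uid": "-- Mixed --"},
       "targets": [{"refId": "A", "datasource": {"type": "loki", "uid": "loki-prod"},
                    "expr": "{tenant=\"acme\"}"}]}
    ]},
    {"id": 5, "title": "Uptime", "type": "stat",
     "targets": [{"refId": "A", "expr": "up"}]}
  ]
}
''')


def iter_panels(panels):
    """Yield every panel, descending into collapsed rows, which nest their panels."""
    for panel in panels or []:
        yield panel
        yield from iter_panels(panel.get("panels"))


def _uid(ref):
    """Data source reference -> uid. Current exports use {"type", "uid"}; older
    ones a bare name string; a missing or null reference means the org default."""
    if ref is None:
        return None
    return ref.get("uid") if isinstance(ref, dict) else ref


def panel_datasources(panel):
    """Every data source a panel may query: its own plus per-target overrides."""
    uids = {_uid(panel.get("datasource"))}
    for target in panel.get("targets", []):
        if "datasource" in target:
            uids.add(_uid(target["datasource"]))
    return uids


def audit(dashboard, allowed_uids):
    """Return (panel_id, reason) for each panel not pinned to an allowed data
    source. A {tenant="..."} selector in the query is deliberately ignored: it
    is not a control, because an Editor can drop it and Explore never adds it."""
    findings = []
    for panel in iter_panels(dashboard.get("panels")):
        if panel.get("type") == "row":
            continue
        for uid in panel_datasources(panel):
            if uid is None:
                findings.append((panel["id"], "inherits the org default data source"))
            elif uid == MIXED:
                findings.append((panel["id"], "Mixed data source; each target is checked separately"))
            elif isinstance(uid, str) and uid.startswith("$"):
                findings.append((panel["id"], f"data source chosen by variable {uid}"))
            elif uid in BUILTIN or uid in allowed_uids:
                continue
            else:
                findings.append((panel["id"], f"queries {uid}, which is not tenant-scoped"))
    return findings


if __name__ == "__main__":
    for panel_id, reason in audit(SAMPLE_DASHBOARD, {"loki-acme"}):
        print(f"panel {panel_id}: {reason}")
```

Run it as a CI gate on the dashboards destined for each Tenant-Health folder, passing that tenant's data source UID as the allowed set; a clean result means the folder's dashboards can only ever ask Loki for that one tenant, whatever their queries say.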