Permissions on Grafana Labs

Organization roles

Sat, 04 Apr 2026 12:26:57 +0000

Organization roles

Refer to Fine-grained access Control in Grafana Enterprise for managing Organization roles with fine-grained permissions.

Users can belong to one or more organizations. A user’s organization membership is tied to a role that defines what the user is allowed to do in that organization. Grafana supports multiple organizations in order to support a wide variety of deployment models, including using a single Grafana instance to provide service to multiple potentially untrusted organizations.

In most cases, Grafana is deployed with a single organization.

Each organization can have one or more data sources.

All dashboards are owned by a particular organization.

Note: Most metric databases do not provide per-user series authentication. This means that organization data sources and dashboards are available to all users in a particular organization.

Compare roles

The table below compares what each role can do. Read the sections below for more detailed explanations.

	Admin	Editor	Viewer
View dashboards	x	x	x
Add, edit, delete dashboards	x	x
Add, edit, delete folders	x	x
View playlists	x	x	x
Create, update, delete playlists	x	x
Access Explore	x	x
Add, edit, delete data sources	x
Add and edit users	x
Add and edit teams	x
Change organizations settings	x
Change team settings	x
Configure app plugins	x

If you are running Grafana Enterprise, you can grant and revoke access by using fine-grained roles and permissions, refer to Fine-grained access Control for more information.

Organization admin role

Can do everything scoped to the organization. For example:

Can add, edit, and delete data sources.
Can add and edit users and teams in their organization.
Can add, edit, and delete folders containing dashboards for data sources associated with their organization. They can also edit folder permissions.
Can configure app plugins and organization settings.
Can do everything allowed by the Editor role.

Editor role

Can view, add, and edit dashboards, panels, and alert rules in dashboards they have access to. This can be disabled on specific folders and dashboards.
Can add, edit, and delete folders containing dashboards for data sources associated with their organization. They cannot edit folder permissions.
Can create, update, or delete playlists.
Can access Explore.
Can add, edit, or delete alert notification channels.
Cannot add, edit, or delete data sources.
Cannot manage other organizations, users, and teams.

This role can be changed with the Grafana server setting editors_can_admin. If you set this to true, then users with the Editor role can also administrate dashboards, folders, and teams they create. This is especially useful for enabling self-organizing teams to administer their own dashboards.

Viewer role

Can view any dashboard they have access to. This can be disabled on specific folders and dashboards.
Cannot add, edit, or delete data sources.
Cannot add, edit, or delete dashboards or panels.
Cannot create, update, or delete playlists.
Cannot add, edit, or delete alert notification channels.
Cannot access Explore.
Cannot manage other organizations, users, and teams.

This role can be changed with the Grafana server setting viewers_can_edit. If you set this to true, then users with the Viewer role can:

Make transient dashboard edits, meaning they can modify panels and queries but not save the changes or create new dashboards.
Access and use Explore.

This is especially useful for public Grafana installations where you want anonymous users to be able to edit panels and queries but not save or create new dashboards.

Dashboard and folder permissions

Sat, 04 Apr 2026 12:26:57 +0000

Grant dashboard and folder permissions

You can assign and remove permissions for organization roles, users, and teams for specific dashboards and dashboard folders. This topic explains how to grant permissions to specific folders and dashboards. To learn more about denying access to certain Grafana users, refer to Restricting access.

Permission levels

There are three permission levels for files and folders. Each of the permissions is processed independently. They permissions are separate from organization roles.

Admin - Can create, edit, or delete dashboards. Can create, edit, and delete folders. Can also change dashboard and folder permissions.
Edit - Can create and edit dashboards. Cannot change folder or dashboard permissions, or add, edit, or delete folders.
View - Can only view existing dashboards and folders.

Grant folder permissions

Folder permissions apply to the folder and all dashboards contained within it.

In the sidebar, hover your mouse over the Dashboards (squares) icon and then click Manage.
Hover your mouse cursor over a folder and then click Go to folder.
Go to the Permissions tab, and then click Add Permission.
In Add Permission For, select User, Team, or one of the role options.
In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
In the third box, select the permission you want to add.
Click Save.

Grant dashboard permissions

In the top right corner of your dashboard, click the cog icon to go to Dashboard settings.
Go to the Permissions tab, and then click Add Permission.
In Add Permission For, select User, Team, or one of the role options.
In the second box, select the user or team to add permission for. Skip this step if you selected a role option in the previous step.
In the third box, select the permission you want to add.
Click Save.

Edit permissions

To change existing permissions, navigate to the permissions page as described above. Instead of clicking Add permission, change or delete permissions already assigned. Changes take effect immediately.

Restricting access

Sat, 04 Apr 2026 12:26:57 +0000

Restricting access

Refer to Fine-grained access Control in Grafana Enterprise to understand how to use fine-grained permissions to restrict access.

The highest permission always wins so if you for example want to hide a folder or dashboard from others you need to remove the Organization Role based permission from the Access Control List (ACL).

You cannot override permissions for users with the Organization Admin role. Admins always have access to everything.
A more specific permission with a lower permission level will not have any effect if a more general rule exists with higher permission level. You need to remove or lower the permission level of the more general rule.

Here are some examples of how Grafana resolves multiple permissions.

Example 1 (user1 has the Editor Role)

Permissions for a dashboard:

Everyone with Editor role can edit
user1 can view

Result: user1 has Edit permission as the highest permission always wins.

Example 2 (user1 has the Viewer Role and is a member of team1)

Permissions for a dashboard:

Everyone with Viewer role can view
user1 Can Edit
team1 Can Admin

Result: user1 has Admin permission as the highest permission always wins.

Example 3

Permissions for a dashboard:

user1 can admin (inherited from parent folder)
user1 can edit

Result: You cannot override to a lower permission. user1 has Admin permission as the highest permission always wins.

Data source permissions

Sat, 04 Apr 2026 12:26:57 +0000

Data source permissions

Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific users and teams.

Note: Data source permissions are only available in Grafana Enterprise. For more information, refer to Data source permissions in Grafana Enterprise.