Best way to create and embed grafana dashboard with tenant seperation?

Hello, i wanted to do consult about the best and secured way to share a dashboard between tenants.

So - I have a data source (which is eventually a DB) - divided into tenants, each tenant has it’s own table.
I want to show a grafana dashboard in my application, instead of creating those graphs by myself.

What i was thinking is:

  1. Have an internal grafana instance
  2. Create a dashboard on the DB, and create a full dashboard, saving it to a json.
  3. Each time a tenant wants to show his dashboard, i’ll take the JSON, import the dashboard (through API?) with the correct table name, then i’ll create a snapshot.
  4. i’ll then delete the dashboard from grafana
  5. i’ll share the snapshot in my app (embed it).

Your thoughts?

1 Like


What would happen to this process when you get a raise and you decide to go on a well deserved vacation in Cancun?

We will have other engineers that understand this flow?

  • i can’t share grafana directly to the users

any other thoughts?

Funny, I was looking to the similar scenario.
What works for us :

  • ensure the security via a secure auth (JWT for us)
  • pass the JWT token in embedding IFrame and establish user Identity in grafana
  • in grafana use the ${} variable to query user specific information

What doesn’t work, and if @ariel14 have pointers, that would be greatly appreciated :

  1. embed in an Iframe or some other way the whole dashboard not just the panel
  2. Make the ${} read-only in the datastore. If a user can change the dashaboard, not to be able to change the query to remove the filter based on userID.

#2 is a limitation when we will want later to allow users to author the dasbhoards

Why can"t you share grafana directly?

sometime embedding the dashboard can help a better experience, especially for products intended for not engineers. Each transition outside of the main product is a point of friction

1 Like

We plan to embed it, but giving the real grafana instance might be an issue because of security.

@floringrigoriu right now you gave users just a read only access?

1 Like

for a given user you can invite in organization and can assigned the appropriate role [viewer/ editor / admin]
I’m at level of prototype, so I did that manually in the config UI, but I’m sure there is an API

once an use logs in, a JWT user is created, for that user I can use this API to add to current organization, where the concept of organization in Grafana is what in other environments is called tenant

Is it per dashboard? Because I’ll have several dashboards (per tenant).
And you don’t mind the queries are visible?

I would not go the manual approach. A data driven (think ACL) self service portal would be my choice imo.

Once configured, it would not involve any engineers