Changing Grafana role when using OAuth

djsanek1 · February 4, 2022, 1:40pm

There were several PR to disable changing roles for external users:

I am not sure why it’s a thing.

We are using AzureAD as a source for our users. We are not getting role info from it.
With that said our approach was to apply roles individually inside Grafana. And this was working great.

Not sure what was the decision to disable it, with that said it would be great if that can be under some flag in the config to change such behavior.

Environment:

Grafana version: 8.3.3
Data source type & version: N\A
OS Grafana is installed on: N\A
User OS & Browser: N\A

jangaraj · February 4, 2022, 8:06pm

You don’t need to have a roles from your identity provider. You can write role assignment based on any claim. E.g. on email claim:

GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(['mail1@mail.com','mail2@mail.com'], email) && 'Admin' || 'Viewer'

=> users with emails mail1@mail.com,mail2@mail.coom are admins and others are viewers only.

djsanek1 · February 4, 2022, 10:02pm

We have more than 20k users.
So adding them to the config is not an option

jangaraj · February 4, 2022, 10:35pm

Do you manage roles of 20k users manually? That’s IMHO task exactly for IDP provided roles/groups.

Topic		Replies	Views
Issues with Grafana and Azure AD as IDP Configuration azure	0	423	March 10, 2021
Grafana Authentication/Authorization via OAUTH and AzureAD Configuration azure	4	2498	March 25, 2020
How to enable Role mapping for Azure AD Groups/ Users (Grafana OSS) Authentication azure , grafana-roles , azure-ad	0	67	April 17, 2025
New users being assigned incorrect role (AAD OAuth) Grafana	3	893	June 12, 2024
Keep local role control whilst using Azure AD? Authentication	0	421	March 28, 2022

Changing Grafana role when using OAuth

Related topics