Grafana 7 and 8 oss version.
Maybe someone solved a similar problem?
Problem: We have an Organization with user1-1, user1-2, user2-1 and user2-2, all user1-* are in team1 and user2-* are in team2.
Question: is it possible for users from team1, when using a common dashboard for both teams, that the variable would take the value 10, and for users from team2 it would take the value 20?
Now this is solved by creating a dashboard for each team, where the variable has a different value, but if there are more than 100 such teams…
is it possible to capture the currently logged in user and hence that user’s team?
can you give a little more detail? Or is this a question for the developers?
Raising this question to see if someone or something has come along with a solution by now. Like the OP, we want to leverage the same dashboard, but with data filtering based upon current user. Ideal solution would be row-level filtering (from the data source) based upon passed through user identity/credentials (in the connection), but that’s not something Grafana supports. So, looking for any alternative approach that saves us from creating copies of dashboards with different settings to accomplish this filtering.
Does the datasource have the user.id? Also what is the datasource and can you pass it the global user id
Datasource is PostgreSQL.
I was hoping for a way to enforce this through user/adminstrative security controls at the Grafana level. If we incorporate user.id (or related identity element such as team) into the database query then the potential exists for a user with edit privileges to create their own queries against the data source and bypass this filter. I could implement a strategy to implement views (with embedded filters) on the database and restrict access to those objects by associated database connection credentials (and likewise Grafana security on the connections). But I’m not sure how to implement such a set of connections and still not end up with multiple dashboards (one for each connection and related data filters)?
1 Like
Look into rbac which is not in oss version but enterprise
Did you mean RBAC or LBAC? Google can’t find TBAC.
According to docs, LBAC says it’s for Prometheus data connections; not sure about PostgreSQL support?
1 Like
Yep rbac. For using user.id, we do not give users direct query access to tables
We give permission to the service account used to run grafana service.
That user is what has the only perm not directly to tables but stored procedures that way users cannot query willy nilly
Stored procedures require user id
1 Like