Doubt about how Grafana solves permissions with folder/dashboard

Hi all, I’m facing an issue with the following configuration for permissions in a folder/dashboard structure:

  • Folder A: Team A (viewer)
  • Dashboard A: Team B (Editor)
  • Dashboard A is inside Folder A
  • User A is part of Team A and Team B

What’s happening is user A has access to the edit tools in Dashboard A, but he can’t save it, as in Folder A he only has the Viewer role.
Following the documentation in https://grafana.com/docs/grafana/next/permissions/dashboard-folder-permissions/ it was not clear to me if this is the expected behaviour…

Edit: If I remove the user from Team A he gets the correct permissions in the dashboard (so I’d say this is at the very least inconsistent).

What will be the best way to handle a situation where different teams have dashboards inside the same folder and only specific teams should have access to edit/save specific dashboards?

Thanks a lot in advance. Regards

Hello!

I’m a little bit confused :smiley:

You can have this structure:

Folder1 - all teams are viewers.
Dash1 - all teams are viewers.
Dash2 - team1 editors role, others are still viewers.
Dash3 - team1 and team2 are editors, others are still viewers.

Hey,

I think the issue comes when team1 is viewer in the folder, team2 is editor in the dashboard and the user is part of both teams. (In this example team1 is a superset of team2).

Following your suggestion you say it will be better to not have this “team1” as a superset but better independent teams and give them all access to the folder?

User1 is a part of both teams.

Team1 - viewer in folder1 and viewer in dash1.
Team2 - viewer in folder1 and editor in dash1.

So user1 should have permission to edit dash1. But he won’t manage other dashboards in this folder, only view (if there are no other permissions ofc).

Also, you can add personal permissions for users in dashboard settings.

P.S. Grafana can’t make team in team, you will always have independent teams.

I’ll try to be clearer here, since I think this is becoming hard to explain :smiley:

Follow this having always in mind that user1 is part of team1 and team2.
From what I was able to test:

  • If dash1 has Team1 as viewer inherited from folder1 I can’t add the team explicitly to dashboard permissions (Grafana will throw an error, which makes sense).
  • If Team2 is viewer in folder1 and editor in folder1/dash1, user1 will be able to manage the dashboard and to save it
    • If in this situation I add Team1 as viewer in folder1, the user can still manage folder1/dash1 but not save it
    • Again in this situation, if I remove Team2 permissions from folder1, user1 can still manage folder1/dash1 but not save it

As you explained, Grafana can’t handle team aggregations (that’s the reason why user1 is in team1 and team2)

So this to me points to some issue on how Grafana is solving the permissions at the “save” time… not sure if this was clearer or just made things even more confusing :stuck_out_tongue:
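Added example, not part of the original thread and not Grafana code: a small audit that flags the team layout reported above, where a user holds a lower folder-level grant through one team and a higher dashboard-level grant through another. The data structures, names and the flagging rule are assumptions built from the three observations in the post; the rule is an audit heuristic, not Grafana's permission resolution.

```python
# Permission names as used in the thread; the numbers only order them (assumption).
LEVELS = {"View": 1, "Edit": 2, "Admin": 4}

# Constructed sample data mirroring the thread, not exported from a real instance.
MEMBERS = {"team1": {"user1"}, "team2": {"user1"}}
DASH_ACL = {"folder1/dash1": {"team2": "Edit"}}
CASES = {
    "team2 viewer on folder": {"folder1": {"team2": "View"}},
    "team1 added as folder viewer": {"folder1": {"team1": "View", "team2": "View"}},
    "team2 removed from folder": {"folder1": {"team1": "View"}},
}


def user_grants(acl, user, members):
    """Map team -> numeric level for the teams in this ACL the user belongs to."""
    return {t: LEVELS[p] for t, p in acl.items() if user in members.get(t, set())}


def find_mixed_grants(folder_acl, dashboard_acl, members):
    """Return (user, dashboard, team) where `team` gives the user a folder grant
    below the user's best dashboard grant and does not carry that dashboard
    grant itself: the layout the thread reports as 'can edit, cannot save'."""
    findings = []
    users = sorted(set().union(*members.values()))
    for path, dash_acl in sorted(dashboard_acl.items()):
        folder = path.split("/", 1)[0]
        for user in users:
            dash = user_grants(dash_acl, user, members)
            if not dash:
                continue  # no dashboard-level grant, nothing to compare
            top = max(dash.values())
            fold = user_grants(folder_acl.get(folder, {}), user, members)
            for team, level in sorted(fold.items()):
                if level < top and dash.get(team, 0) < top:
                    findings.append((user, path, team))
    return findings


if __name__ == "__main__":
    for label, folder_acl in CASES.items():
        print(label, "->", find_mixed_grants(folder_acl, DASH_ACL, MEMBERS))
```

Running the same check over permissions exported from a real instance would list every user/dashboard pair worth reviewing before deciding whether to split teams into separate folders.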

Understood.

But I couldn’t repeat this one:

But repeated this:

About the second example: absolutely, because when you deleted the permission for the folder, you still have permission for the dashboard. But because of 0 permission on the folder where the dashboard is, you cannot make any changes.

I think the decision is to make independent folders for each team.

Blew my mind, actually.
Hope guys will invent a folders tree, so we could confuse each other a lot.