Folder-level RBAC is enforced in non-Enterprise deployments

What I have:

  • self-hosted non-licensed Grafana deployed in Kubernetes via the official Helm chart (chart version 8.10.1, app version 11.5.2)
  • dashboards sidecar enabled, and Grafana successfully discovers and creates dashboards from ConfigMap resources
  • there are users with Admin and Viewer rights using this Grafana instance

What I do:

  • create a ConfigMap with a dashboard that has a folder definition. This folder doesn’t exist in Grafana yet:
apiVersion: v1
kind: ConfigMap
metadata:
  name: dashboard
  namespace: namespace
  labels:
    grafana_dashboard: 'true'
  annotations:
    grafana_folder: my-folder
data:
  dashboard.json: |
    <DASHBOARD_JSON>

What I expect:

  • Grafana creates a new folder named “my-folder”
  • the dashboard is placed under the created folder
  • access rights on folder level are not enforced, and Grafana users with Admin and Viewer rights can both use this folder and open dashboards stored in it

What I see in fact:

  • folder is created
  • only users with Admin rights can access the dashboard
  • Viewers can’t open the created dashboard.

Questions:

  1. This ticket mentions that RBAC for folder level is an Enterprise-only feature. Does it mean that the current behavior is a bug and will be fixed in the future?
  2. Is there a way to define folder-level access rights through ConfigMap fields/annotations or via patching dashboard provider settings?

In your non-Enterprise Grafana setup, folder-level RBAC is enforced, which is actually expected behavior as folder-level access control is an Enterprise-only feature. As a result, only Admin users can access dashboards within a folder, while Viewers cannot. This isn’t a bug and won’t be fixed in the open-source version. Unfortunately, you can’t define folder-level access rights through ConfigMap or other settings in non-Enterprise Grafana, and you’d need to upgrade to Grafana Enterprise for this feature.

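A read-only check for the symptom described in this thread, as an added example that is not part of the original posts or of Grafana's own code: it lists who holds which permission on a folder through Grafana's folder permissions HTTP API (`GET /api/folders/<uid>/permissions`) and reports whether the Viewer role has an explicit grant. The base URL, folder UID, token and both sample responses are assumptions constructed for illustration.

```python
import json
import urllib.request

# Numeric folder permission levels used by the Grafana HTTP API.
LEVELS = {1: "View", 2: "Edit", 4: "Admin"}


def fetch_folder_permissions(base_url, folder_uid, token):
    """Fetch the permission list of one folder (needs a token allowed to read it)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/folders/{folder_uid}/permissions",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize(entries):
    """Map each grantee (role, team or user) to its highest permission level."""
    summary = {}
    for e in entries:
        if e.get("role"):
            who = f"role:{e['role']}"
        elif e.get("teamId"):
            who = f"team:{e.get('team') or e['teamId']}"
        elif e.get("userId"):
            who = f"user:{e.get('userLogin') or e['userId']}"
        else:
            continue  # entry without a recognizable grantee
        summary[who] = max(summary.get(who, 0), int(e.get("permission", 0)))
    return summary


def role_can_view(entries, role="Viewer"):
    """True if the folder lists an explicit grant (View or higher) for the role."""
    return summarize(entries).get(f"role:{role}", 0) >= 1


# Constructed sample responses, not captured from a real instance.
DEFAULT_FOLDER = json.loads(
    '[{"role": "Editor", "userId": 0, "teamId": 0, "permission": 2},'
    ' {"role": "Viewer", "userId": 0, "teamId": 0, "permission": 1}]'
)
LOCKED_FOLDER = json.loads(
    '[{"userId": 1, "userLogin": "admin", "teamId": 0, "permission": 4}]'
)

if __name__ == "__main__":
    for name, entries in (("default", DEFAULT_FOLDER), ("locked", LOCKED_FOLDER)):
        grants = {who: LEVELS.get(p, p) for who, p in summarize(entries).items()}
        print(name, grants, "Viewer can view:", role_can_view(entries))
```

Against a live instance, pass the result of `fetch_folder_permissions(...)` for the sidecar-created folder to `role_can_view` and compare it with a folder that Viewers can open.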