Hey,
I am trying to understand how to collect data from users, teams, and organizations via API requests. I see that the data only returns successfully (without a 403 status) if I either assign admin permissions to a service account or use basic authentication and give the user admin permissions during creation. This means that viewer permissions result in a 403 for all requests.
My question is: In Grafana OSS, is there an option to grant minimal permissions (other than admin) to collect all the data, or is this the only way?
Each API method has required permissions, which the role used for the API call must have.
Permissions for basic roles:
So Viewer doesn’t have teams permissions, so when you use it for a team API call, Grafana responds with 403 = Forbidden (because the role used doesn’t have the required permissions).
You can use (paid) Grafana Enterprise, where you can define your own role (with read permissions for everything), but I don’t believe that exists in OSS.
In Grafana OSS, collecting data via API requests generally requires certain permissions to ensure the security and integrity of the system. However, by default, only users with admin permissions can access user, team, and organization data through the API. If you’re encountering 403 status codes when trying to use minimal or viewer permissions, this is because these roles are not granted sufficient access to perform those API operations.
Grafana does not offer a native feature to grant minimal permissions that allow access to all data via API while avoiding admin-level access. As a workaround, you may consider creating a custom role or using the viewer or editor roles with the appropriate permissions, but this still may not grant full access to API endpoints that require admin privileges. Another option is to use a service account with the necessary access rights tailored to the required operations. Always ensure that the service account or user has the least privileges necessary to reduce security risks.
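To see what a given token can actually read before reaching for Admin, the following added example (not part of the original thread and not Grafana's own code) probes read-only endpoints with one service account token per basic role and reports the lowest role that gets 200 on all of them. The endpoint set and the `GRAFANA_URL` / `GRAFANA_TOKEN_*` environment variable names are assumptions; adjust them to the calls you collect.

```python
import urllib.error
import urllib.request

# Assumed endpoint set for "users, teams, organizations"; edit to match what you collect.
ENDPOINTS = {
    "org users": "/api/org/users",
    "teams": "/api/teams/search",
    "current org": "/api/org",
}
ROLE_ORDER = ["Viewer", "Editor", "Admin"]  # basic roles, least to most privileged


def http_status(url, token, timeout=10):
    """GET url with a service account bearer token and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 4xx/5xx; the code is what we want


def audit(base_url, token, fetch=http_status):
    """Map each endpoint name to the status this token gets."""
    base = base_url.rstrip("/")
    return {name: fetch(base + path, token) for name, path in ENDPOINTS.items()}


def denied(results):
    """Endpoints refused for authorization (403) rather than for a bad token (401)."""
    return sorted(name for name, status in results.items() if status == 403)


def minimal_role(base_url, tokens_by_role, fetch=http_status):
    """Lowest basic role whose token gets 200 on every endpoint, else None."""
    for role in ROLE_ORDER:
        token = tokens_by_role.get(role)
        if token and all(s == 200 for s in audit(base_url, token, fetch).values()):
            return role
    return None


if __name__ == "__main__":
    import os  # tokens come from the environment (hypothetical names), not the script
    tokens = {r: os.environ.get(f"GRAFANA_TOKEN_{r.upper()}") for r in ROLE_ORDER}
    url = os.environ.get("GRAFANA_URL", "http://localhost:3000")
    for role, tok in tokens.items():
        if tok:
            print(role, audit(url, tok), "denied:", denied(audit(url, tok)))
    print("minimal role:", minimal_role(url, tokens))
```

A 401 means the token itself was rejected, while a 403 means the token is valid but its role lacks the permission the endpoint requires, which is the case discussed in this thread.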