I am running Grafana v5.2.4 (0bbac5c) on Ubuntu Linux 16.04. I would like to restrict the ability of a particular user only to one particular dashboard. I have made this dashboard the home dashboard for that user, but how do I prevent the user from switching to a different dashboard?
I have read the part of the documentation about permissions but it seems to be outdated. There is no “Permissions” tab under “Dashboards”. Nor “Dashboards” or “Settings”, for that matter. All I can see there are “Manage”, “Playlists”, and “Snapshots” tabs. I’ve also looked at Configuration/Users, Configuration/Teams, Configuration/Preferences, Configuration/Server Admin/Users, Configuration/Server Admin/Settings, and Configuration/Server Admin/Orgs but I can’t find anywhere how to indicate which dashboards a user is allowed to access.
Dashboards -> Manage -> configure folders -> you have to use folders structure because folders have permissions. Linked doc looks good to me - I guess you just don’t use folders.
I had everything in the General folder; I didn’t realize that it’s not possible to set permissions for this folder.
OK, I have created a special folder where I moved the dashboard that I want to be restricted to a particular user. However, I still don’t understand how to do it. To be precise, I want a particular user (let’s call it Test) to be able to view-only the dashboard Test and nothing else. (If other users can view the dashboard Test, that’s not a problem; I just want the user Test not to be able to view anything else.)
I have created a folder Testing and have moved the dashboard Test there. How do I lock this user out of the other dashboards? Should I move all other dashboards to some other folder? The user Test currently has a Viewer role, should I remove that? Or should I create a team and make him a member of this team? And then what? This is so non-intuitive…
From the documentation I can understand how to add permission for a user to view a particular dashboard, but not how to deny him this ability… I can’t take the “Viewer” role away from him, because every existing user must have either Viewer, or Editor, or Admin role, no?
3 Likes
I have solved this issue creating different Organizations.
In an Org you truly assign who can view, edit and admin, and nobody else can access
Hello, what do you mean by that? Can you explain in a little more detail?
I’m kind of struck with same problem like @vbontchev. Could you please provide your solutions @micelshima . it will be really helpful. Thanks
Nothing special. In Grafana OSS you have Org 1 by default where you create folders and dashboards, and assign permissions to them with roles (admin, editor and viewer).
I created groups in AD to assign to those roles (ldap.toml).
There are no more roles to play with, so the user must be inside viewer with the rest of users.
So I created a new Org in Grafana (inside Server Admin menu) where I created just that dashboard (and related datasources) and created a group in AD to control that access too where I put that user
1 Like
From my pov using different organizations is an overshoot, you have to replicate all your dashboards for every organization.
one simple way is:
- create a folder and put all your dashboards in
- give to the folder view rights to “see all” users or teams, these rights will be inherited by all dashboards in the folder.
- Give to the specific dashboards view rights to “see only something” users or teams.
Making different orgs is like having two different Grafana instances on the same PC.
I understand your first two bullet points but on the third one how do you create ‘see only something’ users/teams?
As far as I can see users/teams are one of three admin, editor or viewer? Where are the options to limit access?
Thanks in advance.
Mihailo
I found a way but its a little bit complicated and it is done in reverse.
Create 2 folders & create the special dashboard in folder 2. (Suppose that every other dashboard is in folder 1). Go to permissions from folder 1 and delete the default editor & viewer permissions. Now when the special user (editor/viewer) access Grafana, only folder 2 will be visible. But every other user in the org will face the same thing. Now you need to create a team for everyone except the special user, add permissions for that team in folder 1
1 Like
